Merge branch 'master' of github.com:rapid7/metasploit-framework
sinn3r
commit
1534c4af6f
|
|
@ -249,6 +249,13 @@ class Driver < Msf::Ui::Driver
|
||||||
# If the opt is nil here, we load ~/.msf3/msfconsole.rc
|
# If the opt is nil here, we load ~/.msf3/msfconsole.rc
|
||||||
load_resource(opts['Resource'])
|
load_resource(opts['Resource'])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Process any additional startup commands
|
||||||
|
if opts['XCommands'] and opts['XCommands'].kind_of? Array
|
||||||
|
opts['XCommands'].each { |c|
|
||||||
|
run_single(c)
|
||||||
|
}
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
|
||||||
|
|
@ -476,6 +476,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
multihandler.datastore['MODULE_OWNER'] = self.datastore['MODULE_OWNER']
|
multihandler.datastore['MODULE_OWNER'] = self.datastore['MODULE_OWNER']
|
||||||
multihandler.datastore['WORKSPACE'] = datastore["WORKSPACE"] if datastore["WORKSPACE"]
|
multihandler.datastore['WORKSPACE'] = datastore["WORKSPACE"] if datastore["WORKSPACE"]
|
||||||
multihandler.datastore['ParentUUID'] = datastore["ParentUUID"] if datastore["ParentUUID"]
|
multihandler.datastore['ParentUUID'] = datastore["ParentUUID"] if datastore["ParentUUID"]
|
||||||
|
multihandler.datastore['CAMPAIGN_ID'] = datastore["CAMPAIGN_ID"] if datastore["CAMPAIGN_ID"]
|
||||||
|
multihandler.datastore['BAP'] = true
|
||||||
multihandler.datastore['AutopwnUUID'] = self.uuid
|
multihandler.datastore['AutopwnUUID'] = self.uuid
|
||||||
multihandler.datastore['LPORT'] = lport
|
multihandler.datastore['LPORT'] = lport
|
||||||
multihandler.datastore['LHOST'] = @lhost
|
multihandler.datastore['LHOST'] = @lhost
|
||||||
|
|
|
||||||
|
|
@ -27,9 +27,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When
|
This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When
|
||||||
rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner,
|
rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner,
|
||||||
but the same memory is reused again later in the CMshtmlEd::Exec() function, leading
|
but the same memory is reused again later in the CMshtmlEd::Exec() function, leading
|
||||||
to a use-after-free condition. Please note that this vulnerability has
|
to a use-after-free condition.
|
||||||
been exploited in the wild since Sep 14 2012, and there is currently no official
|
|
||||||
patch for it.
|
Please note that this vulnerability has been exploited in the wild since Sep 14 2012,
|
||||||
|
and there is currently no official patch for it.
|
||||||
|
|
||||||
|
Also note that presently, this module has some target dependencies for the ROP chain to be
|
||||||
|
valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default).
|
||||||
|
For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which
|
||||||
|
is often the case).
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
|
|
|
||||||
|
|
@ -101,6 +101,11 @@ class OptsConsole
|
||||||
options['DisableBanner'] = true
|
options['DisableBanner'] = true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
opts.on("-x", "-x <command>", "Execute the specified string as console commands (use ; for multiples)") do |s|
|
||||||
|
options['XCommands'] ||= []
|
||||||
|
options['XCommands'] += s.split(/\s*;\s*/)
|
||||||
|
end
|
||||||
|
|
||||||
opts.separator ""
|
opts.separator ""
|
||||||
opts.separator "Common options:"
|
opts.separator "Common options:"
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue