Change description a bit

bug/bundler_fix
sinn3r 2015-01-27 12:14:55 -06:00
parent 2dedaee9ca
commit bb9c961847
1 changed file with 10 additions and 17 deletions

@ -10,17 +10,6 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::RopDb
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :ua_name => HttpClients::IE,
# :ua_minver => "8.0",
# :ua_maxver => "8.0",
# :javascript => true,
# :os_name => OperatingSystems::Match::WINDOWS,
# :rank => Rank
#})
def initialize(info={})
super(update_info(info,
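Review bot: Dropping the commented-out BrowserAutopwn include and autopwn_info block is fine since it was dead code, but the description added in the next hunk says the module refuses to attack on a version mismatch, so it should stay out of autopwn anyway; a one-line note in the module about why it is not registered with BrowserAutopwn would stop someone re-adding the block later.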
@ -30,15 +19,18 @@ class Metasploit3 < Msf::Exploit::Remote
The vulnerability exists in the handling of the dashstyle.array length for vml
shapes on the vgx.dll module.
This module has been built and tested specifically against Windows 7 SP1 with
The exploit has been built and tested specifically against Windows 7 SP1 with
Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to
bypass ASLR, and by default the info leak is used. The ntdll version should be
either v6.1.7601.17514 (the default dll version on a newly installed/unpatched
Windows 7 SP1), or ntdll.dll v6.1.7601.17725 (installed after apply MS12-001).
bypass ASLR, and by default the info leak is used. To make sure the leak is
successful, the ntdll version should be either v6.1.7601.17514 (the default dll
version on a newly installed/unpatched Windows 7 SP1), or ntdll.dll v6.1.7601.17725
(installed after apply MS12-001). If the target doesn't have the version the exploit
wants, it will refuse to attack by sending a fake 404 message (webpage not found).
If you wish to try the JRE6 component instead to bypass ASLR, you can set the
advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't
have this particular component, the exploit will refuse the attack.
have this particular component, the exploit will also refuse to attack by
sending a 404 message.
},
'License' => MSF_LICENSE,
'Author' =>
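Review bot: The typo "installed after apply MS12-001" survives the rewrite; it should read "installed after applying MS12-001". The new text also says to "set the advanced datastore option to 'JRE6'" without naming the option, so a user reading `info` cannot tell which datastore key to set; name it explicitly, e.g. "set the advanced option <NAME> to 'JRE6'". Otherwise the added wording about the fake 404 matches what the later hunks implement.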
@ -389,6 +381,7 @@ function exploit(){
rescue RuntimeError => e
# This one is just a warning, because it's a requirement check so it's not that scary.
print_warning(e.message)
send_not_found(cli)
return
end
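Review bot: Adding `send_not_found(cli)` in the `rescue RuntimeError` branch makes the requirement-check failure behave as the description now promises (refuse with a 404 instead of returning with no response), but the logged message does not say so. The ntdll branch logs "sending 404"; for consistency consider `print_warning("#{e.message}, sending 404")` so the operator sees the same signal in both refusal paths.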
@ -421,7 +414,7 @@ function exploit(){
@ntdll_version = "6.1.7601.17725" # MS12-001
@ntdll_base = leak - 0x47090
else
print_error("ntdll version not detected, sending 404: #{agent}")
print_warning("ntdll version not detected, sending 404: #{agent}")
send_not_found(cli)
return
end
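Review bot: Downgrading `print_error` to `print_warning` for the "ntdll version not detected" case is consistent with the requirement-check branch above, since an unsupported ntdll is an expected pre-check outcome rather than a module fault. The message already states "sending 404" and the branch does call `send_not_found(cli)` before returning, so the log and behaviour agree; no further change needed here.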