
Update information about original discovery #2363

Merged
merged 1 commit into from Sep 13, 2013

Conversation

wchen-r7 (Contributor)

Update info about original discovery. See #2337 too.

Update info about original discovery. See rapid7#2337 too.

todb-r7 commented Sep 13, 2013

Travis looks like it crapped out on this, running rspec locally


todb-r7 commented Sep 13, 2013

Info looks good:

msf > info exploit/windows/browser/ms13_055_canchor 

       Name: MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free
     Module: exploit/windows/browser/ms13_055_canchor
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Jose Antonio Vazquez Gonzalez
  Orange Tsai
  Peter Vreugdenhil
  sinn3r <sinn3r@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   IE 8 on Windows XP SP3
  2   IE 8 on Windows 7

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT     8080             yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                      no        The URI to use for this exploit (default is random)

Payload information:
  Avoid: 1 characters

Description:
  In IE8 standards mode, it's possible to cause a use-after-free 
  condition by first creating an illogical table tree, where a 
  CPhraseElement comes after CTableRow, with the final node being a 
  sub table element. When the CPhraseElement's outer content is reset 
  by using either outerText or outerHTML through an event handler, 
  this triggers a free of its child element (in this case, a 
  CAnchorElement, but some other objects apply too), but a reference 
  is still kept in function SRunPointer::SpanQualifier. This function 
  will then pass on the invalid reference to the next functions, 
  eventually used in mshtml!CElement::Doc when it's trying to make a 
  call to the object's SecurityContext virtual function at offset 
  +0x70, which results a crash. An attacker can take advantage of this 
  by first creating an CAnchorElement object, let it free, and then 
  replace the freed memory with another fake object. Successfully 
  doing so may allow arbitrary code execution under the context of the 
  user. This bug is specific to Internet Explorer 8 only. It was 
  originally discovered by Jose Antonio Vazquez Gonzalez and reported 
  to iDefense, but was discovered again by Orange Tsai at Hitcon 2013.

References:
  http://cvedetails.com/cve/2013-3163/
  http://www.osvdb.org/94981
  http://www.microsoft.com/technet/security/bulletin/MS13-055.mspx
  https://speakerd.s3.amazonaws.com/presentations/0df98910d26c0130e8927e81ab71b214/for-share.pdf


todb-r7 commented Sep 13, 2013

Looks like Travis is unscrewed now; local rspec checks out.

Finished in 4 minutes 10.4 seconds
1512 examples, 0 failures, 21 pending

todb-r7 pushed a commit that referenced this pull request Sep 13, 2013
@todb-r7 todb-r7 merged commit 4847976 into rapid7:master Sep 13, 2013