Metasploit mailing list archives

ie_createtextrange [Was: Problems getting IE exploits to run]


From: buffer at antifork.org (Angelo Dell'Aera)
Date: Tue, 20 Jun 2006 16:57:03 +0200

On Fri, 16 Jun 2006 00:53:36 -0400
"Wang, Kathy" <knwang at mitre.org> wrote:

Test Case 1:
- Windows XP Professional version 2002 (no patches) as victim machine
  with IE 6.0.2600.0000 browser
- Metasploit 2.6 on Gentoo Linux host
- Using ie_createtextrange exploit in Metasploit framework

Just a note about this scenario. During a client-side penetration test
I did last week I noticed that the exploit doesn't work properly. It
seems there's a huge request for heap memory that Windows isn't
able to satisfy, thus leading to an IE crash. So I tried modifying the
exploit this way:

-    while($memblock.length+$slidesize<0x40000)
+  while($memblock.length+$slidesize<0x32000)
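Review bot: the hunk carries no file header or `@@` context line, so it is unclear which file and line of the ie_createtextrange module it applies to; include the path and a few lines of surrounding context so others can apply it. The new bound 0x32000 is also an unexplained magic number, and the `+` line changes the indentation from four spaces to two; keep the original indentation and either add a short comment stating why the smaller bound was chosen (the heap request the message describes as too large for the target to satisfy) or lift the size into a named variable so the trade-off between allocation size and reliability is visible to anyone tuning it later.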

and it seems it works much more reliably, even in other scenarios I'm
testing these days.

Regards,

-- 

Angelo Dell'Aera 'buffer' 
Antifork Research, Inc.         http://buffer.antifork.org
Metro Olografix

PGP information in e-mail header

