Metasploit mailing list archives

ie_createtextrange [Was: Problems getting IE exploits to run]


From: knwang at mitre.org (Wang, Kathy)
Date: Tue, 20 Jun 2006 14:17:52 -0400

Angelo,

Thanks for the suggestion. I made the change as you suggested, and am
still getting the same result, unfortunately. Thanks anyways, and I'll
keep looking into it.

Kathy 

-----Original Message-----
From: Angelo Dell'Aera [mailto:buffer at antifork.org] 
Sent: Tuesday, June 20, 2006 10:57 AM
To: framework at metasploit.com
Subject: [framework] ie_createtextrange [Was: Problems getting IE
exploits to run]

On Fri, 16 Jun 2006 00:53:36 -0400
"Wang, Kathy" <knwang at mitre.org> wrote:

Test Case 1:
- Windows XP Professional version 2002 (no patches) as victim machine
  with IE 6.0.2600.0000 browser
- Metasploit 2.6 on Gentoo Linux host
- Using ie_createtextrange exploit in Metasploit framework

Just a note about this scenario. During a client-side penetration test
I did last week I noticed that the exploit doesn't work properly. It
seems there's a huge request for heap memory that Windows isn't
able to satisfy, thus leading to an IE crash. Thus I tried modifying the
exploit this way

-    while($memblock.length+$slidesize<0x40000)
+  while($memblock.length+$slidesize<0x32000)
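
Review bot: the new bound 0x32000 in the while condition is an unexplained magic number replacing another one (0x40000). Put it in a named variable with a comment recording why this value was chosen and which configuration it was tested against (the message mentions Windows XP Professional with IE 6.0.2600.0000), so later readers do not have to guess. The + line is also indented two spaces less than the - line it replaces; keep the original indentation so the patch changes only the constant.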

and it seems it works much more reliably, even in other scenarios I'm
testing these days.

Regards,

-- 

Angelo Dell'Aera 'buffer' 
Antifork Research, Inc.         http://buffer.antifork.org
Metro Olografix

PGP information in e-mail header




