Metasploit modules that can be used to exploit Microsoft products

This module exploits a use-after-free vulnerability in Microsoft Internet Explorer where a CParaElement node is released but a reference is still kept in CDoc. This memory is reused when a CDoc relayout is performed. Authors: - Scott Bell <scott.bell@security-assessment.com>

More information

This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers. Authors: - eromang - mahmud ab rahman - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com> - Peter Vreugdenhil

More information

Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation. This issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and RT. Note that spawning a command prompt with the shortcut key combination Win+Shift+# does not work in Vista, so the attacker will have to check if the user is already running a command prompt and set SPAWN_PROMPT false. Three exploit techniques are available with this module. The WEB technique will execute a powershell encoded payload from a Web location. The FILE technique will drop an executable to the file system, set it to medium integrity and execute it. The TYPE technique will attempt to execute a powershell encoded payload directly from the command line, but may take some time to complete. Authors: - Tavis Ormandy - Axel Souchet - Ben Campbell <eat_meatballs@hotmail.co.uk>

More information

This module exploits a vulnerability in Microsoft Internet Explorer. A memory corruption may occur when the Option cache isn't updated properly, which allows other JavaScript methods to access a deleted Option element, and results in code execution under the context of the user. Authors: - Ivan Fratric - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012. Also note that presently, this module has some target dependencies for the ROP chain to be valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default). For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which is often the case). Authors: - unknown - eromang - binjo - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors. By design, 64-bit processors following the X86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register. However, Intel processors check for a non-canonical address prior to dropping privileges, causing a GPF in privileged mode. As a result, the current userland RSP stack pointer is restored and executed, resulting in privileged code execution. This module has been tested successfully on: FreeBSD 8.3-RELEASE (amd64); and FreeBSD 9.0-RELEASE (amd64). Authors: - Rafal Wojtczuk - John Baldwin - iZsh - bcoles <bcoles@gmail.com>

More information

This module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging as well as the heap spray method seen in the wild (Java msvcrt71.dll). Authors: - Dark Son - Unknown - Yichong Lin - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a heap overflow vulnerability in Internet Explorer caused by an incorrect handling of the span attribute for col elements from a fixed table, when they are modified dynamically by javascript code. Authors: - Alexandre Pelletier - mr_me <steventhomasseeley@gmail.com> - binjo - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a memory corruption flaw in Microsoft XML Core Services when trying to access an uninitialized Node with the getDefinition API, which may corrupt memory allowing remote code execution. Authors: - inking26 - binjo - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses "msgr3en.dll", which will load after office got load, so the malicious file must be loaded through "File / Open" to achieve exploitation. Authors: - Unknown - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>

More information

This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw can be found in the way the T.125 ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result an invalid pointer being used, therefore causing a denial-of-service condition. Authors: - Luigi Auriemma - Daniel Godas-Lopez - Alex Ionescu - jduck <jduck@metasploit.com> - #ms12-020

More information

This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using the Windows Media Player ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation being higher than what is available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing us to either "inc al" or "dec al" a byte. This can be used to corrupt an array (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. Note: At this time, for IE 8 target, msvcrt ROP is used by default. However, if you know your target's patch level, you may also try the 'MSHTML' advanced option for an info leak based attack. Currently, this module only supports two MSHTML builds: 8.0.6001.18702, which is often seen in a newly installed XP SP3. Or 8.0.6001.19120, which is patch level before the MS12-004 fix. Also, based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop. Authors: - Shane Garrett - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a vulnerability found in Microsoft Office's ClickOnce feature. When handling a Macro document, the application fails to recognize certain file extensions as dangerous executables, which can be used to bypass the warning message. This can allow attackers to trick victims into opening the malicious document, which will load up either a python or ruby payload, and finally, download and execute an executable. Authors: - Yorick Koster - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a type confusion vulnerability in the OLE32 component of Windows XP SP3. The vulnerability exists in the CPropertyStorage::ReadMultiple function. A Visio document with a specially crafted Summary Information Stream embedded allows to get remote code execution through Internet Explorer, on systems with Visio Viewer installed. Authors: - Luigi Auriemma - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability. Authors: - Matteo Memelli - Spencer McIntyre

More information

This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack- based buffer overflow. This results in arbitrary code execution under the context of the user. Authors: - Aniway - Unknown - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a use-after-free vulnerability in Internet Explorer. The vulnerability occurs when an invalid <object> tag exists and other elements overlap/cover where the object tag should be when rendered (due to their styles/positioning). The mshtml!CObjectElement is then freed from memory because it is invalid. However, the mshtml!CDisplay object for the page continues to keep a reference to the freed <object> and attempts to call a function on it, leading to the use-after-free. Please note that for IE 8 targets, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention). Authors: - d0c_s4vage - sinn3r <sinn3r@metasploit.com> - bannedit <bannedit@metasploit.com>

More information

This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll as distributed with Windows Vista and later without KB2509553. By sending a specially crafted LLMNR query, containing a leading '.' character, an attacker can trigger stack exhaustion or potentially cause stack memory corruption. Although this vulnerability may lead to code execution, it has not been proven to be possible at the time of this writing. NOTE: In some circumstances, a '.' may be found before the top of the stack is reached. In these cases, this module may not be able to cause a crash. Authors: - jduck <jduck@metasploit.com>

More information

This module triggers a heap overflow when processing a specially crafted FTP request containing Telnet IAC (0xff) bytes. When constructing the response, the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes. This issue can be triggered pre-auth and may in fact be exploitable for remote code execution. Authors: - Matthew Bergin - jduck <jduck@metasploit.com>

More information

This module exploits a memory trust issue in the Microsoft WMI Administration tools ActiveX control. When processing a specially crafted HTML page, the WEBSingleView.ocx ActiveX Control (1.50.1131.0) will treat the 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods as a trusted pointer. It makes an indirect call via this pointer which leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. The WMI Administrative Tools are a standalone download & install (linked in the references). Authors: - WooYun - MC <mc@metasploit.com> - jduck <jduck@metasploit.com>

More information