• MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure
    Disclosure Date: 2014-09-09
    First seen: 2020-04-26
    auxiliary/gather/ms14_052_xmldom
    This module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames. It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you must supply your own list of file paths. Each file path should look like this: c:\\windows\\system32\\calc.exe Authors: - Soroush Dalili - sinn3r <sinn3r@metasploit.com>
  • MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
    Disclosure Date: 2013-10-08
    First seen: 2020-04-26
    exploit/windows/browser/ms13_080_cdisplaypointer
    This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a "onpropertychange" event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called "onselect". The "onselect" event will allow us to set up for the actual event handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger "onpropertychange". During "onpropertychange" event handling, a free of the CDisplayPointer object can be forced by using an "Unselect" (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user. Authors: - Unknown - sinn3r <sinn3r@metasploit.com>
  • MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free
    Disclosure Date: 2013-09-17
    First seen: 2020-04-26
    exploit/windows/browser/ie_setmousecapture_uaf
    This module exploits a use-after-free vulnerability that currents targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker first can setup two elements, where the second is the child of the first, and then setup a onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and pass on to more functions, eventuall this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack. Authors: - Unknown - sinn3r <sinn3r@metasploit.com> - Rich Lundeen
  • MS13-069 Microsoft Internet Explorer CCaret Use-After-Free
    Disclosure Date: 2013-09-10
    First seen: 2020-04-26
    exploit/windows/browser/ms13_069_caret
    This module exploits a use-after-free vulnerability found in Internet Explorer, specifically in how the browser handles the caret (text cursor) object. In IE's standards mode, the caret handling's vulnerable state can be triggered by first setting up an editable page with an input field, and then we can force the caret to update in an onbeforeeditfocus event by setting the body's innerHTML property. In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write() function, however, mshtml!CCaret::UpdateScreenCaret remains unaware of this change, and still uses the same reference to the CCaret object. When the function tries to use this invalid reference to call a virtual function at offset 0x2c, it finally results a crash. Precise control of the freed object allows arbitrary code execution under the context of the user. Authors: - corelanc0d3r - sinn3r <sinn3r@metasploit.com>
  • MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow
    Disclosure Date: 2013-03-06
    First seen: 2020-04-26
    exploit/windows/browser/ms13_037_svg_dashstyle
    This module exploits an integer overflow vulnerability on Internet Explorer. The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. The exploit has been built and tested specifically against Windows 7 SP1 with Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to bypass ASLR, and by default the info leak is used. To make sure the leak is successful, the ntdll version should be either v6.1.7601.17514 (the default dll version on a newly installed/unpatched Windows 7 SP1), or ntdll.dll v6.1.7601.17725 (installed after apply MS12-001). If the target doesn't have the version the exploit wants, it will refuse to attack by sending a fake 404 message (webpage not found). If you wish to try the JRE6 component instead to bypass ASLR, you can set the advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't have this particular component, the exploit will also refuse to attack by sending a 404 message. Authors: - Nicolas Joly - 4B5F5F4B - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>
  • MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability
    Disclosure Date: 2012-12-27
    First seen: 2020-04-26
    exploit/windows/browser/ie_cbutton_uaf
    This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers. Authors: - eromang - mahmud ab rahman - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com> - Peter Vreugdenhil
  • MS11-081 Microsoft Internet Explorer Option Element Use-After-Free
    Disclosure Date: 2012-10-11
    First seen: 2020-04-26
    exploit/windows/browser/ms11_081_option
    This module exploits a vulnerability in Microsoft Internet Explorer. A memory corruption may occur when the Option cache isn't updated properly, which allows other JavaScript methods to access a deleted Option element, and results in code execution under the context of the user. Authors: - Ivan Fratric - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>
  • MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
    Disclosure Date: 2012-09-14
    First seen: 2020-04-26
    exploit/windows/browser/ie_execcommand_uaf
    This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012. Also note that presently, this module has some target dependencies for the ROP chain to be valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default). For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which is often the case). Authors: - unknown - eromang - binjo - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>
  • MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow
    Disclosure Date: 2012-06-12
    First seen: 2020-04-26
    exploit/windows/browser/ms12_037_ie_colspan
    This module exploits a heap overflow vulnerability in Internet Explorer caused by an incorrect handling of the span attribute for col elements from a fixed table, when they are modified dynamically by javascript code. Authors: - Alexandre Pelletier - mr_me <steventhomasseeley@gmail.com> - binjo - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>
  • MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption
    Disclosure Date: 2010-11-03
    First seen: 2020-04-26
    exploit/windows/browser/ms10_090_ie_css_clip
    This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead arbitrary code execution. It seems like Microsoft code inadvertently increments a vtable pointer to point to an unaligned address within the vtable's function pointers. This leads to the program counter being set to the address determined by the address "[vtable+0x30+1]". The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable. Specifically, those ending up with a program counter value within another module, in kernel space, or just not able to be reached with various memory spraying techniques. Also, since the address is not controllable, it is unlikely to be possible to use ROP to bypass non-executable memory protections. Authors: - unknown - Yuange - Matteo Memelli - jduck <jduck@metasploit.com>
  • MS10-018 Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption
    Disclosure Date: 2010-03-09
    First seen: 2020-04-26
    exploit/windows/browser/ms10_018_ie_tabular_activex
    This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the "DataURL" parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code. Authors: - Unknown - jduck <jduck@metasploit.com>
  • MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
    Disclosure Date: 2010-03-09
    First seen: 2020-04-26
    exploit/windows/browser/ms10_018_ie_behaviors
    This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in-the-wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, "The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which deref the reference and clean the object." NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected. Authors: - unknown - Trancer <mtrancer@gmail.com> - Nanika - jduck <jduck@metasploit.com>
  • MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free
    Disclosure Date: 2010-01-21
    First seen: 2020-04-26
    exploit/windows/browser/ms10_002_ie_object
    This module exploits a vulnerability found in Internet Explorer's mshtml component. Due to the way IE handles objects in memory, it is possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext to be used even after it gets freed, therefore allowing remote code execution under the context of the user. This particular vulnerability was also one of 2012's Pwn2Own challenges, and was later explained by Peter Vreugdenhil with exploitation details. Instead of Peter's method, this module uses heap spraying like the 99% to store a specially crafted memory layout before re-using the freed memory. Authors: - Peter Vreugdenhil - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>
  • MS09-072 Microsoft Internet Explorer Style getElementsByTagName Memory Corruption
    Disclosure Date: 2009-11-20
    First seen: 2020-04-26
    exploit/windows/browser/ms09_072_style_object
    This module exploits a vulnerability in the getElementsByTagName function as implemented within Internet Explorer. Authors: - securitylab.ir <K4mr4n_st@yahoo.com> - jduck <jduck@metasploit.com>
  • MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption
    Disclosure Date: 2008-12-07
    First seen: 2020-04-26
    exploit/windows/browser/ms08_078_xml_corruption
    This module exploits a vulnerability in the data binding feature of Internet Explorer. In order to execute code reliably, this module uses the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is used to create a fake vtable at a known location with all methods pointing to our payload. Since the .text segment of the .NET DLL is non-writable, a prefixed code stub is used to copy the payload into a new memory segment and continue execution from there. Authors: - hdm <x@hdm.io>
  • Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)
    Disclosure Date: 2007-03-28
    First seen: 2020-04-26
    exploit/windows/email/ms07_017_ani_loadimage_chunksize
    This module exploits a buffer overflow vulnerability in the LoadAniIcon() function of USER32.dll. The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee. Authors: - hdm <x@hdm.io> - skape <mmiller@hick.org>
16 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!