Metasploit modules that can be used to exploit Microsoft » Internet Explorer » 8

This module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames. It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you must supply your own list of file paths. Each file path should look like this: c:\\windows\\system32\\calc.exe Authors: - Soroush Dalili - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a "onpropertychange" event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called "onselect". The "onselect" event will allow us to set up for the actual event handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger "onpropertychange". During "onpropertychange" event handling, a free of the CDisplayPointer object can be forced by using an "Unselect" (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user. Authors: - Unknown - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a use-after-free vulnerability that currents targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker first can setup two elements, where the second is the child of the first, and then setup a onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and pass on to more functions, eventuall this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack. Authors: - Unknown - sinn3r <sinn3r@metasploit.com> - Rich Lundeen

More information

This module exploits a use-after-free vulnerability found in Internet Explorer, specifically in how the browser handles the caret (text cursor) object. In IE's standards mode, the caret handling's vulnerable state can be triggered by first setting up an editable page with an input field, and then we can force the caret to update in an onbeforeeditfocus event by setting the body's innerHTML property. In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write() function, however, mshtml!CCaret::UpdateScreenCaret remains unaware of this change, and still uses the same reference to the CCaret object. When the function tries to use this invalid reference to call a virtual function at offset 0x2c, it finally results a crash. Precise control of the freed object allows arbitrary code execution under the context of the user. Authors: - corelanc0d3r - sinn3r <sinn3r@metasploit.com>

More information

In IE8 standards mode, it's possible to cause a use-after-free condition by first creating an illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being a sub table element. When the CPhraseElement's outer content is reset by using either outerText or outerHTML through an event handler, this triggers a free of its child element (in this case, a CAnchorElement, but some other objects apply too), but a reference is still kept in function SRunPointer::SpanQualifier. This function will then pass on the invalid reference to the next functions, eventually used in mshtml!CElement::Doc when it's trying to make a call to the object's SecurityContext virtual function at offset +0x70, which results a crash. An attacker can take advantage of this by first creating an CAnchorElement object, let it free, and then replace the freed memory with another fake object. Successfully doing so may allow arbitrary code execution under the context of the user. This bug is specific to Internet Explorer 8 only. It was originally discovered by Jose Antonio Vazquez Gonzalez and reported to iDefense, but was discovered again by Orange Tsai at Hitcon 2013. Authors: - Jose Antonio Vazquez Gonzalez - Orange Tsai - Peter Vreugdenhil - sinn3r <sinn3r@metasploit.com>

More information

This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9, it seems to only affect certain releases of mshtml.dll, ranging from a newly installed IE9 (9.0.8112.16446), to 9.00.8112.16502 (July 2013 update). IE8 requires a different way to trigger the vulnerability, but not currently covered by this module. The issue is specific to the browser's IE7 document compatibility, which can be defined in X-UA-Compatible, and the content editable mode must be enabled. An "onmove" event handler is also necessary to be able to trigger the bug, and the event will be run twice before the crash. The first time is due to the position change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftable' object is created during a "SelectAll" command, and this object will be used later on for the crash. The second onmove event seems to be triggered by a InsertButton (or Insert-whatever) command, which is also responsible for the free of object CFlatMarkupPointer during page rendering. The EnsureRecalcNotify() function will then still return an invalid reference to CFlatMarkupPointer (stored in EBX), and then passes this on to the next functions (GetLineInfo -> QIClassID). When this reference arrives in function QIClassID, an access violation finally occurs when the function is trying to call QueryInterface() with the bad reference, and this results a crash. Successful control of the freed memory may leverage arbitrary code execution under the context of the user. Note: It is also possible to see a different object being freed and used, doesn't always have to be CFlatMarkupPointer. Authors: - corelanc0d3r - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website. Authors: - Unknown - EMH - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>

More information

This module exploits an integer overflow vulnerability on Internet Explorer. The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. The exploit has been built and tested specifically against Windows 7 SP1 with Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to bypass ASLR, and by default the info leak is used. To make sure the leak is successful, the ntdll version should be either v6.1.7601.17514 (the default dll version on a newly installed/unpatched Windows 7 SP1), or ntdll.dll v6.1.7601.17725 (installed after apply MS12-001). If the target doesn't have the version the exploit wants, it will refuse to attack by sending a fake 404 message (webpage not found). If you wish to try the JRE6 component instead to bypass ASLR, you can set the advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't have this particular component, the exploit will also refuse to attack by sending a 404 message. Authors: - Nicolas Joly - 4B5F5F4B - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a use-after-free vulnerability in Microsoft Internet Explorer where a CParaElement node is released but a reference is still kept in CDoc. This memory is reused when a CDoc relayout is performed. Authors: - Scott Bell <scott.bell@security-assessment.com>

More information

This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers. Authors: - eromang - mahmud ab rahman - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com> - Peter Vreugdenhil

More information

This module exploits a vulnerability in Microsoft Internet Explorer. A memory corruption may occur when the Option cache isn't updated properly, which allows other JavaScript methods to access a deleted Option element, and results in code execution under the context of the user. Authors: - Ivan Fratric - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012. Also note that presently, this module has some target dependencies for the ROP chain to be valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default). For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which is often the case). Authors: - unknown - eromang - binjo - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a heap overflow vulnerability in Internet Explorer caused by an incorrect handling of the span attribute for col elements from a fixed table, when they are modified dynamically by javascript code. Authors: - Alexandre Pelletier - mr_me <steventhomasseeley@gmail.com> - binjo - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging as well as the heap spray method seen in the wild (Java msvcrt71.dll). Authors: - Dark Son - Unknown - Yichong Lin - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a use-after-free vulnerability in Internet Explorer. The vulnerability occurs when an invalid <object> tag exists and other elements overlap/cover where the object tag should be when rendered (due to their styles/positioning). The mshtml!CObjectElement is then freed from memory because it is invalid. However, the mshtml!CDisplay object for the page continues to keep a reference to the freed <object> and attempts to call a function on it, leading to the use-after-free. Please note that for IE 8 targets, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention). Authors: - d0c_s4vage - sinn3r <sinn3r@metasploit.com> - bannedit <bannedit@metasploit.com>

More information

This module exploits a memory corruption vulnerability within Microsoft\'s HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed. Authors: - passerby - d0c_s4vage - jduck <jduck@metasploit.com>

More information

This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead arbitrary code execution. It seems like Microsoft code inadvertently increments a vtable pointer to point to an unaligned address within the vtable's function pointers. This leads to the program counter being set to the address determined by the address "[vtable+0x30+1]". The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable. Specifically, those ending up with a program counter value within another module, in kernel space, or just not able to be reached with various memory spraying techniques. Also, since the address is not controllable, it is unlikely to be possible to use ROP to bypass non-executable memory protections. Authors: - unknown - Yuange - Matteo Memelli - jduck <jduck@metasploit.com>

More information

This module exploits a vulnerability found in Internet Explorer's mshtml component. Due to the way IE handles objects in memory, it is possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext to be used even after it gets freed, therefore allowing remote code execution under the context of the user. This particular vulnerability was also one of 2012's Pwn2Own challenges, and was later explained by Peter Vreugdenhil with exploitation details. Instead of Peter's method, this module uses heap spraying like the 99% to store a specially crafted memory layout before re-using the freed memory. Authors: - Peter Vreugdenhil - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the "Operation Aurora" attacks that lead to the compromise of a number of high profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample, as such, only Internet Explorer 6 can be reliably exploited. Authors: - unknown - hdm <x@hdm.io>

More information