This Metasploit module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead arbitrary code execution. It seems like Microsoft code inadvertently increments a vtable pointer to point to an unaligned address within the vtable's function pointers. This leads to the program counter being set to the address determined by the address "[vtable+0x30+1]". The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable. Specifically, those ending up with a program counter value within another module, in kernel space, or just not able to be reached with various memory spraying techniques. Also, since the address is not controllable, it is unlikely to be possible to use ROP to bypass non-executable memory protections.
c5af90428a60eae212629d6165cc2ab369c2d3111464b63c3d7505ceda36a191
iDefense Security Advisory 12.14.10 - Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Internet Explorer could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability exists due to an uninitialized variable in the "CLayout::EnsureDispNode" method. This method is called to recalculate the location of various HTML elements within the page. This function passes a "CDispNodeInfo" object to another function, "CLayout::GetDispNodeInfo," which is supposed to initialize the object passed in; however, the function fails to properly initialize a flag's value that is used later to determine how many "extra" bytes to allocate for a heap buffer. This eventually leads to an undersized buffer being allocated to hold a "CDispClipNode" object in the "CLayout::EnsureDispNodeCore" function. The vulnerability manifests itself when the "CDispNode::SetUserClip" function attempts to use the invalid "extra size" to calculate an offset into the object and manipulate a bit at this location. This corrupts the objects VTABLE by setting the second bit to 1, which can lead to the execution of arbitrary code when this pointer is accessed later. Microsoft Internet Explorer 6, 7 and 8 are vulnerable.
71219e3d4aa0a8af4a6f70f59166543e9d763cb490d82b8b85ea2ee887b4898d
This Metasploit module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead arbitrary code execution.
b5f68cfc74a96815adebfeab5b901e1febc67c4cb41f55ca40098dbd8d7ac9ff
Microsoft Internet Explorer versions 6, 7 and 8 memory corruption exploit.
31684eb156a1877d3e7a41622e50d6e6c00769cce04fc282658316fb9370a72d