CVE-2013-3896

Related Files

Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access

Posted Nov 26, 2013

Authored by Vitaliy Toropov, juan vazquez, James Forshaw | Site metasploit.com

This Metasploit module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This Metasploit module has been tested successfully on IE6 - IE10, Windows XP SP3 / Windows 7 SP1 on both x32 and x64 architectures.

tags | exploit, arbitrary, code execution, bug bounty, packet storm

systems | windows

advisories | CVE-2013-0074, CVE-2013-3896, OSVDB-91147, OSVDB-98223

SHA-256 | 3905f49c6a63195a8b150b72b89466bf89d932607328806dbfade7ebf03e25ce

Download | Favorite | View

Packet Storm Advisory 2013-1022-1 - Microsoft Silverlight Invalid Typecast / Memory Disclosure

Posted Oct 23, 2013

Authored by Vitaliy Toropov | Site packetstormsecurity.com

Microsoft Silverlight 5 suffers from invalid typecast and memory disclosure vulnerabilities that, when leveraged together, allow for arbitrary code execution. A memory disclosure vulnerability exists in the public WriteableBitmap class from System.Windows.dll. This class allows reading of image pixels from the user-defined data stream via the public SetSource() method. BitmapSource.ReadStream() allocates and returns byte array and a count of array items as out parameters. These returned values are taken from the input stream and they can be fully controlled by the untrusted code. When returned "count" is greater than "array.Length", then data outside the "array" are used as input stream data by the native BitmapSource_SetSource() from agcore.dll. Later all data can be viewed via the public WriteableBitmap.Pixels[] property. Exploitation details related to these findings were purchased through the Packet Storm Bug Bounty program.

tags | advisory, arbitrary, vulnerability, code execution, bug bounty, packet storm

systems | windows

advisories | CVE-2013-0074, CVE-2013-3896

SHA-256 | 3bb4d92511f689e34dee499a420b6463240d5b229dbaa5033abb953fb0ba3421

Download | Favorite | View

Packet Storm Exploit 2013-1022-1 - Microsoft Silverlight Invalid Typecast / Memory Disclosure

Posted Oct 23, 2013

Authored by Vitaliy Toropov | Site packetstormsecurity.com

This exploit leverages both invalid typecast and memory disclosure vulnerabilities in Microsoft Silverlight 5 in order to achieve code execution. This exploit code demonstrates remote code execution by popping calc.exe. It was obtained through the Packet Storm Bug Bounty program. Google flags this as malware so only use this if you know what you are doing. The password to unarchive this zip is the word "infected".

tags | exploit, remote, vulnerability, code execution, bug bounty, packet storm

systems | windows

advisories | CVE-2013-0074, CVE-2013-3896

SHA-256 | 52cb4ddd1cdf46517f03dc3f821a50041e929ed003d1d7575ad883ef43571280

Download | Favorite | View