This module exploits a use-after-free vulnerability that currents targets Internet
Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11.
It was initially found in the wild in Japan, but other regions such as English,
Chinese, Korean, etc, were targeted as well.
The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a
reference during an event. An attacker first can setup two elements, where the second
is the child of the first, and then setup a onlosecapture event handler for the parent
element. The onlosecapture event seems to require two setCapture() calls to trigger,
one for the parent element, one for the child. When the setCapture() call for the child
element is called, it finally triggers the event, which allows the attacker to cause an
arbitrary memory release using document.write(), which in particular frees up a 0x54-byte
memory. The exact size of this memory may differ based on the version of IE. After the
free, an invalid reference will still be kept and pass on to more functions, eventuall
this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary
code execution) when this function attempts to use this reference to call what appears to
be a PrivateQueryInterface due to the offset (0x00).
To mimic the same exploit found in the wild, this module will try to use the same DLL
from Microsoft Office 2007 or 2010 to leverage the attack.
- sinn3r <email@example.com>
- Rich Lundeen