MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free

This module exploits a use-after-free vulnerability. It currently targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc., were targeted as well.

The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker can first set up two elements, where the second is the child of the first, and then set up an onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger: one for the parent element and one for the child. The setCapture() call for the child element is what finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(); in particular, this frees a 0x54-byte block of memory. The exact size of this block may differ based on the version of IE.

After the free, an invalid reference is still kept and passed on to more functions. It eventually arrives in the function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution) when this function attempts to use the reference to call what appears to be a PrivateQueryInterface, judging by the offset (0x00). To mimic the exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.

Module Name

exploit/windows/browser/ie_setmousecapture_uaf

Authors

  • Unknown
  • sinn3r <sinn3r [at] metasploit.com>
  • Rich Lundeen

Targets

  • Automatic
  • Windows 7 with Office 2007|2010
  • Windows XP with IE 8

Platforms

  • windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use exploit/windows/browser/ie_setmousecapture_uaf
    msf exploit(ie_setmousecapture_uaf) > show targets
        ...targets...
    msf exploit(ie_setmousecapture_uaf) > set TARGET <target-id>
    msf exploit(ie_setmousecapture_uaf) > show options
        ...show and set options...
    msf exploit(ie_setmousecapture_uaf) > exploit
