Rapid7 VulnDB

MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free

Disclosed: 09/17/2013
Created: 05/30/2018

Description

This module exploits a use-after-free vulnerability. It currently targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc., were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker can first set up two elements, where the second is the child of the first, and then set up an onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element and one for the child. When setCapture() is called for the child element, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(); in particular, this frees a 0x54-byte block of memory. The exact size of this block may differ based on the version of IE. After the free, an invalid reference is still kept and passed on to more functions. Eventually it arrives in the function MSHTML!CTreeNode::GetInterface, causing a crash (or arbitrary code execution) when this function attempts to use the reference to call what appears to be PrivateQueryInterface, judging by the offset (0x00). To mimic the exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
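The lifetime problem described above, reduced to a small C model of a pointer held across an event callback. This is an added illustration, not code from the module or from MSHTML. All type and function names are hypothetical, a `destroyed` flag stands in for the real free so the stale state can be observed safely, and holding a reference across the event is shown as the general mitigation pattern, not as Microsoft's patch.

```c
#include <stdio.h>

/* Hypothetical model of the lifetime bug; none of these names are MSHTML's. */
typedef struct Node { int refs; int destroyed; } Node;
typedef struct Doc {
    Node *tree[2];                          /* parent and child, owned by the tree */
    Node *capture;                          /* element that currently has capture */
    void (*on_lose_capture)(struct Doc *);  /* script-supplied event handler */
} Doc;

static void node_release(Node *n) {
    if (--n->refs == 0) n->destroyed = 1;   /* stands in for free() */
}

/* Models the handler calling document.write(): the old tree is torn down. */
static void rewrite_document(Doc *d) {
    for (int i = 0; i < 2; i++)
        if (d->tree[i]) { node_release(d->tree[i]); d->tree[i] = NULL; }
    d->capture = NULL;
}

/* Returns 1 if the code running after the event would use a destroyed node. */
static int set_capture(Doc *d, Node *next, int pin) {
    Node *old = d->capture;                 /* pointer kept across the event */
    int stale = 0;
    if (old) {
        if (pin) old->refs++;               /* mitigation: own a reference first */
        if (d->on_lose_capture) d->on_lose_capture(d);  /* handler runs here */
        stale = old->destroyed;             /* state later code would rely on */
        if (pin) node_release(old);         /* drop the temporary reference */
    }
    if (!next->destroyed) d->capture = next;
    return stale;
}

/* Parent takes capture, then the child: the second call fires the event. */
static int run_scenario(int pin) {
    Node parent = {1, 0}, child = {1, 0};
    Doc d = {{&parent, &child}, NULL, rewrite_document};
    set_capture(&d, &parent, pin);
    return set_capture(&d, &child, pin);
}

int main(void) {
    printf("borrowed pointer: stale=%d\n", run_scenario(0));
    printf("pinned reference: stale=%d\n", run_scenario(1));
    return 0;
}
```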

Author(s)

  • Unknown
  • sinn3r <sinn3r@metasploit.com>
  • Rich Lundeen

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/ie_setmousecapture_uaf
msf exploit(ie_setmousecapture_uaf) > show targets
    ...targets...
msf exploit(ie_setmousecapture_uaf) > set TARGET < target-id >
msf exploit(ie_setmousecapture_uaf) > show options
    ...show and set options...
msf exploit(ie_setmousecapture_uaf) > exploit
