module
MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free
| Disclosed | Created |
|---|---|
| 2010-01-21 | 2018-05-30 |
Disclosed
2010-01-21
Created
2018-05-30
Description
This module exploits a vulnerability found in Internet Explorer's
mshtml component. Due to the way IE handles objects in memory, it is
possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext
to be used even after it gets freed, therefore allowing remote code
execution under the context of the user.
This particular vulnerability was also one of 2012's Pwn2Own
challenges, and was later explained by Peter Vreugdenhil with exploitation
details. Instead of Peter's method, this module uses heap spraying like
the 99% to store a specially crafted memory layout before re-using the
freed memory.
mshtml component. Due to the way IE handles objects in memory, it is
possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext
to be used even after it gets freed, therefore allowing remote code
execution under the context of the user.
This particular vulnerability was also one of 2012's Pwn2Own
challenges, and was later explained by Peter Vreugdenhil with exploitation
details. Instead of Peter's method, this module uses heap spraying like
the 99% to store a specially crafted memory layout before re-using the
freed memory.
Authors
Peter Vreugdenhil
juan vazquez juan.vazquez@metasploit.com
sinn3r sinn3r@metasploit.com
juan vazquez juan.vazquez@metasploit.com
sinn3r sinn3r@metasploit.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.