MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a "onpropertychange" event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called "onselect". The "onselect" event will allow us to set up for the actual event handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger "onpropertychange". During "onpropertychange" event handling, a free of the CDisplayPointer object can be forced by using an "Unselect" (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user.
- sinn3r <sinn3r [at] metasploit.com>
- IE 7 on Windows XP SP3
- IE 8 on Windows XP SP3
- IE 8 on Windows 7
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/windows/browser/ms13_080_cdisplaypointer msf exploit(ms13_080_cdisplaypointer) > show targets ...targets... msf exploit(ms13_080_cdisplaypointer) > set TARGET <target-id> msf exploit(ms13_080_cdisplaypointer) > show options ...show and set options... msf exploit(ms13_080_cdisplaypointer) > exploit