module
Microsoft WMI Administration Tools ActiveX Buffer Overflow
| Disclosed | Created |
|---|---|
| Dec 21, 2010 | May 30, 2018 |
Disclosed
Dec 21, 2010
Created
May 30, 2018
Description
This module exploits a memory trust issue in the Microsoft WMI
Administration tools ActiveX control. When processing a specially crafted
HTML page, the WEBSingleView.ocx ActiveX Control (1.50.1131.0) will treat
the 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods
as a trusted pointer. It makes an indirect call via this pointer which leads
to arbitrary code execution.
This exploit utilizes a combination of heap spraying and the
.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not
opt-in to ASLR. As such, this module should be reliable on all Windows
versions.
The WMI Administrative Tools are a standalone download & install (linked in the
references).
Administration tools ActiveX control. When processing a specially crafted
HTML page, the WEBSingleView.ocx ActiveX Control (1.50.1131.0) will treat
the 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods
as a trusted pointer. It makes an indirect call via this pointer which leads
to arbitrary code execution.
This exploit utilizes a combination of heap spraying and the
.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not
opt-in to ASLR. As such, this module should be reliable on all Windows
versions.
The WMI Administrative Tools are a standalone download & install (linked in the
references).
Authors
WooYun
MC mc@metasploit.com
jduck jduck@metasploit.com
MC mc@metasploit.com
jduck jduck@metasploit.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.