Vulnerability Information
When Internet Explorer opens the attack page, the CMshtmlEd object is deleted and released while a pointer to it is still held, and the released memory is then reused, resulting in a use-after-free.
Affected Systems:
Microsoft Internet Explorer 9.x
Microsoft Internet Explorer 8.x
Microsoft Internet Explorer 7.x
Release date: 2012-09-17
Vulnerability source information:
http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/
Vulnerability Type: Use-After-Free
Crash info
Open exploit.htm with IE and an exception occurs. The stack at the time of the crash is as follows:
Vulnerability Analysis
The exception occurs in CMshtmlEd::Exec(), because objMshtmlEd has been overwritten, so the virtual function call made through its vtable dereferences attacker-controlled data and control flow is hijacked.
Look at the code in the POC. When document.execCommand("SelectAll") is executed, the CBase::execCommand() function is called. Its first parameter is the string naming the command to execute, and the function checks whether that command is valid.
Execution continues in mshtml!CEditRouter::ExecEditCommand. This function calls CEditRouter::SetInternalEditHandler to set the command event handler and create a CMshtmlEd object.
mshtml!CEditRouter::SetInternalEditHandler internally calls mshtml!CDoc::GetHTMLEditor to obtain the editor for the page, and then uses mshtml!CHTMLEditor::AddCommandTarget to create and initialize a command target:
    int __stdcall CHTMLEditor::AddCommandTarget()
    {
        // allocate the command target that will later be used after free
        CMshtmlEd *pEd = new CMshtmlEd();
        if (NULL != pEd && pEd->Initialize())
        {
            // store the new target in the editor's pointer array (CImplPtrAry)
            return CImplPtrAry::Append(pEd);
        }
        return 0x8007000E;  // E_OUTOFMEMORY
    }
The event handler is then executed.
The handler for selectAll set in the POC is TestArray(), and the command executed by execCommand is selectAll,
so here the CSelectAllCommand object is obtained and its exec function is called.
The document.write("xxx") call inside TestArray() deletes vecObjMgr in the document, so the previously allocated CMshtmlEd object is deleted along with it.
When execution of the selectAll command continues, objMshtmlEd has already been freed, and continuing to dereference it causes the program exception. In TestArray, parent.xxx.src = "AAAA\u0c08\u0c0caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" is used to occupy the address of the freed CMshtmlEd object and thereby control EIP.
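The following C++ program is an added example, not code from the page or from mshtml. It models the lifetime problem just described in miniature: a command target is created, a script handler runs in the middle of the command and tears down the document (the document.write step), and the command then touches its target. The class names (CommandTarget, SelectAllTarget, Document) are stand-ins for CMshtmlEd, CHTMLEditor and CDoc and are assumptions, as is the use of shared_ptr/weak_ptr, which here plays the role of AddRef/Release. The non-owning path detects the freed object with a weak_ptr instead of dereferencing dangling memory, so the demo runs cleanly; the owning path shows the defensive fix of keeping a strong reference for the whole duration of the command.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Hypothetical model of the CMshtmlEd lifetime bug (added example, not mshtml code).
// Models CMshtmlEd: a command target that is reached through a virtual call.
struct CommandTarget {
    virtual ~CommandTarget() = default;
    virtual std::string Exec(const std::string& cmd) = 0;
};

struct SelectAllTarget : CommandTarget {
    std::string Exec(const std::string& cmd) override { return "executed " + cmd; }
};

// Models the document/editor: it owns its command targets (the CImplPtrAry) and
// can be rewritten by script while a command is still running.
struct Document {
    std::vector<std::shared_ptr<CommandTarget>> targets;   // stands in for CImplPtrAry
    std::function<void(Document&)> onSelectAll;            // stands in for the JS handler

    // Stand-in for CHTMLEditor::AddCommandTarget: allocate and register a target.
    std::shared_ptr<CommandTarget> AddCommandTarget() {
        auto t = std::make_shared<SelectAllTarget>();
        targets.push_back(t);
        return t;
    }
    // Stand-in for document.write(): old document state is torn down and every
    // command target is released, which is the release the analysis describes.
    void Write(const std::string&) { targets.clear(); }
};

// Vulnerable pattern: the command keeps only a non-owning reference across the
// script callback. Returns true when the target was freed under the caller.
// weak_ptr is used purely as a tripwire so this demo never touches freed memory;
// the real code would dereference a dangling CMshtmlEd* at this point.
bool ExecCommandNonOwning(Document& doc) {
    std::weak_ptr<CommandTarget> ref = doc.AddCommandTarget();
    if (doc.onSelectAll) doc.onSelectAll(doc);   // handler (TestArray) runs mid-command
    if (ref.expired()) return true;              // object is gone: use-after-free point
    ref.lock()->Exec("selectAll");
    return false;
}

// Hardened pattern: hold an owning reference (AddRef) for the whole command so
// script running inside the handler cannot free the object out from under us.
std::string ExecCommandOwning(Document& doc) {
    std::shared_ptr<CommandTarget> target = doc.AddCommandTarget();
    if (doc.onSelectAll) doc.onSelectAll(doc);
    return target->Exec("selectAll");            // still alive: vtable call is safe
}

// Scenario helpers: build a document whose selectAll handler rewrites the
// document (as in the POC) or does nothing, then run each command variant.
bool ScenarioNonOwning(bool handlerRewritesDocument) {
    Document doc;
    if (handlerRewritesDocument) doc.onSelectAll = [](Document& d) { d.Write("xxx"); };
    return ExecCommandNonOwning(doc);
}

std::string ScenarioOwning() {
    Document doc;
    doc.onSelectAll = [](Document& d) { d.Write("xxx"); };
    return ExecCommandOwning(doc);
}

int main() {
    std::cout << std::boolalpha
              << "non-owning ref freed during handler: " << ScenarioNonOwning(true) << "\n"
              << "non-owning ref, benign handler:      " << ScenarioNonOwning(false) << "\n"
              << "owning ref result:                   " << ScenarioOwning() << "\n";
}
```

The point of the two paths is that the bug is not in document.write itself but in the caller's assumption that nothing it called back into could release the object; any code that re-enters script between acquiring a pointer and using it needs its own reference (or must re-validate the pointer after the callback).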
Vulnerability Exploitation
1. Use a ROP chain in msvcrt to bypass DEP.
2. Bypass DEP by using a JRE module that is loaded without ASLR.
3. JIT spray.