msf exploit(ie_execcommand_uaf) > info
Name: MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
Module: exploit/windows/browser/ie_execcommand_uaf
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Good
Provided by:
unknown
eromang
binjo
sinn3r <sinn3r@metasploit.com>
juan vazquez <juan.vazquez@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic
1 IE 7 on Windows XP SP3
2 IE 8 on Windows XP SP3
3 IE 7 on Windows Vista
4 IE 8 on Windows Vista
5 IE 8 on Windows 7
6 IE 9 on Windows 7
Basic options:
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
OBFUSCATE   false            no        Enable JavaScript obfuscation
SRVHOST     172.16.244.129   yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT     8080             yes       The local port to listen on.
SSL         false            no        Negotiate SSL for incoming connections
SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH                      no        The URI to use for this exploit (default is random)
Payload information:
Description:
This module exploits a vulnerability found in Microsoft Internet
Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object
gets deleted in an unexpected manner, but the same memory is reused
again later in the CMshtmlEd::Exec() function, leading to a
use-after-free condition. Please note that this vulnerability has
been exploited in the wild since Sep 14 2012. Also note that
presently, this module has some target dependencies for the ROP
chain to be valid. For WinXP SP3 with IE8, msvcrt must be present
(as it is by default). For Vista or Win7 with IE8, or Win7 with IE9,
JRE 1.6.x or below must be installed (which is often the case).
References:
http://cvedetails.com/cve/2012-4969/
http://www.osvdb.org/85532
http://www.microsoft.com/technet/security/bulletin/MS12-063.mspx
http://technet.microsoft.com/en-us/security/advisory/2757760
http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/
http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day/