
CVE-2020-0674 PoC — Microsoft Internet Explorer Resource Management Error Vulnerability

Source
Associated Vulnerability
Title: Microsoft Internet Explorer Resource Management Error Vulnerability (CVE-2020-0674)
Description: Microsoft Internet Explorer (IE) is a web browser shipped with the Windows operating system by Microsoft Corporation (USA). A resource management error vulnerability exists in the way the scripting engine in Microsoft IE 9, 10 and 11 handles objects in memory. An attacker can exploit this vulnerability to corrupt memory and execute arbitrary code in the context of the current user. The following products and versions are affected: Internet Explorer 9, Internet Explorer 10, Internet Explorer 11.
Readme
# CVE-2020-0674
CVE-2020-0674 is a use-after-free vulnerability in the legacy JScript engine (`jscript.dll`), reachable from Internet Explorer. The exploit here was written by [maxpl0it](https://twitter.com/maxpl0it); the vulnerability itself was discovered by [Qihoo 360](http://blogs.360.cn/), who found it being exploited in the wild. This exploit simply pops calc.

[Exploit writeup can be found here](https://labs.f-secure.com/blog/internet-exploiter-understanding-vulnerabilities-in-internet-explorer/).

# Vulnerability Overview
- The vulnerability is in the Array `sort` implementation when a comparator function is supplied.
- The two elements passed as arguments to the comparator are not tracked as roots by the garbage collector, so if a collection runs while the comparator is executing, those arguments are left pointing at freed memory.
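
The code shape that reaches this bug, as an added illustration written for this page (it is not the PoC's code and is not taken from the writeup linked above): an array sorted with a comparator that forces a collection on every call. Modern engines such as V8 keep the comparator's arguments rooted, so the same shape is harmless there; the block runs under Node and checks that invariant, which is exactly what the legacy engine gets wrong. `forceGc()` is an assumed helper: it calls `global.gc()` when Node is started with `--expose-gc` (the counterpart of IE's `CollectGarbage()`) and otherwise only applies allocation pressure.

```javascript
// Added illustration, not code from the PoC: the comparator-in-sort shape
// behind CVE-2020-0674. In legacy jscript.dll the two comparator arguments
// were not garbage-collector roots, so forcing a collection inside the
// comparator left them pointing at freed memory. V8 roots them, so here the
// same shape must leave every recorded pair intact.

// Assumed helper: stand-in for IE's CollectGarbage(). Uses global.gc() when
// Node runs with --expose-gc, otherwise allocates and discards enough data
// that a minor collection is likely while the comparator is on the stack.
function forceGc() {
  if (typeof global.gc === "function") {
    global.gc();
    return "explicit";
  }
  let junk = [];
  for (let i = 0; i < 200; i++) junk.push(new Array(256).fill(i));
  junk = null;
  return "pressure";
}

// Sorts `count` tagged objects (constructed sample data) with a comparator
// that triggers a collection on every call and records the argument pairs it
// was handed. Returns the number of comparisons, whether every recorded pair
// was still a live, self-consistent object afterwards, and the resulting
// order of ids.
function sortWithGcInComparator(count) {
  let victims = [];
  for (let i = 0; i < count; i++) {
    const id = count - 1 - i;            // reverse order so the sort has work to do
    victims.push({ id: id, tag: "victim-" + id });
  }
  const arr = victims.slice();
  victims = null;                        // the array under sort is now the only holder

  const seen = [];
  arr.sort(function (a, b) {
    forceGc();                           // the collection the bug depends on
    seen.push([a, b]);                   // a/b are the untracked slots in jscript.dll
    return a.id - b.id;
  });

  // A correct engine: every pair the comparator saw is still a valid object
  // whose tag agrees with its id. The vulnerable engine would hand back
  // freed memory here instead.
  const intact = seen.every(function (pair) {
    return pair.every(function (o) {
      return o !== null && typeof o === "object" && o.tag === "victim-" + o.id;
    });
  });
  return {
    comparisons: seen.length,
    intact: intact,
    sorted: arr.map(function (o) { return o.id; })
  };
}

// Stand-alone run: a rooted engine reports intact: true and ids 0..15.
console.log(sortWithGcInComparator(16));
```

Run it as `node --expose-gc trigger-shape.js` to get a real full collection on every comparison; without the flag the fallback only makes a collection likely, which is still enough to show the shape.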

# Exploit Notes
- The exploit was written specifically for Windows 7, but could probably be ported to other versions without much hassle.
- It targets x64 instances of IE, and therefore runs on (and has been tested against) the following browser configurations:
  - IE 8 (x64 build)
  - IE 9 (x64 build)
  - IE 10 (with either Enhanced Protected Mode or TabProcGrowth enabled)
  - IE 11 (with either Enhanced Protected Mode or TabProcGrowth enabled)
- Note that on Windows 7, Enhanced Protected Mode simply switches the browser to the x64 version of the process; it is not a sandbox escape so much as there being no additional sandbox to escape. Ironically, since this exploit targets x64, enabling EPM is what allows it to work.
- The exploit does not fully bypass EMET (only a stack-pivot detection bypass has really been implemented). However, the final EMET release (5.52) does not seem to trigger EAF+ when the exploit runs, whereas 5.5 does (at least on Windows 7 x64). So IE 11 in Enhanced Protected Mode with maximum EMET settings still allows the exploit.
- The exploit is heavily commented, but to get a better understanding of how it works and what it is doing at each stage, change `var debug = false;` to `var debug = true;` and either open the developer console to view the log, or keep it closed and read the `alert` popups instead (which might be a little annoying).
File Snapshot

[4.0K] /data/pocs/43ca5b4ec5b92a181ef8737fdef077902a5203e0
├── [ 28K] exploit.html
└── [2.1K] README.md

0 directories, 2 files