The new version of Internet Explorer 11 brings Enterprise Mode, which was previously developed exclusively for Windows 8.1 Update, to Windows 7 computers.
Internet Explorer 11.0.7 is not available as a standalone download for the time being, but you can get it by deploying KB2919355, which is actually the patch that includes Windows 8.1 Update for both 32- and 64-bit workstations. Internet Explorer has received a new pack of improvements this morning via Windows Update, as part of the new Windows 8.1 Update rollout that includes some changes for the Windows platform as well.

# Exploit Title: Microsoft Internet Explorer 8/11 and WPAD service 'Jscript.dll' - Use-After-Free
# Versions: IE 8-11 (64-bit) as well as the WPAD service (64-bit) on Windows 7 and 8.1 x64
# Tested on: Windows 7 x64, Windows 8.1 x64
# Original (IE-only/Windows 7-only) exploit credits: maxpl0it

Windows 8.1 IE/Firefox RCE -> Sandbox Escape -> SYSTEM EoP Exploit Chain (diagram; the process boxes that survive extraction read firefox.exe -> svchost.exe, "WPAD sandbox escape", and svchost.exe -> spoolsv.exe)

This is a 64-bit adaptation of CVE-2020-0674 which can exploit both IE8/11 64-bit as well as the WPAD service on Windows 7 and 8.1 x64.
It uses dynamic ROP chain creation for its RIP
Notably, this exploit does not contain bypasses for Windows Exploit Guard or EMET 5.5 and does not work on IE11 or WPAD in

The UAF is a result of two untracked variables passed to a comparator for the Array.sort method, which can then be used to reference VAR structs within allocated GcBlock regions which can subsequently be freed via garbage collection. Control of the memory of VAR structs with active JS var references in the runtime script is then used for arbitrary read (via BSTR). Ultimately the exploit aims to use KERNEL32.DLL!VirtualProtect to disable DEP on a user defined shellcode stored within a BSTR on the heap, through use of NTDLL.DLL!NtContinue, an artificial stack (built on the heap) and a dynamically resolved stack pivot ROP gadget.

There is a difference in stack size between WPAD and Internet Explorer. This try/catch, in conjunction with a global initialization of the sort array, allows the depth to be sufficient to produce an untracked var which will overlap with the type confusion offset in the re-claimed GcBlock. In IE, a stack overflow exception will occur around depth 250; however, in WPAD it will occur at a depth of less than 150, ensuring a stack overflow exception/alert will be thrown in the exploit.