CVE-2013-3205
Published 2013-09-11
Priority: P2 (64) · CVSS 2.0: 9.3 (critical) · vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public (Exploit-DB / Metasploit, see below)
EPSS: 66.28% (99.2nd percentile)
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from the cited exploit source)
Byte patterns:
- \x64\xa1\x18\x00\x00\x00\x83\xC0\x08\x8b\x20\x81\xC4\x30\xF8\xFF\xFF (x86, decodes to: mov eax, fs:[18h]; add eax, 8; mov esp, [eax]; add esp, -7D0h. It reloads ESP from the TEB StackBase so the payload runs on a sane stack after the ROP chain.)
- \x81\xc4\x80\xc7\xfe\xff (x86, decodes to: add esp, -13880h)
Indicators:
- Trigger: on a page rendered in standards mode with an editable region or input field, an onbeforeeditfocus handler forces a caret update (the module sets body.innerHTML) and then calls document.write(), which frees the CCaret object while mshtml!CCaret::UpdateScreenCaret still holds its pointer. Flag pages that combine an onbeforeeditfocus handler, a document.write() call and a contenteditable or input element; any one of the three on its own is common.
- Crash signature: the crash or exploitation lands in mshtml!CCaret::UpdateScreenCaret, where a virtual function is called through the freed CCaret pointer at vtable offset 0x2c. In triage, look for an access violation in mshtml.dll at the sequence mov ecx, [eax]; call dword ptr [ecx+2Ch], with eax pointing at freed or sprayed memory.
- Memory layout: the Metasploit module (IE 8 on Windows XP SP3) sprays the heap so that TargetAddr 0x1ec20101 is attacker-controlled and pivots the stack with the msvcrt.dll gadget at 0x77C4FA1A (mov esp, ebx; pop ebx; ret). Allocations around 0x1ec20020 or a return into 0x77C4FA1A point at this particular module and that msvcrt.dll build; a custom exploit can use a different spray address and gadget set.
- Delivery: the module uses a property spray and serves the page with Cache-Control: no-cache. That header is ubiquitous, so treat it only as a supporting signal alongside onbeforeeditfocus and document.write() in a text/html response served to an IE 6 to 8 User-Agent.
- Post-exploitation: the module sets InitialAutoRunScript to 'migrate -f', so the Meterpreter session leaves iexplore.exe immediately; the -f flag launches a fresh process and migrates into it. Monitor for iexplore.exe spawning an unexpected child process shortly after page load and then creating a remote thread in it.
Caveats:
- The module's stable target is limited to IE 8 on Windows XP SP3 using the msvcrt.dll ROP chain; the Windows 7 target is explicitly on hold pending a stable custom heap spray.
- The payload must be null-byte free (BadChars excludes \x00); shellcode containing null bytes will not work with this exploit.
- The vulnerable CCaret state is reachable only when IE renders the page in standards mode; a quirks-mode page does not trigger it.
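The indicators above sit at three layers: the HTML that reaches the browser, the crash left behind when the stale CCaret pointer is used, and the stack-restore stubs the module writes into sprayed memory. The Python below, added here as an example and not code from the CVE page or from the Metasploit module, checks each layer against constructed sample inputs. The symbols, vtable offset and byte sequences come from the page; the regular expressions, function names, the WinDbg-style crash excerpt with its addresses, and the sample HTML are assumptions of this example.

```python
"""Layered IOC checks for CVE-2013-3205 / MS13-069 (added example, not from the
page or the Metasploit module). All sample inputs below are constructed."""
import re

# Layer 1: delivered HTML. The trigger chain needs an editable target, an
# onbeforeeditfocus handler and a document.write() call; each alone is common.
HANDLER_RE = re.compile(r"onbeforeeditfocus", re.IGNORECASE)
DOCWRITE_RE = re.compile(r"document\s*\.\s*write\s*\(", re.IGNORECASE)
EDITABLE_RE = re.compile(r"contenteditable|<input\b|designMode", re.IGNORECASE)


def score_html(headers: dict, body: str) -> dict:
    """Report which trigger features an HTTP response carries and whether the
    full chain is present. Cache-Control: no-cache is recorded but is never
    sufficient on its own, since ordinary sites send it constantly."""
    ctype = headers.get("Content-Type", "").lower()
    hits = {
        "text_html": ctype.startswith("text/html"),
        "no_cache": "no-cache" in headers.get("Cache-Control", "").lower(),
        "onbeforeeditfocus": bool(HANDLER_RE.search(body)),
        "document_write": bool(DOCWRITE_RE.search(body)),
        "editable": bool(EDITABLE_RE.search(body)),
    }
    hits["suspicious"] = all(
        hits[k] for k in ("text_html", "onbeforeeditfocus", "document_write", "editable")
    )
    return hits


# Layer 2: crash signature. The symbol and vtable offset are from the page; the
# instruction text is what WinDbg prints for mov ecx,[eax] / call [ecx+2Ch].
CRASH_RES = {
    "access_violation": re.compile(r"Access violation - code c0000005", re.IGNORECASE),
    "in_update_screen_caret": re.compile(r"mshtml!CCaret::UpdateScreenCaret"),
    "mov_ecx_eax": re.compile(r"mov\s+ecx,\s*dword ptr \[eax\]", re.IGNORECASE),
    "call_vtable_2c": re.compile(r"call\s+dword ptr \[ecx\+2Ch\]", re.IGNORECASE),
}


def triage_crash(windbg_text: str) -> dict:
    """Classify a WinDbg excerpt: all four markers together point at this bug."""
    hits = {name: bool(rx.search(windbg_text)) for name, rx in CRASH_RES.items()}
    hits["matches_cve_2013_3205"] = all(hits.values())
    return hits


# Layer 3: byte stubs the module places in sprayed memory (from the page), decoded:
#   64 A1 18 00 00 00  mov eax, fs:[18h]   ; TEB self pointer
#   83 C0 08           add eax, 8          ; &TEB.StackBase
#   8B 20              mov esp, [eax]      ; ESP = top of the real thread stack
#   81 C4 30 F8 FF FF  add esp, -7D0h      ; back off 2000 bytes below it
STACK_RESTORE = b"\x64\xa1\x18\x00\x00\x00\x83\xC0\x08\x8b\x20\x81\xC4\x30\xF8\xFF\xFF"
#   81 C4 80 C7 FE FF  add esp, -13880h    ; large downward ESP adjustment
ESP_ADJUST = b"\x81\xc4\x80\xc7\xfe\xff"


def find_stubs(blob: bytes) -> list:
    """Return (name, offset) for every occurrence of either stub, ordered by offset."""
    found = []
    for name, pat in (("stack_restore", STACK_RESTORE), ("esp_adjust", ESP_ADJUST)):
        off = blob.find(pat)
        while off != -1:
            found.append((name, off))
            off = blob.find(pat, off + 1)
    return sorted(found, key=lambda t: t[1])


# Constructed samples: a page carrying the full trigger chain, a benign page that
# shares only the no-cache header and a document.write(), a crash excerpt with
# invented addresses, and a memory blob with both stubs embedded.
TRIGGER_HEADERS = {"Content-Type": "text/html", "Cache-Control": "no-cache"}
TRIGGER_BODY = (
    '<html><body contenteditable="true"><input type="text" id="t" '
    'onbeforeeditfocus="caret()"><script>function caret(){document.write("");}'
    "</script></body></html>"
)
BENIGN_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-cache"}
BENIGN_BODY = '<html><body><script>document.write("<p>hello</p>");</script></body></html>'
SAMPLE_CRASH = """\
(7f0.8a4): Access violation - code c0000005 (first chance)
eax=1ec20101 ebx=0013e0a4 ecx=1ec20101 edx=00000000 esi=1ec20020 edi=00000000
mshtml!CCaret::UpdateScreenCaret+0x8c:
3e3f1234 8b08            mov     ecx,dword ptr [eax]
3e3f1236 ff512c          call    dword ptr [ecx+2Ch]
"""
SAMPLE_BLOB = b"\x90" * 4 + STACK_RESTORE + b"\xcc" * 19 + ESP_ADJUST

if __name__ == "__main__":
    print(score_html(TRIGGER_HEADERS, TRIGGER_BODY))
    print(score_html(BENIGN_HEADERS, BENIGN_BODY))
    print(triage_crash(SAMPLE_CRASH))
    print(find_stubs(SAMPLE_BLOB))
```

The HTML check deliberately requires the whole chain rather than scoring the no-cache header, so the benign sample (no-cache plus a harmless document.write()) is not flagged; the byte-stub scan is the one check that survives a changed spray address or gadget set, because the TEB-based stack restore is independent of where the heap lands.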
No detection rules found.
Exploit-DB (2013-09-23): Microsoft Internet Explorer - CCaret Use-After-Free (MS13-069) (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "MS13-069 Microsoft Internet Explorer CCaret Use-After-Free",
      'Description' => %q{
        This module exploits a use-after-free vulnerability found in Internet Explorer,
        specifically in how the browser handles the caret (text cursor) object. In IE's standards
        mode, the caret handling's vulnerable state can be triggered by first setting up an
        editable page with an input field, and then we can force the caret to update in an
        onb
# (module listing truncated in the source)
```
Metasploit: MS13-069 Microsoft Internet Explorer CCaret Use-After-Free
This module exploits a use-after-free vulnerability found in Internet Explorer, specifically in how the browser handles the caret (text cursor) object. In IE's standards mode, the caret handling's vulnerable state can be triggered by first setting up an editable page with an input field, and then we can force the caret to update in an onbeforeeditfocus event by setting the body's innerHTML property. In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write() function, however, mshtml!CCaret::UpdateScreenCaret remains unaware of this change, and still uses the same reference to the CCaret object. When the function tries to use this invalid reference to call a virtual function at offset 0x2c, it finally res
References
- http://www.us-cert.gov/ncas/alerts/TA13-253A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-069
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18696