Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-0674 PoC — Microsoft Internet Explorer 资源管理错误漏洞

Source
https://github.com/maxpl0it/CVE-2020-0674-Exploit
Associated Vulnerability
Title:Microsoft Internet Explorer 资源管理错误漏洞 (CVE-2020-0674)
Description:A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767.
Description
This is an exploit for CVE-2020-0674 that runs on the x64 version of IE 8, 9, 10, and 11 on Windows 7.
Readme
# CVE-2020-0674
CVE-2020-0674 is a use-after-free vulnerability in the legacy jscript engine. It can be triggered in Internet Explorer. The exploit here is written by [maxpl0it](https://twitter.com/maxpl0it) but the vulnerability itself was discovered by [Qihoo 360](http://blogs.360.cn/) being used in the wild. This exploit simply pops calc.

[Exploit writeup can be found here](https://labs.f-secure.com/blog/internet-exploiter-understanding-vulnerabilities-in-internet-explorer/).

# Vulnerability Overview
- The vulnerability exists in the Array `sort` function when using a comparator function.
- The two supplied arguments for the comparator function are not tracked by the Garbage Collector and thus will point to freed memory after the GC is called.

# Exploit Notes
- The exploit was written for Windows 7 specifically, but could probably be ported without too much hassle.
- This exploit was written for x64 instances of IE, therefore will run on (and has been tested on) the following browser configurations:
  - IE 8 (x64 build)
  - IE 9 (x64 build)
  - IE 10 (Either with Enhanced Protected Mode enabled or TabProcGrowth enabled)
  - IE 11 (Either with Enhanced Protected Mode enabled or TabProcGrowth enabled)
- It's worth noting that Enhanced Protected Mode on Windows 7 simply enables the x64 version of the browser process so it's not a sandbox escape so much as there not being any additional sandbox. Ironically since this exploit is for x64, EPM actually allows it to work.
- The exploit isn't made to entirely bypass EMET (Only a stack pivot detection bypass has really been implemented), however the final version (5.52) doesn't seem to trigger EAF+ when the exploit is run whereas 5.5 does (at least, on Windows 7 x64). So IE 11 in Enhanced Protected Mode with maximum EMET settings enabled allows the exploit.
- The exploit is heavily commented but in order to get a better understanding of how the exploit works and what it's doing at each stage, change `var debug = false;` to `var debug = true;` and either open the developer console to view the log or keep it closed and view the `alert` popups instead (which might be a little annoying).
File Snapshot

 [4.0K]  /data/pocs/5b9a142cbccda090dc461fdbb7532dd23e71b0f3
├── [ 28K]  exploit.html
└── [2.1K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →