Published: 30/12/2012 Updated: 26/02/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 982
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote malicious users to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.

Affected Products

Vendor | Product | Versions
Microsoft | Internet Explorer | 6, 7, 8


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  inc ...

Metasploit Modules

MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability

This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed but a reference to it is kept and used again during a page reload. The invalid memory that is then used is controllable, which allows arbitrary code execution under the context of the user. Please note: this vulnerability has been exploited in the wild, mainly targeting China-, Taiwan-, and US-based computers.

msf > use exploit/windows/browser/ie_cbutton_uaf
msf exploit(ie_cbutton_uaf) > show targets
msf exploit(ie_cbutton_uaf) > set TARGET <target-id>
msf exploit(ie_cbutton_uaf) > show options
    ...show and set options...
msf exploit(ie_cbutton_uaf) > exploit

Github Repositories

CVE-2012-4792
CVE-2012-4792 simple calc exploitation

Exploit Development: Case Studies
This repository is intended as a personal list of exploit development case studies I stumble upon during my work. My categorization is not very granular — I'm skipping differentiation between user-mode and kernel-mode, as well as type of the software being exploited. Exploit primitives are what's really important, therefore the

Case Study of Browser DOM Vulnerabilities
Inspired by js-vuln-db

Chrome
CVE Number / ID | Module | Label | Credit
CVE-2018-6073 | WebGL | Heap Overflow | om@krashin
CVE-2018-16082 | sw::Surface | Stack Overflow | om@krashin
CR-666246 | HTMLSelectElement | UAF | ifratric

Firefox
CVE Number | Module | Label | Credit
CVE-2016-9079 | nsSMILTimeContainer | UAF | Daniel Veditz
CVE-2017-

MicroSoft Office RCEs
A collection of MicroSoft Office vulnerabilities that could end up remote command execution: CVE-2012-0158, CVE-2015-1641 (customXML type confusion), CVE-2016-7193 (dfrxst), CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 (.NET Framework), CVE-2017-11182, CVE-2017-11826 (EQNEDT32.EXE), CVE-2018-0802 (EQNEDT32.EXE again), CVE-2018-0797 (RTF UAF), CVE-2018-8597 (Excel), CVE-2018

Recent Articles

US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks
BleepingComputer • Catalin Cimpanu • 26 Aug 2017

The FBI has arrested a Chinese national on accusations of distributing and infecting US companies with the Sakula malware, the same malware used in the OPM and Anthem hacks.
The suspect's name is Yu Pingan, 26, of Shanghai. US authorities arrested Yu on Monday, August 21, at the Los Angeles airport, as the suspect entered the US to attend a security conference.
According to an official indictment, authorities accused Yu and two other unnamed co-conspirators of infecting four US compa...

Researchers say Anthem health hack has Beijing's fingerprints
The Register • Darren Pauli • 29 Jul 2015

'Black Vine' gang, late of China, fingered as source of heist that lifted 70 million records

The case for a Beijing-orchestrated hack of health insurer Anthem has firmed up with new details suggesting that the sophisticated hacking group responsible for the heist shared zero days with rival outfits.
Symantec has overnight dubbed the perps "Black Vine", suggesting the group was responsible for goring more than 70 million personal records from the US company in February.
The security firm paints the group as ultra-sophisticated and unusually keen to share its precious trove of...

IE 8 Zero Day Found as DoL Watering Hole Attack Spreads to Nine Other Sites
Threatpost • Michael Mimoso • 06 May 2013

The scope of a watering hole attack targeting the U.S. Department of Labor website widened significantly over the weekend. Researchers are reporting that as many as nine websites, including a European aerospace, defense and security manufacturer as well as a number of non-profit organizations have also been compromised and are redirecting visitors to a website hosting malware.
Microsoft, meanwhile, released an advisory warning Internet Explorer 8 users that the attackers are exploiting a z...

Watering Hole Attack Claims US Department of Labor Website
Threatpost • Michael Mimoso • 01 May 2013

The United States Department of Labor website is the latest high-profile government site to fall victim to a watering hole attack. Researchers at a number of security companies reported today that the site was hosting malware and redirecting visitors to a site hosting the Poison Ivy remote access Trojan.
The malware has since been removed and law enforcement is investigating.
The attackers inserted JavaScript onto the DoL’s Site Exposure Matrices (SEM) website that sent visitors to...

New Web-Based MiniDuke Components Discovered
Threatpost • Michael Mimoso • 11 Mar 2013

Researchers at Kaspersky Lab and CrySyS Lab have discovered files buried inside a MiniDuke command and control server that indicate the presence of a Web-based facet of the campaign that initially targeted government agencies, primarily in Europe.
Users are likely lured to the malicious webpages via spear phishing messages containing a link to the attack site. The site, which remains active, is serving exploits for patched vulnerabilities in Java and Internet Explorer, research...

Attackers Exploit Java, Compromise Reporters Without Borders Site
Threatpost • Brian Donohue • 23 Jan 2013

The Java saga continued when unknown, and apparently well concealed goons exploited recent Java and Internet Explorer zero-days to compromise the website of the French-based, free-press advocacy group, Reporters Without Borders. The attack, which attempted to take advantage of the time-gulf that separates Oracle’s patch release from their users’ application of it, is part of a watering hole campaign also targeting Tibetan and Uygur human rights groups as well as Hong Kong and Taiwanese polit...

Out-of-Band IE Patch Released as More Sites Attacked
Threatpost • Michael Mimoso • 14 Jan 2013

Internet Explorer users, exposed to a zero-day vulnerability in the browser and a faulty temporary Fix It from Microsoft, finally got some relief today when the company, as promised, released an out-of-band patch.
Meanwhile, a handful of new telco, manufacturing and human rights sites have been infected and have been serving exploits since the public release of the zero-day, a researcher told Threatpost.
The IE security update repairs previously unreported flaws in IE 6-8...

Security bods rip off Microsoft's 'sticking plaster' IE bug fix
The Register • John Leyden • 07 Jan 2013

Took them under 24 hours

A security researcher has developed a method to circumvent Microsoft's temporary fix for a zero-day Internet Explorer browser vulnerability.
Redmond released a temporary Fix It to defend against the flaw last week, pending the development of a more complete patch which it later emerged would not arrive with updates due to be delivered on Patch Tuesday tomorrow. However, Peter Vreugdenhil, of the vulnerability analysis firm Exodus Intelligence was able to sidestep that protection with a va...

Researchers Bypass Microsoft Fix It for IE Zero Day
Threatpost • Michael Mimoso • 04 Jan 2013

Expect amped up pressure aimed in Microsoft’s direction for a patch for the Internet Explorer zero day that surfaced last week, now that researchers at Exodus Intelligence reported today they have developed a bypass for the Fix It that Microsoft released as a temporary mitigation.
Their new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in watering hole attacks against a number of political and manufacturing...

Microsoft scrambles to thwart new Internet Explorer 0-day attack
The Register • John Leyden • 02 Jan 2013

Patch Tuesday can't come soon enough

Microsoft has pushed out a temporary fix to defend against a zero-day vulnerability that surfaced in attacks launched last week.
The security flaw (CVE-2012-4792) - which affects IE 6, 7 and 8 but not the latest versions of Microsoft's web browser software - allows malware to be dropped onto Windows PCs running the vulnerable software, providing, of course, that users can be tricked into visiting booby-trapped websites.
Redmond has released a temporary Fix It (easy-to-apply workaroun...