CVE-2020-0674

This is a 32-bit re-creation of a Use-After-Free heap corruption exploit in the Windows legacy JavaScript engine. It dynamically generates a SYSCALL ROP chain in order to bypass DEP, StackPivot protection, SimExec, CallerCheck, EAF and EAF+ exploit mitigations. ASLR is bypassed through use of a memory leak.

 

It works on IE8-11 32-bit for RCE and is primarily tested on Windows 7 x64 and x86 editions. It also works on Windows 8.1 up until the EIP hijack, which is mitigated by Control Flow Guard. While its most intuitive use may appear to be as an RCE for Internet Explorer, this exploit can compromise any process which attempts to execute its JavaScript using the legacy jscript.dll engine, and there are many such applications.
 

MS12-037

This is a re-creation of a classic Internet Explorer heap overflow exploit from an older era, when exploitation techniques were far simpler and contained tricks like heap sprays and BSTR length overflows (often infeasible today).

 

While initially experimenting with this genre of old classics I studied quite a few of the Metasploit modules and found some very unsatisfactory. MS12-037 in particular, I felt was lacking enough in its Metasploit rendition to merit a re-creation. My variation of the exploit contains bug fixes, as well a memory leak for ASLR bypass and pseudo-dynamic ROP chain creation.

 

MS13-008

This is a re-creation of a classic Internet Explorer Use-After-Free vulnerability and was the first (and simplest) exploit I've ever written. It relies on a hardcoded ROP chain built from gadgets within the non-ASLR CRT DLL shipped with old versions of the Java Runtime Environment.

The UAF itself is so basic that all it allows for is a EIP hijack, hence why I did not make any upgrades to it. I highly suggest mastering this exploit to any beginner in memory corruption exploits, particularly heap corruption/UAF. Its simplicity lends itself well to analysis and understanding, and there are several good analysis of it already in existence.