Delving deep into VBScript

Discussion in '0-day Release' started by RGiskardR, Jul 4, 2018.

  1. RGiskardR

    RGiskardR Malware Tester Silver Member

    Important fields in the CScriptRuntime class

    Analysis of CVE-2018-8174 exploitation

    In late April we found and wrote a description of CVE-2018-8174, a new zero-day vulnerability for Internet Explorer that was picked up by our sandbox. The vulnerability uses a well-known technique from the proof-of-concept exploit CVE-2014-6332 that essentially “corrupts” two memory objects and changes the type of one object to Array (for read/write access to the address space) and the other object to Integer to fetch the address of an arbitrary object.

    But whereas CVE-2014-6332 was aimed at integer overflow exploitation for writing to arbitrary memory locations, my interest lay in how this technique was adapted to exploit the use-after-free vulnerability. To answer this question, let’s consider the internal structure of the VBScript interpreter.

    Full reading:
    wwd, grr and silversurfer like this.
  2. Google Adsense

Share This Page