“Double Kill” is an Internet Explorer (IE) zero-day exploit that was discovered in the wild and fixed in Microsoft's May Patch. It exploits a use-after-free vulnerability in vbscript.dll to execute arbitrary code when a vulnerable system browses a malicious web page with IE. Multiple exploit kits have already added this exploit, and it is still active in the wild.
This use-after-free bug causes a type confusion in vbscript.dll, which gives the attacker the ability to read and overwrite arbitrary user-space memory. However, before the shellcode can finally be executed, the attacker has to obtain the base addresses of several system DLLs in order to locate the functions “ntdll!NtContinue” and “ntdll!VirtualProtect”, which are commonly used to bypass Windows Data Execution Prevention (DEP) and make code placed on the heap executable. In this post, the team at FortiGuard Labs looks deeply into the VBScript code to expose the DLL address-leaking trick used by this exploit.
The following publicly published exploit is used in our analysis (comments added by me have been highlighted).
Part of the Exploit: