Rapid7 Vulnerability & Exploit Database

MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution

Back to Search

MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution



This bug is triggered when the browser handles a JavaScript 'onLoad' handler in conjunction with an improperly initialized 'window()' JavaScript function. This exploit results in a call to an address lower than the heap. The javascript prompt() places our shellcode near where the call operand points to. We call prompt() multiple times in separate iframes to place our return address. We hide the prompts in a popup window behind the main window. We spray the heap a second time with our shellcode and point the return address to the heap. I use a fairly high address to make this exploit more reliable. IE will crash when the exploit completes. Also, please note that Internet Explorer must allow popups in order to continue exploitation.


  • Benjamin Tobias Franz
  • Stuart Pearson
  • Sam Sharps




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/ms05_054_onload
msf exploit(ms05_054_onload) > show targets
msf exploit(ms05_054_onload) > set TARGET < target-id >
msf exploit(ms05_054_onload) > show options
    ...show and set options...
msf exploit(ms05_054_onload) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security