
MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free

Disclosed: 2010-03-09
Created: 2018-05-30

Description

This module exploits a use-after-free vulnerability within the DHTML behaviors
functionality of Microsoft Internet Explorer versions 6 and 7. This bug was
discovered while being exploited in the wild and was previously known as the "iepeers"
vulnerability. The name comes from Microsoft's suggested workaround to block
access to the iepeers.dll file.

According to Nico Waisman, "The bug itself is when trying to persist an object
using the setAttribute, which ends up calling VariantChangeTypeEx with both the
source and the destination being the same variant. So if you send as a variant
an IDISPATCH the algorithm will try to do a VariantClear of the destination before
using it. This will end up on a call to PlainRelease which derefs the reference
and cleans the object."

NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
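
The following is a simplified C model of the ordering problem described in the quote above, added here as an illustration; it is not Microsoft's code or the module's code. All type and function names are hypothetical, and freeing is modelled with a flag so the stale access can be observed without undefined behaviour.

```c
#include <stdio.h>

/* Toy refcounted object; "freed" stands in for free(). Names are hypothetical. */
typedef struct { int refs; int freed; int value; } Obj;
typedef enum { T_EMPTY, T_OBJECT, T_INT } Tag;
typedef struct { Tag tag; Obj *obj; int num; } Var;

static void obj_addref(Obj *o)  { o->refs++; }
static void obj_release(Obj *o) { if (--o->refs == 0) o->freed = 1; }

static void var_clear(Var *v) {
    if (v->tag == T_OBJECT && v->obj) obj_release(v->obj);
    v->tag = T_EMPTY; v->obj = NULL; v->num = 0;
}

/* Flawed order: the destination is cleared before the source object is used.
   Returns 0 on success, -1 when the conversion would touch a freed object. */
static int to_int_clear_first(Var *dst, const Var *src) {
    Obj *in = (src->tag == T_OBJECT) ? src->obj : NULL;
    if (!in) return -1;
    var_clear(dst);              /* dst == src: drops the last reference */
    if (in->freed) return -1;    /* real code would read freed memory here */
    dst->tag = T_INT; dst->num = in->value;
    return 0;
}

/* Hardened order: pin the source object across the clear, release after use. */
static int to_int_pinned(Var *dst, const Var *src) {
    Obj *in = (src->tag == T_OBJECT) ? src->obj : NULL;
    if (!in) return -1;
    obj_addref(in);
    var_clear(dst);
    dst->tag = T_INT; dst->num = in->value;   /* object still alive */
    obj_release(in);                          /* may free now, after use */
    return 0;
}

/* Runs a conversion with the same variant as source and destination. */
static int demo(int (*conv)(Var *, const Var *), int *out) {
    Obj o = { 1, 0, 42 };                     /* constructed sample object */
    Var v = { T_OBJECT, &o, 0 };
    int rc = conv(&v, &v);
    *out = v.num;
    return rc;
}

int main(void) {
    int n;
    printf("clear-first: rc=%d\n", demo(to_int_clear_first, &n));
    printf("pinned:      rc=%d value=%d\n", demo(to_int_pinned, &n), n);
    return 0;
}
```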

Authors

unknown
Trancer <mtrancer@gmail.com>
Nanika
jduck <jduck@metasploit.com>

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/windows/browser/ms10_018_ie_behaviors
msf exploit(ms10_018_ie_behaviors) > show targets
...targets...
msf exploit(ms10_018_ie_behaviors) > set TARGET <target-id>
msf exploit(ms10_018_ie_behaviors) > show options
...show and set options...
msf exploit(ms10_018_ie_behaviors) > exploit
