Rapid7 Vulnerability & Exploit Database

MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free

Back to Search

MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free



This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in-the-wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, "The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which deref the reference and clean the object." NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.


  • unknown
  • Trancer <mtrancer@gmail.com>
  • Nanika
  • jduck <jduck@metasploit.com>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/ms10_018_ie_behaviors
msf exploit(ms10_018_ie_behaviors) > show targets
msf exploit(ms10_018_ie_behaviors) > set TARGET < target-id >
msf exploit(ms10_018_ie_behaviors) > show options
    ...show and set options...
msf exploit(ms10_018_ie_behaviors) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security