This Metasploit module exploits a use-after-free vulnerability within the DTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in-the-wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, "The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorythm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which decref the reference and clean the object." NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
2050b221f455e1fa58a8d196ecf708064b18b0b04314d24c17d3d8356494d06eWhen Windows Explorer (explorer.exe) parses a malformed .url file it is susceptible to a denial of service.
c3856e94dae33fcecb3dd9550d99ff03a19ebbd7adf295e105b72716f12a1615Excel 2000/XP/2003 suffers from a vulnerability in repair mode.
cd59caca350390059cebc85f53cc911f37183dc30a7fcad05e9b5ef91c9b59e0Proof of concept Excel 2000/XP/2003 exploit.
b4994db39df4f6c26fbf9f58890ffcbc1fffdb06e037a36c4f5ac527f24b8885This is a slightly modified version of Stuart Pearson's original exploit for the malformed MDB parsing vulnerabilities in Microsoft Access.
21907bea8baebb0eabf8d5cb55470e6622f00c5110265a1be7900b93ce98dd5a
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed