This Metasploit module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the "DataURL" parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code.
f289814b228dcb38a6cb14ec1a0f1b164ee34f9990d3cdfec8eb912f49211937
Zero Day Initiative Advisory 10-034 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer 6. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the Tabular Data Control ActiveX module. Specifically, if provided a malicious DataURL parameter a stack corruption may occur in the function CTDCCtl::SecurityCHeckDataURL. This can be leveraged to execute arbitrary code under the context of the current user.
81795a5d66d21f51c9a05af7acc4fa4ba9b87a98f8e8c5dec3ab5d203a2650cf