cbcvebase.
CVE-2008-4844
published 2008-12-11

Priority: P277 · Severity: critical · CVSS 2.0 base score: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 66.51% (99.2th percentile)
Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008.

Affected (3 ranges)

Vendor      Product            Version range   Fixed in
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   internet_explorer

Detection & IOCs (extracted from sources)

  • Exploit triggers use-after-free in mshtml.dll via malformed XML DSO bindings; look for crafted HTML/XML documents using nested SPAN or MARQUEE elements combined with XML Island, XML DSO, or Tabular Data Control (TDC) tags targeting Internet Explorer.
  • Payload explore.exe is packed with UPX; detect UPX-packed PE files dropped to disk as an initial triage indicator for this campaign.
  • Monitor for creation of rootkit driver files NsPsDk01.sys through NsPsDk04.sys in %SystemRoot%\System32; these are dropped by explore.exe and registered as services.
  • Snort rules for CVE-2008-4844 were released; reference VRT advisory at http://www.snort.org/vrt/advisories/vrt-rules-2008-12-11.html for rule details.
  • Exploit uses heap spray with NOP sled pattern %u9090%u9090 and repeated block %u0c0c%u0c0c to position shellcode; detect this pattern in HTTP responses to IE clients.
  • The Metasploit module ms08_078_xml_corruption uses a .NET DLL memory technique to create a fake vtable at a known location; detect browser exploitation attempts leveraging .NET DLL memory spraying in conjunction with XML data binding requests.
  • The BHO CLSIDs {AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8} and {72C7B634-DEB3-48BD-90C1-6BBBFE171C75} are malicious; alert on registration of these CLSIDs under the Browser Helper Objects registry key.
  • The exploit URL http://wieyou.com and the payload-hosting domains had very short TTLs (under 3 hours); these IOCs are historical and likely no longer active, but they are useful for retrospective log analysis.
  • The shellcode in the Vista PoC (EDB-7410) executes calc.exe (CMD=C:\WINDOWS\system32\calc.exe) and is a proof-of-concept payload; real-world payloads differ, so the byte signature should be used for PoC/scanner detection only.
  • Over 40 files were downloaded and executed during the observed campaign; the listed filenames and domains represent a subset of the observed payloads and C2 infrastructure, not an exhaustive list.

CVSS provenance

Source      CVSS version   Score   Severity   Vector
nvd         2.0            9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck                  9.3     CRITICAL