CVE-2009-0075
published 2009-02-10


Priority: P274 · critical · CVSS 2.0 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 85.28% (99.7th percentile)
Microsoft Internet Explorer 7 does not properly handle errors during attempted access to deleted objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to CFunctionPointer and the appending of document objects, aka "Uninitialized Memory Corruption Vulnerability."

Affected (1 range)

Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | | 

Detection & IOCs (extracted from sources)

  • other: 0x0C0C0C0C (also written 0x0c0c0c0c)
  • port: 28876
  • port: 5500
  • bytes: %u0c0c%u0c0c (also written %u0C0C%u0C0C)
  • bytes: %u0D0D%u0D0D
  • Exploit delivers a crafted HTML page via HTTP containing heap spray using NOP sled value 0x0C0C0C0C (or 0x0D0D0D0D) and unescape() shellcode blobs; detect large repeated %u0c0c%u0c0c or %u0D0D%u0D0D patterns in HTTP responses targeting IE 7.
  • Exploit HTML pages contain a characteristic JavaScript heap-spray pattern: allocating a large Array, computing heap_chunk_size of 0x40000, and filling with unescape() NOP sleds followed by shellcode — look for this combination in HTTP response bodies.
  • Metasploit module randomizes JS variable names but uses a fixed redirect pattern with a random alpha query string (?<rand_alpha_key>) before delivering the exploit page; the redirect URI pattern can be used for detection.
  • Exploit targets CFunctionPointer uninitialized memory in IE 7 via crafted HTML; the vulnerability is triggered by appending document objects — monitor for exploitation of mshtml.dll CFunctionPointer code path in IE 7 process.
  • Bind-shell payload opens TCP port 5500 on the victim; monitor for unexpected listening services on port 5500 after IE 7 exploitation.
  • Bind-shell payload opens TCP port 28876 on the victim; monitor for unexpected listening services on port 28876 after IE 7 exploitation.
  • Metasploit module uses 'migrate -f' as InitialAutoRunScript post-exploitation; detect meterpreter process migration immediately after iexplore.exe exploitation.
  • Exploit is confirmed only against Internet Explorer 7 specific builds; the Metasploit module targets Windows XP SP2-SP3 and Windows Vista SP0 with IE 7 only.
  • The PoC exploit (8152) was tested specifically on Internet Explorer 7.0.5730.11 on Windows XP SP2; reliability on other patch levels is not confirmed.
  • Metasploit module notes there is no way to fingerprint the target before attempting exploitation (no vuln_test), meaning the exploit is fired blindly at any connecting client.
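A defender-side check for the heap-spray indicators listed in the notes above (repeated %u0c0c / %u0d0d unescape() sleds together with the Array / 0x40000 allocation pattern), written as an added example in Python; it is not part of this record or of any module it references, and the 32-unit sled threshold and the sample bodies are constructed assumptions.

```python
import re

# Heap-spray NOP-sled values named in the IoC list (matched case-insensitively).
SLED_RE = re.compile(r"(?:%u0c0c){2,}|(?:%u0d0d){2,}", re.IGNORECASE)
UNESCAPE_RE = re.compile(r"unescape\s*\(", re.IGNORECASE)
CHUNK_RE = re.compile(r"0x40000\b", re.IGNORECASE)
ARRAY_RE = re.compile(r"new\s+Array\s*\(", re.IGNORECASE)

# Consecutive %uXXXX units needed before a sled counts as "large".
# Assumed threshold, not a value taken from the record.
SLED_UNITS_THRESHOLD = 32


def analyze_response_body(body: str) -> dict:
    """Score one HTTP response body for the IE 7 heap-spray pattern."""
    sled_runs = SLED_RE.findall(body)
    # Each %uXXXX escape is 6 characters, so run length / 6 = sled units.
    longest_units = max((len(run) // 6 for run in sled_runs), default=0)
    findings = {
        "sled_runs": len(sled_runs),
        "longest_sled_units": longest_units,
        "unescape": bool(UNESCAPE_RE.search(body)),
        "heap_chunk_0x40000": bool(CHUNK_RE.search(body)),
        "new_array": bool(ARRAY_RE.search(body)),
    }
    # Flag a long sled inside unescape() combined with the Array/0x40000
    # allocation pattern, or a sled so long it is suspicious on its own.
    findings["suspicious"] = (
        longest_units >= SLED_UNITS_THRESHOLD
        and findings["unescape"]
        and (findings["heap_chunk_0x40000"] or findings["new_array"])
    ) or longest_units >= 4 * SLED_UNITS_THRESHOLD
    return findings


# Constructed sample bodies (not captured traffic).
SPRAY_BODY = (
    "<html><script>var sled = unescape('" + "%u0c0c" * 64 + "');\n"
    "var heap_chunk_size = 0x40000; var spray = new Array();\n"
    "while (sled.length < heap_chunk_size) sled += sled;\n"
    "for (var i = 0; i < 200; i++) spray[i] = sled;</script></html>"
)
BENIGN_BODY = (
    "<html><script>var s = unescape('%u00e9%u00e8');"
    " var a = new Array(10);</script></html>"
)

if __name__ == "__main__":
    print(analyze_response_body(SPRAY_BODY))
    print(analyze_response_body(BENIGN_BODY))
```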

CVSS provenance

  • nvd: v2.0 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  • vulncheck: 9.3 CRITICAL