cbcvebase.
CVE-2009-0076
published 2009-02-10

CVE-2009-0076: Microsoft Internet Explorer 7, when XHTML strict mode is used, allows remote attackers to execute arbitrary code via the zoom style directive in conjunction…

Priority P356 · critical · 9.3 · CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 33.54% (98.2th percentile)
Microsoft Internet Explorer 7, when XHTML strict mode is used, allows remote attackers to execute arbitrary code via the zoom style directive in conjunction with unspecified other directives in a malformed Cascading Style Sheets (CSS) stylesheet in a crafted HTML document, aka "CSS Memory Corruption Vulnerability."

Affected

1 range
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

port: 28876
port: 5500
  • Exploit delivers a crafted HTML page containing JavaScript heap spray using NOP sled value 0x0c0c0c0c; detect large repeated allocations of %u0c0c%u0c0c or %u0D0D%u0D0D in JavaScript on IE7 page loads.
  • Exploit is served over HTTP on port 80 by a rogue Python HTTPServer; the server header is set to 'myRequestHandler' which can be used as a network detection indicator.
  • Exploit targets Internet Explorer 7.0.5730.11 on Windows XP SP2 and Windows 2003 SP2; scope detection to those specific UA strings combined with CSS containing the zoom directive.
  • The vulnerability is triggered by the CSS 'zoom' style directive in XHTML strict mode; inspect CSS content in HTTP responses for 'zoom' combined with other directives in malformed stylesheets delivered to IE7 clients.
  • Post-exploitation bind shell listens on TCP/28876; monitor for unexpected inbound connections to this port on Windows XP/2003 hosts after IE7 exploitation.
  • Post-exploitation bind shell listens on TCP/5500 (ShikataGaNai-encoded payload); monitor for unexpected inbound connections to port 5500 on Windows 2003 SP2 hosts after IE7 exploitation.
  • Heap spray block size of 0x40000 (262144 bytes) with repeated 0x0c0c0c0c pattern is characteristic of this exploit; memory forensics or heap inspection can identify this pattern.
  • Exploit (8152) uses a calc.exe payload (win32_exec) for PoC; real-world attacks would substitute a different shellcode, so the heap spray NOP sled and 0x0c0c0c0c return address are the stable detection anchors, not the specific payload bytes.
  • Exploit (8080) shellcode is encoded with ShikataGaNai; raw byte signatures will not match after re-encoding. Detect via heap spray pattern and bind port rather than static shellcode bytes.
  • Exploit (8079) shellcode opens a bind shell on port 28876/tcp; the port is hardcoded in the shellcode and may differ in modified variants.
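
The content and header indicators in the notes above can be combined into one check over HTTP exchanges captured at a proxy or IDS. This is an added example, not code from this page's sources; the function names, the DOCTYPE test used to recognise XHTML strict mode, the scoring rule and the sample exchanges are assumptions constructed for illustration.

```python
import re

# Indicators quoted in the detection notes above.
SPRAY_RE = re.compile(r"%u0c0c%u0c0c|%u0d0d%u0d0d", re.IGNORECASE)
ZOOM_RE = re.compile(r"\bzoom\s*:", re.IGNORECASE)
IE7_UA_RE = re.compile(r"\bMSIE 7\.0\b")
ROGUE_SERVER = "myrequesthandler"
# Assumption: XHTML strict mode is recognised by its DOCTYPE public identifier.
STRICT_RE = re.compile(r"-//W3C//DTD XHTML 1\.0 Strict//EN", re.IGNORECASE)


def match_indicators(user_agent, response_headers, body):
    """Return the names of the indicators present in one HTTP exchange."""
    hits = []
    if IE7_UA_RE.search(user_agent or ""):
        hits.append("ie7_client")
    headers = {k.lower(): v for k, v in response_headers.items()}
    if ROGUE_SERVER in headers.get("server", "").lower():
        hits.append("rogue_server_header")
    if SPRAY_RE.search(body):
        hits.append("heap_spray_fill")
    if STRICT_RE.search(body) and ZOOM_RE.search(body):
        hits.append("zoom_in_xhtml_strict")
    return hits


def verdict(hits):
    """Alert only on combinations; 'zoom' alone is common in legitimate CSS."""
    content = {"heap_spray_fill", "zoom_in_xhtml_strict", "rogue_server_header"} & set(hits)
    if "ie7_client" in hits and "heap_spray_fill" in content and len(content) >= 2:
        return "alert"
    return "review" if "heap_spray_fill" in content else "ignore"


# Constructed sample exchanges (inert fragments, not a working page).
IE7_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
STRICT = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">'
SUSPECT = (IE7_UA, {"Server": "myRequestHandler"},
           STRICT + '<style>div { zoom: 1 }</style><script>var f = "%u0c0c%u0c0c";</script>')
BENIGN = (IE7_UA, {"Server": "Apache"},
          STRICT + "<style>.clearfix { zoom: 1 }</style><p>hello</p>")

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        hits = match_indicators(*sample)
        print(name, hits, verdict(hits))
```

Because the payload bytes and bind port change between variants, the check keys on the spray fill value and treats the Server header and zoom directive as corroboration only.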