CVE-2010-3973
published 2010-12-23

CVE-2010-3973: The WMITools ActiveX control in WBEMSingleView.ocx 1.50.1131.0 in Microsoft WMI Administrative Tools 1.1 and earlier in Microsoft Windows XP SP2 and SP3 allows…

Priority P270 · critical · 9.3 · CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 71.73% (99.3th percentile)
The WMITools ActiveX control in WBEMSingleView.ocx 1.50.1131.0 in Microsoft WMI Administrative Tools 1.1 and earlier in Microsoft Windows XP SP2 and SP3 allows remote attackers to execute arbitrary code via a crafted argument to the AddContextRef method, possibly an untrusted pointer dereference, aka "Microsoft WMITools ActiveX Control Vulnerability."

Affected

1 range

Vendor | Product | Version range | Fixed in
microsoft | wmi_administrative_tools | <= 1.1 |

Detection & IOCs

filename: WBEMSingleView.ocx
version: WBEMSingleView.ocx 1.50.1131.0
command: AddContextRef
command: ReleaseContext
  • Detect instantiation of the vulnerable WBEMSingleView.ocx ActiveX control (CLSID lookup) in browser context, particularly calls to AddContextRef or ReleaseContext methods with attacker-controlled lCtxHandle pointer values.
  • Look for heap spray patterns in browser memory combined with loading of mscorie.dll (version 2.0.50727.3053) from a web-browsing process — this DLL is used to bypass DEP and ASLR in the exploit.
  • The Metasploit module targets MSIE 6.0, 7.0, and 8.0 User-Agent strings; alert on HTTP responses serving .dll files (Content-Type: application/x-msdownload) to these User-Agents alongside pages referencing WBEMSingleView.ocx.
  • The exploit module uses 'migrate -f' as InitialAutoRunScript after payload execution — monitor for unexpected process migration activity (e.g., iexplore.exe spawning or injecting into other processes) following ActiveX control load.
  • ROP chain uses mscorie.dll RVA 0x237e ('call [ecx+4] / xor eax, eax / pop ebp / ret 8') as a gadget; memory forensics or crash dumps showing RIP/EIP at mscorie.dll+0x237e are indicative of exploitation.
  • The exploit module does not opt-in to ASLR and relies on mscorie.dll v2.0.50727.3053 at a fixed base address (0x63f00000); systems with a different .NET 2.0 patch level or without .NET 2.0 installed will not be exploitable via this specific ROP chain.
  • The vulnerable component (WBEMSingleView.ocx / WMI Administrative Tools) is a standalone download and install, not present by default on all Windows XP systems — exposure is limited to hosts where it has been explicitly installed.
  • Payload space is constrained to 512 bytes with null bytes disallowed; staged or large payloads may not function correctly.
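
The User-Agent and Content-Type correlation from the detection notes above, as an added example (not code from this page or from any vendor rule): it flags a client when an MSIE 6.0 to 8.0 User-Agent receives both a page referencing WBEMSingleView.ocx and an application/x-msdownload .dll response within a time window. The JSON event fields (ts, client, ua, url, ctype, body_refs), the 60-second window and the sample events are constructed assumptions.

```python
import json
import re
from collections import defaultdict

# MSIE 6.0, 7.0 and 8.0: the User-Agents the page says the module targets.
MSIE_RE = re.compile(r"MSIE [678]\.0")
WINDOW = 60  # seconds; assumed correlation window

# Constructed sample proxy/IDS events (JSON lines); field names are assumptions.
SAMPLE = """\
{"ts": 100, "client": "10.0.0.5", "ua": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)", "url": "/index.html", "ctype": "text/html", "body_refs": ["WBEMSingleView.ocx"]}
{"ts": 103, "client": "10.0.0.5", "ua": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)", "url": "/x/lib.dll", "ctype": "application/x-msdownload"}
{"ts": 110, "client": "10.0.0.9", "ua": "Mozilla/5.0 (Windows NT 5.1; rv:3.6) Firefox/3.6", "url": "/x/lib.dll", "ctype": "application/x-msdownload"}
{"ts": 200, "client": "10.0.0.7", "ua": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)", "url": "/p.html", "ctype": "text/html", "body_refs": ["WBEMSingleView.ocx"]}
{"ts": 900, "client": "10.0.0.7", "ua": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)", "url": "/y/a.dll", "ctype": "application/x-msdownload"}
"""

def classify(ev):
    """Return 'page', 'dll' or None for one event from a targeted User-Agent."""
    if not MSIE_RE.search(ev["ua"]):
        return None
    if any("wbemsingleview.ocx" in r.lower() for r in ev.get("body_refs", [])):
        return "page"
    is_dll = ev["url"].lower().split("?")[0].endswith(".dll")
    if is_dll and ev["ctype"].lower().startswith("application/x-msdownload"):
        return "dll"
    return None

def correlate(lines, window=WINDOW):
    """Pair page and .dll events per client, in either order, within `window` seconds."""
    seen = defaultdict(lambda: {"page": [], "dll": []})
    alerts = []
    for line in lines:
        ev = json.loads(line) if line.strip() else None
        kind = classify(ev) if ev else None
        if kind is None:
            continue
        other = "dll" if kind == "page" else "page"
        for prev in seen[ev["client"]][other]:
            if abs(ev["ts"] - prev["ts"]) <= window:
                page, dll = (ev, prev) if kind == "page" else (prev, ev)
                alerts.append((ev["client"], page["url"], dll["url"]))
        seen[ev["client"]][kind].append(ev)
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE.splitlines()))
```

The body_refs field stands in for whatever content inspection the sensor performs on response bodies; a proxy that logs only headers can supply the .dll half of the pair but not the page half.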