cvebase
CVE-2012-0266
published 2012-01-15

CVE-2012-0266: Multiple stack-based buffer overflows in the NTR ActiveX control before 2.0.4.8 allow remote attackers to execute arbitrary code via (1) a long bstrUrl…

Priority: P2 60
Severity: critical, CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Metasploit module; see the detection notes below)
EPSS: 42.09% (98.5th percentile)
Multiple stack-based buffer overflows in the NTR ActiveX control before 2.0.4.8 allow remote attackers to execute arbitrary code via (1) a long bstrUrl parameter to the StartModule method, (2) a long bstrParams parameter to the Check method, a long bstrUrl parameter to the (3) Download or (4) DownloadModule method during construction of a .ntr pathname, or a long bstrUrl parameter to the (5) Download or (6) DownloadModule method during construction of a URL.

Affected

1 range
Vendor: ntrglobal
Product: ntr_activex_control
Version range: <= 1.1.8
Fixed in: not listed (the description above states that versions before 2.0.4.8 are affected)

Detection & IOCs (extracted from sources)

CLSID: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA}
Heap-spray DWORD: 0x0c0c0c0c
ROP pivot address: 0x77c15ed5
ROP pivot address: 0x7c348b05
Byte sequence: \x81\xc4\x54\xf2\xff\xff
  • Monitor for instantiation of the NTR ActiveX control by its CLSID {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} in browser processes (e.g., iexplore.exe).
  • Detect calls to the Check() method on the NTR ActiveX control with an abnormally long bstrParams argument; this is the strcat-based stack buffer overflow the public Metasploit module uses.
  • Look for the heap-spray NOP sled value 0x0c0c0c0c in browser memory or in network-delivered JavaScript; it indicates the non-ROP heap-spray path used against IE 6/7 on XP/Vista.
  • Detect the stack-adjustment prepend encoder bytes \x81\xc4\x54\xf2\xff\xff (add esp, -3500, i.e. add esp, 0xfffff254) in shellcode delivered via this exploit.
  • Flag use of the ROP gadget at 0x77c15ed5 (xchg eax, esp; ret in msvcrt) or 0x7c348b05 (xchg eax, esp; ret in msvcrt71, shipped with Java 6) as indicators of DEP/ASLR bypass attempts for this CVE.
  • The exploit URI path is randomized but always ends with 'xp' appended; the Metasploit module's URIPATH is not configurable because the control builds the final URL with strcat. Use this constraint for network detection.
  • Detect HTTP requests to the exploit server whose URL matches ?a=0&d= followed by a long value, as this reflects the URL format the vulnerable strcat code constructs.
  • The Metasploit module targets NTR ActiveX version 1.1.8.0 specifically; the CVE affects versions before 2.0.4.8, so the ROP offsets and return addresses listed here apply only to 1.1.8.0.
  • DEP/ASLR bypass via JRE ROP (return into 0x7c348b05 in msvcrt71) requires Java 6 to be installed on the victim; without it, exploitation of Vista/Win7 targets will fail.
  • The exploit targets Internet Explorer versions 6.0 through 9.0 only; other browsers are explicitly rejected by the module's user-agent check.
  • The payload offset differs between IE 6–8 (0x5f4) and IE 9 (0x5fe); incorrect target selection results in failed exploitation.
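The following scanner is an added example, not code from the cvebase page, the Metasploit module or the NTR product. It applies the indicators listed above to a captured HTTP response body (HTML/JS served by the exploit page) and to HTTP request lines. The CLSID, the 0x0c0c0c0c sled value, the two ROP pivot addresses, the add esp, -3500 bytes, the method names and the ?a=0&d= URL shape are taken from the list above; the length threshold, the function names and the sample body and request lines are constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the CVE-2012-0266 detection notes. LONG_ARG is an assumption:
# a string argument at least this long is treated as "abnormally long".
NTR_CLSID = "{E6ACF817-0A85-4EBE-9F0A-096C6488CFEA}"
NTR_METHODS = ("StartModule", "Check", "Download", "DownloadModule")
HEAP_SPRAY_DWORD = 0x0C0C0C0C
ROP_PIVOTS = {0x77C15ED5: "msvcrt xchg eax,esp ; ret (XP SP3)",
              0x7C348B05: "msvcrt71 xchg eax,esp ; ret (JRE 6)"}
STACK_ADJUST = b"\x81\xc4\x54\xf2\xff\xff"   # add esp, -3500 prepend
LONG_ARG = 256


def dword_forms(value: int) -> list[str]:
    """Textual forms a 32-bit constant takes in exploit JavaScript: a hex
    literal and the little-endian unescape('%uLLLL%uHHHH') encoding."""
    lo, hi = value & 0xFFFF, value >> 16
    return [f"0x{value:08x}", f"%u{lo:04x}%u{hi:04x}"]


def bytes_as_unescape(data: bytes) -> str:
    """Encode an even-length byte string as little-endian %u words (JS unescape form)."""
    words = [data[i] | (data[i + 1] << 8) for i in range(0, len(data), 2)]
    return "".join(f"%u{w:04x}" for w in words)


def scan_response_body(body: bytes) -> list[str]:
    """Return the names of indicators found in a delivered HTML/JS body."""
    hits = []
    text = body.decode("latin-1")
    low = text.lower()
    if NTR_CLSID.strip("{}").lower() in low:
        hits.append("ntr_clsid_instantiated")
        # Method calls with an over-long string literal, e.g. obj.Check("AAAA...").
        # Arguments built at runtime from variables need in-browser hooking instead.
        for name in NTR_METHODS:
            pattern = r"\.%s\s*\(\s*[\"']([^\"']{%d,})[\"']" % (name, LONG_ARG)
            if re.search(pattern, text):
                hits.append(f"long_arg_to_{name}")
    if any(form in low for form in dword_forms(HEAP_SPRAY_DWORD)):
        hits.append("heap_spray_0c0c0c0c")
    for addr in ROP_PIVOTS:
        if any(form in low for form in dword_forms(addr)):
            hits.append(f"rop_pivot_{addr:08x}")
    if STACK_ADJUST in body or bytes_as_unescape(STACK_ADJUST) in low:
        hits.append("stack_adjust_add_esp_-3500")
    return hits


def scan_request_uri(uri: str) -> list[str]:
    """Match the URL shape the control builds: a path ending in 'xp', then ?a=0&d=<value>."""
    hits = []
    parts = urlsplit(uri)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith("xp") and qs.get("a") == ["0"] and "d" in qs:
        hits.append("ntr_url_shape")
        if len(qs["d"][0]) >= LONG_ARG:
            hits.append("ntr_url_long_d")
    return hits


def scan_request_line(line: str) -> list[str]:
    """Apply scan_request_uri to a 'METHOD URI VERSION' request line."""
    parts = line.split()
    return scan_request_uri(parts[1]) if len(parts) >= 2 else []


# Constructed sample input: an exploit-style page and three request lines.
SAMPLE_BODY = (
    b'<object classid="clsid:E6ACF817-0A85-4EBE-9F0A-096C6488CFEA" id="ntr"></object>\n'
    b"<script>\n"
    b'var sled = unescape("%u0c0c%u0c0c");\n'
    b'var rop = unescape("%u8b05%u7c34");\n'
    b'var shell = unescape("%uc481%uf254%uffff");\n'
    b'ntr.Check("' + b"A" * 3000 + b'");\n'
    b"</script>\n"
)
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /Q7kzxp?a=0&d=" + "B" * 600 + " HTTP/1.1",
    "GET /Q7kzxp?a=0&d=short HTTP/1.1",
]

if __name__ == "__main__":
    print("body:", scan_response_body(SAMPLE_BODY))
    for line in SAMPLE_REQUESTS:
        print(line[:40], "->", scan_request_line(line))
    for addr, desc in ROP_PIVOTS.items():
        print(f"{addr:#010x} {desc}: forms {dword_forms(addr)}")
```

The %u encoding matters more than the hex literals in practice: exploit pages typically build the sled, pivot and payload with unescape(), so the gadget address 0x7c348b05 appears on the wire as %u8b05%u7c34, and a detector that only looks for the 0x-form will miss it.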