CVE-2012-0267
Published 2012-01-15
Priority P263, critical, 9.3 CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 38.98% (98.4th percentile)
The StopModule method in the NTR ActiveX control before 2.0.4.8 allows remote attackers to execute arbitrary code via a crafted lModule parameter that triggers use of an arbitrary memory address as a function pointer.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ntrglobal | ntr_activex_control | <= 1.1.8 | — |
Detection & IOCs (extracted from sources)
- Detect instantiation of the NTR ActiveX control by its CLSID {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} in HTML/script content or registry; any call to StopModule() on this object is the exploit trigger.
- The exploit uses a heap spray targeting address 0x0c0c0c0c; detect large JavaScript heap allocations combined with the NTR ActiveX CLSID in the same page.
- The lModule parameter passed to StopModule() is used to dereference memory as a function pointer (call eax at .text:10004475); monitor for calls to StopModule() with non-zero/unusual integer arguments from browser processes.
- The Metasploit module targets IE 6 and IE 7 on Windows XP SP3 and Vista; alert on the ntractivex118 DLL loaded inside iexplore.exe followed by process migration (migrate -f).
- The vulnerable module is ntractivex118 (NTR ActiveX 1.1.8.0); presence of this DLL in a browser process combined with a StopModule call should be treated as a high-confidence exploitation attempt.
- The Metasploit module only targets IE 6.0–7.0 (ua_minver/ua_maxver); exploitation via other browsers or IE versions is not covered by this module and may behave differently.
- The module includes an optional JavaScript obfuscation flag (OBFUSCATE); obfuscated variants of the exploit will evade signature-based JS detection, but the CLSID and StopModule method name remain constant.
- The heap address used (0x0c0c0c0c) and the stride multiplier (0x134) are fixed in this module version; variants may alter these values to evade numeric-pattern detection.
No detection rules found.
Exploit-DB
NTR - ActiveX Control 'StopModule()' Remote Code Execution (Metasploit)
exploitdb·2012-10-10
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
    :ua_minver => "6.0",
    :ua_maxver => "7.0",
    :javascript => true,
    :os_name => OperatingSystems::WINDOWS,
    :classid => "{E6ACF817-0A85-4EBE-9F0A-096C6488CFEA}",
    :method => "StopModule",
    :rank => NormalRanking
  })
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'NTR ActiveX Control StopModule() Remote Code Execution',
      'Description' => %q{
        This module exploits a vulnerability found in the NTR ActiveX 1.1.8. The
        vulnerabi
```
Metasploit
NTR ActiveX Control StopModule() Remote Code Execution
metasploit
This module exploits a vulnerability found in the NTR ActiveX 1.1.8. The vulnerability exists in the StopModule() method, where the lModule parameter is used to dereference memory to get a function pointer, which leads to code execution under the context of the user visiting a malicious web page.
No writeups or analysis indexed.
- http://secunia.com/advisories/45166
- http://secunia.com/secunia_research/2012-2/
- http://www.exploit-db.com/exploits/21839
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72295
Published: 2012-01-15