CVE-2012-0267
published 2012-01-15


Priority: P263 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 38.98% (98.4th percentile)
The StopModule method in the NTR ActiveX control before 2.0.4.8 allows remote attackers to execute arbitrary code via a crafted lModule parameter that triggers use of an arbitrary memory address as a function pointer.

Affected

1 range

Vendor      Product               Version range   Fixed in
ntrglobal   ntr_activex_control   <= 1.1.8

Detection & IOCs (extracted from sources)

other: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA}
command: StopModule
command: test.StopModule(#{address});
  • Detect instantiation of the NTR ActiveX control by its CLSID {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} in HTML/script content or registry; any call to StopModule() on this object is the exploit trigger.
  • The exploit uses a heap-spray targeting address 0x0c0c0c0c; detect large JavaScript heap allocations combined with the NTR ActiveX CLSID in the same page.
  • The lModule parameter passed to StopModule() is used to dereference memory as a function pointer (call eax at .text:10004475); monitor for calls to StopModule() with non-zero/unusual integer arguments from browser processes.
  • The Metasploit module targets IE 6 and IE 7 on Windows XP SP3 and Vista; alert on ntractivex118 DLL loaded inside iexplore.exe followed by process migration (migrate -f).
  • The vulnerable module is ntractivex118 (NTR ActiveX 1.1.8.0); presence of this DLL in a browser process combined with a StopModule call should be treated as a high-confidence exploitation attempt.
  • The Metasploit module only targets IE 6.0–7.0 (ua_minver/ua_maxver); exploitation via other browsers or IE versions is not covered by this module and may behave differently.
  • The module includes an optional JavaScript obfuscation flag (OBFUSCATE); obfuscated variants of the exploit will evade signature-based JS detection but the CLSID and StopModule method name remain constant.
  • The heap address used (0x0c0c0c0c) and the stride multiplier (0x134) are fixed in this module version; variants may alter these values to evade numeric-pattern detection.
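
A static content check built on the two indicators the notes above call constant (the CLSID and the StopModule method name), as an added example that is not part of the original page or of any vendor tooling. The function names, verdict labels and sample pages are assumptions constructed for illustration; numeric values such as 0x0c0c0c0c are deliberately not used as match criteria because the notes say variants may change them.

```python
import re

# CLSID and method name come from the page; sample pages below are constructed.
NTR_CLSID = "E6ACF817-0A85-4EBE-9F0A-096C6488CFEA"
CLSID_RE = re.compile(r"\{?" + re.escape(NTR_CLSID) + r"\}?", re.I)
# Capture the argument text of any .StopModule(...) call; matched
# case-insensitively as a conservative choice.
CALL_RE = re.compile(r"\.\s*StopModule\s*\(([^)]*)\)", re.I)
INT_RE = re.compile(r"(0x[0-9a-f]+|\d+)$", re.I)


def parse_int(text):
    """Return the integer value of a decimal/hex literal, else None."""
    text = text.strip()
    if not INT_RE.match(text):
        return None
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def scan_page(html):
    """Classify one HTML/script document against the page's indicators."""
    clsid = CLSID_RE.search(html) is not None
    args = [m.strip() for m in CALL_RE.findall(html)]
    literals = [v for v in map(parse_int, args) if v is not None]
    if clsid and args:
        verdict = "high"      # control instantiated and StopModule called
    elif clsid:
        verdict = "review"    # control instantiated, trigger not seen
    elif args:
        verdict = "low"       # method name alone; may be another object
    else:
        verdict = "none"
    return {"verdict": verdict, "clsid": clsid, "call_args": args,
            "nonzero_literals": [v for v in literals if v != 0]}


# Constructed sample pages (no payload, arbitrary argument values).
PAGE_CALL = """<object classid="clsid:e6acf817-0a85-4ebe-9f0a-096c6488cfea"
 id="test"></object><script>test.StopModule(0x1234);</script>"""
PAGE_EMBED_ONLY = '<object classid="CLSID:E6ACF817-0A85-4EBE-9F0A-096C6488CFEA"></object>'
PAGE_VAR_ARG = PAGE_EMBED_ONLY + "<script>var a = f(); ctl . StopModule( a );</script>"
PAGE_CLEAN = "<p>Release notes: StopModule was renamed.</p>"

if __name__ == "__main__":
    for name in ("PAGE_CALL", "PAGE_EMBED_ONLY", "PAGE_VAR_ARG", "PAGE_CLEAN"):
        print(name, scan_page(globals()[name]))
```

The verdict does not depend on the argument being a literal, so a call that passes a computed variable is still rated "high" when the CLSID is present in the same document.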