CVE-2012-4969
Published: 2012-09-18
Priority: P1 (87) · Severity: high · CVSS 3.1 base score: 8.1 · Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-06-22) · Exploited in the wild
EPSS: 81.72% (99.6th percentile)
Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012.
Affected
4 ranges (version bounds and fixed versions are not populated in the source data; the description covers IE 6 through 9)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
Snort/Suricata rule (ET sid:2020099):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit 2"; flow:established,to_client; file.data; content:"execCommand"; nocase; content:"YMjf"; content:"u0c08"; distance:1; within:6; content:"u0c0cKDog"; distance:1; within:10; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2020099; rev:10; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2015_01_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, confidence Low, signature_severity Major, tag Web_Client_Attacks, tag Metasploit, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:dest_ip;)
Byte pattern (from source):
\x81\xc4\x54\xf2\xff\xff
- The exploit triggers the UAF from JavaScript by calling document.execCommand('selectAll') inside an iframe, after a heap spray that uses the distinctive string 'YMjf\u0c08\u0c0cKDog' as an img src value. Network detection should look for this string pattern in HTTP responses. Note that the two escapes \u0c08\u0c0c, stored as UTF-16LE, are the bytes 08 0c 0c 0c, which is the controlled EDI value 0x0c0c0c08 in the next item.
- The crash/exploitation point is mshtml!CMshtmlEd::Exec+0x134 (address 637d464e in the analysed build), with EDI controlled (0x0c0c0c08), indicative of a heap spray with the 0x0c0c0c0c pattern. The symbol+offset is the portable indicator; the absolute address depends on the mshtml.dll build and load address. Monitor for heap-spray patterns in that address range.
- For WinXP SP3 with IE8, the ROP chain uses msvcrt gadgets at hardcoded addresses (0x77c4e393, 0x77c4e392, 0x77c15ed5). For Vista/Win7 with IE8/IE9 it uses JRE gadgets at 0x7c347f98, 0x7c347f97, 0x7c348b05. The presence of these addresses in memory or in a network payload is a strong indicator.
- The Metasploit module sets 'migrate -f' as InitialAutoRunScript, so post-exploitation process migration happens immediately. Look for iexplore.exe spawning unexpected child processes shortly after the page loads.
- The exploit is delivered by a browser-targeting HTTP server; the module generates two random-named HTML files (5 and 6 alphabetic characters, e.g. 'xxxxx.html' and 'xxxxxx.html'). The initial request is redirected to the first, which loads the second in an iframe. Two sequential requests for short random .html paths from the same client is a behavioural indicator.
- The Metasploit module targets IE 7 through 9 (ua_minver 7.0, ua_maxver 9.0) and answers other browsers with a 404; the underlying bug affects IE 6 through 9. Correlate IE 7/8/9 User-Agent requests to suspicious or newly seen domains with this pattern.
- ROP chain validity depends on the target OS and installed software. For WinXP SP3 with IE8, msvcrt must be present. For Vista or Win7 with IE8/IE9, JRE 1.6.x or below must be installed. Exploitation fails if these dependencies are not met.
- The Metasploit module's optional OBFUSCATE option enables JavaScript obfuscation, which can evade content signatures that look for plaintext JavaScript patterns, including the escape text matched by the rule above.
- Exploitation was observed in the wild from September 14, 2012, before a patch was available. Public Metasploit module availability broadened the threat beyond targeted attacks.
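The two behavioural indicators above (an IE 7 to 9 User-Agent, then a 5-letter .html followed by a 6-letter .html on the same host in quick succession) turned into a log correlation, as an added example that is not from any source on this page. The tab-separated log format (timestamp, client, method, URL, status, User-Agent), the log lines, the paths and the window of 10 seconds are all constructed for the example; the hosts use RFC 5737 documentation addresses.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

IE_VERSION = re.compile(r"MSIE (\d+)\.(\d+)")
FIRST_PAGE = re.compile(r"^/[A-Za-z]{5}\.html$")    # landing page: 5 random letters
SECOND_PAGE = re.compile(r"^/[A-Za-z]{6}\.html$")   # iframe target: 6 random letters


def parse_line(line):
    """Constructed log format: TAB-separated ts, client, method, url, status, ua."""
    ts, client, method, url, status, ua = line.rstrip("\n").split("\t", 5)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "status": int(status), "ua": ua}


def is_ie_7_to_9(ua):
    """The module only serves MSIE 7.0-9.0; everything else gets a 404."""
    m = IE_VERSION.search(ua)
    return m is not None and 7 <= int(m.group(1)) <= 9


def find_sequences(lines, window_s=10):
    """Per (client, host): a 5-letter .html fetched by an IE 7-9 UA, followed
    within window_s seconds by a 6-letter .html on the same host."""
    window = timedelta(seconds=window_s)
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    per_pair = {}
    for e in events:
        if not is_ie_7_to_9(e["ua"]):
            continue
        parts = urlsplit(e["url"])
        per_pair.setdefault((e["client"], parts.netloc), []).append((e["ts"], parts.path))
    hits = []
    for (client, host), reqs in per_pair.items():
        for i, (t1, p1) in enumerate(reqs):
            if not FIRST_PAGE.match(p1):
                continue
            for t2, p2 in reqs[i + 1:]:
                if t2 - t1 > window:
                    break
                if SECOND_PAGE.match(p2):
                    hits.append({"client": client, "host": host, "first": p1,
                                 "second": p2, "gap_s": (t2 - t1).total_seconds()})
                    break
    return hits


IE8_XP = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"

# Constructed proxy log: one real-looking sequence (302 to the landing page, then
# the iframe page), one benign IE client on common names, one Chrome client.
SAMPLE_LOG = "\n".join([
    "\t".join(["2012-09-17T10:00:01", "10.1.2.3", "GET", "http://203.0.113.7/", "302", IE8_XP]),
    "\t".join(["2012-09-17T10:00:01", "10.1.2.3", "GET", "http://203.0.113.7/QzpKf.html", "200", IE8_XP]),
    "\t".join(["2012-09-17T10:00:02", "10.1.2.3", "GET", "http://203.0.113.7/NcbTxe.html", "200", IE8_XP]),
    "\t".join(["2012-09-17T10:00:05", "10.1.2.9", "GET", "http://example.com/index.html", "200", IE8_XP]),
    "\t".join(["2012-09-17T10:00:40", "10.1.2.9", "GET", "http://example.com/search.html", "200", IE8_XP]),
    "\t".join(["2012-09-17T10:00:07", "10.1.2.4", "GET", "http://198.51.100.5/abcde.html", "200", CHROME]),
    "\t".join(["2012-09-17T10:00:08", "10.1.2.4", "GET", "http://198.51.100.5/abcdef.html", "200", CHROME]),
])

if __name__ == "__main__":
    for hit in find_sequences(SAMPLE_LOG.splitlines()):
        print(hit)
```

With the 10-second window only the 203.0.113.7 sequence fires; the Chrome client on the same path shape is ignored because the module never serves non-IE browsers. Widen the window to 60 seconds and the benign /index.html then /search.html pair on example.com also matches, which is why this heuristic should be gated on a newly seen or IP-literal host (and, where available, the preceding 302 from "/") rather than used on its own.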
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.1 | HIGH | — |
| cisa | — | 8.1 | HIGH | — |
(CVSS v2 severity bands top out at HIGH; the CRITICAL label on the v2 row is this page's own banding.)
GHSA
GHSA-xvh2-pw6x-f8hh: Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml
ghsa_unreviewed · 2022-05-17 · CVE-2012-4969 [HIGH] · CWE-416
Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012.
VulnCheck
Microsoft Internet Explorer Use-After-Free Vulnerability
vulncheck · 2012 · CVSS 8.1 · CVE-2012-4969 [HIGH]
Microsoft Internet Explorer contains a use-after-free vulnerability that allows remote attackers to execute code via a crafted web site.
Affected: Microsoft Internet Explorer
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.cve.org/CVERecord?id=CVE-2012-4969
- https://cybersecurity.att.com/blogs/labs-research/new-sykipot-developments
- https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/
- https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-22
CISA
Microsoft Internet Explorer Use-After-Free Vulnerability
cisa · 2022-06-08 · CVSS 8.1 · CVE-2012-4969 [HIGH]
Affected: Microsoft Internet Explorer
Microsoft Internet Explorer contains a use-after-free vulnerability that allows remote attackers to execute code via a crafted web site.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2012-4969
Remediation Due Date: 2022-06-22
Suricata
ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit 2
suricata · 2015-01-06 · CVSS 8.1 · CVE-2012-4969 [HIGH]
Rule: ET sid:2020099 rev:10, reproduced in full under Detection & IOCs above. Its content chain is execCommand (nocase), then YMjf, then u0c08 at distance 1 within 6, then u0c0cKDog at distance 1 within 10: the distance:1 steps skip the backslash of each \u escape, so the rule matches the literal JavaScript escape text, not the decoded characters.
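As an added example (not from this page's sources or from the Emerging Threats rule set), the following Python re-implements the content/distance/within chain of ET sid:2020099 as a plain function, so the rule's behaviour can be checked offline against constructed HTTP responses. It models Suricata's file.data buffer only as far as stripping the response headers and gzip-decoding the body; the pages and the response framing are constructed for the example, not captured traffic.

```python
import gzip

# The content chain of ET sid:2020099, one dict per `content:` keyword in rule
# order. distance/within are relative to the END of the previous match, as in
# Suricata and Snort; a content with neither modifier is searched from offset 0.
ET_2020099 = [
    {"content": b"execCommand", "nocase": True},
    {"content": b"YMjf"},
    {"content": b"u0c08", "distance": 1, "within": 6},      # skips the backslash of \u0c08
    {"content": b"u0c0cKDog", "distance": 1, "within": 10},  # skips the backslash of \u0c0c
]


def chain_matches(data, chain, idx=0, prev_end=0):
    """Recursive matcher: tries every candidate position for chain[idx] that
    satisfies its distance/within window, then the rest of the chain."""
    if idx == len(chain):
        return True
    kw = chain[idx]
    needle, hay = kw["content"], data
    if kw.get("nocase"):
        needle, hay = needle.lower(), data.lower()
    relative = "distance" in kw or "within" in kw
    lo = prev_end + kw.get("distance", 0) if relative else 0
    hi = prev_end + kw["within"] if relative and "within" in kw else len(data)
    pos = hay.find(needle, lo)
    while pos != -1:
        end = pos + len(needle)
        if end > hi:            # later candidates only end later: give up here
            return False
        if chain_matches(data, chain, idx + 1, end):
            return True
        pos = hay.find(needle, pos + 1)
    return False


def file_data(raw_response):
    """Approximates Suricata's file.data: the body after HTTP framing, decoded.
    Only gzip Content-Encoding is handled here; chunked encoding is not."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    if b"content-encoding: gzip" in head.lower():
        body = gzip.decompress(body)
    return body


def alert_sid(raw_response):
    """Return 2020099 when the rule's content chain matches, else None."""
    return 2020099 if chain_matches(file_data(raw_response), ET_2020099) else None


def http_response(body, gzip_encoded=False):
    """Constructed HTTP/1.1 200 response wrapping `body` (not captured traffic)."""
    headers = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if gzip_encoded:
        body = gzip.compress(body)
        headers += b"Content-Encoding: gzip\r\n"
    return headers + b"Content-Length: %d\r\n\r\n" % len(body) + body


# Constructed pages. EXPLOIT_HTML mirrors the trigger/spray shape described on
# this page: the marker string as an img src, then execCommand('selectAll').
EXPLOIT_HTML = (b"<html><body><script>\n"
                b"var img = document.createElement('img');\n"
                b"img.src = 'YMjf\\u0c08\\u0c0cKDog';\n"
                b"document.execCommand('selectAll');\n"
                b"</script></body></html>")
BENIGN_HTML = b"<script>document.execCommand('bold', false, null);</script>"
# Same tokens, but two extra bytes between YMjf and \u0c08 fall outside within:6.
SPACED_HTML = b"<script>document.execCommand('selectAll'); s='YMjf  \\u0c08\\u0c0cKDog';</script>"

if __name__ == "__main__":
    for name, page in [("exploit", EXPLOIT_HTML), ("benign", BENIGN_HTML), ("spaced", SPACED_HTML)]:
        print(name, alert_sid(http_response(page)), alert_sid(http_response(page, gzip_encoded=True)))
```

Two things the run makes concrete: the rule fires on the escape text as written in the JavaScript, so the module's OBFUSCATE option (which rewrites that text) or any re-encoding of the marker string defeats it, and the match happens on the decoded body, so a sensor that does not decompress gzip responses never sees the pattern at all.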
Exploit-DB
Microsoft Internet Explorer - execCommand Use-After-Free (MS12-063) (Metasploit)
exploitdb · 2012-10-10 · CVE-2012-4969
Module source as carried by Exploit-DB. The excerpt is cut off in the source data; the class header and include lines between the require and the autopwn_info block were lost in extraction and are marked as such.
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # ... Rank and include lines lost in extraction ...

  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "7.0",
    :ua_maxver  => "9.0",
    :javascript => true,
    :rank       => GoodRanking
  })

  def initialize(info={})
    super(update_info(info,
      'Name'        => "MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability",
      'Description' => %q{
        This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When
        rendering an HTML page, the CMshtmlEd object gets deleted in an u
        (excerpt truncated in the source data)
```
Metasploit
MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
metasploit · modules/exploits/windows/browser/ie_execcommand_uaf.rb
This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012. Also note that presently, this module has some target dependencies for the ROP chain to be valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default). For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which is often the case).
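Added example, not from this page's sources: a triage check that runs over a memory region of the browser process for the two memory-side indicators listed under Detection & IOCs, long runs of the 0x0c0c0c0c spray pattern and the little-endian encodings of the ROP gadget addresses quoted for the module's msvcrt and JRE targets. It also shows where the controlled EDI value comes from: the JavaScript escapes \u0c08\u0c0c are stored in UTF-16LE as 08 0c 0c 0c, which read as a DWORD is 0x0c0c0c08. The dump is constructed inside the block, and the 4 KiB run threshold is an assumption.

```python
import random
import struct

# Gadget addresses quoted on this page for the Metasploit module's targets.
GADGETS = {
    "WinXP SP3 + IE8 (msvcrt)": [0x77c4e393, 0x77c4e392, 0x77c15ed5],
    "Vista/Win7 + IE8/IE9 (JRE 1.6)": [0x7c347f98, 0x7c347f97, 0x7c348b05],
}
SPRAY_DWORD = b"\x0c\x0c\x0c\x0c"


def js_escape_to_dword(js_string):
    """Little-endian DWORD formed by the UTF-16LE bytes of the first two
    characters of a JavaScript string, i.e. what the sprayed heap holds."""
    return struct.unpack("<I", js_string.encode("utf-16-le")[:4])[0]


def longest_spray_run(blob, marker=SPRAY_DWORD):
    """Longest run of back-to-back `marker` dwords, at any byte alignment."""
    best = cur = i = 0
    while i + len(marker) <= len(blob):
        if blob[i:i + len(marker)] == marker:
            cur += 1
            best = max(best, cur)
            i += len(marker)
        else:
            cur = 0
            i += 1
    return best


def find_gadget_refs(blob):
    """Offsets where any listed gadget address appears as a raw LE pointer."""
    refs = []
    for target, addrs in GADGETS.items():
        for addr in addrs:
            needle = struct.pack("<I", addr)
            off = blob.find(needle)
            while off != -1:
                refs.append({"target": target, "address": addr, "offset": off})
                off = blob.find(needle, off + 1)
    return refs


def triage(blob, min_run=1024):
    """min_run=1024 dwords is 4 KiB of contiguous 0x0c0c0c0c (assumed threshold)."""
    run = longest_spray_run(blob)
    refs = find_gadget_refs(blob)
    if run >= min_run and refs:
        verdict = "heap spray + known ROP chain"
    elif run >= min_run:
        verdict = "heap spray"
    elif refs:
        verdict = "gadget refs only"
    else:
        verdict = "clean"
    return {"longest_0c0c0c0c_run": run, "gadget_refs": refs, "verdict": verdict}


def build_sample_dump(seed=7):
    """Constructed stand-in for an iexplore.exe heap region (not a real dump):
    random filler, 16 KiB of spray, then the XP/IE8 msvcrt gadget triple."""
    rng = random.Random(seed)
    noise = bytes(rng.getrandbits(8) for _ in range(512))
    spray = SPRAY_DWORD * 4096
    rop = struct.pack("<III", 0x77c4e393, 0x77c4e392, 0x77c15ed5)
    return noise + spray + rop + noise


if __name__ == "__main__":
    print(hex(js_escape_to_dword("\u0c08\u0c0c")))   # 0xc0c0c08
    print(triage(build_sample_dump()))
```

The gadget addresses are only meaningful for the exact msvcrt.dll and JRE builds the module hardcodes, so a miss here does not clear a host; the spray run is the more robust of the two signals, and a dump taken after 'migrate -f' has run will come from a different process than the one that was sprayed.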
Unit42
Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists
blogs_unit42 · 2016-01-24 · Robert Falcone, Jen Miller-Osborn · Threat Research / Malware
Tags: Android, Apple, BrutishCommand, CallMe, Cyber espionage, Cyber Threat Alliance, Cybersecurity, Espionage, FakeM, Mac OS X, Microsoft, MobileOrder, Psylo, Scarlet Mimic, SkiBoot Loader, SubtractThis, Trojans
## Executive Summary
Over the past seven months, Unit 42 has been investigating a series of attacks we attribute to a group we have code named “Scarlet Mimic.” The attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved.
The goal of this report is to expose the tools, tactics and infrastructure deployed by Scarlet Mimic in order to increase awareness of this threat and decrease its operational…
Krebs
In a Zero-Day World, It’s Active Attacks that Matter – Krebs on Security
blogs_krebs · 2012-10-01
The recent zero-day vulnerability in Internet Explorer caused many (present company included) to urge Internet users to consider surfing the Web with a different browser until Microsoft issued a patch. Microsoft did so last month, but not before experts who ought to have known better began downplaying such advice, pointing out that other browser makers have more vulnerabilities and just as much exposure to zero-day flaws.
This post examines hard data that shows why such reasoning is more emotional than factual. Unlike Google Chrome and Mozilla Firefox users, IE users were exposed to active attacks against unpatched, critical vulnerabilities for months at a time over the past year and a half.
Attackers exploited zero-day holes in Internet Explorer for at least 89 days over the past 19 mon…
Zscaler
Zscaler found Multiple Security Vulnerabilities | 09-18-2012
blogs_zscaler
Zscaler
Zscaler Protects Against Microsoft’s Out-of-Band Security Update | Zscaler
blogs_zscaler · CVSS 9.3 · [CRITICAL]
CTF
17. Using the Metasploit-Framework
ctf_writeups
# Using the Metasploit-Framework
The Metasploit Framework is an open-source set of tools used for network enumeration, attacks, testing security vulnerabilities, evading detection, performing privilege escalation attacks, and performing post-exploitation.
### Cheatsheet
#### MSFconsole Commands
| **Command** | **Description** |
| :--- | :--- |
| `show exploits` | Show all exploits within the Framework. |
| `show payloads` | Show all payloads within the Framework. |
| `show auxiliary` | Show all auxiliary modules within the Framework. |
| `search` | Search for exploits or modules within the … |
References
- http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/
- http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ie_execcommand_uaf.rb
- http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/
- http://technet.microsoft.com/security/advisory/2757760
- http://www.kb.cert.org/vuls/id/480095
- http://www.securitytracker.com/id?1027538
- http://www.securityweek.com/new-internet-explorer-zero-day-being-exploited-wild
- http://www.us-cert.gov/cas/techalerts/TA12-255A.html
- http://www.us-cert.gov/cas/techalerts/TA12-262A.html
- http://www.us-cert.gov/cas/techalerts/TA12-265A.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15729
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-4969
Timeline
2012-09-18: Published
2022-06-08: Added to CISA KEV
Exploited in the wild