CVE-2015-1730
published 2015-06-10

Priority: P2 · 60 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 29.39% (97.9th percentile)

Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

Affected (1 range)

Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

other: 0x28000201
other: 0x28000300
other: 0x09000000
command: stackOverflowHighOnStack.apply(0, new Array(0x2000))
bytes: 0xCCCCCCCC
  • Detect recursive JavaScript stack exhaustion via Function.apply() with extremely large argument arrays (0x2000 / 0x200 elements) in IE9 jscript9.dll — indicative of CVE-2015-1730 exploitation.
  • Detect creation of a URIError object whose 'name' property is set to itself (circular reference) followed by string coercion attempts — the minimal trigger pattern for this vulnerability.
  • Detect heap spray targeting address range around 0x09000000 with repeated DWORD patterns including fake vftable pointer 0x28000201 and shellcode stub at 0x28000300 (int3 sled: 0xCCCCCCCC).
  • Detect use of window.open('about:blank') followed by execScript() cross-window to set up the vulnerable URIError circular reference — a two-window setup is characteristic of this exploit.
  • The vulnerability resides in the JavaScriptStackWalker class in jscript9.dll (Internet Explorer 9); monitor for crashes or AV hits in jscript9.dll during double stack-exhaustion exception sequences.
  • The exploit is specific to Internet Explorer 9 and the jscript9.dll engine; other IE versions or browsers are not affected by this particular JavaScriptStackWalker pointer reuse bug.
  • The heap spray and stack spray are probabilistic, not deterministic — the exploit relies on statistical likelihood of controlling the vulnerable pointer's target, so reliability may vary across system configurations.