CVE-2016-3210
published 2016-06-16

Priority: P276 high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ITW: VulnCheck KEV, exploited in the wild
EPSS: 21.86% (97.3th percentile)

The Microsoft (1) JScript and (2) VBScript engines, as used in Internet Explorer 11, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability."

Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | | |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_7_for_32-bit_systems_service_pack_1 | | |
| msrc | internet_explorer_11_on_windows_7_for_x64-based_systems_service_pack_1 | | |
| msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_rt_8.1 | | |
| msrc | internet_explorer_11_on_windows_server_2008_r2_for_x64-based_systems_service_pac | | |
| msrc | internet_explorer_11_on_windows_server_2012_r2 | | |

Detection & IOCs (extracted from sources)

path: %windir%\system32\vbscript.dll
path: %windir%\system32\jscript.dll
path: %windir%\syswow64\vbscript.dll
path: %windir%\syswow64\jscript.dll
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,to_client; file.data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|"; classtype:attempted-admin; sid:2023569; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, cve CVE_2016_3210, deployment Perimeter, confidence High, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2024_03_14;)
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,to_client; file.data; content:"|43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65|"; nocase; content:"|73 70 72 61 79 48 65 61 70|"; nocase; content:"|73 65 74 41 64 64 72 65 73 73|"; nocase; content:"|30 78 63 36 62 65 63|"; nocase; content:"|30 78 46 46 46 46 30 30 30 30|"; nocase; classtype:attempted-admin; sid:2023568; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, cve CVE_2016_3210, deployment Perimeter, confidence High, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2024_03_14;)
  • Exploit is associated with the Sundown Exploit Kit (tag: Exploit_Kit_Sundown); network traffic should be inspected on HTTP responses from external hosts to client endpoints for the characteristic byte patterns.
  • Exploit payload contains the string 'writeN(ropaddr + i * 4, rop[i], 4);' (decoded from |77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|), indicating ROP chain construction targeting the scripting engine heap.
  • Exploit payload (sid:2023568) contains multiple co-occurring strings decoded as 'CollectGarbage', 'sprayHeap', 'setAddress', '0xc6bec', and '0xFFFF0000', indicating heap spray and memory manipulation primitives in the exploit script.
  • Detection should focus on HTTP responses (flow:established,to_client) carrying exploit content, consistent with a drive-by download delivery model.
  • Microsoft rates exploitation as 'More Likely' for both latest and older software releases; prioritize detection on Internet Explorer 11 endpoints running JScript/VBScript.
  • The Snort rules (sid:2023568, sid:2023569) use the 'file.data' sticky buffer, which requires a Snort/Suricata version that supports this buffer for HTTP response body inspection; ensure your sensor supports this keyword.
  • The workaround of restricting access to vbscript.dll and jscript.dll will break websites that rely on VBScript or JScript, and must be carefully evaluated before deployment.

CVSS provenance

nvd v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd v2.0: 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 8.8 HIGH
vendor_msrc: 8.8 CRITICAL