Name | ie_setuserclip |
---|---|
CVE | CVE-2010-3962 Exploit Pack |

Notes:

This bug was discovered in the wild.

IE6, 7 and 8 are vulnerable to this bug, but because of its behaviour some versions will not be exploitable.

The only fully patched IE that I found vulnerable was IE6, but it deserves more research on other ways to trigger it.

The behaviour of this bug is:

object[0] |= 0x1

This ORs the vtable pointer with 1 and, because the pointer is aligned, the effect is vtable = vtable + 1. Any later call through the vtable is then offset by one, so it lands in different regions of memory depending on the version of mshtml.
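
The effect described in the notes above can be reproduced on a simulated table. This is an added example, not code from the exploit pack or from Microsoft: the slot values are constructed, the function names are hypothetical, and the alignment check assumes 4-byte-aligned vtables on 32-bit x86. It shows that each fetched slot becomes a mix of bytes from two adjacent entries, which is why the call target changes with the mshtml build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: four 32-bit vtable slots (not real mshtml addresses). */
static const uint32_t SAMPLE_SLOTS[4] = {
    0x11223344u, 0x55667788u, 0x99AABBCCu, 0xDDEEFF00u
};
#define TABLE_BYTES 16u

/* Lay the slots out byte by byte, as a little-endian x86 process stores them. */
static void store_table(uint8_t *mem) {
    for (size_t i = 0; i < 4; i++)
        for (size_t b = 0; b < 4; b++)
            mem[4 * i + b] = (uint8_t)(SAMPLE_SLOTS[i] >> (8 * b));
}

/* The object[0] |= 0x1 step from the notes, applied to a vtable pointer. */
uint32_t apply_bug(uint32_t vtable_ptr) { return vtable_ptr | 0x1u; }

/* Dword a virtual call would fetch for `slot` when the vtable pointer is
 * `off` bytes into the table; returns 0 if the read would leave the table. */
uint32_t fetch_slot(uint32_t off, unsigned slot) {
    uint8_t mem[TABLE_BYTES];
    uint32_t at = off + 4u * slot, v = 0;
    if (at + 4u > TABLE_BYTES) return 0;
    store_table(mem);
    for (unsigned b = 0; b < 4; b++)
        v |= (uint32_t)mem[at + b] << (8 * b);
    return v;
}

/* Triage heuristic (assumption: vtables are 4-byte aligned on 32-bit x86):
 * an object whose first dword is not aligned shows this corruption pattern. */
int vtable_ptr_looks_sane(uint32_t vtable_ptr) { return (vtable_ptr & 3u) == 0; }

int main(void) {
    uint32_t good = 0, bad = apply_bug(good);   /* offsets into the sample table */
    for (unsigned s = 0; s < 3; s++)
        printf("slot %u: intended %08x, fetched %08x\n", s,
               (unsigned)fetch_slot(good, s), (unsigned)fetch_slot(bad, s));
    printf("aligned=%d corrupted=%d\n",
           vtable_ptr_looks_sane(good), vtable_ptr_looks_sane(bad));
    return 0;
}
```
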
VersionsAffected: IE 6, 7, 8
VENDOR: Microsoft
CVE Name: CVE-2010-3962