CVE-2006-4777

EXPLOITED

Internet Explorer 6.0 SP1 - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2006-4777 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Metasploit, nop, Mario1234, including a Metasploit module exploits/windows/browser/ms06_067_keyframe.

AI-analyzed exploit summary This is a Metasploit module exploiting a heap overflow vulnerability in the KeyFrame method of the DirectAnimation.PathControl ActiveX control (CVE-2006-4777). It uses heap spraying and JavaScript obfuscation to achieve remote code execution on vulnerable Windows systems.

Description

Heap-based buffer overflow in the DirectAnimation Path Control (DirectAnimation.PathControl) COM object (daxctle.ocx) for Internet Explorer 6.0 SP1, on Chinese and possibly other Windows distributions, allows remote attackers to execute arbitrary code via unknown manipulations in arguments to the KeyFrame method, possibly related to an integer overflow, as demonstrated by daxctle2, and a different vulnerability than CVE-2006-4446.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16506

This is a Metasploit module exploiting a heap overflow vulnerability in the KeyFrame method of the DirectAnimation.PathControl ActiveX control (CVE-2006-4777). It uses heap spraying and JavaScript obfuscation to achieve remote code execution on vulnerable Windows systems.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Internet Explorer with DirectAnimation.PathControl ActiveX control
No auth needed
Prerequisites: Vulnerable version of Internet Explorer · ActiveX enabled · Target visits malicious webpage
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by nop · cremotewindows
https://www.exploit-db.com/exploits/2358

This exploit targets a heap overflow vulnerability in Internet Explorer's DirectAnimation.PathControl COM object (CVE-2006-4777). It generates an HTML file with malicious JavaScript that triggers the overflow and executes shellcode to download and run an arbitrary executable from a specified URL.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Internet Explorer 6.0 SP1 (Windows 2000 Server SP4, Windows XP SP2)
No auth needed
Prerequisites: Victim must visit the crafted HTML page using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by Mario1234 · client-side
https://github.com/Mario1234/js-driveby-download-CVE-2006-4777

This repository contains a functional JavaScript exploit for CVE-2006-4777, targeting Internet Explorer 6.0 SP1 on Windows XP SP2. The exploit leverages heap spraying and memory corruption to achieve fileless, drive-by RCE without user consent.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Internet Explorer 6.0 SP1 on Windows XP SP2
No auth needed
Prerequisites: Victim must be using Internet Explorer 6.0 SP1 on Windows XP SP2 · JavaScript must be enabled
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC NORMAL
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms06_067_keyframe.rb

This Metasploit module exploits a heap overflow vulnerability in the KeyFrame method of the DirectAnimation.PathControl ActiveX control (CVE-2006-4777). It uses heap spraying and JavaScript obfuscation to achieve remote code execution on vulnerable Windows systems.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Internet Explorer with DirectAnimation.PathControl ActiveX control (Daxctle.OCX)
No auth needed
Prerequisites: Vulnerable version of Internet Explorer · ActiveX controls enabled · Target visits malicious webpage
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (18)

Core 18
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016854
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21910
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/1577
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA06-318A.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3593
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/28842
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/446246/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/446084/100/0/threaded
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/377369
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/28942
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20047
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/446065/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1103
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/445898/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/446085/100/0/threaded

Scores

EPSS 0.8757
EPSS Percentile 99.5%

Details

VulnCheck KEV 2006-11-14
CWE
CWE-119
Status published
Products (1)
microsoft/ie 6.0 sp1
Published Sep 14, 2006
Tracked Since Feb 18, 2026