CVE-2010-3973

WMI Administrative Tools < 1.1 - Remote Code Execution via WBEMSingleView.ocx AddContextRef Method

Exploitation Summary

EIP tracks 3 public exploits for CVE-2010-3973. PoCs were published by Metasploit, WooYun, MC and jduck, including the Metasploit module exploits/windows/browser/wmi_admintools.

AI-analyzed exploit summary: This Metasploit module exploits a buffer overflow in the Microsoft WMI Administration Tools ActiveX control (WBEMSingleView.ocx) via a trusted pointer dereference in 'AddContextRef' and 'ReleaseContext' methods. It uses heap spraying and ROP with mscorie.dll to bypass DEP/ASLR, achieving arbitrary code execution.

Description

The WMITools ActiveX control in WBEMSingleView.ocx 1.50.1131.0 in Microsoft WMI Administrative Tools 1.1 and earlier in Microsoft Windows XP SP2 and SP3 allows remote attackers to execute arbitrary code via a crafted argument to the AddContextRef method, possibly an untrusted pointer dereference, aka "Microsoft WMITools ActiveX Control Vulnerability."

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16516

This Metasploit module exploits a buffer overflow in the Microsoft WMI Administration Tools ActiveX control (WBEMSingleView.ocx) via a trusted pointer dereference in 'AddContextRef' and 'ReleaseContext' methods. It uses heap spraying and ROP with mscorie.dll to bypass DEP/ASLR, achieving arbitrary code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft WMI Administration Tools ActiveX Control (1.50.1131.0)
No auth needed
Prerequisites: Victim must visit a malicious webpage · Target must have the vulnerable ActiveX control installed · Target must use a vulnerable version of Internet Explorer (6.0, 7.0, or 8.0)
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by WooYun · html · remote · windows
https://www.exploit-db.com/exploits/15809

This exploit leverages a heap spray technique to trigger a use-after-free vulnerability in the Adobe Flash Player ActiveX control (CVE-2010-4588), executing arbitrary shellcode (calc.exe in this case) via a crafted HTML file.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Flash Player ActiveX (likely versions prior to 10.1.102.64)
No auth needed
Prerequisites: Victim must visit a malicious webpage with the exploit · Adobe Flash Player ActiveX control must be installed and vulnerable
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · GREAT
by WooYun, MC, jduck · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/wmi_admintools.rb

This Metasploit module exploits a buffer overflow in the Microsoft WMI Administration Tools ActiveX control (WBEMSingleView.ocx) by treating the 'lCtxHandle' parameter as a trusted pointer, leading to arbitrary code execution. It uses heap spraying and .NET 2.0 'mscorie.dll' to bypass DEP and ASLR.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft WMI Administration Tools ActiveX Control (1.50.1131.0)
No auth needed
Prerequisites: Victim must visit a malicious webpage · ActiveX control must be installed and enabled
devstral-2 · analyzed Feb 19, 2026

References (10)

Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3301
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/64250
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12475
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/725596
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/45546
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/15809
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42693

Scores

EPSS 0.7174
EPSS Percentile 99.3%

Details

CWE: CWE-94
Status: published
Products (1): microsoft/wmi_administrative_tools < 1.1
Published: Dec 23, 2010
Tracked Since: Feb 18, 2026