CVE-2012-0266

NTR ActiveX Control < 2.0.4.8 - Remote Code Execution via Long bstrUrl or bstrParams

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2012-0266. PoCs published by Metasploit, Carsten Eiram, juan vazquez, including Metasploit module exploits/windows/browser/ntr_activex_check_bof.

AI-analyzed exploit summary: This Metasploit module exploits a buffer overflow in the NTR ActiveX Control's Check() method via a malicious web page, achieving remote code execution. It uses heap spraying and ROP chains to bypass DEP/ASLR on various Windows and IE versions.

Description

Multiple stack-based buffer overflows in the NTR ActiveX control before 2.0.4.8 allow remote attackers to execute arbitrary code via (1) a long bstrUrl parameter to the StartModule method, (2) a long bstrParams parameter to the Check method, a long bstrUrl parameter to the (3) Download or (4) DownloadModule method during construction of a .ntr pathname, or a long bstrUrl parameter to the (5) Download or (6) DownloadModule method during construction of a URL.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/21841

This Metasploit module exploits a buffer overflow in the NTR ActiveX Control's Check() method via a malicious web page, achieving remote code execution. It uses heap spraying and ROP chains to bypass DEP/ASLR on various Windows and IE versions.

Classification
Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: NTR ActiveX Control 1.1.8.0
No auth needed
Prerequisites: Victim must visit a malicious web page · NTR ActiveX Control installed · Java Runtime Environment 6 for DEP/ASLR bypass on Vista/7
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · NORMAL
by Carsten Eiram, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ntr_activex_check_bof.rb

This Metasploit module exploits a buffer overflow vulnerability in the NTR ActiveX Control's Check() method via insecure usage of strcat, leading to remote code execution. It includes heap spraying techniques and ROP chains to bypass DEP/ASLR on various Windows versions.

Classification
Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: NTR ActiveX Control 1.1.8.0
No auth needed
Prerequisites: Victim must visit a malicious web page · Java Runtime Environment 6 for DEP/ASLR bypass on Vista/7
devstral-2 · analyzed Feb 19, 2026

References (8)

Core References
Vendor Advisory x_refsource_misc
http://secunia.com/secunia_research/2012-1/
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-01/0074.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/21841
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/45166
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/72293
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/72292
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/78252
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/72291

Scores

EPSS 0.7366
EPSS Percentile 98.8%

Details

CWE: CWE-119
Status: published
Products (1): ntrglobal/ntr_activex_control < 1.1.8
Published: Jan 15, 2012
Tracked Since: Feb 18, 2026