This bug is triggered when the browser handles a JavaScript 'onLoad' handler in conjunction with an improperly initialized 'window()' JavaScript function. This exploit results in a call to an address lower than the heap. The JavaScript prompt() places the shellcode near where the call operand points to. The module calls prompt() multiple times in separate iframes to place our return address. The module hides the prompts in a popup window behind the main window, then sprays the heap a second time with the shellcode and points the return address to the heap. It uses a fairly high address to make this exploit more reliable. IE will crash when the exploit completes. Also, please note that Internet Explorer must allow popups in order for exploitation to continue.
dfbe6b34adf9a6a1783c641f7329756e98c1bb69d235bba9e36f55dd9ec0f6b0
Technical Cyber Security Alert TA05-347A - Microsoft has released updates that address critical vulnerabilities in Internet Explorer (IE). A remote, unauthenticated attacker could exploit these vulnerabilities to execute arbitrary code or cause a denial of service on an affected system.
a14e4fd409749b1dcb627c71f7d1b18af314e447dde07afe0d11e981090d7f79
Proof of concept HTML that demonstrates the code execution flaw in the Microsoft Internet Explorer JavaScript Window() vulnerability, previously considered to be simply a denial of service flaw.
617a8516e87cb9951f301659df5d7232892ba0344c9836a98fce3a000bf703ef
This document serves as a reclassification advisory for the Microsoft Internet Explorer JavaScript Window() DoS vulnerability, originally reported on 31/05/2005. Contrary to popular belief, the aforementioned security issue is susceptible to remote arbitrary code execution, yielding full system access with the privileges of the underlying user.
2a70181bd083f6d889bbc3c19896a4b44f70d1e8ca2d53355313efbe522d8d67