Monday, July 9, 2012

IE Col Element Heap Overflow Vulnerability (CVE-2012-1876) PoC

Write-up coming soon.
UPDATE: VUPEN (who discovered this vulnerability) released a detailed blog post about it.

http://pastebin.com/9L5p7eBP

CVE-2012-1876 IE col element heap overflow PoC
Canberk Bolat - cbolat.blogspot.com

cg's width = 2021161 (2021161 * 100 = 0x0c0c0c04); this scaled value is what ends up in the corrupted Blink->Flink pointer in the !heap output below.

(1014.1158): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c04 ebx=02e2bae8 ecx=008cdf88 edx=0c0c0c0c esi=008de480 edi=008983e0
eip=0c0c0c0c esp=02e2b9fc ebp=02e2ba9c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
0c0c0c0c 0c0c            or      al,0Ch

1:019> !heap -x 0c0c0c0c
List corrupted: (Flink->Blink = 0c0c0c04) != (Block = 00890850)
HEAP 00830000 (Seg 00830000) At 00890848 Error: block list entry corrupted

List corrupted: (Blink->Flink = 0c0c0c04) != (Block = 0089d458)
HEAP 00830000 (Seg 00830000) At 0089d450 Error: block list entry corrupted

List corrupted: (Blink->Flink = 0c0c0c04) != (Block = 008a2f38)
HEAP 00830000 (Seg 00830000) At 008a2f30 Error: block list entry corrupted

ERROR: Block 008ccf90 previous size 36d3 does not match previous block size 12
HEAP 00830000 (Seg 00830000) At 008ccf90 Error: invalid block Previous
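To make the relationship between the width attribute and the crash dump easier to check, here is a small crash-triage helper. It is an added example, not code from the post or from VUPEN: it parses the WinDbg register line and the `!heap -x` findings pasted above, scales the width the way the post observes (times 100, an assumption taken from the note above) and reports whether that value shows up as a corrupted free-list link and whether EIP sits right next to it. The function names and the `0x10` proximity window are my own choices.

```python
import re

# WinDbg output as pasted in the post above (copied verbatim, not constructed).
SAMPLE_DUMP = """\
(1014.1158): Access violation - code c0000005 (first chance)
eax=0c0c0c04 ebx=02e2bae8 ecx=008cdf88 edx=0c0c0c0c esi=008de480 edi=008983e0
eip=0c0c0c0c esp=02e2b9fc ebp=02e2ba9c iopl=0         nv up ei pl nz na po nc
1:019> !heap -x 0c0c0c0c
List corrupted: (Flink->Blink = 0c0c0c04) != (Block = 00890850)
HEAP 00830000 (Seg 00830000) At 00890848 Error: block list entry corrupted
List corrupted: (Blink->Flink = 0c0c0c04) != (Block = 0089d458)
HEAP 00830000 (Seg 00830000) At 0089d450 Error: block list entry corrupted
List corrupted: (Blink->Flink = 0c0c0c04) != (Block = 008a2f38)
HEAP 00830000 (Seg 00830000) At 008a2f30 Error: block list entry corrupted
ERROR: Block 008ccf90 previous size 36d3 does not match previous block size 12
HEAP 00830000 (Seg 00830000) At 008ccf90 Error: invalid block Previous
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})")
LINK_RE = re.compile(
    r"List corrupted: \((Flink->Blink|Blink->Flink) = ([0-9a-f]{8})\) != \(Block = ([0-9a-f]{8})\)"
)
PREV_RE = re.compile(
    r"ERROR: Block ([0-9a-f]{8}) previous size ([0-9a-f]+) does not match previous block size ([0-9a-f]+)"
)


def parse_registers(text):
    """Return {register: int} from the x86 register dump lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def parse_heap_errors(text):
    """Collect !heap -x findings: corrupted list links and bad previous-size fields."""
    errors = []
    for line in text.splitlines():
        m = LINK_RE.search(line)
        if m:
            errors.append({"kind": "link", "which": m.group(1),
                           "value": int(m.group(2), 16), "block": int(m.group(3), 16)})
            continue
        m = PREV_RE.search(line)
        if m:
            errors.append({"kind": "prev_size", "block": int(m.group(1), 16),
                           "recorded": int(m.group(2), 16), "expected": int(m.group(3), 16)})
    return errors


def width_to_units(width, scale=100):
    """Scale a col width attribute the way the post observes (width * 100); assumption."""
    return width * scale


def triage(text, width):
    """Correlate the attacker-controlled width with what !heap and the registers show."""
    regs = parse_registers(text)
    errors = parse_heap_errors(text)
    controlled = width_to_units(width)
    link_values = {e["value"] for e in errors if e["kind"] == "link"}
    eip = regs.get("eip")
    return {
        "eip": eip,
        "controlled_value": controlled,
        "controlled_value_in_links": controlled in link_values,
        "link_blocks": [e["block"] for e in errors if e["kind"] == "link"],
        "prev_size_errors": sum(1 for e in errors if e["kind"] == "prev_size"),
        # Heuristic (my own): a crash address within 0x10 bytes of the controlled
        # value suggests execution went through the corrupted link rather than
        # the corruption merely being reported by !heap.
        "eip_near_controlled": eip is not None and 0 <= eip - controlled <= 0x10,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_DUMP, 2021161).items():
        shown = f"{val:#x}" if isinstance(val, int) and not isinstance(val, bool) else val
        print(f"{key}: {shown}")
```

Running it against the dump above reports the controlled value 0x0c0c0c04 as present in all three corrupted link entries, one bad previous-size field, and EIP eight bytes past the controlled value; feeding a different width (say, 1) returns no match, which is the quick way to tell a crash caused by this particular attribute from unrelated heap damage.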

2 comments:

hi @michee,

cg is the id of the colspan tag in my PoC

colgroup id="cg" width="2021161"