Skip to content

Latest commit

 

History

History
71 lines (45 loc) · 2.99 KB

README.md

File metadata and controls

71 lines (45 loc) · 2.99 KB

From Crash to Exploit: CVE-2015-6086 - Out of Bound Read/ASLR Bypass

 $$$$$$\  $$\    $$\ $$$$$$$$\       $$$$$$\   $$$$$$\    $$\  $$$$$$$\          $$$$$$\   $$$$$$\   $$$$$$\
$$  __$$\ $$ |   $$ |$$  _____|     $$  __$$\ $$$ __$$\ $$$$ | $$  ____|        $$  __$$\ $$$ __$$\ $$  __$$\
$$ /  \__|$$ |   $$ |$$ |           \__/  $$ |$$$$\ $$ |\_$$ | $$ |             $$ /  \__|$$$$\ $$ |$$ /  $$ |
$$ |      \$$\  $$  |$$$$$\ $$$$$$\  $$$$$$  |$$\$$\$$ |  $$ | $$$$$$$\ $$$$$$\ $$$$$$$\  $$\$$\$$ | $$$$$$  |
$$ |       \$$\$$  / $$  __|\______|$$  ____/ $$ \$$$$ |  $$ | \_____$$\\______|$$  __$$\ $$ \$$$$ |$$  __$$<
$$ |  $$\   \$$$  /  $$ |           $$ |      $$ |\$$$ |  $$ | $$\   $$ |       $$ /  $$ |$$ |\$$$ |$$ /  $$ |
\$$$$$$  |   \$  /   $$$$$$$$\      $$$$$$$$\ \$$$$$$  /$$$$$$\\$$$$$$  |        $$$$$$  |\$$$$$$  /\$$$$$$  |
 \______/     \_/    \________|     \________| \______/ \______|\______/         \______/  \______/  \______/

Copyright 2016 © Payatu Technologies Pvt. Ltd.

Improper handling of new line and white space character caused Out of Bound Read in CDOMStringDataList::InitFromString. This flaw can be used to leak the base address of MSHTML.DLL and effectively bypass Address Space Layout Randomization.

Affected Version

  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11

Test Bed

  • IE: 10 & 11
  • KB: KB3087038
  • OS: Windows 7 SP1 x86

Advisory

Blog Post

http://www.payatu.com/from-crash-to-exploit/

Author

Ashfaq Ansari

ashfaq[at]payatu[dot]com

@HackSysTeam | Blog | null

Payatu Technologies

http://www.payatu.com/

Workshop Conducted


http://hacksys.vfreaks.com

HackSys Team