From Crash to Exploit: CVE-2015-6086 - Out of Bound Read/ASLR Bypass
Copyright 2016 © Payatu Technologies Pvt. Ltd.
Improper handling of newline and whitespace characters causes an out-of-bounds read in CDOMStringDataList::InitFromString.
This flaw can be used to leak the base address of MSHTML.DLL and effectively bypass Address Space Layout Randomization (ASLR).
Affected Version
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
Test Bed
- IE: 10 & 11
- KB: KB3087038
- OS: Windows 7 SP1 x86
Advisory
- http://www.payatu.com/advisory-ie_cdomstringdatalist/
- https://technet.microsoft.com/library/security/MS15-112
- http://www.zerodayinitiative.com/advisories/ZDI-15-547/
Blog Post
http://www.payatu.com/from-crash-to-exploit/
Author
Ashfaq Ansari
ashfaq[at]payatu[dot]com
@HackSysTeam | Blog