PoC for CVE-2015-6086
Repository Contents

  • BreakPoints.txt
  • Challenge-1-HeapAlignment.html
  • DisableMemoryProtector.reg
  • EnableMemoryProtector.reg
  • ExploitationChallengesAnalysis.txt
  • InitFromString.cpp
  • LFH-MemoryProtectorDisabled.html
  • LFH-MemoryProtectorDisabledAnalysis.txt
  • LFH-MemoryProtectorEnabled.html
  • LFH-MemoryProtectorEnabledAnalysis.txt
  • LICENSE
  • OOB_Read_IE10_IE11_ASLR_Bypass.html
  • README.md
  • ReadRequiredFeaturesAttribute-1.html
  • ReadRequiredFeaturesAttribute-2.html
  • Trigger.html
  • TriggerAnalysis.txt

From Crash to Exploit: CVE-2015-6086 - Out-of-Bounds Read/ASLR Bypass

 $$$$$$\  $$\    $$\ $$$$$$$$\       $$$$$$\   $$$$$$\    $$\  $$$$$$$\          $$$$$$\   $$$$$$\   $$$$$$\
$$  __$$\ $$ |   $$ |$$  _____|     $$  __$$\ $$$ __$$\ $$$$ | $$  ____|        $$  __$$\ $$$ __$$\ $$  __$$\
$$ /  \__|$$ |   $$ |$$ |           \__/  $$ |$$$$\ $$ |\_$$ | $$ |             $$ /  \__|$$$$\ $$ |$$ /  $$ |
$$ |      \$$\  $$  |$$$$$\ $$$$$$\  $$$$$$  |$$\$$\$$ |  $$ | $$$$$$$\ $$$$$$\ $$$$$$$\  $$\$$\$$ | $$$$$$  |
$$ |       \$$\$$  / $$  __|\______|$$  ____/ $$ \$$$$ |  $$ | \_____$$\\______|$$  __$$\ $$ \$$$$ |$$  __$$<
$$ |  $$\   \$$$  /  $$ |           $$ |      $$ |\$$$ |  $$ | $$\   $$ |       $$ /  $$ |$$ |\$$$ |$$ /  $$ |
\$$$$$$  |   \$  /   $$$$$$$$\      $$$$$$$$\ \$$$$$$  /$$$$$$\\$$$$$$  |        $$$$$$  |\$$$$$$  /\$$$$$$  |
 \______/     \_/    \________|     \________| \______/ \______|\______/         \______/  \______/  \______/

Copyright 2016 © Payatu Technologies Pvt. Ltd.

Improper handling of newline and whitespace characters causes an out-of-bounds read in CDOMStringDataList::InitFromString. This flaw can be used to leak the base address of MSHTML.DLL and thereby bypass Address Space Layout Randomization (ASLR).

Affected Versions

  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11

Test Bed

  • IE: 10 & 11
  • KB: KB3087038
  • OS: Windows 7 SP1 x86

Advisory

Blog Post

http://www.payatu.com/from-crash-to-exploit/

Author

Ashfaq Ansari

ashfaq[at]payatu[dot]com

@HackSysTeam | Blog

Payatu Technologies

http://www.payatu.com/

Workshop Conducted

http://hacksys.vfreaks.com

HackSys Team
