Vulnerability discovered: 2018-11-30 | Type: DoS | Platform: Windows
Microsoft VBScript rtFilter out-of-bounds read
[+] Code ...
<!--
There is an out-of-bounds read vulnerability in the rtFilter function of Microsoft VBScript. The vulnerability has been confirmed in Internet Explorer on Windows 7 with the latest patches applied at the time of discovery (2018-11-30).
PoC:
(Note that Page Heap might need to be enabled to observe the crash, for example with "gflags.exe /i iexplore.exe +hpa" from the Debugging Tools for Windows, so that the read past the end of the array data lands on a guard page instead of silently returning adjacent heap memory.)
The rtFilter function is called from VbsFilter when the script-level Filter() function is invoked. Filter() takes an array of strings and a search string as parameters and returns a new array containing just those elements of the input array that contain the search (sub)string.
The issue is that the input array can be resized during the rtFilter call, by storing an object in one of the input array's elements: when rtFilter needs that element as a string, VBScript invokes the object's default property getter, and script in that getter can ReDim the array. rtFilter fails to handle this case correctly. While rtFilter does implement some logic to determine whether the input array has been resized, that logic fails to take into account elements of the input array that *do not match* the search string (notice the "b" strings in the PoC and how the PoC would stop working if they were all changed to "a"). In the crash dump below, VariantCopy faults on the read of word ptr [esi] with esi=0d9cf000, a page-aligned address the debugger shows as unmapped (????); with page heap enabled that is consistent with the loop fetching an element just past the end of the array's data allocation.
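To make the bug class concrete, here is an added example in C that is not from the advisory and not Microsoft's code: a hypothetical model of a Filter()-style loop over an array whose elements can run a default property getter that shrinks the array while the loop is still walking it. The names (struct array, filter_vulnerable, filter_fixed, shrink_return_b, run_scenario) and the choice to refresh the cached element count only on the match path are assumptions made for the model; the advisory does not describe rtFilter's actual check. The model records the first index the flawed loop would read past the live array instead of dereferencing it, so it runs safely under any C compiler.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model (not rtFilter's real code) of an array whose elements
 * may run a default property getter when read. */
struct array;
typedef const char *(*getter_fn)(struct array *arr);

struct elem {
    const char *text;   /* plain string element, used when getter is NULL */
    getter_fn   getter; /* stands in for an object's default property getter */
};

struct array {
    struct elem *items;
    size_t       count; /* live element count, changed by a "ReDim" */
};

/* Reading an element evaluates its getter, which receives the containing
 * array and may resize it mid-iteration. */
static const char *read_elem(struct array *arr, size_t i)
{
    const struct elem *e = &arr->items[i];
    return e->getter ? e->getter(arr) : e->text;
}

/* Getters standing in for the PoC object: shrink the array to one element
 * (only the count changes, so the model never touches freed memory) and
 * return either a non-matching or a matching string. */
static const char *shrink_return_b(struct array *arr) { arr->count = 1; return "b"; }
static const char *shrink_return_a(struct array *arr) { arr->count = 1; return "a"; }

/* Flawed loop (assumed shape): the element count is snapshotted once and
 * refreshed only after a matching element. Returns the match count;
 * *first_oob receives the first index that lies past the live array when
 * the loop reaches it (-1 if none). Real code would dereference that index;
 * the model records it and stops. */
long filter_vulnerable(struct array *arr, const char *needle, long *first_oob)
{
    size_t n = arr->count;          /* becomes stale once a getter resizes */
    long matches = 0;
    *first_oob = -1;
    for (size_t i = 0; i < n; i++) {
        if (i >= arr->count) {      /* instrumentation: would read out of bounds */
            *first_oob = (long)i;
            break;
        }
        if (strstr(read_elem(arr, i), needle) != NULL) {
            matches++;
            n = arr->count;         /* resize noticed only on the match path */
        }
    }
    return matches;
}

/* Hardened loop: test against the live count on every iteration and again
 * after each read, so a resize from any getter, matching or not, ends it. */
long filter_fixed(struct array *arr, const char *needle, long *first_oob)
{
    long matches = 0;
    *first_oob = -1;
    for (size_t i = 0; i < arr->count; i++) {
        const char *s = read_elem(arr, i);
        if (i >= arr->count)        /* the array shrank under us */
            break;
        if (strstr(s, needle) != NULL)
            matches++;
    }
    return matches;
}

/* Constructed input: the resizing element first, then three plain strings
 * (all "b" or all "a"), filtered for "a". Returns the first over-read index. */
static long run_scenario(long (*filt)(struct array *, const char *, long *),
                         getter_fn g, const char *fill)
{
    struct elem items[] = { { NULL, g }, { fill, NULL }, { fill, NULL }, { fill, NULL } };
    struct array arr = { items, 4 };
    long oob;
    filt(&arr, "a", &oob);
    return oob;
}

/* Non-matching resizer followed by non-matching strings: the flawed loop
 * never hits its match-path check and walks past the shrunk array. */
long oob_flawed_nonmatching(void) { return run_scenario(filter_vulnerable, shrink_return_b, "b"); } /* 1 */

/* Matching resizer: the match-path refresh fires and nothing is over-read,
 * which is exactly why a check that runs only on matches is not enough. */
long oob_flawed_matching(void)    { return run_scenario(filter_vulnerable, shrink_return_a, "a"); } /* -1 */

/* Same input as the first scenario against the hardened loop. */
long oob_fixed_nonmatching(void)  { return run_scenario(filter_fixed, shrink_return_b, "b"); }      /* -1 */
```

The point to carry to other code is the general one: any length or data pointer cached before a loop that calls back into script-controlled code (a getter, a comparison callback, a conversion) must be re-validated after every such call, not only on the path that happens to copy a result out.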
(a04.604): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000002 ecx=0d9d6fe0 edx=0d9cf000 esi=0d9cf000 edi=0d924ff6
eip=767d497b esp=09d2bcbc ebp=09d2bcc8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
OLEAUT32!VariantCopy+0xb:
767d497b 0fb73e movzx edi,word ptr [esi] ds:002b:0d9cf000=????
0:007> r
eax=00000000 ebx=00000002 ecx=0d9d6fe0 edx=0d9cf000 esi=0d9cf000 edi=0d924ff6
eip=767d497b esp=09d2bcbc ebp=09d2bcc8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
OLEAUT32!VariantCopy+0xb:
767d497b 0fb73e movzx edi,word ptr [esi] ds:002b:0d9cf000=????