Created June 22, 2015 18:35
Gist h0wl/3069bf4fca8bce27851d
IE 11 jsonp crash log
(c14.12b0): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\SYSTEM32\ntdll.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\jscript9.dll -
eax=0dcede18 ebx=1762ef78 ecx=0dcede88 edx=1767cff0 esi=1759e980 edi=1759e980
eip=6a291314 esp=0b0dc5a8 ebp=0b0dc5d0 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
jscript9!DllCanUnloadNow+0xb5d24:
6a291314 8b4a04 mov ecx,dword ptr [edx+4] ds:002b:1767cff4=????????
0:006> .symfix
0:006> .reload
Reloading current modules
................................................................
.......................
0:006> r
eax=0dcede18 ebx=1762ef78 ecx=0dcede88 edx=1767cff0 esi=1759e980 edi=1759e980
eip=6a291314 esp=0b0dc5a8 ebp=0b0dc5d0 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
jscript9!Js::TempArenaAllocatorWrapper<1>::Dispose+0x14:
6a291314 8b4a04 mov ecx,dword ptr [edx+4] ds:002b:1767cff4=????????
0:006> kb
ChildEBP RetAddr Args to Child
0b0dc5ac 6a10d794 00000000 0dd00d8c 1762ef78 jscript9!Js::TempArenaAllocatorWrapper<1>::Dispose+0x14
0b0dc5d0 6a10d9af 00000800 0dd04340 0dcfc9f0 jscript9!SmallFinalizableHeapBlock::DisposeObjects+0x92
0b0dc5f4 6a10d87f 0957edc8 00000800 0dcfc9f0 jscript9!HeapInfo::DisposeObjects+0xb0
0b0dc624 6a10d82d 6a10ff8b 0dcfc9f0 0dceef68 jscript9!Recycler::DisposeObjects+0x4a
0b0dc628 6a10ff8b 0dcfc9f0 0dceef68 0b0dc650 jscript9!Recycler::FinishDisposeObjects+0x1a
0b0dc644 6a109ea6 11080000 0dcfc9f0 0dceddc0 jscript9!Recycler::FinishConcurrentCollect+0x196
0b0dc658 6a109e5b 0dcfc9f0 6a10e860 11080000 jscript9!DefaultRecyclerCollectionWrapper::ExecuteRecyclerCollectionFunction+0x26
0b0dc690 6a109f3b 0dcfc9f0 6a10e860 11080000 jscript9!ThreadContext::ExecuteRecyclerCollectionFunctionCommon+0x3b
0b0dc6dc 6a10e83b 0dcfc9f0 6a10e860 11080000 jscript9!ThreadContext::ExecuteRecyclerCollectionFunction+0xfc
0b0dc714 6a16faad 11080000 0e9faff0 6a16fa4b jscript9!Recycler::FinishConcurrentCollectWrapped+0x55
0b0dc720 6a16fa4b 6a2d4610 0b0df8fc 6d0ff57c jscript9!Recycler::FinishConcurrent<285736960>+0x3c
0b0dc72c 6d0ff57c 0e9faff0 080b4e48 0b0e4fe0 jscript9!RecyclerFinishConcurrentIdleTask::RunIdleTask+0x25
0b0df8fc 6d24f738 0b0df9c8 6d24f3b0 080b6ff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x582
0b0df9bc 6e21e61c 080b4e48 0b0df9e0 6d2530d0 IEFRAME!LCIETab_ThreadProc+0x37b
0b0df9d4 6cf93991 080b6ff0 6cf93900 6cf93900 iertutil!CMemBlockRegistrar::_LoadProcs+0x67
0b0dfa0c 74957c04 0a49efe8 74957be0 17b0aa1a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
0b0dfa20 7705ad1f 0a49efe8 140487b2 00000000 KERNEL32!BaseThreadInitThunk+0x24
0b0dfa68 7705acea ffffffff 7704023e 00000000 ntdll!__RtlUserThreadStart+0x2f
0b0dfa78 00000000 6cf93900 0a49efe8 00000000 ntdll!_RtlUserThreadStart+0x1b
0:006> .load winext/msec.dll
0:006> !exploitable
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at jscript9!Js::TempArenaAllocatorWrapper<1>::Dispose+0x0000000000000014 (Hash=0x6561665f.0x374b4e14)
The data from the faulting address is later used as the target for a later write.