File tree Expand file tree Collapse file tree 1 file changed +2
-2
lines changed
modules/exploits/windows/browser Expand file tree Collapse file tree 1 file changed +2
-2
lines changed Original file line number Diff line number Diff line change @@ -29,13 +29,13 @@ def initialize(info={})
2929 event will be run twice before the crash. The first time is due to the position
3030 change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftable'
3131 object is created during a "SelectAll" command, and this object will be used later
32- on in the crash. The second onmove event seems to be triggered by a InsertButton
32+ on for the crash. The second onmove event seems to be triggered by a InsertButton
3333 (or Insert-whatever) command, which is also responsible for the free of object
3434 CFlatMarkupPointer during page rendering. The EnsureRecalcNotify() function will
3535 then still return an invalid reference to CFlatMarkupPointer (stored in EBX), and
3636 then passes this on to the next functions (GetLineInfo -> QIClassID). When this
3737 reference arrives in function QIClassID, an access violation finally occurs when
38- the function is trying to call QueryInterface() with the bad eference, an this
38+ the function is trying to call QueryInterface() with the bad reference, and this
3939 results a crash. Successful control of the freed memory may leverage arbitrary code
4040 execution under the context of the user.
4141
You can’t perform that action at this time.
0 commit comments