
The mechanism behind Internet Explorer CVE-2014-1776 exploits

Recently, Microsoft patched an Internet Explorer use-after-free bug (CVE-2014-1776) that was being exploited in the wild. Since then I’ve seen several reports of new variants based on the original exploit appearing in the wild. Let’s look closely at the exploitation mechanism to see how it turns a use-after-free into shellcode execution.

The whole exploit is made up of three parts (Figure 1). The entry HTML is the page the victim first visits after receiving a phishing email and clicking the link. The HTML loads a SWF file that performs a heap-spraying operation. The SWF then calls back a JavaScript function with de-obfuscated exploit JavaScript code, and that code manipulates the DOM structure of the main HTML file to trigger the use-after-free bug.

More here: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/The-mechanism-behind-Internet-Explorer-CVE-2014-1776-exploits/ba-p/6476220#.U3SWxvldWSo
