Vulnerability Development mailing list archives
Re: ESI Manipulation?
From: Felix Lindner <felix.lindner () nruns com>
Date: Sun, 11 Dec 2005 14:19:50 +0100
Hi,

On Fri, 9 Dec 2005 13:51:52 +0000 Disco Jonny <discojonny () gmail com> wrote:
Now is there anything that I can do with this? I have tried to get it to overwrite with different values but I can't. This is probably nothing, but hey, I thought I would ask.

I don't know if this is of any use to anyone, but here is some info from OllyDbg.

636B43AE 8B32     MOV ESI,DWORD PTR DS:[EDX]
636B43B0 8942 14  MOV DWORD PTR DS:[EDX+14],EAX
636B43B3 FF36     PUSH DWORD PTR DS:[ESI]        <-- throws exception
636B43B5 8D4A 04  LEA ECX,DWORD PTR DS:[EDX+4]
636B43B8 50       PUSH EAX

EAX 00000000
ECX 0637EE60
EDX 0637EE60
EBX FFFFFFFF
ESP 0637EE44
EBP 0637EE7C
ESI 00000000
EDI 0637EEF4
EIP 636B43B3 mshtml.636B43B3
It looks like a NULL pointer reference to me. Since ECX (which I assume holds the "this" pointer) and EDX, from where your ESI value is taken at 636B43AE, are the same, I would assume boldly that the first member of the class instance pointed to by ECX is in fact NULL, while the following code assumes it is not.

Understandably, you didn't post the JavaScript code that caused it, but if the code is considered invalid by FireFox because "something" is missing, it would support my shot-in-the-dark theory.

If that's the case, I don't see an obvious way to exploit it from the details given.

cheers
Felix

--
Felix Lindner, CISSP | Senior Security Consultant, n.runs GmbH
fx () nruns com | +49 (0)171 740 20 62

People demand freedom of speech to make up for the freedom of thought which they avoid. - Soren Kierkegaard
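A small triage script, added here as an example and not part of either post, that automates Felix's reading of the dump: it parses the OllyDbg lines quoted above, evaluates the memory operand at EIP against the register values, classifies the fault as a near-NULL read rather than a write, and walks back to the MOV that loaded ESI from [EDX]. The 64 KiB NULL-page threshold and the assumption that EDX did not change between that load and the crash are mine, not the thread's.

```python
import re

# Constructed from the OllyDbg output quoted in the thread (code around EIP plus the register dump).
DISASM = """\
636B43AE 8B32 MOV ESI,DWORD PTR DS:[EDX]
636B43B0 8942 14 MOV DWORD PTR DS:[EDX+14],EAX
636B43B3 FF36 PUSH DWORD PTR DS:[ESI]
636B43B5 8D4A 04 LEA ECX,DWORD PTR DS:[EDX+4]
636B43B8 50 PUSH EAX"""
REGS = ("EAX 00000000 ECX 0637EE60 EDX 0637EE60 EBX FFFFFFFF ESP 0637EE44 "
        "EBP 0637EE7C ESI 00000000 EDI 0637EEF4 EIP 636B43B3")
NULL_PAGE_END = 0x10000  # assumption: the lowest 64 KiB is never mapped in Win32 user space

def parse_regs(text):
    return {r: int(v, 16) for r, v in re.findall(r"\b(E[A-Z]{2}) ([0-9A-F]{8})", text)}

def parse_disasm(text):
    """Return [(address, mnemonic, operands)] from OllyDbg-style lines."""
    out = []
    for line in text.splitlines():
        if m := re.match(r"([0-9A-F]{8})\s+(?:[0-9A-F]{2}(?:[0-9A-F]{2})?\s+)+([A-Z]+)\s*(.*)$", line):
            out.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return out

def effective_address(operands, regs):
    """Evaluate the first [...] operand, e.g. 'DS:[EDX+14]' -> regs['EDX'] + 0x14."""
    m = re.search(r"\[([^\]]+)\]", operands)
    if not m:
        return None
    ea = 0
    for sign, term in re.findall(r"([+-]?)\s*(E[A-Z]{2}|[0-9A-F]+)", m.group(1)):
        val = regs[term] if term in regs else int(term, 16)
        ea += -val if sign == "-" else val
    return ea & 0xFFFFFFFF

def triage(disasm_text, regs_text):
    regs, insns = parse_regs(regs_text), parse_disasm(disasm_text)
    addr, mnem, ops = next(i for i in insns if i[0] == regs["EIP"])
    ea = effective_address(ops, regs)
    # MOV with the memory operand first writes; PUSH and MOV-from-memory read; LEA touches nothing.
    access = "none" if mnem == "LEA" else "write" if mnem == "MOV" and ops.startswith("DWORD") else "read"
    kind = f"near-NULL {access}" if ea is not None and ea < NULL_PAGE_END else "other"
    # Walk back to the MOV that last loaded the base register (ESI came from [EDX], so the NULL is
    # the first dword of the object at EDX). Crash-time register values are assumed unchanged since.
    base = re.search(r"E[A-Z]{2}", ops[ops.index("["):]).group(0)
    origin = next((o.split(",", 1)[1] for a, mn, o in reversed(insns)
                   if a < addr and mn == "MOV" and o.startswith(base + ",")), None)
    return {"eip": addr, "insn": f"{mnem} {ops}", "ea": ea, "kind": kind, "base": base,
            "base_loaded_from": origin, "origin_ea": effective_address(origin, regs) if origin else None}
```

For this dump the result is a read from address 0 whose base register was loaded from the object EDX (and ECX) points to, which matches the "first member is NULL" reading; a near-NULL write or a controlled base register would be classified differently and would warrant a closer look.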
Current thread:
- ESI Manipulation? Disco Jonny (Dec 10)
- Re: ESI Manipulation? Felix Lindner (Dec 13)
- Re: ESI Manipulation? 3APA3A (Dec 13)