Vulnerability Development mailing list archives

Re: ESI Manipulation?


From: Felix Lindner <felix.lindner () nruns com>
Date: Sun, 11 Dec 2005 14:19:50 +0100

Hi,

On Fri, 9 Dec 2005 13:51:52 +0000
Disco Jonny <discojonny () gmail com> wrote:
> Now is there anything that I can do with this?  I have tried to get it
> to overwrite with different values but I can't.  This is probably
> nothing, but hey I thought I would ask.  I don't know if this is of
> any use to anyone, but here is some info from ollydb.
>
> 636B43AE   8B32             MOV ESI,DWORD PTR DS:[EDX]
> 636B43B0   8942 14          MOV DWORD PTR DS:[EDX+14],EAX
> 636B43B3   FF36             PUSH DWORD PTR DS:[ESI] <--  throws exception
> 636B43B5   8D4A 04          LEA ECX,DWORD PTR DS:[EDX+4]
> 636B43B8   50               PUSH EAX
>
> EAX 00000000
> ECX 0637EE60
> EDX 0637EE60
> EBX FFFFFFFF
> ESP 0637EE44
> EBP 0637EE7C
> ESI 00000000
> EDI 0637EEF4
> EIP 636B43B3 mshtml.636B43B3

It looks like a NULL pointer reference to me. Since ECX (which I assume holds
the "this" pointer) and EDX, from where your ESI value is taken at 636B43AE,
are the same, I would assume boldly that the first member of the class
instance pointed to by ECX is in fact NULL, while the following code assumes
it is not. 

Understandably, you didn't post the JavaScript code that caused it, but if the
code is considered invalid by Firefox because "something" is missing, it would
support my shot-in-the-dark theory. If that's the case, I don't see an obvious
way to exploit it from the details given.

cheers
Felix

-- 
 Felix Lindner, CISSP | Senior Security Consultant, n.runs GmbH
         fx () nruns com | +49 (0)171 740 20 62
People demand freedom of speech to make up for the freedom of thought
which they avoid. - Soren Kierkegaard
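The reasoning in the reply above, modelled in C as an added example (this is not code from the thread, from the poster, or from mshtml): a struct whose first member is a pointer, an unchecked routine that mirrors the three instructions in the OllyDbg excerpt, a checked form that refuses the NULL member, and a small triage helper that classifies the faulting address. The struct layout, field names, the 32-bit offsets, and the functions `unchecked`, `checked`, `classify_fault`, `demo_null_first` and `demo_valid_first` are all assumptions made for illustration.

```c
/* Added example; models the posted disassembly, not actual mshtml code.
 *   636B43AE  MOV ESI,[EDX]         ; esi = obj->first       (offset 0x00)
 *   636B43B0  MOV [EDX+14],EAX      ; obj->field_14 = eax    (offset 0x14)
 *   636B43B3  PUSH DWORD PTR [ESI]  ; *esi  <-- faults when first == NULL
 * Offsets in the comments refer to the 32-bit target in the post; on a
 * 64-bit build the pointer member widens and the later offsets shift. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct node { uint32_t value; };            /* what ESI is expected to point at */
struct obj {
    struct node *first;     /* offset 0x00: loaded into ESI (assumed layout) */
    uint32_t     pad[4];    /* offsets 0x04..0x10; ECX = EDX+4 is taken later */
    uint32_t     field_14;  /* offset 0x14: receives EAX (EAX was 0 in the dump) */
};

/* Unchecked form: mirrors the faulting sequence. With o->first == NULL the
 * final read touches address 0 and takes an access violation, as at 636B43B3. */
uint32_t unchecked(struct obj *o, uint32_t eax) {
    struct node *esi = o->first;   /* MOV ESI,[EDX] */
    o->field_14 = eax;             /* MOV [EDX+14],EAX */
    return esi->value;             /* PUSH DWORD PTR [ESI] */
}

/* Checked form: what the code should have done. Returns 0 and sets *out on
 * success, -1 when the member the dump shows as NULL has not been set. */
int checked(struct obj *o, uint32_t eax, uint32_t *out) {
    if (o == NULL || o->first == NULL)
        return -1;
    o->field_14 = eax;
    *out = o->first->value;
    return 0;
}

/* Triage helper: a read fault at an address inside the lowest 64 KiB is the
 * NULL-pointer-plus-small-offset pattern. Windows keeps that range unmapped
 * for user-mode processes, so without a way to map it the bug is a crash,
 * not a control-flow hijack, which is the conclusion the reply reaches. */
enum fault_class { FAULT_NULL_PAGE, FAULT_OTHER };

enum fault_class classify_fault(uintptr_t addr) {
    const uintptr_t null_region = 0x10000;
    return addr < null_region ? FAULT_NULL_PAGE : FAULT_OTHER;
}

/* Scenario from the register dump: first member NULL, EAX == 0. */
int demo_null_first(void) {
    struct obj o = { .first = NULL };
    uint32_t v = 0;
    return checked(&o, 0, &v);     /* -1: refused instead of faulting */
}

/* Counterpart with a valid member, to show the checked path succeeds. */
uint32_t demo_valid_first(void) {
    struct node n = { .value = 0x41424344 };
    struct obj o = { .first = &n };
    uint32_t v = 0;
    if (checked(&o, 0, &v) != 0)
        return 0;
    assert(o.field_14 == 0);       /* EAX (0) was stored at offset 0x14 */
    return v;                      /* same value unchecked() would have pushed */
}

int main(void) {
    printf("checked() with NULL first member: rc=%d\n", demo_null_first());
    printf("checked() with valid first member: value=0x%08x\n", demo_valid_first());
    printf("fault address ESI=0x00000000 -> %s\n",
           classify_fault(0) == FAULT_NULL_PAGE ? "null-page read" : "other");
    /* unchecked(&o, 0) with o.first == NULL would crash here, like the post. */
    return 0;
}
```

The triage helper only encodes the observation in the reply: the faulting read is at address 0 with no attacker-influenced offset, and the stored value (EAX) is a constant 0 going to a fixed offset, so neither the read nor the write gives an obvious primitive from what was posted.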
