Vulnerability Development mailing list archives

Re: ESI Manipulation?


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Sun, 11 Dec 2005 17:47:01 +0300

Dear Disco Jonny,

It looks like a classical NULL-pointer dereference; probably there is no
way to get code execution.

-- 
~/ZARAZA
http://www.security.nnov.ru


--Friday, December 9, 2005, 4:51:52 PM, you wrote to vuln-dev () securityfocus com:

DJ> Hi,

DJ> I have been looking at stack stuff for a month or two now, so please
DJ> forgive my ignorance.

DJ> Anyways, I was idly writing some JavaScript last night, when a badly
DJ> formed statement crashed my IE (Firefox recognises the bad script and
DJ> won't attempt to run it).

DJ> I fired up ollydb to take a look at it, and it would appear that I am
DJ> somehow overwriting the ESI or EAX with 00000000.

DJ> Now is there anything that I can do with this? I have tried to get it
DJ> to overwrite with different values but I can't. This is probably
DJ> nothing, but hey, I thought I would ask. I don't know if this is of
DJ> any use to anyone, but here is some info from ollydb.

DJ> 636B43AE   8B32             MOV ESI,DWORD PTR DS:[EDX]
DJ> 636B43B0   8942 14          MOV DWORD PTR DS:[EDX+14],EAX
DJ> 636B43B3   FF36             PUSH DWORD PTR DS:[ESI] <--  throws exception here
DJ> 636B43B5   8D4A 04          LEA ECX,DWORD PTR DS:[EDX+4]
DJ> 636B43B8   50               PUSH EAX

DJ> EAX 00000000
DJ> ECX 0637EE60
DJ> EDX 0637EE60
DJ> EBX FFFFFFFF
DJ> ESP 0637EE44
DJ> EBP 0637EE7C
DJ> ESI 00000000
DJ> EDI 0637EEF4
DJ> EIP 636B43B3 mshtml.636B43B3

DJ> 0637EE44   00000000
DJ> 0637EE48   637514E4  RETURN to mshtml.637514E4 from mshtml.636B4396

DJ> I have been doing a bit of googling, and I came across an article that
DJ> seemed to suggest that setting the ESI to 000000000 is a security
DJ> thing implemented by Microsoft? This article was more confusing than
DJ> helpful - although I think that is because the author was assuming a
DJ> level of skill that I don't currently possess.

DJ> Any advice anyone?

DJ> I am running a fully patched W2K box.

DJ> Thanks,

DJ> S.
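The crash in the dump is a double dereference: [EDX] is loaded into ESI, and the instruction that faults reads the first dword at [ESI] while ESI is 0. The following C model, added here as an illustration and not code from either poster or from mshtml, reproduces that access pattern with a hypothetical object layout (the struct names, the field at offset 0x14, the constructed fixtures and the 64 KB null-page threshold are all assumptions) and shows the check that prevents the fault, plus a small triage helper for deciding whether a faulting address is a null-page read rather than a read of attacker-controlled memory.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical object layout implied by the OllyDbg dump (32-bit build):
 * EDX points at an object whose first dword ([EDX]) is a pointer to a
 * second object; PUSH DWORD PTR [ESI] reads the first dword of that
 * second object.  Names and field offsets are assumptions for illustration. */
struct inner {
    uint32_t first_dword;        /* what PUSH DWORD PTR DS:[ESI] reads */
};

struct outer {
    struct inner *link;          /* [EDX+0]  -> loaded into ESI */
    uint32_t      pad[4];        /* [EDX+4] .. [EDX+10], unused here */
    uint32_t      slot14;        /* [EDX+14] <- written from EAX */
};

/* Unchecked equivalent of the crashing sequence:
 *   MOV ESI,[EDX] ; MOV [EDX+14],EAX ; PUSH [ESI]
 * With o->link == NULL the last line reads address 0 and faults, exactly
 * as in the dump.  Note the read happens through a pointer loaded from the
 * object, so the value that ends up on the stack is never attacker-chosen
 * unless the attacker can make o->link point somewhere of their choosing. */
uint32_t unchecked_read(struct outer *o, uint32_t eax)
{
    struct inner *esi = o->link;
    o->slot14 = eax;
    return esi->first_dword;     /* NULL dereference when esi == NULL */
}

/* Checked version: refuse to touch the link when it is NULL. */
int checked_read(struct outer *o, uint32_t eax, uint32_t *out)
{
    struct inner *esi = o->link;
    if (esi == NULL)
        return -1;
    o->slot14 = eax;
    *out = esi->first_dword;
    return 0;
}

/* Crash-triage helper.  Win32 reserves the lowest 64 KB of a process and
 * VirtualAlloc will not hand out addresses below 0x10000, so a read fault
 * in that range is a NULL (or NULL + small offset) dereference of memory
 * that normally is not mapped, not a read of data the attacker placed. */
#define NULL_PAGE_LIMIT 0x10000u

int is_null_page_fault(uintptr_t fault_addr)
{
    return fault_addr < NULL_PAGE_LIMIT;
}

/* Constructed fixtures (not from the original post): one object with a
 * valid link, one whose link is NULL like ESI in the crash. */
uint32_t demo_valid_read(void)
{
    struct inner in = { 0x41414141 };
    struct outer o  = { &in, {0, 0, 0, 0}, 0 };
    uint32_t v = 0;
    checked_read(&o, 0x1234, &v);
    return v;
}

int demo_null_read(void)
{
    struct outer o = { NULL, {0, 0, 0, 0}, 0 };
    uint32_t v = 0;
    return checked_read(&o, 0x1234, &v);
}

int main(void)
{
    printf("valid link: 0x%08x\n", demo_valid_read());
    printf("NULL link: checked_read -> %d\n", demo_null_read());
    printf("fault at 0x0: null page? %d\n", is_null_page_fault(0x0));
    printf("fault at 0x0637EE60: null page? %d\n",
           is_null_page_fault((uintptr_t)0x0637EE60));
    /* unchecked_read(&bad, 0) would crash here the way mshtml did. */
    return 0;
}
```

The point of the triage helper is the distinction 3APA3A draws: when the faulting address is in the null page, the crash tells you a pointer was never initialised, but the attacker's script controls neither the pointer nor what it would read, so by itself it is a denial of service rather than a path to code execution.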

