Vulnerability Development mailing list archives
Re: ESI Manipulation?
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Sun, 11 Dec 2005 17:47:01 +0300
Dear Disco Jonny,

It looks like classical NULL-pointer dereference, probably there is no way to get code execution.

--
~/ZARAZA
http://www.security.nnov.ru

--Friday, December 9, 2005, 4:51:52 PM, you wrote to vuln-dev () securityfocus com:

DJ> Hi,
DJ> I have been looking at stack stuff for a month or two now, so please
DJ> forgive my ignorance.
DJ> Anyways, I was idly writing some JavaScript last night, when a badly
DJ> formed statement crashed my IE (Firefox recognises the bad script and
DJ> won't attempt to run it).
DJ> I fired up ollydb to take a look at it, and it would appear that I am
DJ> somehow overwriting the ESI or EAX with 00000000.
DJ> Now is there anything that I can do with this? I have tried to get it
DJ> to overwrite with different values but I can't. This is probably
DJ> nothing, but hey, I thought I would ask. I don't know if this is of
DJ> any use to anyone, but here is some info from ollydb.
DJ>
DJ> 636B43AE 8B32      MOV ESI,DWORD PTR DS:[EDX]
DJ> 636B43B0 8942 14   MOV DWORD PTR DS:[EDX+14],EAX
DJ> 636B43B3 FF36      PUSH DWORD PTR DS:[ESI]        <-- throws exception here
DJ> 636B43B5 8D4A 04   LEA ECX,DWORD PTR DS:[EDX+4]
DJ> 636B43B8 50        PUSH EAX
DJ>
DJ> EAX 00000000
DJ> ECX 0637EE60
DJ> EDX 0637EE60
DJ> EBX FFFFFFFF
DJ> ESP 0637EE44
DJ> EBP 0637EE7C
DJ> ESI 00000000
DJ> EDI 0637EEF4
DJ> EIP 636B43B3 mshtml.636B43B3
DJ>
DJ> 0637EE44 00000000
DJ> 0637EE48 637514E4 RETURN to mshtml.637514E4 from mshtml.636B4396
DJ>
DJ> I have been doing a bit of googling, and I came across an article that
DJ> seemed to suggest that setting the ESI to 000000000 is a security
DJ> thing implemented by Microsoft? This article was more confusing than
DJ> helpful, although I think that is because the author was assuming a
DJ> level of skill that I don't currently possess.
DJ> Any advice anyone?
DJ> I am running a fully patched W2K box.
DJ> Thanks,
DJ> S.
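The three instructions in the quoted disassembly describe a fixed access pattern: load a pointer from offset 0 of the object EDX points at, store EAX at offset 0x14 of that object, then read the first dword through the loaded pointer. When the loaded pointer is 0, the last step faults. The following C is an added example written for this archive page, not code from mshtml or from either poster; the struct layout and field names are an assumption reconstructed from the offsets in the post, and the "null page" bound reflects the 64 KiB that 32-bit Windows keeps unmapped at the bottom of user address space. It shows the unchecked sequence side by side with a version that refuses a NULL pointer, plus a helper for judging whether a faulting address is the unexploitable zero page or a controllable pointer worth a closer look.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical object layout reconstructed from the post's disassembly:
 *   [EDX+0x00] is a pointer (loaded into ESI),
 *   [EDX+0x14] receives EAX,
 *   [ESI+0x00] is then read (PUSH DWORD PTR [ESI]).
 * The padding keeps 'stored' at offset 0x14 on both 32- and 64-bit builds. */
struct elem {
    uint32_t      *first;                          /* offset 0x00 */
    unsigned char  pad[0x14 - sizeof(uint32_t *)]; /* not touched by the sequence */
    uint32_t       stored;                         /* offset 0x14 */
};
_Static_assert(offsetof(struct elem, stored) == 0x14, "layout must match [EDX+14]");

/* Straight transliteration of the faulting sequence. With e->first == NULL
 * the final read touches address 0, which user-mode Windows never maps, so
 * the result is an access violation (a crash), not control of execution. */
uint32_t step_unchecked(struct elem *e, uint32_t eax)
{
    uint32_t *esi = e->first;   /* 8B32     MOV ESI,DWORD PTR [EDX]     */
    e->stored = eax;            /* 8942 14  MOV DWORD PTR [EDX+14],EAX  */
    return *esi;                /* FF36     PUSH DWORD PTR [ESI]  <- faults if esi == NULL */
}

/* Hardened form: validate the pointer before using it. Returns 0 and
 * writes the dword to *out on success, -1 (and changes nothing) on a
 * NULL object or NULL pointer field. */
int step_checked(struct elem *e, uint32_t eax, uint32_t *out)
{
    if (e == NULL || e->first == NULL)
        return -1;
    e->stored = eax;
    *out = *e->first;
    return 0;
}

/* Triage helper: a fault on an address inside the reserved low 64 KiB
 * (assumed bound for 32-bit Windows user mode) is a NULL-derived deref
 * and a denial of service at most; a fault elsewhere means the pointer
 * came from somewhere an attacker might influence and deserves a look. */
int points_into_null_page(const void *p)
{
    return (uintptr_t)p < 0x10000u;
}

int main(void)
{
    uint32_t value = 0x41414141u;   /* constructed sample target dword */
    uint32_t out = 0;
    struct elem e = { &value, {0}, 0 };

    printf("unchecked, valid pointer: 0x%08x (stored=0x%x)\n",
           step_unchecked(&e, 7), e.stored);

    e.first = NULL;
    if (step_checked(&e, 9, &out) != 0)
        printf("checked, NULL pointer: refused (stored still 0x%x)\n", e.stored);
    /* step_unchecked(&e, 9) would now crash with an access violation. */

    printf("NULL in null page: %d, &value in null page: %d\n",
           points_into_null_page(NULL), points_into_null_page(&value));
    return 0;
}
```

The useful diagnostic question when you see a fault like this is not "which register is zero" but "where did the zero come from": if the pointer field is always 0 regardless of the script you feed the parser, you are looking at an uninitialized or unset member, and the only outcome is the crash the checked version prevents.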
Current thread:
- ESI Manipulation? Disco Jonny (Dec 10)
- Re: ESI Manipulation? Felix Lindner (Dec 13)
- Re: ESI Manipulation? 3APA3A (Dec 13)