Re: Internet Explorer >=5.0 : Buffer overflow

From: xenophi1e (oliver.laveryat_private)
Date: Thu Jun 26 2003 - 10:31:01 PDT

Next message: Brett Moore: "Windows Media Services Remote Command Execution #2"

Previous message: François SORIN: "[VulnWatch] [KSA-002] Multiple Vulnerabilities In Moregroupware"
Maybe in reply to: Digital Scream: "Internet Explorer >=5.0 : Buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) In-Reply-To: <20030622005821.17280.qmailat_private> ><script> > wnd=open("about:blank","",""); > wnd.moveTo(screen.Width,screen.Height); > WndDoc=wnd.document; > WndDoc.open(); This is a good one. Works for me on IE 6.0.2800.1106.xpsp2. It's a stack based buffer overflow in HTML32.cnv which is a HTML converter .DLL with a funny extension (it's in \Program Files\Common Files\Microsoft Shared\TextConv). You can control EBP, EIP, and some regs. The only twist is that the buffer is encoded before the overflow occurs. The encoding appears to be something like UTF-8; high ASCII is transformed into multi-byte sequences, low ASCII is truncated (?!). This is only a problem for getting a useful EIP in there, and not a very big one by any means. I'm no unicode guru, so maybe someone else knows if this is consistent with UTF-8: buffer += "\xcc\x59\xfb\x77"; // becomes \xc3\x8c\x59\xc3\xbb\x57 As surreal side note, this DLL contains a strange easter egg: .data:02344C94 aPresenting db 'Presenting',0 ; DATA XREF: _EnsureDocClosure+2FCo .data:02344C94 ; _EnsureDocClosure+308o .data:02344C9F align 4 .data:02344CA0 aTheAnansi db 'The Anansi',0 ; DATA XREF: _EnsureDocClosure+3C9o .data:02344CA0 ; _EnsureDocClosure+3D5o .data:02344CAB align 4 .data:02344CAC aAnansi db 'Anansi',0 ; DATA XREF: _EnsureDocClosure+468o .data:02344CB3 align 4 .data:02344CB4 aAnansiTheSpide db 'Anansi, the spider, is the chief character in most Ghanaian ' .data:02344CB4 ; DATA XREF: _EnsureDocClosure+4FFo .data:02344CB4 ; _EnsureDocClosure+50Bo .data:02344CB4 db 'folk tales.',0 .data:02344CFC aGenerallyRegar db ' Generally regarded as crafty and wise, he is often a maker ' .data:02344CFC ; DATA XREF: _EnsureDocClosure+520o .data:02344CFC ; _EnsureDocClosure+52Co .data:02344CFC db 'of mischief.',0 .data:02344D45 align 4 .data:02344D48 aHeSeeksToSweep db ' He seeks to sweep up all the wisdom of the world in order t' .data:02344D48 ; DATA XREF: _EnsureDocClosure+541o .data:02344D48 ; _EnsureDocClosure+54Do .data:02344D48 db 'o be the wisest of all.',0 .data:02344D9C aDevelopmentTea db ' Development Team',0 ; DATA XREF: _EnsureDocClosure+5A9o .data:02344D9C ; _EnsureDocClosure+5B5o Haven't figured out how to trigger it yet (just managed to find working debug symbols for this DLL): .text:02315420 _EnsureDocClosure proc near ; CODE XREF: _ConvertForeignToRtf+E5p .text:0231567D EasterEgg: ; CODE XREF: _EnsureDocClosure+1FCj Cheers, ~ol

Next message: Brett Moore: "Windows Media Services Remote Command Execution #2"
Previous message: François SORIN: "[VulnWatch] [KSA-002] Multiple Vulnerabilities In Moregroupware"
Maybe in reply to: Digital Scream: "Internet Explorer >=5.0 : Buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 26 2003 - 10:56:44 PDT