Dear SecurITeam BugTraq Monitoring, It could be perfectly easy to exploit this vulnerability with alphanumeric shellcode... There is a lot of appropriate addresses, for example with jmp esp in different libraries (NT4 + IE6): 0x636e6294 0x70286161 0x70286221, etc But _real_ problem is it also does toupper() for all characters. So, 0x63 0x70 etc cannot be used. It's still possible to create shellcode, but I see no way to get control, because we have no appropriate address to overwrite EBP/ESP... So, it's impossible to exploit it in usual way. It's possible to put huge (few megabytes of) shellcode on the heap (just to put it in the clipboard too) and try to get something like jmp 0x20XXXXXX or jmp 0x21XXXXXX in 0x20200000 - 0x60FFFFFF and 0x7B200000 - 0x7FFFFFFF because heap usually allocated somewhere in the end of 0x20XXXXXX it looks possible... That is we can put 8MB of jmp 0x21777777 + 8MB of NOOPs + shellcode into clipboard and overwrite EIP with something like 0x21212121.... But this exploit will work an hour with 100% CPU load because clipboard operations are slow :) Any suggestions? --Wednesday, June 25, 2003, 3:05:20 PM, you wrote to dotslashat_private: SBM> Hi, SBM> I can confirm it under Windows 2000 with IE 5.50.4807.2300 SBM> Full control over the EIP, but the shellcode cannot contain (as it currently SBM> appears) non Alpha Numeric characters, too bad I guess. SBM> Thanks SBM> Noam Rathaus SBM> CTO SBM> Beyond Security Ltd SBM> http://www.SecurITeam.com SBM> http://www.BeyondSecurity.com SBM> ----- Original Message ----- SBM> From: "KF" <dotslashat_private> SBM> To: "Digital Scream" <digitalscreamat_private> SBM> Sent: Monday, June 23, 2003 6:43 PM SBM> Subject: Re: Internet Explorer >=5.0 : Buffer overflow >> I can confirm this on Windows XP Professional >> >> version 6.0.2800.1106.xpsp2-030422-1633 >> >> 0x43534c41 refrenced mem at 0x43534c41 >> -KF >> >> >> Digital Scream wrote: >> >> ><script> >> > wnd=open("about:blank","",""); >> > wnd.moveTo(screen.Width,screen.Height); >> > WndDoc=wnd.document; >> > WndDoc.open(); >> > WndDoc.clear(); >> > buffer=""; >> > for(i=1;i<=127;i++)buffer+="X"; >> > buffer+="DigitalScream"; >> > WndDoc.write("<HR align='"+buffer+"'>"); >> > WndDoc.execCommand("SelectAll"); >> > WndDoc.execCommand("Copy"); >> > wnd.close(); >> ></script> >> > >> >Grtz: Nj3l, buggzy, 3APA3A, Void Team, X - Crew >> > >> > >> > >> >> >> SBM> _______________________________________________ SBM> Full-Disclosure - We believe in it. SBM> Charter: http://lists.netsys.com/full-disclosure-charter.html -- ~/ZARAZA Вечная память святому Патрику! (Твен) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 10:59:19 PDT