Bugtraq mailing list archives
Re: Remote overflow in MSIE script action handlers (mshtml.dll)
From: <c0redump () ackers org uk>
Date: Sat, 18 Mar 2006 11:07:33 -0000
Just to add to this again before we get sick of going on about it. Some people have been reporting different things, namely that you must only have one IE window open so that the other buffers cannot "absorb" the attack. However,

Test 1: No IE windows open, clicked on exploit link, launches IE - sometimes just closes with no error, sometimes "The instruction at '0x7d525dcd' referenced memory at '0x00009506'. The memory could not be 'read'" came up.

Test 2: One IE window open already, opened up second one on exploit link - only second window died. Same with two windows open already, three and so on; just the actual IE window that is rendering the mshtml.dll exploit dies.

Obviously it's not sharing memory between the different instances of IE. As I said before, Win XP SP2, all the lovely patches. (IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519)
c0redump #hacktech @ undernet

----- Original Message -----
From: Master Phoxpherus
To: lcamtuf () dione ids pl
Cc: bugtraq () securityfocus com
Sent: Thursday, March 16, 2006 10:05 PM
Subject: Re: Remote overflow in MSIE script action handlers (mshtml.dll)

Hmm. I'm running a Windows 98 SE box and just tried what you said. Didn't affect me "instantly" or after a time period. You sure you're not just seeing shit? :P Plus, keeping it real, there's a fair difference between a BoF that you can perform easily remotely, and a BoF you have to talk people into. "Hey, dude... can you just type <command> and if it don't work, hit refresh a few times?" ... can you see it?
On Thu, 16 Mar 2006, Daniel Bonekeeper wrote:
> BTW, tested the POC on MSIE (File Version = 6.00.2900.2180
> (xpsp_sp2_rtm.040803-2158)) with mshtml.dll (6.00.2900.2802
> (xpsp_sp2_gdr.051123-1230)) and it didn't work.

Daniel followed up with me in private and confirmed that the PoC *did* work for him when he followed certain additional instructions: because the attack depends on memory layout and usage, to get consistent results, be sure to close *all* MSIE windows, then go to Start -> Run... and type:

  iexplore http://lcamtuf.coredump.cx/iedie.html

That should crash the browser immediately, because there are no other buffers nearby to "absorb" the initial fencepost. Still, if no dice, try hitting 'Reload' a couple of times.

/mz