Full Disclosure mailing list archives
MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
From: "Berend-Jan Wever" <skylined () edup tudelft nl>
Date: Tue, 2 Nov 2004 01:41:43 +0100
Since nobody else posted an exploit I figured I might as well slap the BoF together with my default exploit JavaScript for the scriptkiddies to rejoice and the sysadmins to worry about.

<TECHNICAL>
The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm for most IE bugs.

The BoF sets eax to 0x0D0D0D0D after which this code gets executed:

7178EC02   8B08             MOV ECX, DWORD PTR [EAX]

[0x0D0D0D0D] == 0x0D0D0D0D, so ecx = 0x0D0D0D0D.

7178EC04   68 847B7071      PUSH 71707B84
7178EC09   50               PUSH EAX
7178EC0A   FF11             CALL NEAR DWORD PTR [ECX]

Again [0x0D0D0D0D] == 0x0D0D0D0D, so we jump to 0x0D0D0D0D. We land inside one of the nopslides and slide on down to the shellcode.

The shellcode is of the portbinding type, port 28876 to be exact. So now you know when to send me a happy birthday email...

The exploit will work with the <FRAME> and <IFRAME> tag, attached file uses <IFRAME>.
</TECHNICAL>

<DUMMIES>
For all you guys that cannot set up their AV software right, you can download the attachment from one of the many mirrors of this list.
</DUMMIES>

Cheers,
SkyLined
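The spray geometry the post relies on, as an added example: this is not SkyLined's JavaScript and not the attached exploit, but a C model of the same layout that replays the gadget and then actually decodes the slide. Everything about the layout is an assumption made for the model and not taken from the post: the sprayed blocks are contiguous starting at SPRAY_BASE, each block is BLOCK_SIZE bytes, and STANDIN (sixteen INT3 bytes) stands in for the port-bind shellcode, which is not on the page. The model checks the invariant the post states, [0x0D0D0D0D] == 0x0D0D0D0D, and one detail the post leaves implicit: on 32-bit x86 the byte 0x0D is the opcode of the 5-byte OR EAX,imm32, so the slide advances five bytes per instruction, and the last OR before the payload can take up to four payload bytes as its immediate.

```c
/* Added example, not the post's code: a model of the 0x0D heap spray.
 * Assumed (not from the post): contiguous blocks from SPRAY_BASE, BLOCK_SIZE
 * bytes each; STANDIN is a constructed stand-in for the real shellcode. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SPRAY_BASE 0x0D000000u  /* assumed address of the first sprayed block */
#define BLOCK_SIZE 0x20000u     /* assumed 128 KiB per block                   */
#define NUM_BLOCKS 8u           /* 1 MiB of spray, enough to cover TARGET      */
#define TARGET     0x0D0D0D0Du  /* the value the BoF leaves in EAX             */
#define NOP_BYTE   0x0D         /* on 32-bit x86, 0D imm32 = OR EAX, imm32     */

static uint8_t *spray;          /* backing store of the modelled heap          */
static const uint8_t STANDIN[16] = {  /* constructed: 16 x INT3, not the real payload */
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC };

/* Map a "virtual" address into the model; bail on anything not sprayed. */
static uint8_t *vaddr(uint32_t a) {
    if (a < SPRAY_BASE || a - SPRAY_BASE >= NUM_BLOCKS * BLOCK_SIZE) {
        fprintf(stderr, "access to unsprayed address 0x%08lx\n", (unsigned long)a);
        exit(1);
    }
    return spray + (a - SPRAY_BASE);
}

/* Little-endian dword read, what MOV ECX,[EAX] sees. */
static uint32_t read32(uint32_t a) {
    const uint8_t *p = vaddr(a);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Lay out every block as [0x0D slide][payload], as the post describes. */
void spray_heap(const uint8_t *sc, size_t sc_len) {
    if (!spray && !(spray = malloc(NUM_BLOCKS * BLOCK_SIZE))) exit(1);
    for (uint32_t b = 0; b < NUM_BLOCKS; b++) {
        uint8_t *blk = spray + b * BLOCK_SIZE;
        memset(blk, NOP_BYTE, BLOCK_SIZE - sc_len);
        memcpy(blk + BLOCK_SIZE - sc_len, sc, sc_len);
    }
}

/* Spray STANDIN with `prefix` single-byte NOPs (0x90) in front; returns the
   total payload length. */
size_t spray_with_prefix(size_t prefix) {
    uint8_t buf[32];
    if (prefix > sizeof buf - sizeof STANDIN) exit(1);
    memset(buf, 0x90, prefix);
    memcpy(buf + prefix, STANDIN, sizeof STANDIN);
    spray_heap(buf, prefix + sizeof STANDIN);
    return prefix + sizeof STANDIN;
}

/* MOV ECX,[EAX] ; PUSH 71707B84 ; PUSH EAX ; CALL [ECX].  The pushes do not
   affect where control goes, so only the two loads are modelled. */
uint32_t run_gadget(uint32_t eax) {
    uint32_t ecx = read32(eax);
    return read32(ecx);
}

/* Execute the slide from `pc`.  Each 0x0D starts a 5-byte OR EAX,imm32, so the
   slide advances five bytes at a time.  Returns the offset into the payload
   where execution really begins; 1..4 means the last OR swallowed that many
   payload bytes as its immediate. */
long slide_landing(uint32_t pc, size_t sc_len) {
    while (*vaddr(pc) == NOP_BYTE)
        pc += 5;
    long in_block = (long)((pc - SPRAY_BASE) % BLOCK_SIZE);
    return in_block - (long)(BLOCK_SIZE - sc_len);
}

/* Where the allocator puts the blocks fixes the alignment, so try all five
   residues: worst number of real shellcode bytes lost behind `prefix` NOPs. */
long worst_bytes_lost(size_t sc_len, size_t prefix) {
    long worst = 0;
    for (uint32_t k = 0; k < 5; k++) {
        long landing = slide_landing(TARGET + k, sc_len);
        long lost = landing > (long)prefix ? landing - (long)prefix : 0;
        if (lost > worst) worst = lost;
    }
    return worst;
}

int main(void) {
    size_t n = spray_with_prefix(0);
    printf("gadget transfers to 0x%08lx\n", (unsigned long)run_gadget(TARGET));
    printf("no prefix:     land at payload+%ld, worst case %ld shellcode bytes lost\n",
           slide_landing(TARGET, n), worst_bytes_lost(n, 0));
    n = spray_with_prefix(4);
    printf("4 x 0x90:      land at payload+%ld, worst case %ld shellcode bytes lost\n",
           slide_landing(TARGET, n), worst_bytes_lost(n, 4));
    return 0;
}
```

With the assumed layout the gadget lands at 0x0D0D0D0D inside block 6's slide, as the post says it should; decoding the slide as OR EAX,imm32 shows that whether execution starts exactly at the first payload byte depends on the slide length modulo 5, which in turn depends on where the allocator placed the block. Four leading 0x90 bytes on the payload absorb the worst case. How the attached exploit handles this is not on the page; the model only makes the alignment question visible.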
Current thread:
- MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Berend-Jan Wever (Nov 01)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) morning_wood (Nov 02)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Georgi Guninski (Nov 09)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) pachiderme pachiderme (Nov 09)
- <Possible follow-ups>
- RE: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Menashe Eliezer (Nov 07)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Berend-Jan Wever (Nov 07)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) patryn (Nov 08)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Valdis . Kletnieks (Nov 08)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Jim Geovedi (Nov 09)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Berend-Jan Wever (Nov 07)