Re: [Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
From: Georgi Guninski (guninski_at_guninski.com)
Date: 11/09/04
- Previous message: 3APA3A: "Re: [Full-Disclosure] Fw: Case ID 18941657 - Notice of Claimed Infringement"
- In reply to: Berend-Jan Wever: "[Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))"
- Next in thread: pachiderme pachiderme: "Re: [Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))"
- Reply: pachiderme pachiderme: "Re: [Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))"
To: Berend-Jan Wever <skylined@edup.tudelft.nl>
Date: Tue, 9 Nov 2004 12:56:38 +0200
On Tue, Nov 02, 2004 at 01:41:43AM +0100, Berend-Jan Wever wrote:
> The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm for most IE bugs.
>
if you need a lot of memory to be filled with something and javascript is
disabled, you can use xml + xsl, which allows replacing a short string with
a larger one, minimizing the download.
here is an example:
---xsl.xsl----------
<?xml-stylesheet type="text/xsl" href="#test"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
version="1.0" xmlns:d="http://msux.com/" id="test">
<d:d>
<a />
<a />
<a />
</d:d>
<xsl:output method="html"/>
<xsl:template match="xsl:stylesheet">
<xsl:for-each select="d:d/a">
Where do you want bill to go today?
</xsl:for-each>
<iframe src="about:blank" />
<script>alert("javascript");</script>
</xsl:template>
</xsl:stylesheet>
--------------------
here "<a />" is replaced by "Where do you want bill to go today?".
-- georgi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html