Re: [Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))

From: Georgi Guninski (guninski_at_guninski.com)
Date: 11/09/04

    To: Berend-Jan Wever <skylined@edup.tudelft.nl>
    Date: Tue, 9 Nov 2004 12:56:38 +0200
    
    

    On Tue, Nov 02, 2004 at 01:41:43AM +0100, Berend-Jan Wever wrote:
    > The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm for most IE bugs.
    >

    if you need a lot of memory to be filled with something and javascript is
    disabled, you can use xml + xsl, which allows replacing a short string with a
    larger one, minimizing the download.

    here is an example:

    ---xsl.xsl----------
    <?xml-stylesheet type="text/xsl" href="#test"?>
    <!-- the document is its own stylesheet: the PI above points at id="test" -->
    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    version="1.0" xmlns:d="http://msux.com/" id="test">
    <!-- top-level data elements: each empty <a /> becomes one copy of the text below -->
    <d:d>
    <a />
    <a />
    <a />
    </d:d>
    <xsl:output method="html"/>
    <!-- the template matches the stylesheet root, so d:d/a is resolved against it -->
    <xsl:template match="xsl:stylesheet">
    <xsl:for-each select="d:d/a">
    Where do you want bill to go today?
    </xsl:for-each>
    <iframe src="about:blank" />
    <script>alert("javascript");</script>
    </xsl:template>
    </xsl:stylesheet>
    --------------------

    here "<a />" is replaced by "Where do you want bill to go today?".

    -- 
    georgi
     
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
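A static check for the amplification pattern described in the message above, added here as example code (not from the post or its author): it estimates how much text a self-referencing stylesheet will emit by resolving each for-each select against the stylesheet's own data elements, and flags stylesheets whose estimated output dwarfs the download. The `build_stylesheet` helper, the `http://example.invalid/` namespace and the ratio threshold are constructed assumptions.

```python
import io
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

def parse_with_namespaces(src: bytes):
    """Parse XML and keep the prefix -> URI declarations that ET otherwise drops."""
    ns, root = {}, None
    for event, obj in ET.iterparse(io.BytesIO(src), events=("start-ns", "start")):
        if event == "start-ns":
            ns[obj[0]] = obj[1]
        elif root is None:
            root = obj
    return root, ns

def estimate_output_bytes(src: bytes) -> int:
    """Static estimate (hypothetical heuristic) of the text a self-referencing stylesheet emits.
    Assumes the post's shape: the template matches xsl:stylesheet, so each for-each
    select resolves against the stylesheet root and the loop's literal text is emitted
    once per selected node."""
    root, ns = parse_with_namespaces(src)
    total = 0
    for loop in root.iter(f"{{{XSL_NS}}}for-each"):
        selected = root.findall(loop.get("select"), ns)
        body = "".join(loop.itertext())
        total += len(selected) * len(body.encode())
    return total

def amplification(src: bytes) -> float:
    """Estimated output size divided by the size actually downloaded."""
    return estimate_output_bytes(src) / len(src)

def is_amplifying(src: bytes, threshold: float = 10.0) -> bool:
    """Flag a stylesheet whose output would be at least `threshold` times its own size."""
    return amplification(src) >= threshold

def build_stylesheet(repeat: int, payload: str) -> bytes:
    """Constructed sample in the shape of the posted xsl.xsl: `repeat` empty <a/>
    data elements, each expanded to `payload` by the for-each."""
    return (
        '<?xml-stylesheet type="text/xsl" href="#test"?>\n'
        '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"\n'
        ' version="1.0" xmlns:d="http://example.invalid/" id="test">\n'
        f'<d:d>{"<a/>" * repeat}</d:d>\n'
        '<xsl:output method="html"/>\n<xsl:template match="xsl:stylesheet">\n'
        f'<xsl:for-each select="d:d/a">\n{payload}\n</xsl:for-each>\n'
        '</xsl:template>\n</xsl:stylesheet>\n'
    ).encode()
```

The estimate only covers for-each loops whose select is a simple child path ElementTree can evaluate; a stylesheet using other XPath features needs a real XSLT engine to measure.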
    
