Re: Internet Explorer >=5.0 : Buffer overflow

From: xenophi1e (
Date: 06/26/03

  • Next message: Brett Moore: "Windows Media Services Remote Command Execution #2"
    Date: 26 Jun 2003 17:31:01 -0000
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <>

    > wnd=open("about:blank","","");
    > wnd.moveTo(screen.Width,screen.Height);
    > WndDoc=wnd.document;

    This is a good one. Works for me on IE 6.0.2800.1106.xpsp2.

    It's a stack based buffer overflow in HTML32.cnv which is a HTML
    converter .DLL with a funny extension (it's in \Program Files\Common
    Files\Microsoft Shared\TextConv). You can control EBP, EIP, and some
    regs. The only twist is that the buffer is encoded before the overflow
    occurs. The encoding appears to be something like UTF-8; high ASCII is
    transformed into multi-byte sequences, low ASCII is truncated (?!). This
    is only a problem for getting a useful EIP in there, and not a very big
    one by any means.

    I'm no unicode guru, so maybe someone else knows if this is consistent
    with UTF-8:

     buffer += "\xcc\x59\xfb\x77";
    // becomes \xc3\x8c\x59\xc3\xbb\x57

    As surreal side note, this DLL contains a strange easter egg:

    .data:02344C94 aPresenting db 'Presenting',0 ; DATA XREF:
    .data:02344C94 ;
    .data:02344C9F align 4
    .data:02344CA0 aTheAnansi db 'The Anansi',0 ; DATA XREF:
    .data:02344CA0 ;
    .data:02344CAB align 4
    .data:02344CAC aAnansi db 'Anansi',0 ; DATA XREF:
    .data:02344CB3 align 4
    .data:02344CB4 aAnansiTheSpide db 'Anansi, the spider, is the chief
    character in most Ghanaian '
    .data:02344CB4 ; DATA XREF:
    .data:02344CB4 ;
    .data:02344CB4 db 'folk tales.',0
    .data:02344CFC aGenerallyRegar db ' Generally regarded as crafty and
    wise, he is often a maker '
    .data:02344CFC ; DATA XREF:
    .data:02344CFC ;
    .data:02344CFC db 'of mischief.',0
    .data:02344D45 align 4
    .data:02344D48 aHeSeeksToSweep db ' He seeks to sweep up all the wisdom
    of the world in order t'
    .data:02344D48 ; DATA XREF:
    .data:02344D48 ;
    .data:02344D48 db 'o be the wisest of all.',0
    .data:02344D9C aDevelopmentTea db ' Development Team',0 ; DATA XREF:
    .data:02344D9C ;

    Haven't figured out how to trigger it yet (just managed to find working
    debug symbols for this DLL):

    .text:02315420 _EnsureDocClosure proc near ; CODE XREF:

    .text:0231567D EasterEgg: ; CODE XREF:


  • Next message: Brett Moore: "Windows Media Services Remote Command Execution #2"

    Relevant Pages

    • Re: New Shortcut Wizard
      ... Jorrit Jongma < wrote: ... You'll get a buffer overflow. ... Since the third parameter to the DLL function is a PChar, ... The DLL won't know where the command line ends. ...
    • Re: Strange activity in IIS logs
      ... ('binary' encoding is not supported, ... >sure looks like a buffer overflow attempt of some kind, ... >Almost looks like a different spin on Code Red or Nimda. ... >virus, or has someone else heard of this? ...
    • OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
      ... ('binary' encoding is not supported, ... function may cause buffer overflow. ...
    • Re: String to byte *
      ... I can't be sure without some more information about the what the dll expects ... encoding appropriate to the application and ... Declare the function prototype to take a byte ...
    • Re: converting int to char
      ... Are you confusing this dll with the Compatibility dll? ... Gerald ... >> You fail to mention the Text Encoding used, so I will assume the Integer ...