Re: ESI Manipulation?
- From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
- Date: Sun, 11 Dec 2005 17:47:01 +0300
Dear Disco Jonny,
It looks like classical NULL-pointer dereference, probably there is no
way to get code execution.
--Friday, December 9, 2005, 4:51:52 PM, you wrote to vuln-dev@xxxxxxxxxxxxxxxxx:
DJ> I have been looking at stack stuff for a month or two now, so please
DJ> forgive my ignorance.
DJ> formed statement crashed my IE (Firefox recognises the bad script and
DJ> won't attempt to run it)
DJ> I fired up ollydb to take a look at it, and it would appear that I am
DJ> somehow overwriting the ESI or EAX with 00000000.
DJ> Now is there anything that I can do with this? I have tried to get it
DJ> to overwrite with different values but I can't. This is probably
DJ> nothing, but hey I thought I would ask. I don't know if this is of
DJ> any use to anyone, but here is some info from ollydb.
DJ> 636B43AE 8B32 MOV ESI,DWORD PTR DS:[EDX]
DJ> 636B43B0 8942 14 MOV DWORD PTR DS:[EDX+14],EAX
DJ> 636B43B3 FF36 PUSH DWORD PTR DS:[ESI] <-- throws exception here
DJ> 636B43B5 8D4A 04 LEA ECX,DWORD PTR DS:[EDX+4]
DJ> 636B43B8 50 PUSH EAX
DJ> EAX 00000000
DJ> ECX 0637EE60
DJ> EDX 0637EE60
DJ> EBX FFFFFFFF
DJ> ESP 0637EE44
DJ> EBP 0637EE7C
DJ> ESI 00000000
DJ> EDI 0637EEF4
DJ> EIP 636B43B3 mshtml.636B43B3
DJ> 0637EE44 00000000
DJ> 0637EE48 637514E4 RETURN to mshtml.637514E4 from mshtml.636B4396
DJ> I have been doing a bit of googling, and I came across an article that
DJ> seemed to suggest that setting the ESI to 000000000 is a security
DJ> thing implemented by microsoft? This article was more confusing than
DJ> helpful - although I think that is because the author was assuming a
DJ> level of skill that I don't currently possess.
DJ> Any advice anyone?
DJ> I am running a fully patched W2K box.
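The quoted disassembly loads a pointer from [EDX] into ESI, stores EAX at [EDX+14], and then reads through ESI; with ESI equal to 00000000 the final read faults. The C below is an added illustration of that sequence and is not code from the thread or from mshtml; the struct layout is a hypothetical model chosen only so the offsets match the quoted instructions. It shows why a NULL pointer at that point produces an access violation rather than a controlled write, and what the missing check looks like.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical object layout modelled on the quoted disassembly (this is
 * an assumption for illustration, not IE's real structure): the first
 * dword is a pointer that ends up in ESI, and the dword at offset 0x14
 * receives EAX. */
struct obj {
    uint32_t *first;     /* [EDX+0x00] -> MOV ESI,DWORD PTR DS:[EDX] */
    uint32_t  pad[4];    /* offsets 0x04..0x13, unused here */
    uint32_t  field14;   /* [EDX+0x14] <- MOV DWORD PTR DS:[EDX+14],EAX */
};

/* Mirrors the quoted sequence:
 *   MOV ESI,DWORD PTR DS:[EDX]
 *   MOV DWORD PTR DS:[EDX+14],EAX
 *   PUSH DWORD PTR DS:[ESI]
 * Returns 0 and writes the fetched dword to *out on success, or -1 when
 * the pointer loaded into "ESI" is NULL. In the crash dump ESI is
 * 00000000, so the unchecked read below is the instruction that throws:
 * page zero is not mapped, and a read of an unmapped address is a fault,
 * not a way to steer execution. */
int fetch_with_check(struct obj *edx, uint32_t eax, uint32_t *out)
{
    uint32_t *esi = edx->first;   /* MOV ESI,DWORD PTR DS:[EDX] */
    edx->field14 = eax;           /* MOV DWORD PTR DS:[EDX+14],EAX */
    if (esi == NULL) {            /* the check the crashing code lacks */
        return -1;
    }
    *out = *esi;                  /* PUSH DWORD PTR DS:[ESI] */
    return 0;
}

int main(void)
{
    /* Constructed state matching the dump: EAX = 0, [EDX] = 0 (so ESI = 0). */
    struct obj o = { NULL, {0, 0, 0, 0}, 0 };
    uint32_t out = 0;
    if (fetch_with_check(&o, 0, &out) != 0) {
        printf("NULL pointer at [EDX]: read through ESI would fault\n");
    }

    /* Same code with a valid pointer behaves normally. */
    uint32_t value = 0x1234;
    o.first = &value;
    if (fetch_with_check(&o, 7, &out) == 0) {
        printf("fetched 0x%x, field14 = %u\n", out, o.field14);
    }
    return 0;
}
```

The store to [EDX+14] happens before the faulting read, so EAX does land in the object, but it is stored at an address derived from EDX (a valid heap pointer in the dump) and EAX itself is zero; nothing in the quoted state lets the value of ESI be anything other than what was already at [EDX]. That is the basis of 3APA3A's assessment above.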