Re: ESI Manipulation?



Dear Disco Jonny,

It looks like a classical NULL-pointer dereference; probably there is no
way to get code execution.

--
~/ZARAZA
http://www.security.nnov.ru


--Friday, December 9, 2005, 4:51:52 PM, you wrote to vuln-dev@xxxxxxxxxxxxxxxxx:

DJ> Hi,

DJ> I have been looking at stack stuff for a month or two now, so please
DJ> forgive my ignorance.

DJ> Anyways, I was idly writing some JavaScript last night, when a badly
DJ> formed statement crashed my IE (Firefox recognises the bad script and
DJ> won't attempt to run it).

DJ> I fired up OllyDbg to take a look at it, and it would appear that I am
DJ> somehow overwriting the ESI or EAX with 00000000.

DJ> Now is there anything that I can do with this? I have tried to get it
DJ> to overwrite with different values but I can't. This is probably
DJ> nothing, but hey, I thought I would ask. I don't know if this is of
DJ> any use to anyone, but here is some info from OllyDbg.

DJ> 636B43AE 8B32 MOV ESI,DWORD PTR DS:[EDX]
DJ> 636B43B0 8942 14 MOV DWORD PTR DS:[EDX+14],EAX
DJ> 636B43B3 FF36 PUSH DWORD PTR DS:[ESI] <-- throws exception here
DJ> 636B43B5 8D4A 04 LEA ECX,DWORD PTR DS:[EDX+4]
DJ> 636B43B8 50 PUSH EAX

DJ> EAX 00000000
DJ> ECX 0637EE60
DJ> EDX 0637EE60
DJ> EBX FFFFFFFF
DJ> ESP 0637EE44
DJ> EBP 0637EE7C
DJ> ESI 00000000
DJ> EDI 0637EEF4
DJ> EIP 636B43B3 mshtml.636B43B3

DJ> 0637EE44 00000000
DJ> 0637EE48 637514E4 RETURN to mshtml.637514E4 from mshtml.636B4396

DJ> I have been doing a bit of googling, and I came across an article that
DJ> seemed to suggest that setting the ESI to 000000000 is a security
DJ> thing implemented by Microsoft? This article was more confusing than
DJ> helpful - although I think that is because the author was assuming a
DJ> level of skill that I don't currently possess.

DJ> Any advice anyone?

DJ> I am running a fully patched W2K box.

DJ> Thanks,

DJ> S.
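
The faulting sequence above, reduced to an added C example (not code from either poster, and not the mshtml code itself): EDX points at an object, its first field is loaded into ESI, and PUSH [ESI] then reads through that field. When the field is 0 the read hits address 0, which lies in the unmapped low page of the process, so the fault address itself tells you it is a NULL-based dereference and not a pointer the attacker controls. The struct and field names, the SIGSEGV/siglongjmp recovery (POSIX, not the Windows box in the post) and the "lowest 64 KiB is never mapped" triage rule are all assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout mirroring the disassembly: the object at EDX has a
 * pointer at +0 (loaded into ESI) and a dword at +0x14 (overwritten with EAX). */
struct inner { uint32_t first; };
struct outer {
    struct inner *next;      /* +0x00: MOV ESI,DWORD PTR [EDX]      */
    uint32_t pad[4];         /* +0x04..+0x10, unused here           */
    uint32_t cached;         /* +0x14: MOV DWORD PTR [EDX+14],EAX   */
};

enum fault_kind { FAULT_NONE, FAULT_NULL_PAGE, FAULT_OTHER };

/* Triage heuristic (assumption): NT and Linux both keep the lowest 64 KiB
 * unmapped, so a fault address there means NULL (plus a small field offset),
 * i.e. a crash you cannot steer, rather than a pointer you control. */
enum fault_kind classify_fault(uintptr_t addr) {
    return addr < 0x10000 ? FAULT_NULL_PAGE : FAULT_OTHER;
}

static sigjmp_buf recover;
static volatile uintptr_t fault_addr;

static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    fault_addr = (uintptr_t)si->si_addr;   /* address the faulting access touched */
    siglongjmp(recover, 1);
}

/* Run the three instructions on a given object and report what happened. */
enum fault_kind run_sequence(struct outer *edx, uint32_t eax) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    volatile enum fault_kind kind = FAULT_NONE;
    if (sigsetjmp(recover, 1) == 0) {
        struct inner *esi = edx->next;          /* MOV ESI,DWORD PTR [EDX]     */
        edx->cached = eax;                      /* MOV DWORD PTR [EDX+14],EAX  */
        volatile uint32_t pushed = esi->first;  /* PUSH DWORD PTR [ESI]: faults when esi == NULL */
        (void)pushed;
    } else {
        kind = classify_fault(fault_addr);
    }
    sigaction(SIGSEGV, &old, NULL);
    return kind;
}

/* Constructed inputs: the crash in the post (next == NULL) and a healthy object. */
enum fault_kind demo_null_case(void) {
    struct outer obj = { .next = NULL };
    return run_sequence(&obj, 0);
}

enum fault_kind demo_valid_case(void) {
    struct inner target = { 42 };
    struct outer obj = { .next = &target };
    return run_sequence(&obj, 7);
}

int main(void) {
    static const char *names[] = { "no fault", "NULL-page dereference", "other fault" };
    printf("next == NULL : %s (fault address %#lx)\n",
           names[demo_null_case()], (unsigned long)fault_addr);
    printf("next valid   : %s\n", names[demo_valid_case()]);
    return 0;
}
```

The point of the `classify_fault` check is the one that decides whether a crash like this is worth more time: the register dump in the post shows ESI = 00000000 and the faulting instruction reads [ESI], so the fault address is 0, not a value the script controlled. The MOV to [EDX+14] before it writes EAX (also 0) into a live object, which is a plain store, not an overwrite of anything the attacker chooses.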


