lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 2 Nov 2004 10:19:34 +0100 (CET)
From: Michal Zalewski <lcamtuf@...edump.cx>
To: bugtraq@...urityfocus.com
Subject: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC
 exploit (was: python does mangleme (with IE bugs!)) (fwd)

A supposed PoC for a vulnerability discovered by ned of felinemenace.org
over a week ago, using his Python port of my mangleme utility (the utility
itself released some two weeks ago).

I'm taking this opportunity to do some whoring because the author
indicated that his original post bounced off BUGTRAQ due to "illegal"
Content-Type of text/html.

/mz

---------- Forwarded message ----------
Date: Tue, 2 Nov 2004 01:41:43 +0100
From: Berend-Jan Wever <skylined@...p.tudelft.nl>
Subject: MSIE <IFRAME> and <FRAME> tag NAME property
    bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))

Since nobody else posted an exploit I figured I might aswell slap the BoF together with my default exploit JavaScript for the scriptkiddies to rejoice and the sysadmins to worry about.
<TECHNICAL>

The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm for most IE bugs.

The BoF sets eax to 0x0D0D0D0D after which this code gets executed:
7178EC02                      8B08            MOV     ECX, DWORD PTR [EAX]
[0x0D0D0D0D] == 0x0D0D0D0D, so ecx = 0x0D0D0D0D.
7178EC04                      68 847B7071     PUSH    71707B84
7178EC09                      50              PUSH    EAX
7178EC0A                      FF11            CALL    NEAR DWORD PTR [ECX]
Again [0x0D0D0D0D] == 0x0D0D0D0D, so we jump to 0x0D0D0D0D.

We land inside one of the nopslide and slide on down to the shellcode. The shellcode is of the portbinding type, port 28876 to be exact. So now you know when to send me a happy birthday email...

The exploit will work with the <FRAME> and <IFRAME> tag, attached file uses <IFRAME>
</TECHNICAL>
<DUMMIES>
For all you guys that cannot setup their AV software right, you can download the attachment from one of the many mirrors of this list.
</DUMMIES>

Cheers,
SkyLined
Download attachment "InternetExploiter.html.gz" of type "APPLICATION/X-GUNZIP" (2445 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ