Message-ID: <41266631545.20030701152732@SECURITY.NNOV.RU>
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: PoC for Internet Explorer >=5.0 buffer overflow (trivial exploit for hard case).

Dear bugtraq@...urityfocus.com,

  Attached exploit for [1] works with ~70% probability on Windows NT 4.0
  (I didn't test on different systems and it may differ; I don't care
  because I only wanted to show code execution IS possible). It works
  slowly and may require a few minutes to complete, see explanation below.
  It does ExitProcess(0x3A3A) and nothing more. A shell-binding exploit
  needs the shellcode to be changed and will be private :) In this
  realization shellcode may contain any characters except 0x0000 and a few
  0xFFxx combinations. Details on unicode exploits can be found in [2].

  Details:

  As it was said before, this is a stack-based overflow in HTML32.cnv.

  Bad thing: data can only contain printable ASCII characters (0x20 -
  0x79) and all characters are capitalized. This limits the range to
  0x20-0x60 and 0x7B-0x79. It's hard to create shellcode, but the huge
  problem is that memory ranges 0x20202020-0x60797979 and
  0x7B202020-0x79797979 are unused. That is, we cannot overwrite EIP with
  something useful. So, at first look, exploitation is very difficult,
  if possible.

  Good thing: we can put an almost unlimited amount of code almost without
  any limitation on the heap. We can use it in 2 ways:

  1. Try to fill memory in a way that address 0x20202020 points inside our
  code. It's hard, because it will require a large amount of RAM and a lot
  (a few hours on the latest PIV) of CPU time.

  2. We can try to partially overwrite EIP. And this trick really works (at
  least on my Windows NT 4.0). With some luck, many EIPs and carefully
  chosen alignment, finally we can exploit this bug with a high enough
  success rate. Because it creates HTML of a few hundred KB and puts it
  on the clipboard from JavaScript, it needs some time to complete. As
  you can see, the exploit is trivial (because of lack of
  debugger and assembler experience since MS-DOS times I prefer
  simplicity :)) ).

  OS: WinNT 4.0 SP6a, IE 6.0.2800, msvcrt.dll 6.10.8924.0 (the exploit uses
  the ExitProcess import address from msvcrt.dll, so it will fail with a
  different msvcrt). Probably it will work with different IE versions;
  I'm not sure about different OS.

  Archive password is 3A3A

  P.S. Please do not write something like "I don't understand how to use
  it". This thing may be interesting only for researchers, not for
  profit.

  References:

  [1] Digital Scream, Internet Explorer >=5.0 : Buffer overflow
  http://www.security.nnov.ru/search/news.asp?binid=2926

  [2] 3APA3A, Details and exploitation of buffer overflow in mshtml.dll
  (and few sidenotes on Unicode overflows in general)
  http://www.security.nnov.ru/search/document.asp?docid=2554

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test2.zip
Type: application/x-zip-compressed
Size: 567 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030701/52304cd6/test2.bin
