| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: guninski at guninski.com (Georgi Guninski)
Subject: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
On Tue, Nov 02, 2004 at 01:41:43AM +0100, Berend-Jan Wever wrote:
> The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm for most IE bugs.
>
if you need a lot of memory to be filled with something and javascript is
disabled, you can use xml + xsl, which allows replacing a short string with
larger one, minimizing the download.
here is an example:
---xsl.xsl----------
<?xml-stylesheet type="text/xsl" href="#test"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
version="1.0" xmlns:d="http://msux.com/" id="test">
<d:d>
<a />
<a />
<a />
</d:d>
<xsl:output method="html"/>
<xsl:template match="xsl:stylesheet">
<xsl:for-each select="d:d/a">
Where do you want bill to go today?
</xsl:for-each>
<iframe src="about:blank" />
<script>alert("javascript");</script>
</xsl:template>
</xsl:stylesheet>
--------------------
here "<a />" is replaced by "Where do you want bill to go today?".
--
georgi
Powered by blists - more mailing lists