TUCoPS :: Browsers :: bt511.txt

PoC for Internet Explorer >=5.0 buffer overflow (trivial exploit for hard case).

Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear bugtraq@securityfocus.com,

  Attached exploit for [1] works with ~70% probability on Windows NT 4.0
  (I  didn't tested on different systems and it may differ, I don't care
  because  I  only  wanted to show code execution IS possible). It works
  slow  and  may require few minutes to complete, see explanation below.
  It  does  ExitProcess(0x3A3A)  and  nothing more. Shellbinding exploit
  needs  shellcode  to  be  changed  and  will  be  private  :)  In this
  realization shellcode may contain any characters except 0x0000 and few
  0xFFxx combinations. Details on unicode exploits can be found in [2].


  As  it  was said before, this is stack-based overflow in HTML32.cnv.

  Bad  thing:  data  can only contain printable ASCII characters (0x20 -
  0x79)  and  all  characters  are  capitalized.  This limits a range to
  0x20-0x60  and  0x7B-0x79.  It's  hard  to  create shellcode, but huge
  problem    is    that    memory   ranges   0x20202020-0x60797979   and
  0x7B202020-0x79797979 are unused. That is we cannot overwrite EIP with
  something  useful. So, at first look, exploitations is very difficult,
  if possible.

  Good  thing: We can put almost unlimited amount of code almost without
  any limitation on the heap. We can use it in 2 ways:

  1.  Try  to  feel  memory in a way 0x20202020 address point inside our
  code. It's hard, because it will require large amount of RAM and a lot
  (few hours on latest PIV) of CPU time.

  2. We can try partially overwrite EIP. And this trick really works (at
  least  on  my Windows NT 4.0). With some luck, many EIPs and carefully
  chosen  alignment  finally  we  can  exploit this bug with high enough
  success  rate.  Because it creates HTML of few hundreds Kb and puts it
  on  the  clipboard  from Javascript it needs some time to complete. As
  you      can     see     exploit     is   trivial  (because of leak of
  debugger  and  assembler  experience  since  MS-DOS  times  I  prefer
  simplicity :)) ).

  OS:  WinNT 4.0 SP6a, IE 6.0.2800, msvcrt.dll 6.10.8924.0 (exploit uses
  ExitProcess  import  address  from  msvcrt.dll  so  it  will fail with
  different  msvcrt).  Probably it will work with different IE versions,
  I'm not sure about different OS.

  Archive password is 3A3A

  P.S. please do not write something like "I don't understand how to use
  it".  This  thing  may  be  interesting  only for researchers, not for


  [1] Digital Scream, Internet Explorer >=5.0 : Buffer overflow

  [2]  3APA3A, Details and exploitation of buffer overflow in mshtml.dll
  (and    few    sidenotes    on    Unicode    overflows   in   general)

        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
You know my name - look up my number (The Beatles)
Content-Type: application/x-zip-compressed; name="test2.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="test2.zip"



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH