MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) (fwd)
Nov 02 2004 09:19AM
Michal Zalewski (lcamtuf coredump cx)
A supposed PoC for a vulnerability discovered by ned of felinemenace.org
over a week ago, using his Python port of my mangleme utility (the utility
itself released some two weeks ago).
I'm taking this opportunity to do some whoring because the author
indicated that his original post bounced off BUGTRAQ due to "illegal"
Content-Type of text/html.
---------- Forwarded message ----------
Date: Tue, 2 Nov 2004 01:41:43 +0100
From: Berend-Jan Wever <skylined (at) edup.tudelft (dot) nl [email concealed]>
Subject: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
The BoF sets eax to 0x0D0D0D0D after which this code gets executed:
7178EC02 8B08 MOV ECX, DWORD PTR [EAX]
[0x0D0D0D0D] == 0x0D0D0D0D, so ecx = 0x0D0D0D0D.
7178EC04 68 847B7071 PUSH 71707B84
7178EC09 50 PUSH EAX
7178EC0A FF11 CALL NEAR DWORD PTR [ECX]
Again [0x0D0D0D0D] == 0x0D0D0D0D, so we jump to 0x0D0D0D0D.
We land inside one of the nop slides and slide on down to the shellcode. The shellcode is of the portbinding type, port 28876 to be exact. So now you know when to send me a happy birthday email...
The exploit will work with the <FRAME> and <IFRAME> tag; the attached file uses <IFRAME>.
For all you guys that cannot set up their AV software right, you can download the attachment from one of the many mirrors of this list.
Copyright 2010, SecurityFocus