[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
- To: Berend-Jan Wever <skylined@xxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
- From: Georgi Guninski <guninski@xxxxxxxxxxxx>
- Date: Tue, 9 Nov 2004 12:56:38 +0200
On Tue, Nov 02, 2004 at 01:41:43AM +0100, Berend-Jan Wever wrote:
> The JavaScript creates a large amount of heap-blocks filled with 0x0D byte
> nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] ==
> 0x0D0D0D0D. It's not the most efficient thing in the world but it works like
> a charm for most IE bugs.
>
if you need a lot of memory to be filled with something and javascript is
disabled, you can use xml + xsl, which allows replacing a short string with
larger one, minimizing the download.
here is an example:
---xsl.xsl----------
<?xml-stylesheet type="text/xsl" href="#test"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
version="1.0" xmlns:d="http://msux.com/"; id="test">
<d:d>
<a />
<a />
<a />
</d:d>
<xsl:output method="html"/>
<xsl:template match="xsl:stylesheet">
<xsl:for-each select="d:d/a">
Where do you want bill to go today?
</xsl:for-each>
<iframe src="about:blank" />
<script>alert("javascript");</script>
</xsl:template>
</xsl:stylesheet>
--------------------
here "<a />" is replaced by "Where do you want bill to go today?".
--
georgi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html