
Re: [Full-disclosure] AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows



<head><style>body{font-family: 
Geneva,Arial,Helvetica,sans-serif;font-size:9pt;background-color: 
#ffffff;color: black;}</style></head><body id="compText">If you follow the 
code, it hits the A's after a pop and some other instructions (forgot) and may 
be able to control the EIP. Correct me if I am 
wrong.<br><br>Elazar<br><br><br><blockquote style="border-left: 2px solid 
rgb(0, 0, 255); padding-left: 5px; margin-left: 0px;">-----Original Message-----
<br>From: reepex &lt;reepex@xxxxxxxxx&gt;
<br>Sent: Dec 25, 2007 10:53 PM
<br>To: Elazar Broad &lt;elazarb@xxxxxxxxxxxxx&gt;, full-disclosure@xxxxxxxxxxxxxxxxx
<br>Subject: Re: [Full-disclosure] AOL YGP Picture Editor YGPPicEdit.dll 
Multiple Buffer Overflows

<br><br>On Dec 25, 2007 5:29 PM, Elazar Broad &lt;<a target="_blank" 
href="mailto:elazarb@xxxxxxxxxxxxx">elazarb@xxxxxxxxxxxxx</a>&gt; 
wrote:<br><div 
class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px 
solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The AOL YGP Picture Editor Control (AIM PicEditor Control) version 9.5.1.8 suffers from multiple 
exploitable buffer overflows in various properties. This object is marked safe 
for scripting. I have not tested other versions. PoC as follows:
<br></blockquote></div><br><br>How does a bunch of 'A's prove something is 
exploitable?<br>
</blockquote></body>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/