Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
From: Georgi Guninski <guninski () guninski com>
Date: Tue, 9 Nov 2004 12:56:38 +0200

On Tue, Nov 02, 2004 at 01:41:43AM +0100, Berend-Jan Wever wrote:
The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This 
is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm 
for most IE bugs.



if you need a lot of memory to be filled with something and javascript is
disabled, you can use xml + xsl, which allows replacing a short string with
larger one, minimizing the download.

here is an example:

---xsl.xsl----------
<?xml-stylesheet type="text/xsl" href="#test"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
version="1.0" xmlns:d="http://msux.com/"; id="test">
<d:d>
<a />
<a />
<a />
</d:d>
<xsl:output method="html"/>
<xsl:template match="xsl:stylesheet">
<xsl:for-each select="d:d/a">
Where do you want bill to go today?
</xsl:for-each>
<iframe src="about:blank" />
<script>alert("javascript");</script>
</xsl:template>
</xsl:stylesheet> 
--------------------

here "<a />" is replaced by "Where do you want bill to go today?".

-- 
georgi

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]