|
Full Disclosure
mailing list archives
Re: Internet Explorer Ver6.0.2800.1106 vulnerability
From: Valdis.Kletnieks () vt edu
Date: Mon, 29 May 2006 16:48:34 -0400
On Mon, 29 May 2006 21:30:31 BST, Aaron Gray said:
Look at the original post and you will see there is no where to inject any
code.
Aaron
<script>
var wwidth = (window.innerWidth)?window.innerWidth:
((document.all
)?document.body.offsetWidth:null);
while (wwidth)
{
self.resizeBy(-999999, -1);
}
</script>
No *obvious* way to inject code. Don't rule out something like this working:
<script>
var exploit96 = "some long-ass string that's just printable-96 chars"
var wwidth = (window.innerWidth)?yadda yadda...
and exploit96 just happens to end up someplace interesting/useful, and
gets successfully interpreted as executable code.....
A few years ago, somebody found an interesting overflow-the-environment
bug in a lot of telnetd's. Of course, the *tough* part was the fact
that you had to cram literally 45 megabytes or so of crap down telnetd's
throat first, to get the memory layout where you needed it for when
something overflowed a buffer......
Attachment:
_bin
Description:
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
| 
Intro
