Hi,
On Fri, 9 Dec 2005 13:51:52 +0000
Disco Jonny <discojonny_at_gmail.com> wrote:
> Now is there anything that I can do with this? I have tried to get it
> to overwrite with different values but I can't. This is probably
> nothing, but hey I thought I would ask. I don't know if this is of
> any use to anyone, but here is some info from ollydb.
>
> 636B43AE 8B32 MOV ESI,DWORD PTR DS:[EDX]
> 636B43B0 8942 14 MOV DWORD PTR DS:[EDX+14],EAX
> 636B43B3 FF36 PUSH DWORD PTR DS:[ESI] <-- throws exception
> 636B43B5 8D4A 04 LEA ECX,DWORD PTR DS:[EDX+4]
> 636B43B8 50 PUSH EAX
>
> EAX 00000000
> ECX 0637EE60
> EDX 0637EE60
> EBX FFFFFFFF
> ESP 0637EE44
> EBP 0637EE7C
> ESI 00000000
> EDI 0637EEF4
> EIP 636B43B3 mshtml.636B43B3
It looks like a NULL pointer reference to me. Since ECX (which I assume holds
the "this" pointer) and EDX, from where your ESI value is taken at 636B43AE,
are the same, I would assume boldly that the first member of the class
instance pointed to by ECX is in fact NULL, while the following code assumes
it is not.
Understandably, you didn't post the JavaScript code that caused it, but if the
code is considered invalid by Firefox because "something" is missing, it would
support my shot-in-the-dark theory. If that's the case, I don't see an obvious
way to exploit it from the details given.
cheers
Felix
--
Felix Lindner, CISSP | Senior Security Consultant, n.runs GmbH
fx_at_nruns.com | +49 (0)171 740 20 62
People demand freedom of speech to make up for the freedom of thought
which they avoid. - Soren Kierkegaard
Received on Dec 13 2005
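As an added example that is not part of the thread, the triage Felix does by hand can be mechanised: the Python below reads the OllyDbg register dump and disassembly quoted above, finds the instruction at EIP, computes the effective address of its memory operand from the register values, and labels the access a read or a write, so a read from address 0 comes out as a plain NULL-pointer dereference, matching the reply. The function names and the 0x10000 null-page threshold are my own assumptions, not anything from the thread.

```python
import re
from itertools import dropwhile
# Sample input constructed from the OllyDbg register dump and disassembly quoted in the thread.
REGISTER_DUMP = """EAX 00000000
ECX 0637EE60
EDX 0637EE60
EBX FFFFFFFF
ESP 0637EE44
EBP 0637EE7C
ESI 00000000
EDI 0637EEF4
EIP 636B43B3 mshtml.636B43B3"""
DISASSEMBLY = """636B43AE 8B32 MOV ESI,DWORD PTR DS:[EDX]
636B43B0 8942 14 MOV DWORD PTR DS:[EDX+14],EAX
636B43B3 FF36 PUSH DWORD PTR DS:[ESI]
636B43B5 8D4A 04 LEA ECX,DWORD PTR DS:[EDX+4]
636B43B8 50 PUSH EAX"""
MEM_RE = re.compile(r"\[([A-Z]+)(?:\+([0-9A-F]+))?\]")  # [BASE] or [BASE+disp] as OllyDbg prints it
OPCODE_RE = re.compile(r"(?:[0-9A-F]{2})+")  # even-length hex tokens are opcode bytes, not mnemonics

def parse_registers(dump):
    # 'EIP 636B43B3 mshtml.636B43B3' -> regs['EIP'] == 0x636B43B3; the trailing symbol is ignored
    regs = {}
    for line in dump.splitlines():
        name, value = line.split()[:2]
        regs[name] = int(value, 16)
    return regs

def faulting_instruction(disasm, eip):
    # mnemonic and operands of the line whose address equals EIP, opcode-byte columns stripped
    for line in disasm.splitlines():
        addr, rest = line.split(None, 1)
        if int(addr, 16) == eip:
            return " ".join(dropwhile(OPCODE_RE.fullmatch, rest.split()))
    return None
def effective_address(instr, regs):
    m = MEM_RE.search(instr)  # None when the instruction has no memory operand
    return (regs[m.group(1)] + int(m.group(2) or "0", 16)) & 0xFFFFFFFF if m else None
def access_kind(instr):
    # LEA only forms an address; MOV with a memory destination writes; the rest of this listing reads
    mnemonic, _, operands = instr.partition(" ")
    if mnemonic == "LEA":
        return "address-only"
    return "write" if mnemonic == "MOV" and "[" in operands.split(",")[0] else "read"
def triage(dump=REGISTER_DUMP, disasm=DISASSEMBLY, null_page=0x10000):
    # null_page is an assumed threshold: an access below it is classified as a NULL-pointer dereference
    regs = parse_registers(dump)
    instr = faulting_instruction(disasm, regs["EIP"])
    addr = effective_address(instr, regs)
    return {"instruction": instr, "address": addr, "access": access_kind(instr),
            "null_deref": addr is not None and addr < null_page}
```

On the embedded sample, triage() reports the PUSH at 636B43B3 as a read from address 0, while the preceding MOV wrote EAX to the valid heap address EDX+14; a write primitive would have shown up as a write with a controllable destination.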