Information security

Additional information

  Buffer overflow in Internet Explorer

  CERT Advisory CA-2003-14 Buffer Overflow in Microsoft Windows HTML

  Microsoft Security Bulletin MS03-023: Buffer Overrun In HTML Converter Could Allow Code Execution (Q823559)

  Internet Explorer >=5.0 : Buffer overflow

From: 3APA3A <3APA3A_(at)_security.nnov.ru>
Date: 1 July 2003
Subject: PoC for Internet Explorer >=5.0 buffer overflow (trivial exploit for hard case).

Dear [email protected],

 The attached exploit for [1] works with ~70% probability on Windows NT
 4.0 (I didn't test it on different systems and it may differ; I don't
 care, because I only wanted to show that code execution IS possible).
 It works slowly and may require a few minutes to complete, see the
 explanation below. It does ExitProcess(0x3A3A) and nothing more. A
 shell-binding exploit needs the shellcode to be changed and will be
 private :) In this implementation the shellcode may contain any
 characters except 0x0000 and a few 0xFFxx combinations. Details on
 Unicode exploits can be found in [2].


 As it was said before, this is a stack-based overflow in HTML32.cnv.

 Bad thing: the data can only contain printable ASCII characters (0x20 -
 0x79) and all characters are capitalized. This limits the range to
 0x20-0x60 and 0x7B-0x79. It's hard to create shellcode, but the huge
 problem is that the memory ranges 0x20202020-0x60797979 and
 0x7B202020-0x79797979 are unused. That is, we cannot overwrite EIP with
 anything useful. So, at first look, exploitation is very difficult, if
 possible at all.

 Good thing: we can put an almost unlimited amount of code, almost
 without any limitation, on the heap. We can use it in 2 ways:

 1. Try to fill memory in such a way that the address 0x20202020 points
 inside our code. It's hard, because it will require a large amount of
 RAM and a lot (a few hours on the latest PIV) of CPU time.

 2. We can try to partially overwrite EIP. And this trick really works
 (at least on my Windows NT 4.0). With some luck, many EIPs and
 carefully chosen alignment we can finally exploit this bug with a high
 enough success rate. Because it creates HTML of a few hundred Kb and
 puts it on the clipboard from JavaScript, it needs some time to
 complete. As you can see, the exploit is trivial (because of a lack of
 debugger and assembler experience since MS-DOS times I prefer
 simplicity :)) ).

 OS: WinNT 4.0 SP6a, IE 6.0.2800, msvcrt.dll 6.10.8924.0 (the exploit
 uses the ExitProcess import address from msvcrt.dll, so it will fail
 with a different msvcrt). Probably it will work with different IE
 versions; I'm not sure about different OSes.

 Archive password is 3A3A

 P.S. Please do not write something like "I don't understand how to use
 it". This thing may be interesting only for researchers, not for


 [1] Digital Scream, Internet Explorer >=5.0 : Buffer overflow

 [2] 3APA3A, Details and exploitation of buffer overflow in mshtml.dll
 (and few sidenotes on Unicode overflows in general)

       { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
You know my name - look up my number (The Beatles)
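The message explains why a full overwrite of the saved EIP is useless under a printable-and-capitalized filter and why stopping the overflow after a few bytes (a partial overwrite) still reaches code. The following C program is an added example, not 3APA3A's exploit and not code from the original page: it models the byte filter, checks whether a given return address can be written in full, and finds the smallest partial overwrite that turns a saved EIP into a target address. The addresses it uses (0x77F8A000 and the two targets) are constructed for illustration, and it assumes "printable" means 0x20..0x7E; the message itself gives 0x79 as the upper bound.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Models the filter the message describes: the overflowing data passes
 * through a converter that keeps printable ASCII and upper-cases it, so a
 * byte reaches the stack unchanged only if it is printable and is not a
 * lowercase letter. Assumption (not from the message): "printable" is
 * 0x20..0x7E. */
static bool byte_survives(uint8_t b)
{
    if (b < 0x20 || b > 0x7E)
        return false;                 /* dropped or mangled: not printable */
    if (b >= 'a' && b <= 'z')
        return false;                 /* arrives as the uppercase letter */
    return true;
}

/* Full overwrite: every byte of the little-endian address must survive.
 * That confines the reachable addresses to the ranges the message calls
 * unused, which is why a full overwrite gives nothing useful. */
static bool full_overwrite_possible(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (!byte_survives((uint8_t)(addr >> (8 * i))))
            return false;
    return true;
}

/* Partial overwrite: the overflow is cut off after k low bytes of the
 * saved EIP (x86 is little-endian, so the low bytes are written first),
 * leaving the original high 4-k bytes in place. Returns the smallest k
 * that turns saved_eip into target using only surviving bytes, or -1 if
 * no k works (k == 0 means target is already the saved EIP). */
static int min_partial_overwrite(uint32_t saved_eip, uint32_t target)
{
    for (int k = 0; k <= 4; k++) {
        uint32_t low = (k == 4) ? 0xFFFFFFFFu : ((1u << (8 * k)) - 1);
        if ((saved_eip & ~low) != (target & ~low))
            continue;                 /* untouched high bytes would differ */
        bool ok = true;
        for (int i = 0; i < k && ok; i++)
            ok = byte_survives((uint8_t)(target >> (8 * i)));
        if (ok)
            return k;
    }
    return -1;
}

/* Lays out the overflow: `pad` filler bytes up to the saved EIP, then
 * exactly k low bytes of target, so the write stops mid-address (the
 * "carefully chosen alignment"). Returns the payload length, or 0 if the
 * partial overwrite is impossible or does not fit. */
static size_t build_partial_overwrite(uint8_t *out, size_t cap, size_t pad,
                                      uint32_t saved_eip, uint32_t target)
{
    int k = min_partial_overwrite(saved_eip, target);
    if (k < 0 || pad + (size_t)k > cap)
        return 0;
    memset(out, 'A', pad);            /* 0x41 survives the filter */
    for (int i = 0; i < k; i++)
        out[pad + i] = (uint8_t)(target >> (8 * i));
    return pad + (size_t)k;
}

int main(void)
{
    /* Constructed addresses for illustration; none come from the message. */
    uint32_t saved_eip = 0x77F8A000u; /* hypothetical return into a system DLL */
    uint32_t good      = 0x77F84120u; /* same DLL, differs in the 2 low bytes */
    uint32_t bad       = 0x77F86120u; /* 0x61 is 'a' and would be capitalized */
    uint8_t payload[64];

    printf("full overwrite with 0x%08X: %s\n", good,
           full_overwrite_possible(good) ? "yes" : "no (0xF8 and 0x77 don't survive)");
    printf("partial overwrite 0x%08X -> 0x%08X: %d byte(s)\n",
           saved_eip, good, min_partial_overwrite(saved_eip, good));
    printf("partial overwrite 0x%08X -> 0x%08X: %d (impossible)\n",
           saved_eip, bad, min_partial_overwrite(saved_eip, bad));
    size_t n = build_partial_overwrite(payload, sizeof payload, 16, saved_eip, good);
    printf("payload length with 16 bytes of padding: %zu\n", n);
    return 0;
}
```

The search over k shows the trade-off the message relies on: the fewer bytes you overwrite, the more of the original return address you keep, so the target must already lie near the saved EIP; that is why the real exploit needs "many EIPs" to land with useful probability, since the saved return address is a guess rather than a known value.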

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod