Re: Remote overflow in MSIE script action handlers (mshtml.dll)
Just to add to this again before we get sick of going on about it.
Some people have been reporting different things, namely that you must only
have one IE window open so that the other buffers cannot "absorb" the
attack. However,
Test 1:
No IE windows open, clicked on exploit link, launches IE - sometimes just
closes with no error, sometimes " The instruction at '0x7d525dcd' referenced
memory at '0x00009506'. The memory could not be 'read' " came up.
Test 2:
One IE window open already, opened up second one on exploit link - only
second window died. Same with two windows open already, three and so on;
just the actual IE window that is rendering the mshtml.dll exploit dies.
Obviously it's not sharing memory between the different instances of IE.
As I said before, Win XP SP2, all the lovely patches. (IE
6.0.2900.2180.xpsp_sp2_gdr.050301-1519)
c0redump
#hacktech @ undernet
----- Original Message -----
From: Master Phoxpherus
To: lcamtuf@xxxxxxxxxxxx
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Sent: Thursday, March 16, 2006 10:05 PM
Subject: Re: Remote overflow in MSIE script action handlers (mshtml.dll)
Hmm. I'm running a Windows 98 SE box and just tried what you said. Didn't
effect me "instantly" or after a time period. You sure you're not just
seeing shit? :P
Plus, keeping it real, there's a fair difference between a BoF that you can
perform easily remotely, and a BoF you have to talk people into. "Hey,
dude... can you just type <command> and if it don't work, hit refresh a few
times?" ... can you see it?
On Thu, 16 Mar 2006, Daniel Bonekeeper wrote:
> BTW, tested the POC on MSIE (File Version = 6.00.2900.2180
> (xpsp_sp2_rtm.040803-2158)) with mshtml.dll (6.00.2900.2802
> (xpsp_sp2_gdr.051123-1230)) and it didn't worked.
Daniel followed up with me in private and confirmed that the PoC *did*
work for him when he followed certain additional instructions: because the
attack depends on memory layout and usage, to get consistent results, be
sure to close *all* MSIE windows, then go to Start -> Run... and type:
iexplore http://lcamtuf.coredump.cx/iedie.html
That should crash the browser immediately, because there are no other
buffers nearby to "absorb" the initial fencepost. Still, if no dice, try
hitting 'Reload' a couple of times.
/mz
_________________________________________________________________
Are you using the latest version of MSN Messenger? Download MSN Messenger
7.5 today! http://messenger.msn.co.uk