Your test scripts GPFed Netscape 4.51 on our lab's "victim" Windows 98 system,
but did not execute an exploit.
--Brett Glass
At 11:45 PM 9/2/99 +0900, DEF CON ZERO WINDOW wrote:
>Hi,
>
> I discovered a buffer overflow bug which causes a huge security hole in `Netscape
>Communicator 4.06J, 4.5J - 4.6J, 4.61e' (probably all versions after 3.0).
>
> The problem in this application is in the handling of the EMBED tag: the buffer
>overflow is caused if a long string is specified in the "pluginspage" option.
> I coded an exploit program to execute any command on the victim machine. I tested it
>on Windows 98.
>
> However, this program specifies the immediate address of the system() function
>defined in msvcrt.dll, so it does not work on a Windows machine which has another
>version of msvcrt.dll installed (this program is for version 6.00.8397).
>
> The reason I specified the immediate address of the function is that the buffer
>the exploit code can be written to is very short; the size of the writable buffer is
>about 83 bytes. The buffer is too small to hold code which looks up the addresses of
>the functions defined in "msvcrt.dll".
>
> However, this problem would be solved if code that searches for the attack code and
>executes it were put in the exploit code. The attack code can also be written to
>another buffer.
>
># Attack code of 2300 bytes could be written to stack_bottom.
>
> A trojan or virus could be written into the attack code, so this problem is very serious.
>
> In this case, the stack pointer (ESP) at the time the overflow occurs differs by
>environment, so the method of overwriting the RET address cannot be used for the exploit.
>This example overwrites the handler address for the access violation, so the exploit
>code is called when the access violation occurs. When the access violation occurs,
>the address of the exploit buffer is stored in the EBX register, so I overwrite the
>handler address with the address of code where a "JMP EBX" instruction is written.
>
> You can quickly test this exploit on my site. I have prepared some versions of
>exploits that execute "welcome.exe" on your Windows 98 machine. If you are a user of
>one of the specified versions of Netscape, please test it. I did not code the exploit
>program for Windows NT and Windows 95, but they also contain the same problem.
>
>... and, this problem can't be avoided.
>
>
>[ exploit demo page ]
>
>exec "welcome.exe" - nc4x_ex.c
>http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex.cgi
>
>exec "notepad.exe"
>http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex2.cgi
>
>---
>
>[ exploit test ]
>
>blue screen(int 01h)
>http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm
>
>
>[ document(japanese) ]
>http://www.ugtop.com/defcon0/hc/nc4x_ex_demo.htm
>
>
>special thanks:
>UNYUN( The Shadow Penguin Security )
>http://shadowpenguin.backsection.net/
>
>
>
>--
>: R00t Zer0 - http://www.ugtop.com/defcon0/index.htm :
>: E-Mail: [EMAIL PROTECTED] :
>: -- -- :
>: "HP/UX is the worst OS for the hacker..." - Mark Abene :
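The post above describes the trigger as an over-long string in the "pluginspage" attribute of an EMBED tag. The following is an added example, not code from either poster, showing how a defender could audit HTML (a proxy log, a cached page, a mail attachment) for that pattern before it reaches a vulnerable client. The 83-byte threshold is taken from the post's own figure for the writable buffer; the sample documents, the class and function names are constructed here for illustration.

```python
from html.parser import HTMLParser

# The post reports a writable buffer of about 83 bytes; a legitimate
# pluginspage value is a URL, so anything longer than this is worth flagging.
# Threshold is an assumption taken from the post, not a vendor figure.
MAX_PLUGINSPAGE_LEN = 83


class EmbedAttrAuditor(HTMLParser):
    """Collects EMBED tags whose pluginspage attribute exceeds the limit."""

    def __init__(self, limit=MAX_PLUGINSPAGE_LEN):
        super().__init__()
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lower-cases tag and attribute names.
        if tag != "embed":
            return
        for name, value in attrs:
            if name == "pluginspage" and value is not None and len(value) > self.limit:
                line, _col = self.getpos()
                self.findings.append(
                    {"line": line, "attr": name, "length": len(value)}
                )


def audit_html(html, limit=MAX_PLUGINSPAGE_LEN):
    """Return a list of findings (empty when nothing exceeds the limit)."""
    parser = EmbedAttrAuditor(limit)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample documents (not taken from the post's demo pages).
SAMPLE_BENIGN = (
    '<html><body>\n'
    '<embed src="clip.mov" pluginspage="http://plugins.example.invalid/get">\n'
    '</body></html>'
)
SAMPLE_SUSPICIOUS = (
    '<html><body>\n'
    '<p>hello</p>\n'
    '<embed src="x" pluginspage="' + "A" * 300 + '">\n'
    '</body></html>'
)

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, audit_html(doc))
```

Running the script prints an empty list for the benign document and one finding on line 3 of the suspicious one, with the attribute length of 300; the same function can be pointed at any stored HTML to triage content aimed at the affected client versions.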