Nmap logo

Another MSIE 4.0 overflow

Description:Standard overflow, this one can almost certainly be exploited by a malicious page to run arbitrary code on a user's system.
Author:Georgi Guninski <guninski@hotmail.com>
Compromise:Run arbitrary code on the machines of Windows users connecting to your web page.
Vulnerable Systems:Windows 95/NT running MSIE 4.0. Perhaps even the Solaris version is vulnerable, though I've never seen anyone run it.
Date:20 March 1998

Date: Fri, 20 Mar 1998 12:09:46 +0200
From: Georgi Guninski <guninski@hotmail.com>
Subject: MSIE buffer overrun

Microsoft Internet Explorer 4.0 (don't know for other versions)
can be crashed and eventually made execute arbitrary code
with a little help of the <EMBED> tag.

The following:
<EMBED SRC=file://C|/A.ABOUT_200_CHARACTERS_HERE___________________>
opens a dialog box and closes IE 4.0.
It seems that the long file extension causes stack overrun.

The stack is smashed - full with our values, EIP is also ours and CS=SS.
So probably a string could be constructed, executing code at the
client's machine.

Solution: Do not browse hostile pages.
To try this: http://www.geocities.com/ResearchTriangle/1711/msie.html

Georgi Guninski

-----------------------cut here and save as
Trying to crash IE 4.0
80                                                                               160                    170                 180                 190          200

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]