Odobrio: kost. Napisao: Anonymous. Security tracker je objavio prvi exploit za Windowse (preciznije: MSIE 5) koji je nastao kao posljedica uvida u izvorni kod koji je procurio prije nekoliko dana. [Izvor].
Izvadak iz teksta exploita (molim uočiti spominjanje početničke programerske pogreške): --Hush_boundary-402f0cfb09a9f Content-type: text/plain I downloaded the Microsoft source code. Easy enough. It's a lot bigger than Linux, but there were a lot of people mirroring it and so it didn't take long. Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS. For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx: [snip snip some source code kojeg nisam niti okrznuo pogledom] .. Rrrrriiiiggghhhttt. Way to go, using a signed integer for an offset. Now all we have to do is create a BMP with bfOffBits > 2^31, and we're in. cbSkip goes negative and the Read call clobbers the stack with our data. See attached for proof of concept. index.html has [img src=1.bmp] where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211. Bring it up in IE5 (tested successfully on Win98) and get EIP=0x44332211. IE6 is not vulnerable, so I guess I'll get back to work. My Warhol worm will have to wait a bit... .gta PROPS TO the Fort and HAVE IT BE YOU.
|