Unaddressed DoS vulnerabilities in IE 6 SP2
(Wednesday, January 31. 2007)
I reported almost all of these DoS vulnerabilities more than a year ago to Microsoft, but they are still not fixed.
Note that the offsets at which the browser crashes have changed because of the installed security updates. In each of the dumps below the faulting instruction reads through a null pointer (e.g. `ds:0023:0000000c` with eax=0), which is consistent with a crash-only denial of service rather than a controllable memory corruption.
Online demo:
1. ie60-1132900617750-7d6d8eba.html
Possibly you have to hit the refresh button several times to trigger bug number two.
Online demo:
2. ie60-1132900490843-7d6c74b1.html
Online demo:
3. ie60-1132901785453-7d6d2db4.html
np: york feat. asheni - mercury rising
1. ie60-1132900617750-7d6d8eba.html
eax=00000000 ebx=00fcdc00 ecx=00000000 edx=00000000 esi=0012e230 edi=00fca190
eip=7de0b808 esp=0012dd08 ebp=00000000 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
7de0b7c7 44 inc esp
7de0b7c8 2410 and al,0x10
7de0b7ca 8a44241c mov al,[esp+0x1c]
7de0b7ce 33c9 xor ecx,ecx
7de0b7d0 33d2 xor edx,edx
7de0b7d2 894c2414 mov [esp+0x14],ecx
7de0b7d6 8b8ea4000000 mov ecx,[esi+0xa4]
7de0b7dc 24fe and al,0xfe
7de0b7de 57 push edi
7de0b7df 89542410 mov [esp+0x10],edx
7de0b7e3 8954241c mov [esp+0x1c],edx
7de0b7e7 88442420 mov [esp+0x20],al
7de0b7eb e806f0e4ff call mshtml+0x7a7f6 (7dc5a7f6)
7de0b7f0 8b4c2428 mov ecx,[esp+0x28]
7de0b7f4 68accce17d push 0x7de1ccac
7de0b7f9 8bf8 mov edi,eax
7de0b7fb e86394e5ff call mshtml+0x84c63 (7dc64c63)
7de0b800 50 push eax
7de0b801 8bcf mov ecx,edi
7de0b803 e8e3ecfdff call mshtml+0x20a4eb (7ddea4eb)
FAULT ->7de0b808 668b500c mov dx,[eax+0xc] ds:0023:0000000c=????
7de0b80c 6685d2 test dx,dx
7de0b80f 0f8cb351e2ff jl mshtml+0x509c8 (7dc309c8)
7de0b815 833d5033e87d01 cmp dword ptr [mshtml+0x2a3350 (7de83350)],0x1
7de0b81c 0fbffa movsx edi,dx
7de0b81f 7513 jnz mshtml+0x22b834 (7de0b834)
7de0b821 a14c33e87d mov eax,[mshtml+0x2a334c (7de8334c)]
7de0b826 8b484c mov ecx,[eax+0x4c]
7de0b829 8b4134 mov eax,[ecx+0x34]
7de0b82c 8d147f lea edx,[edi+edi*2]
7de0b82f 8b3c90 mov edi,[eax+edx*4]
7de0b832 eb1c jmp mshtml+0x22b850 (7de0b850)
7de0b834 a14033e87d mov eax,[mshtml+0x2a3340 (7de83340)]
7de0b839 50 push eax
7de0b83a ff152412be7d call dword ptr [mshtml+0x1224 (7dbe1224)]
7de0b840 8b484c mov ecx,[eax+0x4c]
7de0b843 8b4134 mov eax,[ecx+0x34]
7de0b846 8d147f lea edx,[edi+edi*2]
7de0b849 8b3c90 mov edi,[eax+edx*4]
7de0b84c eb02 jmp mshtml+0x22b850 (7de0b850)
7de0b84e 8bf8 mov edi,eax
Possibly you have to hit the refresh button several times to trigger bug number two.
Online demo:
2. ie60-1132900490843-7d6c74b1.html
eax=00fc040a ebx=00fc9aa0 ecx=00000001 edx=00fca460 esi=00000000 edi=0012a084
eip=7ddf9e1e esp=00129f5c ebp=00129f84 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
7ddf9de8 100f adc [edi],cl
7ddf9dea 844105 test [ecx+0x5],al
7ddf9ded 0000 add [eax],al
7ddf9def 8b550c mov edx,[ebp+0xc]
7ddf9df2 8b4228 mov eax,[edx+0x28]
7ddf9df5 897028 mov [eax+0x28],esi
7ddf9df8 6a0b push 0xb
7ddf9dfa 33c0 xor eax,eax
7ddf9dfc 59 pop ecx
7ddf9dfd 8bfe mov edi,esi
7ddf9dff f3ab rep stosd
7ddf9e01 8b45f8 mov eax,[ebp-0x8]
7ddf9e04 8906 mov [esi],eax
7ddf9e06 897228 mov [edx+0x28],esi
7ddf9e09 e9af010000 jmp mshtml+0x219fbd (7ddf9fbd)
7ddf9e0e 8b4728 mov eax,[edi+0x28]
7ddf9e11 8b7028 mov esi,[eax+0x28]
7ddf9e14 897728 mov [edi+0x28],esi
7ddf9e17 8b4320 mov eax,[ebx+0x20]
7ddf9e1a 668b4002 mov ax,[eax+0x2]
FAULT ->7ddf9e1e 8b4e24 mov ecx,[esi+0x24] ds:0023:00000024=????????
7ddf9e21 66250030 and ax,0x3000
7ddf9e25 662d0010 sub ax,0x1000
7ddf9e29 66f7d8 neg ax
7ddf9e2c 897510 mov [ebp+0x10],esi
7ddf9e2f 1bc0 sbb eax,eax
7ddf9e31 40 inc eax
7ddf9e32 50 push eax
7ddf9e33 e8bf8efeff call mshtml+0x202cf7 (7dde2cf7)
7ddf9e38 0fb6c0 movzx eax,al
7ddf9e3b 48 dec eax
7ddf9e3c 83f80c cmp eax,0xc
7ddf9e3f 0f877b010000 jnbe mshtml+0x219fc0 (7ddf9fc0)
7ddf9e45 ff248534a3df7d jmp dword ptr [mshtml+0x21a334 (7ddfa334)+eax*4]
7ddf9e4c 8b4e20 mov ecx,[esi+0x20]
7ddf9e4f f6410208 test byte ptr [ecx+0x2],0x8
7ddf9e53 7419 jz mshtml+0x219e6e (7ddf9e6e)
7ddf9e55 8b45fc mov eax,[ebp-0x4]
7ddf9e58 ff7014 push dword ptr [eax+0x14]
7ddf9e5b 8b4610 mov eax,[esi+0x10]
7ddf9e5e 03460c add eax,[esi+0xc]Online demo:
3. ie60-1132901785453-7d6d2db4.html
eax=00000000 ebx=00000000 ecx=00fc9158 edx=00fca7c4 esi=0012a250 edi=00000000
eip=7de055da esp=0012a210 ebp=0012a244 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
7de05597 0000 add [eax],al
7de05599 8b7f04 mov edi,[edi+0x4]
7de0559c 3b7e10 cmp edi,[esi+0x10]
7de0559f 75de jnz mshtml+0x22557f (7de0557f)
7de055a1 8bce mov ecx,esi
7de055a3 e862f9ffff call mshtml+0x224f0a (7de04f0a)
7de055a8 50 push eax
7de055a9 e82cf8ffff call mshtml+0x224dda (7de04dda)
7de055ae 85c0 test eax,eax
7de055b0 8945f8 mov [ebp-0x8],eax
7de055b3 0f85c4020000 jne mshtml+0x22587d (7de0587d)
7de055b9 8b461c mov eax,[esi+0x1c]
7de055bc 8b4e18 mov ecx,[esi+0x18]
7de055bf 8365f400 and dword ptr [ebp-0xc],0x0
7de055c3 8365fc00 and dword ptr [ebp-0x4],0x0
7de055c7 8b7e14 mov edi,[esi+0x14]
7de055ca 8945f0 mov [ebp-0x10],eax
7de055cd e88e3fe4ff call mshtml+0x69560 (7dc49560)
7de055d2 3bc7 cmp eax,edi
7de055d4 0f8402020000 je mshtml+0x2257dc (7de057dc)
FAULT ->7de055da 8b07 mov eax,[edi] ds:0023:00000000=????????
7de055dc 8bc8 mov ecx,eax
7de055de 83e10f and ecx,0xf
7de055e1 49 dec ecx
7de055e2 0f849c010000 je mshtml+0x225784 (7de05784)
7de055e8 49 dec ecx
7de055e9 0f84b3000000 je mshtml+0x2256a2 (7de056a2)
7de055ef 49 dec ecx
7de055f0 49 dec ecx
7de055f1 746c jz mshtml+0x22565f (7de0565f)
7de055f3 83e904 sub ecx,0x4
7de055f6 0f85a5010000 jne mshtml+0x2257a1 (7de057a1)
7de055fc 8bcf mov ecx,edi
7de055fe e87130feff call mshtml+0x208674 (7dde8674)
7de05603 85c0 test eax,eax
7de05605 7430 jz mshtml+0x225637 (7de05637)
7de05607 837e0400 cmp dword ptr [esi+0x4],0x0
7de0560b 742a jz mshtml+0x225637 (7de05637)
7de0560d 8bcf mov ecx,edi
7de0560f e87231feff call mshtml+0x208786 (7dde8786)
7de05614 85c0 test eax,eax
np: york feat. asheni - mercury rising
Posted by
in Security, Windows
at
21:12
Comments
Hey bro,
nice to see an entry from you after a long time... :)
I tried the links with IE7 and they all seem to be fixed - no crashes etc.
.c-tc
Yeah, in general IE 7 seems to be much more stable..
