
Friday, March 24, 2006

The new Internet Explorer 0-day createTextRange on a Checkbox Vulnerability

It begins as always with a bug that crashes Internet Explorer.

From: http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044297.html

<!-- crash trigger: createTextRange() called on a checkbox input -->
<input type="checkbox" id='c'>
<script>
r=document.getElementById("c");
a=r.createTextRange();
</script>


Then the folks at computerterrorism.com reported that this can be turned into code execution on the target machine. They provided details but are withholding an exploit until Microsoft releases a patch.

http://www.computerterrorism.com/research/ct22-03-2006

From their advisory:

As per the publication, the bug originates from the use of a createTextRange() method, which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference.

As a result, IE encounters an exception when trying to call a dereferenced 32-bit address, as highlighted by the following snippet of code.

0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]
..
0x7D53C166 CALL DWORD PTR [ECX]

Due to the incorrect reference, ECX points to a very remote, non-existent memory location, causing IE to crash (DoS). However, although the location is somewhat distant, history dictates that a condition of this nature is conducive towards reliable exploitation.
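To make the advisory's two-instruction snippet concrete, here is an added C model of that call pattern. It is not IE's code, not from the advisory, and not from my module; the structure and function names (object, method_table, dispatch, legit_method, hijacked_method) are invented for illustration. MOV ECX,[EDI] / CALL [ECX] is what a compiler emits for obj->table->first(): the object's first field is a pointer to a table of function pointers, and the first slot of that table is called. If the table pointer is corrupt but still lands in memory whose contents you control (filling a large region with the same value, as in a heap spray, is the general technique the advisory is alluding to with "conducive towards reliable exploitation"), the CALL goes wherever the word at that address says, rather than just faulting.

```c
/*
 * Added model of the indirect call in the advisory (not IE or the
 * original post's code).  All names here are invented for illustration.
 *
 *   MOV ECX, DWORD PTR DS:[EDI]   ; ECX = obj->table
 *   CALL DWORD PTR [ECX]          ; call table->first()
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*method_fn)(void);

/* The table ECX points at; slot 0 is what CALL [ECX] invokes. */
struct method_table {
    method_fn first;
};

/* The object EDI points at; its first field is the table pointer. */
struct object {
    struct method_table *table;
};

static int legit_method(void)    { return 1; }    /* what should be called   */
static int hijacked_method(void) { return 0x41; } /* stands in for shellcode */

static struct method_table legit_table = { legit_method };

/* The compiled pattern from the advisory. */
static int dispatch(struct object *obj)
{
    struct method_table *ecx = obj->table; /* MOV ECX, DWORD PTR [EDI] */
    return ecx->first();                   /* CALL DWORD PTR [ECX]     */
}

/* Normal case: table pointer is intact. */
int call_through_valid_table(void)
{
    struct object obj = { &legit_table };
    return dispatch(&obj);
}

#define SPRAY_WORDS 64

/*
 * Corrupted case.  Constructed stand-in for a region the attacker has
 * filled with one repeated value (the address of their code), the way a
 * heap spray fills the browser heap.  The object's table pointer is then
 * pointed at an arbitrary word inside that region.  Because every word is
 * the same, it does not matter exactly where the bogus pointer lands:
 * dispatch() calls hijacked_method() either way.  A pointer into unmapped
 * memory instead produces the plain crash the bug report shows.
 */
int call_through_sprayed_block(size_t word_offset)
{
    uintptr_t sprayed[SPRAY_WORDS];
    for (size_t i = 0; i < SPRAY_WORDS; i++)
        sprayed[i] = (uintptr_t)hijacked_method;

    if (word_offset >= SPRAY_WORDS)
        return -1; /* outside the constructed region: nothing to model */

    struct object obj = { (struct method_table *)&sprayed[word_offset] };
    return dispatch(&obj);
}

int main(void)
{
    printf("valid table    -> %d\n", call_through_valid_table());
    printf("sprayed, off 0 -> 0x%x\n", call_through_sprayed_block(0));
    printf("sprayed, off 37-> 0x%x\n", call_through_sprayed_block(37));
    return 0;
}
```

The point of the model is the last paragraph of the advisory: a corrupt table pointer that dereferences into unmapped memory is only a DoS, but the same two instructions become an arbitrary-call primitive as soon as the pointer can be made to land in attacker-filled memory.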

Anyway, I ported the sample exploit code I found to the Metasploit Framework, and you can find my module at http://www.rhce2b.com/ie_checkbox.pm
