Odobrio: kost. Napisao: Anonymous.
Security tracker je objavio prvi exploit za Windowse (preciznije: MSIE 5) koji je nastao kao posljedica uvida u izvorni kod koji je procurio prije nekoliko dana. [Izvor].

Izvadak iz teksta exploita (molim uočiti spominjanje početničke programerske pogreške):

--Hush_boundary-402f0cfb09a9f
Content-type: text/plain

I downloaded the Microsoft source code. Easy enough. It's a lot bigger than Linux, but there were a lot of people mirroring it and so it didn't take long.

Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS. For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx:

[snip snip some source code kojeg nisam niti okrznuo pogledom]

.. Rrrrriiiiggghhhttt. Way to go, using a signed integer for an offset. Now all we have to do is create a BMP with bfOffBits > 2^31,

and we're in. cbSkip goes negative and the Read call clobbers the stack with our data.

See attached for proof of concept. index.html has [img src=1.bmp] where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211. Bring it up in IE5 (tested successfully on Win98) and get EIP=0x44332211.

IE6 is not vulnerable, so I guess I'll get back to work. My Warhol worm will have to wait a bit...

.gta
PROPS TO the Fort and HAVE IT BE YOU.