Internet Explorer Crash (Malformed META Tag
Results 1 to 7 of 7

Thread: Internet Explorer Crash (Malformed META Tag

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Internet Explorer Crash (Malformed META Tag

    Summary
    Internet Explorer is Microsoft's core browser which is a part of any Windows operating system and is the dominant browser currently in the world.

    A malformed HTML page containing Javascript code with a specially crafted META tag will bring down Internet Explorer with an access violation.

    Details
    Vulnerable Systems:
    * Internet Explorer 6.0 SP1 with all the latest patches

    The following script code will cause Internet Explorer to crash when trying to parse the META tag contained within. The problem stems from a bug in the MSHTML library (mshtml.dll). Below is the script code that causes the crash:

    <scr!pt type="text/javascript">
    Wnd = window.createPopup();
    Wnd.document.body.innerHTML='<meta http-equiv="imagetoolbar" content="no">';
    </scr!pt>

    The effect of the META tag is to cause an access violation within mshtml.dll, however not exploitable. The problematic piece of code is shown below:

    636D54AF 8B48 2C MOV ECX, [EAX+2C]
    EAX = 0, Bad read of address 0x0000002C.

    Additional information
    The information has been provided by Mike Mauler.
    Source : http://www.securiteam.com/windowsntf...DP0B20CUW.html

    I test it myself! Change the ! for i in the script code and save it on a local page. This will make IE crash!
    -Simon \"SDK\"

  2. #2
    THAT'S all it takes? Geez. Just another reason I abandoned IE altogether!

  3. #3
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    *sniff* and to think I thought I was safe...LMFAO,it was a JOKE ppl!!
    How did they find out anyway?Random testing sure seems a long way to get to it:\

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    i was thinking the same thing therenegade. they must take off their <stright> jackets and let them out on weekends to figure this out.

    yet another reason to block js
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    I didn't found it... I know a French website that take ALOT of computer news RSS Feed and return them into one page. In about 1 minute, I can see the news of about 20 computers related site and I saw this one. That why I consider myself a news post whore.
    -Simon \"SDK\"

  6. #6
    Banned
    Join Date
    Apr 2003
    Posts
    3,840
    thats why you all shoul use Mozilla or other browser.

    In fact, i order you to delete any IE shorcut or icon you see, and install FireFox, Netscape(or not) or SlimBroswer ......

  7. #7
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    779
    Very kool. This is how I did mine. I started with the basic elements html, head, title,


    <h±ml>

    <h£ad>

    <t|tle> Try this trick </t|tle>

    </h£ad>

    <script type="text/javascript">
    Wnd = window.createPopup();
    Wnd.document.body.innerHTML='<meta http-equiv="imagetoolbar" content="no">';

    </html>

    Here's a screenshot

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •