Doesn't look like a null pointer to me, especially since it crashes while reading 800c0005... I think it's a format string vulnerability, causing ntdll.RtlFormatMessage to call ntdll._snwprintf with your href. Might be exploitable, I'll have a look...

Cheers,
SkyLined

----- Original Message -----
From: "Rafel Ivgi, The-Insider" <[EMAIL PROTECTED]>
To: "vulnwatch" <[EMAIL PROTECTED]>
Sent: Monday, June 14, 2004 23:20
Subject: [Full-Disclosure] Internet Explorer Remote Null Pointer Crash(mshtml.dll)

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Application:    Internet Explorer
> Vendors:        http://www.microsoft.com
> Versions:       6.0.2800.1106.xpclnt_qfe.021108-2107
> Patched With:   SP1;Q832894;Q330994;Q837009;Q831167;
> ModName:        mshtml.dll
> ModVer:         6.0.2734.1600
> Platforms:      Windows
> Bug:            Remote/Local Null Pointer Crash
> Exploitation:   Remote with browser
> Date:           14 Jun 2004
> Author:         Rafel Ivgi, The-Insider
> e-mail:         [EMAIL PROTECTED]
> web:            http://theinsider.deep-ice.com
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> 1) Introduction
> 2) Bugs
> 3) The Code
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ===============
> 1) Introduction
> ===============
>
> Internet Explorer is currently the most common internet browser in the
> world. It comes by default with every Windows operating system.
> Therefore any vulnerability concerning it is a highly important issue.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ======
> 2) Bug
> ======
>
> Upon clicking "Save As" on a link with double colon --> "::"
> and
> a left curly bracket --> "{"
> then
> Internet Explorer Will Crash.
>
> AppName: iexplore.exe AppVer: 6.0.2600.0 ModName: ntdll.dll
> ModVer: 5.1.2600.114 Offset: 00056074
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ===========
> 3) The Code
> ===========
>
> Paste into an htm/html file:
> <center><a href=::%7b>Right Click aOn Me And Click "Save Target As"</a>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ---
> Rafel Ivgi, The-Insider
> http://theinsider.deep-ice.com
>
> "Scripts and Codes will make me D.O.S , but they will never HACK me."
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
