Jump to content

IE 6 pwn'd by <html>


anyedie
 Share

Recommended Posts

To Mods: Maybe this should go in 'news', if it does move it. :)

I dont think its has been shown here yet, but a guy named Hamachiya2 discoverd a

flaw in IE 6 that will crash it.  Just one line of HTML code,

&lt;style&gt;*{position:relative}&lt;/style&gt;&lt;table&gt;&lt;input&gt;&lt;/table&gt;

lolz.

From all accounts it renders fine in Opera, firefox, and IE 7

If you wish to try it out using IE 6 click below:

http://immike.net/scripts/ie_crash.html

source:

http://immike.net/blog/2007/08/06/single-l...l-crashes-ie-6/

Link to comment
Share on other sites

Doesn't crash the pc, but does close ie6. Some people have reported it crashing their pc, but mine just closes ie6 with no error.

Seems it doesn't matter what position method you use either. Relative or absolute do the same thing.

There are also many possible ways to crash it. Ex:

&lt;style&gt;*{position:absolute}&lt;/style&gt;&lt;table&gt;&lt;blockquote&gt;a&lt;/table&gt;

I think anything with an * style and code following the table tag will cause it to crash becasue it can't render * position for * contents of a table. There are probably other tags that will work, but I am not going to sit here all day looking through them, and it isn't very usefull unless you could insert a payload along with this because it closes so quickly we can't see how far you get before it could execute any code after the tables.

I wonder if you can do this with MySpace, because they allow you to use style tags, but no html. If you css in your page and anywhere in their page they render a table, it should crash the page, right?

Link to comment
Share on other sites

Just tested it on MySpace and it killed ie6. Now, wonde rif it can be put into a comment without being removed?

Link to comment
Share on other sites

Tried it in IE7, didn't crash. .

I forget where, but there is a way to bring down IE7 with this as well, but it ivolves something with the tabs or maybe when tabs are off? Can't remember, but I am sure there is a way to do it on IE7.

Link to comment
Share on other sites

Tried it in IE7, didn't crash. .

if you open it in the second tab ie7crashes aswell :P

do the following : open any random site in 1st tab, open http://hamachiya.com/junk/ie_crash.html in the second, switch back to first tab and have a few secs patience .... tada crash ...

I knew it had somehting to do with the tabs...thanks.

Link to comment
Share on other sites

nothing to do with tabs, that one is a virus. Set up ur scrip on my private host and crashs IE6 not IE7, run it on IE7 in second tab and just loads a input.

-edit-

It works took about 30 secs though to crash mine though :S and the AV's pick it up as a virus :S

Link to comment
Share on other sites

nothing to do with tabs, that one is a virus. Set up ur scrip on my private host and crashs IE6 not IE7, run it on IE7 in second tab and just loads a input.

-edit-

It works took about 30 secs though to crash mine though :S and the AV's pick it up as a virus :S

weird mine's detects it as a vbs virus aswell now , but last time i checked it didnt, and it didt have any hostile code, was the page changed or is this a wrong warning ?

*edit* its a invalid warning basically cos of the 1 lined script ....

just temp disable yer av and wget the file and watch the code ....

all it contains is the script :

&lt;!--
    Easy IE Crash by Hamachiya2 (http://hamachiya.com/junk/ie_crash.html)
--&gt;

&lt;style&gt;*{position:relative}&lt;/style&gt;&lt;table&gt;&lt;input&gt;

Link to comment
Share on other sites

*update*

ok so check this out :

put the one line in a .html file,

scan it useing your av, it wil detect ....

now encode it useing javascript ...

&lt;script language="JavaScript"&gt;
document.write(unescape("x3cx73x74x79x6cx65x3ex2ax7bx70x6fx73x69x74x69x6fx6ex3ax72x65x6cx61x74x69x76x
65x7dx3cx2fx73x74x79x6cx65x3ex3cx74x61x62x6cx65x3ex3cx69x6ex70x75x74x3e"))
&lt;/script&gt;

now scan the file ...

no detection :P

yet it still works in ie6 and ie7 :P

*update* arg nevermind, what the av does is useless , it doesnt detect the actual script that kills the browser but the signature of the creater combined with it.

&lt;!--
    Easy IE Crash by Hamachiya2 (http://hamachiya.com/junk/ie_crash.html)
--&gt;

so you can still use the original undetected, wtf ?? can the av makers get their head out of their ass ?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...