Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness
"Gray Hat Hacking, Second Edition"
Because this vulnerability has already been fixed with a Microsoft security update, you'll first need to uninstall the security update before you'll be able to reproduce it. You'll find the update in the Add/Remove Programs dialog box as KB 927779. Reboot your computer after uninstalling the update and open the AxMan web UI. Plug in the single clsid, click Single, and a few minutes later you'll have the crash shown in Figure 15-5. In the window status field at the bottom of the screen, you can see the property or method being tested at the time of the crash. In this case, it is the method "Execute" and we're passing in a long number as the first field, a string '1' as the second field, and a long number as the third field.

We don't know yet whether this is an exploitable crash, so let's try building up a simple HTML reproduction to do further testing in IE directly.

NOTE If different arguments crash your installation, use those values in place of the values you see in the HTML here.