Bugtraq mailing list archives

Re: BoF in Windows 2000: ddeshare.exe

From: Valdis.Kletnieks () vt edu
Date: Tue, 09 Nov 2004 14:59:20 -0500

On Mon, 08 Nov 2004 21:24:00 EST, Jack C said:

Run in OllyDbg, we find that the above string makes the program attempt 
to JMP to 0x00420042. It just so happens that Hex 42 is a "B". So the 
two B's at the end of the exploit string change the instrucation pointer.

As far as I can tell, this is not exploitable to run a shellcode because 
of the fact that NULL's are inserted between charactors.


Ah, but what if the 2 trailing B's are replaced by 2 Unicode chars that
together take up 4 bytes? ;)

                                                          But besides 
that, it would only give the same privliges that you already have to run 
the program in the first place. It simply points out bad coding.


If you can find a way to programmaticaly call the same code, this can be
leveraged by a trojan code.  Consider:  If there was a way to get a user to
click on a URL that resolved to a file share and fall into this code, this
could be used as an initial attack point for a worm.....

Attachment: _bin
Description:

Current thread:

BoF in Windows 2000: ddeshare.exe Jack C (Nov 09)
- Re: BoF in Windows 2000: ddeshare.exe Berend-Jan Wever (Nov 09)
- Re: BoF in Windows 2000: ddeshare.exe Valdis . Kletnieks (Nov 09)
  - Re: BoF in Windows 2000: ddeshare.exe J. S. Connell (Nov 10)