Bugtraq mailing list archives
Re: BoF in Windows 2000: ddeshare.exe
From: Valdis.Kletnieks () vt edu
Date: Tue, 09 Nov 2004 14:59:20 -0500
On Mon, 08 Nov 2004 21:24:00 EST, Jack C said:
> Run in OllyDbg, we find that the above string makes the program attempt to JMP to 0x00420042. It just so happens that Hex 42 is a "B". So the two B's at the end of the exploit string change the instruction pointer. As far as I can tell, this is not exploitable to run a shellcode because of the fact that NULLs are inserted between characters.
Ah, but what if the 2 trailing B's are replaced by 2 Unicode chars that together take up 4 bytes? ;)
> But besides that, it would only give the same privileges that you already have to run the program in the first place. It simply points out bad coding.
If you can find a way to programmatically call the same code, this can be leveraged by trojan code. Consider: If there was a way to get a user to click on a URL that resolved to a file share and fall into this code, this could be used as an initial attack point for a worm...
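Added example, not code from this thread or from ddeshare.exe: a small C program that performs the ASCII-to-UTF-16LE widening Jack describes (a 0x00 byte after every character) and reads the last four widened bytes as a little-endian 32-bit value, the way x86 loads a saved return address, which is how trailing "BB" becomes 0x00420042. The conversion routine, the 512-byte scratch buffer and the sample input are assumptions constructed for the demonstration; the length check in the widening routine is the bounds check a fixed-size wide buffer needs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Widen a 7-bit ASCII string to UTF-16LE: each character becomes <byte> 0x00,
 * which is why NULs end up between the characters of the input.
 * Returns the number of output bytes, or -1 when `cap` is too small
 * (the length check a fixed-size destination needs: cap must be 2x the input). */
int widen_ascii_utf16le(const char *s, unsigned char *out, size_t cap)
{
    size_t n = strlen(s);
    if (n > cap / 2)                 /* every input byte needs two output bytes */
        return -1;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = (unsigned char)s[i];
        out[2 * i + 1] = 0x00;
    }
    return (int)(2 * n);
}

/* Read a little-endian 32-bit value, as x86 does for a saved return address. */
uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Value a 4-byte stack slot would hold if the last two widened characters of
 * `input` landed on it. Returns 0 when the input is shorter than two characters
 * or does not fit the 512-byte scratch buffer (an assumed size, not ddeshare's). */
uint32_t widened_tail_dword(const char *input)
{
    unsigned char wide[512];
    int len = widen_ascii_utf16le(input, wide, sizeof wide);
    if (len < 4)
        return 0;
    return le32(wide + len - 4);
}

int main(void)
{
    /* Constructed input in the shape the post describes: filler, then "BB". */
    const char *sample = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB";
    printf("trailing \"BB\" widened -> 0x%08x\n", widened_tail_dword(sample));
    return 0;
}
```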