Full Disclosure mailing list archives
Buffer overflow in Shell32.dll . Net monitor
From: "David F. Madrid" <idoru () videosoft net uy>
Date: Fri, 30 May 2003 00:54:09 +0200
Issue Buffer overflow in Shell32.dll . Net monitor Tested version W2000 Server Sp3 Shell32.dll versiĆ³n 5.0.3502.5436 Vendor status Microsoft was informed months ago but as they seem to be even slower than me debugging I dediced to publish it . DescripciĆ³n Net monitor is a traffic analisis tool that ships with some versions of Windows . Besides analizing traffic you can open capture files ( .cap ) . If you try to open a capture file with a long file name ( ~252 bytes ) netmon will crash with an access violation . Program instruction pointer EIP is overwritten with the file name converted to unicode , therefore the cause of the crash is a corruption of adjacent variables in the stack . In order to execute code with this vulnerability you can place your code in a system enviroment variable . That place your code in an address ( ~00010040 ) that can be referenced from our controled EIP converted to unicode . The crash occurs in this function 77E3A294 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] 77E3A298 CD 2B INT 2B 77E3A29A C2 0400 RETN 4 After executing int 2B , program seems to change stack and ESP has the value of ~6bf88 . This memory zone is overwritten in the second call to MultiByteToWideChar function in module shell32.dll 775C059B FF7424 10 PUSH DWORD PTR SS:[ESP+10] ( Wide buffer size = 260 bytes ) 775C059F 66:890E MOV WORD PTR DS:[ESI],CX 775C05A2 8A50 02 MOV DL,BYTE PTR DS:[EAX+2] 775C05A5 80E2 34 AND DL,34 775C05A8 80FA 34 CMP DL,34 775C05AB 0F84 8AA20400 JE SHELL32.7760A83B 775C05B1 56 PUSH ESI ( pointer to Wide buffer ) 775C05B2 83C0 0E ADD EAX,0E 775C05B5 6A FF PUSH -1 775C05B7 50 PUSH EAX ( filename ) 775C05B8 51 PUSH ECX 775C05B9 51 PUSH ECX 775C05BA FF15 68185977 CALL DWORD PTR DS:[<&KERNEL32.MultiByteToWideChar>] I think the cause is in this call , because when converting to unicode a filename of 252 bytes the wide buffer size should be at least of 504 bytes . This sencond call to MultiByteToWideChar is made from GetOpenFileNameW , which opens a dialog to choose the file to open and fills a OpenFileName structure with the chosen file name and path . GetOpenFileNameW call completes correctly , the crash occurs a bit after , when executing the 2b interrupt . I ignore what does this interrupt do , I have found in google is reserved for DOS and is equivalent to RET . Every note or correction will be wellcome cause I am just a student and this is not tought at university :D Exploit In the spanish version of this advisory you can find a script to generate the long file name that will crash netmon when open in it http://nautopia.coolfreepages.com/vulnerabilidades/shell32_getOpenFileNameW.htm Regards , David F. Madrid , Madrid , Spain _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Buffer overflow in Shell32.dll . Net monitor David F. Madrid (May 30)