Vulnerability Development mailing list archives
exploit for W98 long filenameextensions buffer overflow.
From: Laurent.Eschenauer () STUDENT ULG AC BE (Laurent Eschenauer)
Date: Sun, 23 Apr 2000 18:28:08 +0200
Hi all,

I managed to write an exploit for the nasty filename extension buffer overflow. If you put more bytes in the extension than in the batch proposed by Zoa Chien, you can overflow such that ESP is actually pointing to your shellcode. If you don't fill the buffer enough, you need to go upward in the stack to find a reference to the extension...

- Does that mean we have two different buffer overflows?

Since we have ESP pointing to our code, we just have to find a JMP ESP somewhere. I used one in comctl32.dll, but I'm not sure if this one is static in all Win98 releases?

- Does anyone have a list of DLLs one can use to be sure he has a universal exploit? How do YOU check such a thing?

I've just put an "int 3" as the code to exec, to show that it's possible to use this baby. Anyway, it's going to be really tricky to do more, since we have only a few bytes of code (after the smashed EIP at the end of the extension). A solution would be to check if the other part of the extension is stored at a fixed place upward in the stack and jump to it; I'll check that later.

One last thing: since we have to create a file with our exploit as the filename, we encounter many "bad bytes", because you can't use everything you want in a filename. I'll check that later too, if I try to make a real exploit out of this!

I didn't check with other products like Eudora, but hey, vuln-dev is for development, no? So let's get to work to show Microsoft they have a new BigBug to handle! I'm sure that with a little creativity we can find many ways of remotely exploiting this.

You'll find more technical details in the code: where the bytes that overwrite the EIP are, where the code should be, etc...

have fun,
laurent.

------------------------
Laurent Eschenauer <laurent.e () mail com>
graduate student in computer engineering
networking and security project
University of Liège, Belgium.
------------------------

text/plain attachment: longext-exploit.c
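The post describes two things a defender can check in code: an extension copied into a fixed stack buffer without a bound (the overflow itself), and the set of bytes Windows refuses in a filename (the "bad bytes" the author runs into). The C below is an added illustration, not the attached longext-exploit.c and not Windows 98's own code; the buffer size EXT_MAX and the function names are hypothetical, and the invalid-character set is the documented Windows filename rule, shown here for the general case rather than one specific filename.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size extension buffer, standing in for the pattern the post describes. */
#define EXT_MAX 8

/* Vulnerable pattern: copies the extension into a fixed buffer with no bound.
   An extension longer than EXT_MAX-1 bytes writes past the buffer into the rest of
   the stack frame, including the saved return address. Kept only for contrast. */
int ext_copy_unsafe(const char *filename, char *out) {
    const char *dot = strrchr(filename, '.');
    if (!dot) return 0;
    strcpy(out, dot + 1);   /* no length check: this is the defect */
    return 1;
}

/* Hardened version: rejects an extension that does not fit instead of copying it.
   Returns 1 on success, 0 when there is no extension, -1 when it would overflow. */
int ext_copy_safe(const char *filename, char *out, size_t outlen) {
    const char *dot = strrchr(filename, '.');
    if (!dot || outlen == 0) return 0;
    size_t n = strlen(dot + 1);
    if (n >= outlen) return -1;   /* would overflow: refuse, do not truncate silently */
    memcpy(out, dot + 1, n + 1);  /* n+1 copies the terminating NUL as well */
    return 1;
}

/* Convenience wrapper with the fixed buffer on the stack, mirroring the vulnerable layout. */
int ext_fits(const char *filename) {
    char buf[EXT_MAX];
    return ext_copy_safe(filename, buf, sizeof buf);
}

/* Returns 1 if the name contains a byte Windows does not allow in a filename component:
   control characters below 0x20 or any of < > : " / \ | ? *. These are the "bad bytes"
   an attacker-supplied filename cannot carry, and a validator should reject them. */
int filename_has_bad_byte(const char *name) {
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || strchr("<>:\"/\\|?*", *p)) return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample names for the stand-alone run. */
    const char *names[] = { "report.txt", "payload.averyveryverylongext", "noext", "bad?name.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-32s fits=%2d bad_byte=%d\n", names[i], ext_fits(names[i]),
               filename_has_bad_byte(names[i]));
    }
    return 0;
}
```

The safe variant deliberately returns an error rather than truncating: a silently shortened extension can still mislead later logic (a file handled as ".ex" instead of ".exe"), whereas an explicit rejection is visible to the caller and can be logged.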