Vulnerability Development mailing list archives
corrupted link
From: JklojLrnzn () AOL COM (JklojLrnzn () AOL COM)
Date: Sun, 30 Apr 2000 16:10:12 EDT
Some time ago someone posted a corrupted .lnk which crashes the Windows 9x Shell.dll with a page fault as soon as Windows catches sight of it. We haven't exactly found out why that link crashes Windows, but some debugging and trying revealed the following:

It is easy to reproduce: just grab any working .lnk file and change the byte at 00004D to 74 and the one at 00004F to E0. Interestingly, quite a lot of combinations work, e.g. these ranges will also work:

    00004D: 01 - DF
    00004F: 79 - FF

According to the mail from u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h (http://www.ussrback.com), the word at 004c contains the size of the whole IDList and the word at 004e contains the length of the first item. Obviously SHGetPathFromIDList doesn't like the first item to be greater than the whole list, which sounds convincing. However, the low byte of both words, which is normally nonzero whereas the high word is equal to zero, doesn't matter at all. The crash only works with sizes greater than 255, even if 004e is greater than 004c. But (2nd however) if 4f = 4d+1 it won't work, but 4f = 4d works.

Furthermore, it is interesting that apart from these two words and the info needed to render the file as a valid link, nothing more is needed. Which means that this file is also a working corrupted, however dead, link:

    0000: 4c 00 00 00 01 14 02 00 00 00 00 00 c0 00 00 00
    0010: 00 00 00 46 ff 00 00 00 00 00 00 00 00 00 00 00
    0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 74 00 e0

Anyone confirm this or comment?

eAX & derDoc
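A defensive consistency check for the two length words the post singles out, added here as an example and not part of the original message: it parses the ShellLink header and walks the LinkTargetIDList, flagging an IDListSize that overruns the file, an ItemID size that overruns the list, and a list that never reaches its terminator (the 4f = 4d case, where one item is as large as the whole list). The layout constants follow the published .lnk format; the sample files are constructed inline, one of them rebuilding the dead link from the post's hex dump.

```python
import struct

# Layout per the published ShellLink (.lnk) format: a 76-byte header, then,
# when LinkFlags bit 0 is set, a u16 IDListSize followed by ItemIDs that each
# start with their own u16 size, ended by a two-byte TerminalID of zeros.
HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01

def make_header(flags: int) -> bytes:
    """Constructed 76-byte header: size, CLSID, LinkFlags, remaining fields zero."""
    return struct.pack("<I16sI", HEADER_SIZE, SHELL_LINK_CLSID, flags) + b"\x00" * 52

# The dead link from the post, built byte for byte from its hex dump (80 bytes):
# IDListSize at 0x4c is 0x7400, the first ItemID size at 0x4e is 0xe000.
CORRUPT_LNK = make_header(0xFF) + bytes.fromhex("0074" "00e0")

# Constructed well-formed counterpart: one 4-byte ItemID plus the TerminalID.
GOOD_LNK = make_header(0x01) + struct.pack("<HH", 6, 4) + b"\x1f\x50" + b"\x00\x00"

def check_link_idlist(data: bytes) -> list:
    """Return the inconsistencies found in the header and LinkTargetIDList of a
    .lnk file; an empty list means those parts are internally consistent."""
    problems = []
    if len(data) < HEADER_SIZE:
        return ["file shorter than the 76-byte ShellLinkHeader"]
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE:
        problems.append(f"HeaderSize is {header_size:#x}, expected {HEADER_SIZE:#x}")
    if clsid != SHELL_LINK_CLSID:
        problems.append("LinkCLSID is not the ShellLink CLSID")
    if not flags & HAS_LINK_TARGET_ID_LIST or len(data) < HEADER_SIZE + 2:
        return problems  # no IDList to walk
    (idlist_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    start, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + idlist_size
    if end > len(data):
        problems.append(f"IDListSize {idlist_size} runs {end - len(data)} bytes past end of file")
        end = len(data)  # clamp so the walk below stays inside the buffer
    pos, index = start, 0
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID reached: list is well formed
            return problems
        if item_size < 2 or pos + item_size > end:
            problems.append(f"ItemID {index} size {item_size} does not fit in the {end - pos} bytes left in the IDList")
            return problems
        pos, index = pos + item_size, index + 1
    # Walked to the end of the list without seeing a TerminalID.
    problems.append("IDList has no TerminalID")
    return problems
```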