Vulnerability Development mailing list archives

Re: Win 2000 & IE 'shell://' problem?


From: jslat () HOTMAIL COM (Chris Hall)
Date: Fri, 2 Jun 2000 00:16:56 GMT


From: Christian Adams <christian.adams () RevolutionLtd com>
To: 'Chris Hall' <jslat () HOTMAIL COM>
Subject: RE: Win 2000 & IE 'shell://' problem?
Date: Thu, 1 Jun 2000 09:25:44 +0100


Chris,

Anything interesting in that .dmp file?

Chris.


Well, the file to me is pretty cryptic, and I wish I had time to learn to
interpret these files, but here's a snippet I found interesting. I wouldn't
know if this is exploitable; my programming skills are pretty lax, to say the
least.

DrWtsn32.txt

Microsoft (R) Windows 2000 (TM) Version 5.00 DrWtsn32
Copyright (C) 1985-1999 Microsoft Corp. All rights reserved.

Application exception occurred:
        App: explorer.exe (pid=1024)
        When: 5/31/2000 @ 19:32:10.192
        Exception number: c00000fd (stack overflow)

*----> System Information <----*
        Computer Name: STATION1
        User Name: jslat
        Number of Processors: 1
        Processor Type: x86 Family 5 Model 8 Stepping 12
        Windows 2000 Version: 5.0
        Current Build: 2195
        Service Pack: None
        Current Type: Uniprocessor Free

[..........]

function: RegCloseKey
        77db7e22 f6450802         test    byte ptr [ebp+0x8],0x2
ss:00aa0692=??
        77db7e26 0f85e9000000     jne     RegCloseKey+0x1c8 (77db7f15)
        77db7e2c 8b45f8           mov     eax,[ebp+0xf8]
ss:00aa0692=????????
        77db7e2f 3bc7             cmp     eax,edi
        77db7e31 0f8501010000     jne     RegCloseKey+0x1eb (77db7f38)
        77db7e37 8d45f0           lea     eax,[ebp+0xf0]
ss:00aa0692=????????
        77db7e3a bf90000000       mov     edi,0x90
        77db7e3f 50               push    eax
        77db7e40 8d8558ffffff     lea     eax,[ebp+0xffffff58]
ss:00033014=00000000
        77db7e46 57               push    edi
FAULT ->77db7e47 50               push    eax
        77db7e48 53               push    ebx
        77db7e49 56               push    esi
        77db7e4a ff75e8           push    dword ptr [ebp+0xe8]
ss:00aa0692=????????
        77db7e4d 8b35a810db77     mov     esi,[77db10a8]
ds:77db10a8=77f83d9c
        77db7e53 ffd6             call    esi
        77db7e55 837df800         cmp   dword ptr [ebp+0xf8],0x0
ss:00aa0692=????????
        77db7e59 8945fc           mov     [ebp+0xfc],eax
ss:00aa0692=????????
        77db7e5c 8b45f4           mov     eax,[ebp+0xf4]
ss:00aa0692=????????
        77db7e5f 0f85e1000000     jne     RegCloseKey+0x1f9 (77db7f46)
        77db7e65 b905000080       mov     ecx,0x80000005
        77db7e6a 394dfc           cmp     [ebp+0xfc],ecx
ss:00aa0692=????????

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
000330BC 77DB80F2 00000600 000330E8 0003310C 00000000 advapi32!RegCloseKey
000330F4 77C7209A 00000000 775B2DF8 00000000 00033228
advapi32!RegQueryValueExW
00033230 77C72482 00000600 775B2DF8 00000000 00000000
shlwapi!SHQueryValueExW
00033470 775B2D4D 00000604 000339CC 775B2DF8 00000000 shlwapi!SHGetValueW
000334A0 775B2CF1 00000604 000339CC 00000003 00000000 shell32!Ordinal77
00033A4C 775B2E3D 00000002 775B5780 00000000 00000000 shell32!Ordinal77
00033C8C 775B8184 00118718 80000002 775B5780 00034D6C shell32!Ordinal77
00118718 001198C0 00000004 00000010 00000004 00630000 shell32!Ordinal83
00000003 00000000 00000000 00000000 00000000 00000000 <nosymbols>

[...........]

Also, Dr. Watson generated an Application Error in the Event Log,
as well as winlogon.

winlogon..
The shell stopped unexpectedly and Explorer.exe was restarted.

Dr. Watson..
The application, explorer.exe, generated an application error The error
occurred on 05/31/2000 @ 03:15:36.296 The exception generated was c00000fd
at address 77DB7E47 (RegCloseKey)

Is anyone else getting a .dmp file? As I said, this is just a default
install of Win2k. Maybe someone with more experience can have a look-see.

- Chris

-----Original Message-----
From: Chris Hall [mailto:jslat () HOTMAIL COM]
Sent: Thursday, June 01, 2000 1:16 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Win 2000 & IE 'shell://' problem?


I am running build 2195 (5.0.2195), default install, and doing just
a "shell:" causes IE to flicker and create a C:\user.dmp but not close.
Tried this in Windows Explorer, doing just a "shell:"; the results varied,
sometimes it would close and generate a user.dmp file, but doing a "shell:\\"
the results were the same as in IE (except it would close). I really don't
know too much about the inner workings of Win, but it is strange to say the
least.

Just my 2 cents.

Chris
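Added example, not from the post or anyone in the vuln-dev thread: a small Python triage script for the Dr. Watson excerpt quoted above. It re-joins the back-trace rows the archive wrapped onto two lines, names the NTSTATUS code, and flags the consecutive repeated shell32!Ordinal77 frames, which is the usual first hint of recursion behind a c00000fd stack overflow. The sample text is constructed from the quoted log; nothing else is assumed.

```python
import re
# Constructed sample, trimmed from the DrWtsn32.txt excerpt quoted in the post and
# keeping the line-wrapped back-trace rows exactly as the archive shows them.
SAMPLE = """\
        App: explorer.exe (pid=1024)
        Exception number: c00000fd (stack overflow)
function: RegCloseKey
FAULT ->77db7e47 50               push    eax
FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
000330BC 77DB80F2 00000600 000330E8 0003310C 00000000 advapi32!RegCloseKey
000330F4 77C7209A 00000000 775B2DF8 00000000 00033228
advapi32!RegQueryValueExW
00033230 77C72482 00000600 775B2DF8 00000000 00000000
shlwapi!SHQueryValueExW
00033470 775B2D4D 00000604 000339CC 775B2DF8 00000000 shlwapi!SHGetValueW
000334A0 775B2CF1 00000604 000339CC 00000003 00000000 shell32!Ordinal77
00033A4C 775B2E3D 00000002 775B5780 00000000 00000000 shell32!Ordinal77
00033C8C 775B8184 00118718 80000002 775B5780 00034D6C shell32!Ordinal77
00118718 001198C0 00000004 00000010 00000004 00630000 shell32!Ordinal83
00000003 00000000 00000000 00000000 00000000 00000000 <nosymbols>
"""
# NTSTATUS values Dr. Watson prints as "Exception number"; c00000fd is the one in the post.
STATUS_NAMES = {"c00000fd": "STATUS_STACK_OVERFLOW", "c0000005": "STATUS_ACCESS_VIOLATION"}
HEX8 = r"[0-9A-Fa-f]{8}"
FRAME_RE = re.compile(rf"^({HEX8}) ({HEX8})(?: {HEX8}){{4}}(?: (\S+))?\s*$")
SYMBOL_RE = re.compile(r"^\S+!\S+$")  # a "module!function" wrapped onto its own line

def parse_drwatson(text):
    """Extract app, pid, exception code, faulting address/function and back-trace frames."""
    app = re.search(r"App: (\S+) \(pid=(\d+)\)", text)
    exc = re.search(rf"Exception number: ({HEX8})", text)
    fault = re.search(rf"^FAULT ->({HEX8})", text, re.M)
    func = re.search(r"^function: (\S+)", text, re.M)
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({"frame": m.group(1), "ret": m.group(2), "func": m.group(3)})
        elif frames and frames[-1]["func"] is None and SYMBOL_RE.match(line.strip()):
            frames[-1]["func"] = line.strip()  # re-join the wrapped symbol to its row
    return {"app": app.group(1), "pid": int(app.group(2)), "status": exc.group(1).lower(),
            "fault_addr": fault.group(1).lower(), "fault_func": func.group(1), "frames": frames}

def triage(report):
    """Name the status code and flag consecutive repeated frames (the recursion hint)."""
    funcs = [f["func"] for f in report["frames"]]
    repeats = sorted({funcs[i] for i in range(1, len(funcs)) if funcs[i] == funcs[i - 1]})
    return {"status_name": STATUS_NAMES.get(report["status"], "UNKNOWN"),
            "fault_func": report["fault_func"], "depth": len(funcs), "repeated_frames": repeats}
```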
