Vulnerability Development mailing list archives

Re: exploit for W98 long filenameextensions buffer overflow


From: 11a () GMX NET (Bluefish)
Date: Tue, 2 May 2000 02:55:58 +0200


I've no experience of writing buffer overflows, but it would seem that
the difference between Benjamin H.'s explorer.exe and the ones the
exploit works with is quite minor?

Bytes at CS:EIP:

Stack values:
43427044 43cccccc 43427244 43427344

-------------^^^^^^ sample overflow

--^^^^^^^^^^^       'junk code' from overflow, change to 90 hex
                    or change EIP somewhat

So, using 90 (NOP), which should be no problem to use in a filename, would
solve this? Make the five (or all) characters before the 'exploit' 90 hex.

> Does anyone know, how to get the EIP pointing to the stack ??
> Or might there be a way to execute code that's in EBP (as we control it,
> too);
> something like "mov [ebx], ebp ; jmp ebx" ?

To execute code, you have to be able to change CS:EIP (where you execute
code) or overflow a static buffer in the code-segment (don't know if this
is common in most systems?)

Typically a buffer overflow means overflowing something on the stack and
then overwriting the return address. Example:

| some stuff     |  <- ESP points here
| char[23] y     |
| return address |

So, once writing to y[23] (or rather, y[23..27]) you will store a new
value for EIP. Once the function exits, it will fetch the return address
using 'RET'. As you have overwritten it, EIP will change to wherever you
asked it to. So unless it's a very unusual function, control over EBX
won't be useful.

Now, the above is based on theory taught in school, no real world
experience. So I won't guarantee 100% correctness. But EBP shouldn't be
very useful. More information should be available in some tutorial on the
net, I presume.

It's my impression that you misunderstood something; it seems quite clear
to me that the exploit was successful in changing EIP, and that no major
changes are needed to make the overflow executable on both variants of
the Win98 explorer.exe.

> I hope somebody out there has a solution or knows at least a tool for
> finding static code (perhaps in the kernel?).

You mean in order to do system calls? Way beyond my knowledge of Windows
internals.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

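The return-address overwrite and the NOP-filler idea from the message above, as an added worked example that is not part of the original post or of the Win98 explorer.exe exploit it discusses. It models a 32-bit stack frame in a byte array rather than on the real stack, so it runs without crashing or tripping a stack protector. Assumptions: the 23-byte buffer is padded to 24 bytes by the compiler's 4-byte alignment, a saved EBP sits between the buffer and the return address (the post's diagram omits it), and 0x43424344 is a constructed marker value, not an address from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A modelled 32-bit stack frame, laid out as the post's diagram describes
 * (lowest address first): the local buffer y, the saved EBP that most
 * compilers push on entry (assumption, not in the post's diagram), then
 * the return address that RET pops into EIP. Kept in a plain byte array
 * so the overwrite can be shown without corrupting this program's stack. */
enum {
    Y_SIZE     = 24,          /* char y[23] rounded up to 4-byte alignment (assumption) */
    EBP_OFFSET = Y_SIZE,      /* saved frame pointer sits right after y */
    RET_OFFSET = Y_SIZE + 4,  /* return address sits after the saved EBP */
    FRAME_SIZE = RET_OFFSET + 4
};

typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;

/* Read a little-endian 32-bit value out of the frame, as x86 stores it. */
static uint32_t read32(const frame_t *f, size_t off) {
    return (uint32_t)f->bytes[off]
         | ((uint32_t)f->bytes[off + 1] << 8)
         | ((uint32_t)f->bytes[off + 2] << 16)
         | ((uint32_t)f->bytes[off + 3] << 24);
}
uint32_t saved_ebp(const frame_t *f)   { return read32(f, EBP_OFFSET); }
uint32_t return_addr(const frame_t *f) { return read32(f, RET_OFFSET); }

/* The bug the thread discusses: a filename copied into y with no length
 * check. Every byte past Y_SIZE lands on the saved EBP and then on the
 * return address. (Capped at FRAME_SIZE only so the model stays in bounds.) */
void vulnerable_copy(frame_t *f, const uint8_t *name, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(f->bytes, name, len);        /* deliberately overruns y */
}

/* Build the input the post proposes: 0x90 (NOP) filler for every byte
 * before the return-address slot, then the value EIP should take,
 * little-endian. Returns the number of bytes produced, 0 if out is too small. */
size_t build_overflow(uint8_t *out, size_t cap, uint32_t new_eip) {
    if (cap < RET_OFFSET + 4) return 0;
    memset(out, 0x90, RET_OFFSET);
    out[RET_OFFSET + 0] = (uint8_t)(new_eip);
    out[RET_OFFSET + 1] = (uint8_t)(new_eip >> 8);
    out[RET_OFFSET + 2] = (uint8_t)(new_eip >> 16);
    out[RET_OFFSET + 3] = (uint8_t)(new_eip >> 24);
    return RET_OFFSET + 4;
}

int main(void) {
    frame_t f = {{0}};
    uint8_t name[FRAME_SIZE];
    /* 0x43424344 is a constructed marker value, not an address from the thread */
    size_t n = build_overflow(name, sizeof name, 0x43424344u);
    vulnerable_copy(&f, name, n);
    printf("bytes written: %zu, saved EBP: %08x, return address: %08x\n",
           n, saved_ebp(&f), return_addr(&f));
    return 0;
}
```

With the saved EBP modelled, the return address starts at offset 28 from y[0] rather than at y[23], which is the kind of off-by-a-few that the NOP filler in the post is meant to absorb: every filler byte that lands on the saved EBP or on padding is harmless, and only the last four bytes need to be the exact value EIP should take.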
