Vulnerability Development mailing list archives

NCSec: Local Buffer Overflow in Microsoft's Net Messenger Service


From: "a b" <p0pt4rtz () hotmail com>
Date: Sat, 11 May 2002 14:14:52 -0700

Hey all,
   We recently found an unchecked buffer in Microsoft's Net Messenger service (Sitedude found it first actually). By sending more than 2050 chars with the SEND function you can reproduce the buffer overflow locally.
   The client runs with privileges as the current user.
   I am not familiar with the way Windows handles its memory. The EAX buffer is overwritten between 2050 and 2389.
This overflow might not get anywhere. Doesn't really have much to offer.
Here is Dr Watson's output:

State Dump for Thread Id 0x770

eax=00780078 ebx=00230000 ecx=00230178 edx=00230302 esi=00235928 edi=00234118
eip=77fc9e84 esp=0006fdb8 ebp=0006fdc4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000206

function: RtlFreeHeap
       77fc9e68 0f8510290000     jne     RtlZeroHeap+0x454 (77fcc77e)
       77fc9e6e 8a4605           mov     al,[esi+0x5]              ds:00e42efe=??
       77fc9e71 2410             and     al,0x10
       77fc9e73 a810             test    al,0x10
       77fc9e75 884705           mov     [edi+0x5],al              ds:00e416ee=??
       77fc9e78 7544             jnz     77fd29be
       77fc9e7a 8b4e0c           mov     ecx,[esi+0xc]             ds:00e42efe=????????
       77fc9e7d 8b4608           mov     eax,[esi+0x8]             ds:00e42efe=????????
       77fc9e80 3bc1             cmp     eax,ecx
       77fc9e82 8901             mov     [ecx],eax                 ds:00230178=00780078
FAULT ->77fc9e84 894804           mov     [eax+0x4],ecx             ds:0138d64e=????????
       77fc9e87 0f847b0b0000     je      RtlDestroyHeap+0xb19 (77fcaa08)
       77fc9e8d 8a4605           mov     al,[esi+0x5]              ds:00e42efe=??
       77fc9e90 a804             test    al,0x4
       77fc9e92 0f8597290000     jne     RtlZeroHeap+0x505 (77fcc82f)
       77fc9e98 0fb70e           movzx   ecx,word ptr [esi]        ds:00235928=0078
       77fc9e9b 8b4510           mov     eax,[ebp+0x10]            ss:00c7d39a=????????
       77fc9e9e 0108             add     [eax],ecx                 ds:00780078=????????
       77fc9ea0 0fb70e           movzx   ecx,word ptr [esi]        ds:00235928=0078
       77fc9ea3 294b28           sub     [ebx+0x28],ecx            ds:00e3d5d6=????????
       77fc9ea6 668b08           mov     cx,[eax]                  ds:00780078=????
       77fc9ea9 f6470510         test    byte ptr [edi+0x5],0x10   ds:00e416ee=??

It's kinda weird to me. The eax is filled with 00780078. That would make it fill with " x x". I dunno if it is exploitable but it at least overwrites something! :)

You may check it out using a sample program I made to create it. Yes guys, it's VB. I made it in VB because C wasn't parsing enough chars =\
Oh well, it works. I'll figure out later why my C source wasn't working.

You may download the test program at the following location:
Precompiled EXE: http://www.hack3000.com/netcrash/p0pt4rtz/net.exe/test.exe
Source (ZIP): http://www.hack3000.com/netcrash/p0pt4rtz/net.exe/testsource.ZIP

If you need the Visual Basic support files you may download them at:
Self Extracting EXE: http://hellomred.virtualave.net/files/dlls.exe
ZIP: http://www.hack3000.com/netcrash/p0pt4rtz/net.exe/supportdlls.zip

Also, I noticed this in Dr Watson's symbol dump. These are within ntdll.dll, kernel32.dll, netapi32.dll, and advapi32.dll. They just caught my eye.
--
77F8F1D6 00000000   stricmp
77F8F1D6 00000289   strcmpi
77F94653 00000025   wcscpy
77F95D84 00000025   wcscmp
77FB697C 00000053   memccpy
77FB73B7 00000330   memcpy
77FB76E7 00000098   memset
77FB790B 0000006c   strcpy
77FB7977 000000a0   strcat
77FB7A17 00000081   strcmp
78001098 00000055   memset
7801EE65 0000006c   mbscpy
77E87E39 00000000   lstrcpy
77E87E39 00000073   lstrcpyA
77E8A1A4 000001ce   lstrcpyW
77E9016C 000000c9   lstrcmpW
77E90A24 00000000   lstrcmp
77E90A24 00000090   lstrcmpA
780013D1 00000059   memcmp
780020E2 00000025   wcscpy
78002107 0000002a   wcscat
78003B18 00000106   strcpy
780047DE 00000214   strcmp
78004B60 00000758   strcat
--

There you have it. Unchecked buffer in Net.exe :)
Also, please keep in mind that this is a local buffer overflow.

Microsoft was contacted about this bug.
--
p0p t4rtz
p0pt4rtz () hotmail com

Sitedude
macaddy () msn com

Netcrash Security Research
http://www.netcrash.wronger.com


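Added example, not part of the original post and not a Netcrash or Microsoft tool: a small Python triage helper that reads a Dr Watson style dump like the one above, finds which registers the faulting memory operand depends on, and flags any whose value is one repeated printable character, which is what a heap pointer overwritten by input text looks like (here eax=00780078, two UTF-16 'x' characters). The sample log inside is constructed from the values quoted in the post.

```python
import re
# Constructed sample: the register lines and the two instructions around
# the fault, trimmed from the Dr Watson output quoted in the post.
SAMPLE_LOG = """\
State Dump for Thread Id 0x770
eax=00780078 ebx=00230000 ecx=00230178 edx=00230302 esi=00235928 edi=00234118
eip=77fc9e84 esp=0006fdb8 ebp=0006fdc4 iopl=0         nv up ei pl nz na po nc
function: RtlFreeHeap
       77fc9e82 8901             mov     [ecx],eax       ds:00230178=00780078
FAULT ->77fc9e84 894804           mov     [eax+0x4],ecx   ds:0138d64e=????????
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")
MEM_REG_RE = re.compile(r"e[abcd]x|e[sd]i|e[bs]p")

def parse_registers(log):
    """Map register name -> value from the 'eax=... ebx=...' lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(log)}

def fault_instruction(log):
    """Return (address, mnemonic, operands) from the 'FAULT ->' line."""
    for line in log.splitlines():
        if line.startswith("FAULT ->"):
            # tokens: FAULT, ->addr, opcode bytes, mnemonic, operands, ...
            parts = line.split()
            return int(parts[1][2:], 16), parts[3], parts[4]
    raise ValueError("no FAULT line in log")

def looks_like_input(value):
    """Describe a 32-bit value made of one repeated printable byte or one
    repeated UTF-16 character (a pointer overwritten by text), else None."""
    raw = value.to_bytes(4, "little")
    if len(set(raw)) == 1 and 0x20 <= raw[0] < 0x7F:
        return "repeated byte %r" % chr(raw[0])
    lo, hi = value & 0xFFFF, value >> 16
    if lo == hi and 0x20 <= lo < 0x7F:
        return "repeated UTF-16 char %r" % chr(lo)
    return None

def triage(log):
    """Which registers feed the faulting memory operand, and which of them
    hold input-looking values (here eax == 0x00780078, two UTF-16 'x')."""
    regs = parse_registers(log)
    addr, mnemonic, operands = fault_instruction(log)
    mem = re.search(r"\[([^\]]+)\]", operands)
    used = MEM_REG_RE.findall(mem.group(1)) if mem else []
    tainted = {r: looks_like_input(regs[r]) for r in used if looks_like_input(regs[r])}
    return {"eip": addr, "instruction": f"{mnemonic} {operands}",
            "registers": used, "tainted": tainted}
```

Running `triage(SAMPLE_LOG)` reports that the fault at `mov [eax+0x4],ecx` depends on eax and that eax holds a repeated UTF-16 'x', which matches the post's observation that the crash happens inside RtlFreeHeap with an input-derived pointer.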
