[Full-Disclosure] Buffer overflow in Shell32.dll . Net monitor
From: David F. Madrid (idoru_at_videosoft.net.uy)
Date: 05/30/03
- Previous message: bugzilla_at_redhat.com: "[Full-Disclosure] [RHSA-2003:181-01] Updated ghostscript packages fix vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <full-disclosure@lists.netsys.com> Date: Fri, 30 May 2003 00:54:09 +0200
Issue
Buffer overflow in Shell32.dll . Net monitor
Tested version
W2000 Server Sp3 Shell32.dll versión 5.0.3502.5436
Vendor status
Microsoft was informed months ago but as they seem to be even slower
than me debugging I dediced to publish it .
Descripción
Net monitor is a traffic analisis tool that ships with some versions of
Windows .
Besides analizing traffic you can open capture files ( .cap ) . If you try
to open
a capture file with a long file name ( ~252 bytes ) netmon will crash with
an
access violation . Program instruction pointer EIP is overwritten with the
file
name converted to unicode , therefore the cause of the crash is a corruption
of adjacent variables in the stack . In order to execute code with this
vulnerability
you can place your code in a system enviroment variable . That place your
code
in an address ( ~00010040 ) that can be referenced from our controled EIP
converted to unicode .
The crash occurs in this function
77E3A294 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
77E3A298 CD 2B INT 2B
77E3A29A C2 0400 RETN 4
After executing int 2B , program seems to change stack and ESP has the value
of ~6bf88 . This memory zone is overwritten in the second call to
MultiByteToWideChar
function in module shell32.dll
775C059B FF7424 10 PUSH DWORD PTR SS:[ESP+10] ( Wide buffer size =
260 bytes )
775C059F 66:890E MOV WORD PTR DS:[ESI],CX
775C05A2 8A50 02 MOV DL,BYTE PTR DS:[EAX+2]
775C05A5 80E2 34 AND DL,34
775C05A8 80FA 34 CMP DL,34
775C05AB 0F84 8AA20400 JE SHELL32.7760A83B
775C05B1 56 PUSH ESI (
pointer to Wide buffer )
775C05B2 83C0 0E ADD EAX,0E
775C05B5 6A FF PUSH -1
775C05B7 50 PUSH EAX (
filename )
775C05B8 51 PUSH ECX
775C05B9 51 PUSH ECX
775C05BA FF15 68185977 CALL DWORD PTR DS:[<&KERNEL32.MultiByteToWideChar>]
I think the cause is in this call , because when converting to unicode a
filename of 252
bytes the wide buffer size should be at least of 504 bytes .
This sencond call to MultiByteToWideChar is made from GetOpenFileNameW ,
which opens a dialog to choose the file to open and fills a OpenFileName
structure
with the chosen file name and path . GetOpenFileNameW call completes
correctly ,
the crash occurs a bit after , when executing the 2b interrupt . I ignore
what does
this interrupt do , I have found in google is reserved for DOS and is
equivalent to RET .
Every note or correction will be wellcome cause I am just a student and this
is not tought
at university :D
Exploit
In the spanish version of this advisory you can find a script to generate
the long file
name that will crash netmon when open in it
http://nautopia.coolfreepages.com/vulnerabilidades/shell32_getOpenFileNameW.htm
Regards ,
David F. Madrid ,
Madrid , Spain
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: bugzilla_at_redhat.com: "[Full-Disclosure] [RHSA-2003:181-01] Updated ghostscript packages fix vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
