Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

I made a mistake in including "jmp esp" for XP SP2 because the stack cannot
be executed (due to DEP of course :P). It is completely possible to execute
shellcode if we can do some DEP bypass (ie. ret2libc attack, etc..) to add
execute access to the stack and jmp to our code. My PoC i updated yesterday
(added as an attachment to the full disclosure post) returns to
ExitProcess() and closes explorer.exe upon viewing the .ani file, just to
show that it is possible to do our own shiznat in SP2.

From: "Larry Seltzer" <Larry@xxxxxxxxxxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
Date: Sun, 1 Apr 2007 07:49:58 -0400

The issue is that this only works with DEP turned off!

Interesting point. I haven't seen this mentioned anywhere, including the
Microsoft advisory
(http://www.microsoft.com/technet/security/advisory/935423.mspx).

Has anyone actually tested this with DEP on/off to be sure?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry_seltzer/
Contributing Editor, PC Magazine
larryseltzer@xxxxxxxxxxxxx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________
Exercise your brain! Try Flexicon.
http://games.msn.com/en/flexicon/default.htm?icid=flexicon_hmemailtaglinemarch07

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages