RE: security enforcement - new monitor for winnt

From: Oliver Lavery (olavery_at_pivx.com)
Date: 08/09/02

  • Next message: Shaun Colley: "Re: cdp buffer overflow vulnerability - updated details"
    To: "'Liu Die Yu'" <liudieyuinchina@yahoo.com.cn>, <bugtraq@securityfocus.com>
    Date: Fri, 9 Aug 2002 01:35:20 -0400
    
    

            Liu Die Yu, are you sure you don't want to be calling _snprintf
    here? ;) And since CreateFileW can be called with a 32,767 byte file name,
    I'm not sure what'll happen when you stuff it into a 200 byte buffer when
    it's converted to multi-byte... Call me crazy, but I'd be a little hesitant
    to run this in a production environment (even though it's at version 6.0)

            Microsoft doesn't have a monopoly on buggy code with B0fs in it. ;)

            This is a good idea though, hooking is neat. I'm not so sure I'd say
    it's unprecedented. Using AppInit_DLLs to load a hook DLL is a pretty common
    trick. Still, a nice hack.

    .text:10001AEB ; int __stdcall My_CreateFileW(LPCWSTR
    lpWideCharStr,int,int,int,int,int,int)
    .text:10001AEB public My_CreateFileW
    .text:10001AEB My_CreateFileW proc near ; DATA XREF:
    DllMain(x,x,x)+47o
    .text:10001AEB ; DllMain(x,x,x)+75o
    .text:10001AEB
    .text:10001AEB var_CD0 = byte ptr -0CD0h
    .text:10001AEB var_8D0 = dword ptr -8D0h
    .text:10001AEB var_8CC = dword ptr -8CCh
    .text:10001AEB MultiByteStr = byte ptr -8C8h
    .text:10001AEB Text = byte ptr -800h
    .text:10001AEB lpWideCharStr = dword ptr 8
    .text:10001AEB arg_4 = dword ptr 0Ch
    .text:10001AEB arg_8 = dword ptr 10h
    .text:10001AEB arg_C = dword ptr 14h
    .text:10001AEB arg_10 = dword ptr 18h
    .text:10001AEB arg_14 = dword ptr 1Ch
    .text:10001AEB arg_18 = dword ptr 20h
    .text:10001AEB
    .text:10001AEB push ebp
    .text:10001AEC mov ebp, esp
    .text:10001AEE sub esp, 0CD0h
    .text:10001AF4 mov [ebp+var_8D0], 0
    .text:10001AFE call sub_100012EF ; _reg
    .text:10001B03 test eax, eax
    .text:10001B05 jnz loc_10001C42
    .text:10001B0B lea eax, [ebp+var_CD0]
    .text:10001B11 push eax
    .text:10001B12 mov ecx, [ebp+arg_4]
    .text:10001B15 push ecx
    .text:10001B16 call sub_10001383
    .text:10001B1B push 0 ; lpUsedDefaultChar
    .text:10001B1D push 0 ; lpDefaultChar
    .text:10001B1F push 0C8h ; cchMultiByte
    .text:10001B24 lea edx, [ebp+MultiByteStr]
    .text:10001B2A push edx ; lpMultiByteStr
    .text:10001B2B push 0FFFFFFFFh ; cchWideChar
    .text:10001B2D mov eax, [ebp+lpWideCharStr]
    .text:10001B30 push eax ; lpWideCharStr
    .text:10001B31 push 0 ; dwFlags
    .text:10001B33 push 0 ; CodePage
    .text:10001B35 call ds:WideCharToMultiByte
    .text:10001B3B mov [ebp+Text], 0
    .text:10001B42 lea ecx, [ebp+MultiByteStr]
    .text:10001B48 push ecx
    .text:10001B49 lea edx, [ebp+var_CD0]
    .text:10001B4F push edx
    .text:10001B50 call ds:GetCommandLineA
    .text:10001B56 push eax
    .text:10001B57 call sub_100010C9
    .text:10001B5C push eax
    .text:10001B5D push offset aCreatefileSSSS ;
    "CreateFile:%s > %s ==> %s --> %s"
    .text:10001B62 lea eax, [ebp+Text]
    .text:10001B68 push eax
    .text:10001B69 call _sprintf
    .text:10001B6E add esp, 18h
    .text:10001B71 mov [ebp+var_8D0], 0
    .text:10001B7B jmp short loc_10001B8C

    Cheers,
    ~x

    > -----Original Message-----
    > From: Liu Die Yu [mailto:liudieyuinchina@yahoo.com.cn]
    > Sent: March 29, 2004 11:35 PM
    > To: bugtraq@securityfocus.com
    > Subject: security enforcement - new monitor for winnt
    >
    >
    >
    >
    > i want to stop ie:
    >
    > writing EXE/CAB/LNK ... files,
    >
    > calling MSHTA.EXE to parse remote web pages,
    >
    > accessing files outside "favorites" and cache("content.ie5").
    >
    >
    >
    > i want to stop WSCRIPT.EXE from parsing files inside TEMP and cache.
    >
    >
    >
    > i want to stop the system running executable files located in
    > TEMP and cache.
    >
    >
    >
    > afaik, i can stop ie 0day exploits by doing these things.
    >
    >
    >
    > so, i made this:
    >
    http://umbrella.name/winblox/

    of course, free. and you can define your own rules easily(assuming you guys
    know a bit about regular expression).

    it's totally a new idea(afaik). so, not for operational uses.

    ---
    Incoming mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
     
    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
     
    

  • Next message: Shaun Colley: "Re: cdp buffer overflow vulnerability - updated details"