Re: BoF in Windows 2000: ddeshare.exe

From: Berend-Jan Wever (skylined_at_edup.tudelft.nl)
Date: 11/09/04

    To: <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>
    Date: Tue, 9 Nov 2004 17:11:54 +0100
    
    

    > As far as I can tell, this is not exploitable to run a shellcode because
    > of the fact that NULLs are inserted between characters. But besides
    This is not a problem; read Phrack: Unicode shellcodes are real.
    In fact you can create your own unicode alphanumeric uppercase shellcode using ALPHA2:
    http://www.edup.tudelft.nl/~bjwever/alpha2/alpha2.php

    Cheers,
    SkyLined

    ----- Original Message -----
    From: "Jack C" <jack@crepinc.com>
    To: <bugtraq@securityfocus.com>
    Sent: Tuesday, November 09, 2004 03:24
    Subject: BoF in Windows 2000: ddeshare.exe

    > Hello all,
    >
    > I found a static buffer overflow in ddeshare.exe on my Windows 2000,
    > latest updates/service packs box tonight. It appears as though no bounds
    > checking is performed on the share name before it is copied to the variable.
    >
    > Exploiting:
    > Start up c:\winnt\system32\ddeshare.exe. Click shares --> trusted
    > shares. Pick any of the shares already there (at least there are some on
    > my box, if not you can make one), and select Properties. Replace the
    > data in the "Share Name" text box with something like this:
    >
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB
    >
    > When you click OK, you get an error stating that ddeshare.exe has
    > "generated errors". Yay.
    >
    > Running it in OllyDbg, we find that the above string makes the program attempt
    > to JMP to 0x00420042. It just so happens that hex 42 is a "B". So the
    > two B's at the end of the exploit string change the instruction pointer.
    >
    > As far as I can tell, this is not exploitable to run a shellcode because
    > of the fact that NULLs are inserted between characters. But besides
    > that, it would only give the same privileges that you already have to run
    > the program in the first place. It simply points out bad coding.
    >
    > Again, this isn't another of Microsoft's giant end-of-the-world security
    > blunders, but still, it's a BoF.
    >
    > Thanks,
    >
    > -Jack C ("crEp")
    > jack [at] crepinc.com
    > http://www.crepinc.com
    >
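The 0x00420042 value Jack reports is what you get when an ASCII "BB" is widened to UTF-16LE (each byte followed by 0x00) before the overflowing copy. The following is an added illustration for crash triage, not code from either poster: it reproduces that widening, checks whether a faulting address has the 0x00XX00XX shape that betrays widened ASCII input, and recovers the two characters that produced it. The share-name length and the helper names are constructed for the example.

```python
import struct


def widen_to_utf16le(share_name: str) -> bytes:
    """Model the ANSI->Unicode conversion: every ASCII byte is followed by 0x00."""
    return share_name.encode("utf-16-le")


def overwritten_eip(share_name: str) -> int:
    """Return the little-endian dword formed by the last two widened characters.

    This mirrors the observation in the report: the trailing "BB" lands on the
    saved return address as 42 00 42 00, i.e. 0x00420042.
    """
    wide = widen_to_utf16le(share_name)
    return struct.unpack_from("<I", wide, len(wide) - 4)[0]


def is_unicode_widened_address(value: int) -> bool:
    """True if a 32-bit value looks like two widened ASCII characters.

    Bytes 1 and 3 must be zero; such an EIP in a crash dump is a strong hint
    that user-supplied text (not a legitimate code address) was executed.
    """
    return (value & 0xFF00FF00) == 0


def recover_ascii(value: int) -> str:
    """Decode the two characters behind a widened address (0x00420042 -> 'BB')."""
    return struct.pack("<I", value).decode("utf-16-le")


def triage(share_name: str) -> dict:
    """Summarise what a constructed long share name would do to EIP."""
    eip = overwritten_eip(share_name)
    return {
        "eip": f"0x{eip:08x}",
        "widened_ascii": is_unicode_widened_address(eip),
        "controlling_chars": recover_ascii(eip) if is_unicode_widened_address(eip) else None,
    }


if __name__ == "__main__":
    # Constructed input modelled on the report: a run of A's followed by "BB".
    print(triage("A" * 130 + "BB"))
```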

