Local buffer-overflow in W32Dasm 8.93

From: Luigi Auriemma (aluigi_at_autistici.org)
Date: 01/24/05

    Date: Mon, 24 Jan 2005 21:49:11 +0000
    To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com, full-disclosure@lists.netsys.com, vuln@secunia.com

    #######################################################################

                                 Luigi Auriemma

    Application: W32Dasm
                  (was http://www.expage.com/page/w32dasm)
    Versions: <= 8.93 (8.94???)
    Platforms: Windows
    Bug: buffer-overflow
    Exploitation: local
    Date: 24 Jan 2005
    Author: Luigi Auriemma
                  e-mail: aluigi@autistici.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    W32Dasm is a well-known disassembler/debugger developed by URSoft.
    It has tons of functions and, although it has not been supported for a
    long time, it is still widely used.

    #######################################################################

    ======
    2) Bug
    ======

    The program uses wsprintf() to copy the names of the imported/exported
    functions of the analyzed file into a stack buffer of only 256 bytes,
    with no check on the length of the name. A crafted executable whose
    import or export table contains a name longer than that overwrites what
    follows the buffer, so whoever gets a victim to disassemble the file can
    execute malicious code.
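    The pattern behind the bug, as an added example that is not code from the
    advisory or from W32Dasm: the unbounded formatted copy into a 256-byte
    buffer next to a bounded replacement. wsprintf() is a Windows API, so
    sprintf(), which has the same missing length bound, stands in for it here;
    NAME_BUF, store_name_unbounded(), store_name_bounded() and
    bounded_accepts_len() are names chosen for this example.

```c
/* Added example, not code from the advisory or from W32Dasm.
 * sprintf() stands in for wsprintf(): neither bounds the write. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_BUF 256   /* buffer size quoted in the advisory */

/* Vulnerable pattern: nothing limits how many bytes land in buf, so an
 * import/export name of NAME_BUF bytes or more runs past the buffer into
 * whatever follows it on the stack (saved frame pointer, return address).
 * Kept only to show the shape; never feed it untrusted input. */
void store_name_unbounded(const char *name) {
    char buf[NAME_BUF];
    sprintf(buf, "%s", name);      /* the bug: no length bound */
    (void)buf;
}

/* Hardened form: snprintf() stops at the buffer size and returns the length
 * the full string would have needed, so truncation is detected and the
 * name is rejected instead of silently cut. Returns true if it fit. */
bool store_name_bounded(char *buf, size_t bufsz, const char *name) {
    int need = snprintf(buf, bufsz, "%s", name);
    if (need < 0 || (size_t)need >= bufsz) {
        buf[0] = '\0';
        return false;
    }
    return true;
}

/* Exercises the check with a constructed name of n 'A' bytes. */
bool bounded_accepts_len(size_t n) {
    static char name[1024];
    char buf[NAME_BUF];
    if (n >= sizeof name) return false;
    memset(name, 'A', n);
    name[n] = '\0';
    return store_name_bounded(buf, sizeof buf, name);
}
```

    A 255-byte name is the longest the bounded version accepts; anything from
    256 bytes up is exactly the input that makes the unbounded version write
    past the buffer.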

    #######################################################################

    ===========
    3) The Code
    ===========

    Exploiting the bug is very simple: take any executable and lengthen the
    name of one of its imported or exported functions so that it no longer
    fits in 256 bytes.

    I have written a very simple proof-of-concept that overwrites the
    return address with 0xdeadc0de:

      http://aluigi.altervista.org/poc/w32dasmbof.disasm_me
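    One way to spot such a file before opening it, as an added example that is
    neither the advisory's proof-of-concept nor W32Dasm code: walk the export
    name table of a PE image and count the names that need more than 256
    bytes. The walk follows the documented PE layout (DOS header, PE
    signature, optional header data directory 0, section table, export
    directory). build_sample_pe() builds a minimal PE32 image constructed
    only for the self-test, and every function name here is an assumption.
    Import names are also reached through RVAs and could be checked with the
    same helpers, but are not walked in this example.

```c
/* Added example, not code from the advisory or from W32Dasm: count export
 * names that would not fit the 256-byte buffer described in the advisory.
 * The sample image from build_sample_pe() is constructed, not a real binary. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NAME_BUF 256   /* buffer size quoted in the advisory */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Map an RVA to a file offset through the section table; (size_t)-1 if unmapped. */
static size_t rva_to_off(const uint8_t *img, size_t len, size_t sec, uint16_t nsec, uint32_t rva) {
    for (uint16_t i = 0; i < nsec; i++) {
        size_t s = sec + 40u * i;
        if (s + 40 > len) return (size_t)-1;
        uint32_t vsize = rd32(img + s + 8), va = rd32(img + s + 12);
        uint32_t rawsz = rd32(img + s + 16), raw = rd32(img + s + 20);
        uint32_t span = vsize > rawsz ? vsize : rawsz;
        if (rva >= va && rva - va < span) {
            size_t off = (size_t)raw + (rva - va);
            return off < len ? off : (size_t)-1;
        }
    }
    return (size_t)-1;
}

/* Length of the NUL-terminated string at off, never reading past the image. */
static size_t name_len_at(const uint8_t *img, size_t len, size_t off) {
    size_t n = 0;
    while (off + n < len && img[off + n] != 0) n++;
    return n;
}

/* Returns how many export names need more than NAME_BUF bytes including the
 * NUL, or -1 if the image is not a PE this walker understands. *longest
 * (may be NULL) receives the longest export name seen. */
int count_oversized_exports(const uint8_t *img, size_t len, size_t *longest) {
    if (longest) *longest = 0;
    if (len < 0x40 || memcmp(img, "MZ", 2) != 0) return -1;
    size_t pe = rd32(img + 0x3c);                         /* e_lfanew */
    if (pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);
    size_t opt = pe + 24;
    if (opt + optsz > len) return -1;
    uint16_t magic = rd16(img + opt);
    size_t dd = magic == 0x20b ? 112 : (magic == 0x10b ? 96 : 0);  /* DataDirectory offset */
    if (dd == 0 || dd + 8 > optsz) return -1;
    uint32_t exp_rva = rd32(img + opt + dd);              /* DataDirectory[0]: export table */
    if (exp_rva == 0) return 0;                           /* nothing exported */
    size_t sec = opt + optsz;                             /* section table */
    size_t exp = rva_to_off(img, len, sec, nsec, exp_rva);
    if (exp == (size_t)-1 || exp + 40 > len) return -1;
    uint32_t nnames = rd32(img + exp + 24);               /* NumberOfNames */
    size_t names = rva_to_off(img, len, sec, nsec, rd32(img + exp + 32)); /* AddressOfNames */
    if (names == (size_t)-1) return -1;
    int bad = 0;
    for (uint32_t i = 0; i < nnames; i++) {
        if (names + 4u * (i + 1) > len) return -1;
        size_t off = rva_to_off(img, len, sec, nsec, rd32(img + names + 4u * i));
        if (off == (size_t)-1) return -1;
        size_t n = name_len_at(img, len, off);
        if (longest && n > *longest) *longest = n;
        if (n + 1 > NAME_BUF) bad++;   /* wsprintf() into char[256] overflows on this name */
    }
    return bad;
}

/* Constructed sample: minimal PE32, one section at RVA 0x1000 / offset 0x200,
 * one export named with name_len 'A' bytes. Returns image size, 0 if it won't fit. */
size_t build_sample_pe(uint8_t *buf, size_t cap, size_t name_len) {
    const size_t hdr = 0x200, raw = 0x400;
    if (cap < hdr + raw || name_len + 1 > raw - 0x30) return 0;
    memset(buf, 0, hdr + raw);
    memcpy(buf, "MZ", 2);
    wr32(buf + 0x3c, 0x80);                    /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    wr16(buf + 0x80 + 4, 0x14c);               /* Machine: i386 */
    wr16(buf + 0x80 + 6, 1);                   /* NumberOfSections */
    wr16(buf + 0x80 + 20, 224);                /* SizeOfOptionalHeader (PE32) */
    wr16(buf + 0x98, 0x10b);                   /* optional header magic: PE32 */
    wr32(buf + 0x98 + 96, 0x1000);             /* export directory RVA */
    wr32(buf + 0x98 + 100, 0x40);              /* export directory size */
    uint8_t *sec = buf + 0x98 + 224;           /* first section header */
    memcpy(sec, ".edata", 6);
    wr32(sec + 8, raw); wr32(sec + 12, 0x1000); wr32(sec + 16, raw); wr32(sec + 20, hdr);
    wr32(buf + hdr + 24, 1);                   /* export dir: NumberOfNames */
    wr32(buf + hdr + 32, 0x1028);              /* export dir: AddressOfNames */
    wr32(buf + hdr + 0x28, 0x1030);            /* names[0] -> RVA 0x1030 */
    memset(buf + hdr + 0x30, 'A', name_len);   /* the name; NUL already there from memset */
    return hdr + raw;
}

/* Build a sample with one export of name_len bytes and scan it. */
int oversized_in_sample(size_t name_len, size_t *longest) {
    static uint8_t img[0x600];
    size_t n = build_sample_pe(img, sizeof img, name_len);
    return n ? count_oversized_exports(img, n, longest) : -1;
}
```

    To check a real file, read it into memory and call
    count_oversized_exports() on the bytes; a non-zero result means the file
    carries an export name that W32Dasm's wsprintf() copy cannot hold.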

    #######################################################################

    ======
    4) Fix
    ======

    No fix.
    This program is no longer supported, so the only mitigation is not to
    load untrusted executables in it.

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org

