Subject: lnk-files
From: Ian Vitek (ian.vitek INFOSEC.SE)
Date: Wed May 17 2000 - 13:43:00 CDT
After reading about Windows hidden extensions, written by Jim Murray, I sat down
and tried to construct all of them. Nothing funny about that.
After some more testing I tried to link two lnk-files together (with a hex
editor) so they were pointing at each other on a Windows NT 4.0. After updating
the explorer (F5) the utilization went up to 100% and explorer crashed and
restarted.
Then I put together a lnk-file pointing at a non existing very long file name (
"A" x 2004 . ".txt" ). Explorer restarted when I moved into the directory.
I put together a new lnk-file pointing at a non existing file with a very long
extension ( "test." . "A" x 2003 ). Got a Dr. Watson ( 0xc0000005 Address:
0x77f8eae4 ) when trying to open the link. Pointing to ( "test." . "B" x 2003 )
gives Dr. Watson ( 0xc0000005 Address: 0x77c43850 ). Same as the old long
extension?
Does anyone know what the osd-files do? They are under %windir%\Downloaded
Program Files and have a desktop.ini pointing to CLSID
{88C6381-2E85-11D0-94DE-444553540000}. They look like XML documents...
Work to do: Find a lnk or other extension not running explorer and try to
manipulate them to get a real buffer overflow or other unexpected result.
//Ian Vitek, Infosec
mailto:ian.vitek infosec.se
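
An added example, not part of the original post: a defender-side check that reads the path strings out of a shortcut and reports any that are longer than a normal Windows path, the condition the over-long targets above have in common. The field layout follows Microsoft's published MS-SHLLINK format; the 260-character threshold, the function names and the sample inputs are assumptions made for this example, and the LinkTargetIDList is skipped rather than inspected.

```python
import struct

MAX_PATH = 260  # classic Windows path limit, used here as the alert threshold
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]

def lnk_strings(data):
    """Return {field: text} for the path-bearing strings of a shell link."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, out = 76, {}
    if flags & HAS_IDLIST:  # skip LinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfoSize counts the whole structure
        size, _, li_flags, _, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath: NUL-terminated path
            start = pos + base_off
            end = data.index(b"\0", start, pos + size)
            out["local_base_path"] = data[start:end].decode("cp1252", "replace")
        pos += size
    width = 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            if len(raw) != count * width:
                raise ValueError("truncated string data")
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return out

def oversized_fields(data, limit=MAX_PATH):
    """List (field, length) for every string longer than limit characters."""
    return [(k, len(v)) for k, v in lnk_strings(data).items() if len(v) > limit]

def sample_link(rel_path):
    """Constructed fixture: bare header plus one Unicode RELATIVE_PATH string."""
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, 0x08 | IS_UNICODE)
    body = struct.pack("<H", len(rel_path)) + rel_path.encode("utf-16-le")
    return header.ljust(76, b"\0") + body

if __name__ == "__main__":
    for path in ("docs\\report.txt", "x" * 300 + ".txt"):  # constructed inputs
        print(len(path), oversized_fields(sample_link(path)))
```

To scan real files, pass the bytes of each `.lnk` to `oversized_fields` and treat a `ValueError` or `struct.error` as a malformed shortcut worth a closer look.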