Subject: Re: Buffer Overflows with long file extensions in Windows
From: Ussr Labs (labs@USSRBACK.COM)
Date: Wed Aug 02 2000 - 06:58:25 CDT
- Next message: Zoa_Chien: "SCX: Re: Buffer Overflows with long file extensions in Windows"
- Previous message: Security Team: "DST2K0007: Buffer Overrun in ITHouse Mail Server v1.04"
- Next in thread: Zoa_Chien: "SCX: Re: Buffer Overflows with long file extensions in Windows"
- Reply: Zoa_Chien: "SCX: Re: Buffer Overflows with long file extensions in Windows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
;To: BugTraq
;Subject: Buffer Overflows with long file extensions in Windows
;Date: Fri May 26 2000 02:17:32
;Author: Moritz Jodeit
;Message-ID: <23988.959321852@www2.gmx.net>
;
;
;There is a buffer overflow in how Windows handles files which have a very
;long file extension. In Windows 98, I created the following file:
;"x.xxxxxxxx[225 more x's]". If you keep your mouse a second over the
;file, you get a general protection fault in the EXPLORER process. EAX,
;EIP and EBP are overwritten with the x-values. I'm not aware of the fact
;that this could be remotely exploited. This was tested on Windows 98
;4.10.1998. Windows 2000 seems to have a similar bug. If you create the
;above file and make a copy of it to the same directory, so it should get
;the name "Copy of ...", there is some buffer overflow, too. I tested this
;on Windows 2000 Professional 5.00.2195. If you try this in Windows 98,
;you get a general protection fault in module SHELL32.DLL and EAX and ESI
;are overwritten with the x-values. In Windows 95, there is the same
;problem as in Windows 98. I didn't have the chance to test this on NT,
;but it should work there as well.
;
;--
;Moritz Jodeit
;http://jodeit.exit.de
;
;Sent through GMX FreeMail - http://www.gmx.net
Yes! It can be exploited! I made an exploit with 200 bytes of payload,
but the only problem is :( every time you log into the machine, it has a
different return address.
So, it is exploitable, but there is no way to make a generic exploit
with it :(
Example First Time:
EXPLORER caused a general protection fault
in module KRNL386.EXE at 0001:00008614.
Registers:
EAX=00004c00 CS=014f EIP=00008614 EFLGS=00010212
EBX=80078d03 SS=0177 ESP=006cd8f6 EBP=acacd8fa
ECX=006cfda8 DS=0167 ESI=00464d50 FS=1ac7
EDX=ce646e20 ES=0177 EDI=7fcbd320 GS=0000
Bytes at CS:EIP:
87 5e fc 8e 5e fe 50 9c 58 f6 c4 02 58 75 01 fb
Stack dump:
01770032 acacacad 016facac 02020000 acac0000 acacacac acacacac
acacacac acacacac acacacac acacacac acacacac acacacac acacacac
acacacac acacacac
Example Second Time:
EXPLORER caused a general protection fault
in module KRNL386.EXE at 0001:00008614.
Registers:
EAX=00004c00 CS=014f EIP=00008614 EFLGS=00010212
EBX=80078d03 SS=0177 ESP=0086d8f6 EBP=acacd8fa
ECX=0086fda8 DS=0167 ESI=0044dd88 FS=2357
EDX=ce5eb720 ES=0177 EDI=7fcbd320 GS=0000
Bytes at CS:EIP:
87 5e fc 8e 5e fe 50 9c 58 f6 c4 02 58 75 01 fb
Stack dump:
01770032 acacacad 016facac 02020000 acac0000 acacacac acacacac
acacacac acacacac acacacac acacacac acacacac acacacac acacacac
acacacac acacacac
Example First Time Esp: 006cd8f6
Example Second Time Esp: 0086d8f6
Another thing: I tested on 8 machines running Microsoft Windows 2000
(Professional, Server and Advanced Server), and on 4 machines running NT
4.0 Server, and did the same thing: "NOTHING". No crash, no overflow.
u n d e r g r o u n d   s e c u r i t y   s y s t e m s   r e s e a r c h
http://www.ussrback.com
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
iQA/AwUBOYgM4a3JcbWNj6DDEQIM0ACfYKPqEqoPf7EoT2uXMje9nwW0hOIAoJHA
uVwd4JOuK3mOEyMBab01htPt
=BoME
-----END PGP SIGNATURE-----
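The bug class both reports describe, a file extension copied into a fixed-size buffer with no length check, is illustrated below as an added example; it is not code from the thread, from USSR Labs, or from Windows. The buffer size `EXT_MAX`, the function names, and the 233-x test name (built to match the "x.xxxxxxxx[225 more x's]" file from the original post) are assumptions. The unbounded copy is shown only for contrast and is never called; the bounded version rejects an extension that would not fit instead of truncating it, and `extension_is_oversized` is the kind of check an administrator could run over a directory listing to find names that trip this class of bug.

```c
/* Added example, not part of the original thread: unbounded vs. bounded
 * copy of a file extension, plus a detection check for oversized
 * extensions. EXT_MAX and all names here are assumptions, not Windows
 * internals. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest extension the (hypothetical) caller is prepared to handle. */
#define EXT_MAX 8

/* Return a pointer to the extension (text after the last '.'), or NULL
 * when there is none. Only a pointer is returned, so nothing can overflow. */
const char *find_extension(const char *name) {
    const char *dot = strrchr(name, '.');
    if (dot == NULL || dot[1] == '\0') return NULL;
    return dot + 1;
}

/* Vulnerable pattern (contrast only; not called by main or the tests):
 * the extension is copied into a fixed stack buffer with no length
 * check. An extension longer than EXT_MAX bytes runs past the buffer
 * into the saved frame pointer and return address, the kind of
 * overwritten EBP/EIP the reports in this thread describe. */
int extension_copy_unbounded(const char *name) {
    char buf[EXT_MAX + 1];
    const char *ext = find_extension(name);
    if (ext == NULL) return -1;
    strcpy(buf, ext);            /* no bound: overflows on long extensions */
    return (int)strlen(buf);
}

/* Hardened form: copy only when the extension and its NUL fit in out.
 * Returns 0 on success, -1 when there is no extension, -2 when the
 * extension is too long. Rejecting is preferred to silent truncation,
 * which would produce a different name than the one on disk. */
int extension_copy_bounded(const char *name, char *out, size_t outsz) {
    const char *ext = find_extension(name);
    if (ext == NULL) return -1;
    size_t len = strlen(ext);
    if (outsz == 0 || len >= outsz) return -2;
    memcpy(out, ext, len + 1);   /* len + 1 includes the terminating NUL */
    return 0;
}

/* Detection check: 1 if the extension is longer than limit, else 0.
 * Useful for flagging names like the ones in this thread on a share. */
int extension_is_oversized(const char *name, size_t limit) {
    const char *ext = find_extension(name);
    return ext != NULL && strlen(ext) > limit;
}

/* Build a constructed test name "x." followed by ext_len 'x' characters.
 * ext_len = 233 reproduces the shape of the name from the original post.
 * Caller frees the result. */
char *make_long_name(size_t ext_len) {
    char *name = malloc(ext_len + 3);
    if (name == NULL) return NULL;
    name[0] = 'x';
    name[1] = '.';
    memset(name + 2, 'x', ext_len);
    name[ext_len + 2] = '\0';
    return name;
}

int main(void) {
    char buf[EXT_MAX + 1];
    char *name = make_long_name(233);
    if (name == NULL) return 1;
    printf("bounded copy of \"%.12s...\": rc=%d\n", name,
           extension_copy_bounded(name, buf, sizeof buf));
    printf("oversized (limit 64)? %d\n", extension_is_oversized(name, 64));
    printf("bounded copy of \"readme.txt\": rc=%d\n",
           extension_copy_bounded("readme.txt", buf, sizeof buf));
    free(name);
    return 0;
}
```

The bounded copy returns -2 for the 233-character extension and 0 for "readme.txt"; the oversized check returns 1 for the long name and 0 for ordinary names, so a scan that applies it to every entry in a listing reports only the names that matter.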
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net