Re: Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow

From: David Parker (dap24at_private)
Date: Fri Sep 03 1999 - 20:55:18 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    I tried the 4 exploit test links, and they all crashed Netscape but
    didn't cause any bluescreens or run any programs. I have win98,
    Netscape 4.5 128-bit, and the same msvcrt.dll (6.00.8397). I'm not
    sure how to debug the crashes, so I'm including the illegal operation
    errors, hopefully they will be of some help:
    
    (in the same order as the original links) --
    
    NETSCAPE caused an invalid page fault in
    module KERNEL32.DLL at 018f:bff87eb5.
    Registers:
    EAX=c00300ec CS=018f EIP=bff87eb5 EFLGS=00010202
    EBX=00b3e54c SS=0197 ESP=00a3ffd0 EBP=00a4003c
    ECX=00a401f0 DS=0197 ESI=817c0430 FS=19df
    EDX=bff76859 ES=0197 EDI=00a40218 GS=0000
    Bytes at CS:EIP:
    53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
    Stack dump:
    
    NETSCAPE caused an invalid page fault in
    module KERNEL32.DLL at 018f:bff87eb5.
    Registers:
    EAX=c00300ec CS=018f EIP=bff87eb5 EFLGS=00010202
    EBX=00b3e54c SS=0197 ESP=00a3ffd0 EBP=00a4003c
    ECX=00a401f0 DS=0197 ESI=817c9048 FS=1d0f
    EDX=bff76859 ES=0197 EDI=00a40218 GS=0000
    Bytes at CS:EIP:
    53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
    Stack dump:
    
    NETSCAPE caused an invalid page fault in
    module KERNEL32.DLL at 018f:bff7a06b.
    Registers:
    EAX=00b3f39c CS=018f EIP=bff7a06b EFLGS=00010246
    EBX=00b3f39c SS=0197 ESP=00a4002c EBP=00a4004c
    ECX=00a400d0 DS=0197 ESI=817c900c FS=1d0f
    EDX=bff76859 ES=0197 EDI=00a400f8 GS=0000
    Bytes at CS:EIP:
    ff a6 c5 f7 bf ac c5 f7 bf ff ff ff ff be c5 f7
    Stack dump:
    bff7684d 00a400f8 00b3f39c 00a40114 00a400d0 00a40204 bff76859
    00b3f39c 00a400e0 bff87fc0 00a400f8 00b3f39c 00a40114 00a400d0
    bff7a06b 00a402bc
    
    NETSCAPE caused an invalid page fault in
    module KERNEL32.DLL at 018f:bff7a06b.
    Registers:
    EAX=00b3f39c CS=018f EIP=bff7a06b EFLGS=00010246
    EBX=00b3f39c SS=0197 ESP=00a4002c EBP=00a4004c
    ECX=00a400d0 DS=0197 ESI=817c6800 FS=1d0f
    EDX=bff76859 ES=0197 EDI=00a400f8 GS=0000
    Bytes at CS:EIP:
    ff a6 c5 f7 bf ac c5 f7 bf ff ff ff ff be c5 f7
    Stack dump:
    bff7684d 00a400f8 00b3f39c 00a40114 00a400d0 00a40204 bff76859
    00b3f39c 00a400e0 bff87fc0 00a400f8 00b3f39c 00a40114 00a400d0
    bff7a06b 00a402bc
    
    -----
    dap24at_private
    http://neongoat.netpedia.net
    PGP Key ID/Fingerprint:
     0xF90FFFE5  /  F362 51F7 6D51 85EB AF68 75B9 D29B 1AFC F90F FFE5
    -----
    
    
    -----Original Message-----
    From: DEF CON ZERO WINDOW <defcon0at_private>
    To: BUGTRAQat_private <BUGTRAQat_private>
    Date: Friday, September 03, 1999 8:16 PM
    Subject: Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow
    
    
    >Hi,
    >
    > I discovered a buffer overflow bug which causes a huge security hole
    > in `Netscape communicator 4.06J, 4.5J - 4.6J, 4.61e' (probably all
    > versions after 3.0 as well).
    >
    > The problem in this application is in the handling of the EMBED tag:
    > the buffer overflow is caused if a long string is specified in the
    > "pluginspage" option.
    > I coded an exploit program to execute any command on the victim
    > machine. I tested it on Windows 98.
    >
    > However, because this program hard-codes the address of the system()
    > function defined in msvcrt.dll, it does not work on a Windows machine
    > that has another version of msvcrt.dll installed (this program is for
    > version 6.00.8397).
    >
    > The reason I specified the immediate address of the function is that
    > the buffer the exploit code can be written to is very short; the
    > size of the writable buffer is about 83 bytes. The buffer is too small
    > to hold code that finds the addresses of the functions defined in
    > msvcrt.dll.
    >
    > However, this problem would be solved if code that searches for the
    > attack code and executes it were put in the exploit code. The attack
    > code can also be written to another buffer.
    >
    ># Attack code of 2300 bytes could be written to stack_bottom.
    >
    > A trojan or virus could be written into the attack code, so this
    > problem is very serious.
    >
    > In this case, the stack pointer (ESP) at the time the overflow occurs
    > differs by environment, so the method of overwriting the RET address
    > cannot be used to exploit it. This example overwrites the handler
    > address for the access violation, so the exploit code is called when
    > the access violation occurs. When the access violation occurs, the
    > address of the exploit buffer is stored in the EBX register, so I
    > overwrite the handler address with the address of code where a
    > "JMP EBX" instruction is written.
    >
    > You can quickly test this exploit on my site. I have prepared some
    > versions of the exploit that execute "welcome.exe" on your Windows 98
    > machine. If you are a user of one of the specified versions of
    > Netscape, please test it. I did not code the exploit program for
    > Windows NT and Windows 95, but they contain the same problem.
    >
    >... and this problem can't be avoided.
    >
    >
    >[ exploit demo page ]
    >
    >exec "welcome.exe" - nc4x_ex.c
    >http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex.cgi
    >
    >exec "notepad.exe"
    >http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex2.cgi
    >
    >---
    >
    >[ exploit test ]
    >
    >blue screen(int 01h)
    >http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm
    >http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm
    >
    >
    >[ document(japanese) ]
    >http://www.ugtop.com/defcon0/hc/nc4x_ex_demo.htm
    >
    >
    >special thanks:
    >UNYUN( The Shadow Penguin Security )
    >http://shadowpenguin.backsection.net/
    >
    >
    >
    >--
    >: R00t Zer0 -   http://www.ugtop.com/defcon0/index.htm           :
    >: E-Mail: defcon0at_private                                      :
    >: --                                                          -- :
    >: "HP/UX is the worst OS for the hacker..." - Mark Abene         :
    >
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.0.2
    
    iQA/AwUBN9CYJtKbGvz5D//lEQJ9ywCgibQit7j2zLT744YHxNBg6/6sMXkAoJ4m
    KV7FQukDWwEHKdztvG3S0xP3
    =g8zV
    -----END PGP SIGNATURE-----
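As an added example (not code from either poster), here is a small C parser for the Windows 9x "invalid page fault" text pasted in the reply above. The two dump strings inside it are constructed copies of the first and third reports. It extracts the faulting module, CS:EIP and the general registers, decodes the "Bytes at CS:EIP" run into little-endian dwords, and checks whether two dumps faulted at the same site.

```c
/* Added example, not part of either post: a parser for the Win9x
 * "invalid page fault" text pasted above. The two strings below are
 * constructed copies of the first and third dumps in the reply. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct crash {
    char module[32];            /* e.g. "KERNEL32.DLL" */
    unsigned seg, eip;          /* CS:EIP from the headline */
    unsigned eax, ebx, ecx, edx, esi, edi, esp, ebp;
    unsigned char bytes[16];    /* "Bytes at CS:EIP" */
    int nbytes;
};

static const char DUMP1[] =
    "NETSCAPE caused an invalid page fault in\n"
    "module KERNEL32.DLL at 018f:bff87eb5.\n"
    "Registers:\n"
    "EAX=c00300ec CS=018f EIP=bff87eb5 EFLGS=00010202\n"
    "EBX=00b3e54c SS=0197 ESP=00a3ffd0 EBP=00a4003c\n"
    "ECX=00a401f0 DS=0197 ESI=817c0430 FS=19df\n"
    "EDX=bff76859 ES=0197 EDI=00a40218 GS=0000\n"
    "Bytes at CS:EIP:\n"
    "53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75\n"
    "Stack dump:\n";

static const char DUMP3[] =
    "NETSCAPE caused an invalid page fault in\n"
    "module KERNEL32.DLL at 018f:bff7a06b.\n"
    "Registers:\n"
    "EAX=00b3f39c CS=018f EIP=bff7a06b EFLGS=00010246\n"
    "EBX=00b3f39c SS=0197 ESP=00a4002c EBP=00a4004c\n"
    "ECX=00a400d0 DS=0197 ESI=817c900c FS=1d0f\n"
    "EDX=bff76859 ES=0197 EDI=00a400f8 GS=0000\n"
    "Bytes at CS:EIP:\n"
    "ff a6 c5 f7 bf ac c5 f7 bf ff ff ff ff be c5 f7\n"
    "Stack dump:\n";

/* Locate "NAME=" at or after pos and parse the hex value that follows. */
static int reg(const char *pos, const char *name, unsigned *out)
{
    const char *f = strstr(pos, name);
    return (f && sscanf(f + strlen(name), "%x", out) == 1) ? 0 : -1;
}

/* Parse one dump; 0 on success, -1 if a required field is missing. */
int parse_crash(const char *text, struct crash *c)
{
    memset(c, 0, sizeof *c);
    const char *p = strstr(text, "module ");
    if (!p || sscanf(p, "module %31s at %x:%x", c->module, &c->seg, &c->eip) != 3)
        return -1;
    size_t n = strlen(c->module);               /* drop the trailing '.' */
    if (n && c->module[n - 1] == '.') c->module[n - 1] = '\0';

    const char *r = strstr(text, "Registers:");
    if (!r) return -1;
    if (reg(r, "EAX=", &c->eax) || reg(r, "EBX=", &c->ebx) || reg(r, "ECX=", &c->ecx) ||
        reg(r, "EDX=", &c->edx) || reg(r, "ESI=", &c->esi) || reg(r, "EDI=", &c->edi) ||
        reg(r, "ESP=", &c->esp) || reg(r, "EBP=", &c->ebp))
        return -1;

    const char *b = strstr(text, "Bytes at CS:EIP:");
    if (!b) return -1;
    b += strlen("Bytes at CS:EIP:");
    while (c->nbytes < 16) {                    /* "Stack dump:" ends the run */
        char *end;
        unsigned long v = strtoul(b, &end, 16);
        if (end == b || v > 0xff) break;
        c->bytes[c->nbytes++] = (unsigned char)v;
        b = end;
    }
    return c->nbytes == 16 ? 0 : -1;
}

/* Little-endian dword at byte offset off of the CS:EIP run; 0 if out of range. */
unsigned dword_at(const struct crash *c, int off)
{
    if (off < 0 || off + 3 >= c->nbytes) return 0;
    return (unsigned)c->bytes[off] | (unsigned)c->bytes[off + 1] << 8 |
           (unsigned)c->bytes[off + 2] << 16 | (unsigned)c->bytes[off + 3] << 24;
}

/* 1 if both dumps fault at the same CS:EIP in the same module. */
int same_fault_site(const struct crash *a, const struct crash *b)
{
    return a->seg == b->seg && a->eip == b->eip && !strcmp(a->module, b->module);
}

int main(void)
{
    struct crash a, b;
    if (parse_crash(DUMP1, &a) || parse_crash(DUMP3, &b)) return 1;
    printf("dump1: %s %04x:%08x EBX=%08x ESP=%08x byte0=%02x\n",
           a.module, a.seg, a.eip, a.ebx, a.esp, a.bytes[0]);
    printf("dump3: %s %04x:%08x EBX=%08x dwords@+1: %08x %08x %08x\n",
           b.module, b.seg, b.eip, b.ebx,
           dword_at(&b, 1), dword_at(&b, 5), dword_at(&b, 9));
    printf("same fault site: %d\n", same_fault_site(&a, &b));
    return 0;
}
```

Run over the four dumps in the reply, this shows two distinct fault sites, both with EIP inside KERNEL32.DLL (018f:bff87eb5 for the first pair, 018f:bff7a06b for the second), and two distinct EBX values (00b3e54c and 00b3f39c), the register the advisory says holds the exploit buffer address when the violation is raised. The first pair's bytes begin 53 56 57 (push ebx / push esi / push edi, an ordinary prologue); the second pair's run, read as dwords from a one-byte offset, gives bff7c5a6, bff7c5ac, ffffffff, which is the shape of a pointer table rather than an instruction stream.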
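The root cause the quoted advisory describes is an attribute value (the EMBED tag's "pluginspage") copied into a fixed-size stack buffer with no length check. Below, as an added C example that is neither Netscape's code nor from either post, is that pattern next to a bounded version that refuses over-long values. The tag scanner, the 128-byte buffer and the test-tag builder are assumptions for illustration; the page gives neither Communicator's source nor its stack layout. The 2300-byte test value echoes the attack-code size the advisory mentions.

```c
/* Added example, not Netscape's code and not from either post: the
 * unbounded-copy pattern behind an EMBED pluginspage overflow, next to a
 * bounded version. PLUGINSPAGE_MAX and the scanner are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PLUGINSPAGE_MAX 128     /* assumed size of the on-stack copy */

/* Point *val/*len at the quoted pluginspage value of an EMBED tag.
 * Returns 0, or -1 if the tag has no quoted pluginspage attribute. */
int find_pluginspage(const char *tag, const char **val, size_t *len)
{
    const char *a = strstr(tag, "pluginspage=\"");
    if (!a) return -1;
    a += strlen("pluginspage=\"");
    const char *q = strchr(a, '"');
    if (!q) return -1;
    *val = a;
    *len = (size_t)(q - a);
    return 0;
}

/* VULNERABLE: unbounded copy into a fixed stack buffer. A value longer than
 * PLUGINSPAGE_MAX - 1 bytes runs past the buffer into whatever follows it
 * on the stack (saved registers, the return address, or an exception
 * handler record as the advisory describes). Only short input reaches it
 * in this file. Returns the copied length or -1 if the attribute is absent. */
int load_pluginspage_unsafe(const char *tag)
{
    char page[PLUGINSPAGE_MAX];
    const char *v; size_t n;
    if (find_pluginspage(tag, &v, &n)) return -1;
    memcpy(page, v, n);             /* n is never checked against sizeof page */
    page[n] = '\0';
    return (int)strlen(page);
}

/* HARDENED: check the length against the destination before copying and
 * reject the tag otherwise. Returns the copied length, or -1 if absent or
 * too long (n must leave room for the terminator). */
int load_pluginspage_safe(const char *tag, char *out, size_t outsz)
{
    const char *v; size_t n;
    if (find_pluginspage(tag, &v, &n)) return -1;
    if (n >= outsz) return -1;
    memcpy(out, v, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed test input: an EMBED tag whose pluginspage value is n copies
 * of 'A', the shape of the trigger the advisory describes. Caller frees. */
char *make_embed(size_t n)
{
    const char *pre = "<EMBED SRC=\"x.swf\" pluginspage=\"";
    const char *post = "\">";
    char *s = malloc(strlen(pre) + n + strlen(post) + 1);
    if (!s) return NULL;
    strcpy(s, pre);
    memset(s + strlen(pre), 'A', n);
    strcpy(s + strlen(pre) + n, post);
    return s;
}

int main(void)
{
    char buf[PLUGINSPAGE_MAX];
    char *ok = make_embed(40), *bad = make_embed(2300);
    if (!ok || !bad) return 1;
    printf("40-byte value:   safe=%d unsafe=%d\n",
           load_pluginspage_safe(ok, buf, sizeof buf), load_pluginspage_unsafe(ok));
    printf("2300-byte value: safe=%d (rejected; unsafe variant would overflow)\n",
           load_pluginspage_safe(bad, buf, sizeof buf));
    free(ok);
    free(bad);
    return 0;
}
```

The safe variant is the whole fix: the destination size travels with the destination, and the only decision is made before the copy. Truncating instead of rejecting would also stop the overflow, but it silently changes the URL the plug-in finder would follow, so refusing the attribute is the better choice for this field.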
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:33 PDT