Windows Api SHGetPathFromIDList Buffer Overflow

From: Ussr Labs (labsat_private)
Date: Fri Feb 04 2000 - 12:13:27 PST


    
    Windows Api SHGetPathFromIDList Buffer Overflow
    
    To all those people who sent email to us asking for more information
    about the SHGetPathFromIDList Windows Api overflow.
    
    Here is a more specific description of the problem. All structure
    lengths, or lengths of strings, can be modified or altered and cause
    whatever handles the shortcuts to crash.
    
    SHGetPathFromIDList
    
    Converts an item identifier list to a file system path.
    
    BOOL SHGetPathFromIDList(
        LPCITEMIDLIST pidl,
        LPSTR pszPath
    );
    
    Parameters
    pidl
    Address of an item identifier list that specifies a file or directory
    location relative to the root of the namespace (the desktop).
    pszPath
    Address of a buffer to receive the file system path. This buffer must
    be at least MAX_PATH characters in size.
    Return Values
    Returns TRUE if successful, or FALSE otherwise.
    
    
    Disassembly of a hypothetical shortcut file

    Offset  Bytes               Contents

    Header
    0000    4C 00 00 00         'L' Magic value
    0004    01 04 02 00         GUID of shortcut files
            00 00 00 00
            C0 00 00 00
            00 00 00 46
    0014    3F 00 00 00         Flags:
                                  Has item id list
                                  Target is a file
                                  Has description string
                                  Has relative pathname
                                  Has a working directory
                                  Has a custom icon
    0018    20 00 00 00         File attributes: Archive
    001C    C0 0E 82 D5         Time 1
            C1 20 BE 01
    0024    00 08 BF 46         Time 2
            D5 20 BE 01
    002C    00 47 AA EC         Time 3
            EC 15 BE 01
    0034    A0 86 00 00         File length is 34464 bytes (86A0h)
    0038    05 00 00 00         Icon number 5
    003C    01 00 00 00         Normal window
    0040    46 06 00 00         Ctrl-Alt-F hotkey
    0044    00 00 00 00         Always zero, unknown/reserved
    0048    00 00 00 00         Always zero, unknown/reserved

    Item id list
    004C    2A 00               Size of item id list
                                First item
    004E    28 00               Length of first item
    0050    32 00               ???
    0052    A0 86 00 00         File length
    0056    76 25 71 3E         ???
    005A    20 00               File attributes?
    005C    62 65 73 74 5F 37   "best_773.mid" Long name
            37 33 2E 6D 69 64
            00                  Null terminator
    0069    42 45 53 54 5F 37   "BEST_773.MID" Short name
            37 33 2E 4D 49 44
            00                  Null terminator
                                Last item
    0076    00 00               Zero length value

    File location info
    0078    74 00 00 00         Structure length
    007C    1C 00 00 00         Offset past last item in structure
    0080    03 00 00 00         Flags:
                                  Local volume
                                  Network volume
    0084    1C 00 00 00         Offset of local volume table
    0088    34 00 00 00         Offset of local path string
    008C    40 00 00 00         Offset of network volume table
    0090    5F 00 00 00         Offset of final path string

    Local volume table
    0094    18 00 00 00         Length of local volume table
    0098    03 00 00 00         Fixed disk
    009C    D0 07 33 3A         Volume serial number 3A33-07D0
    00A0    10 00 00 00         Offset to volume label
    00A4    44 52 49 56 45 20   "DRIVE C",0
            43 00
    00AC    43 3A 5C 57 49 4E   "C:\WINDOWS\",0 Local path string
            44 4F 57 53 5C 00

    Network volume table
    00B8    1F 00 00 00         Length of network volume table
    00BC    02 00 00 00         ???
    00C0    14 00 00 00         Offset of share name
    00C4    00 00 00 00         ???
    00C8    00 00 02 00         ???
    00CC    5C 5C 4A 45 53 53   "\\JESSE\WD",0 Share name
            45 5C 57 44 00
    00D7    44 65 73 6B 74 6F   "Desktop\best_773.mid",0 Final path name
            70 5C 62 65 73 74
            5F 37 37 33 2E 6D
            69 64 00

    Description string
    00EC    12 00               Length of string
    00EE    42 65 73 74 20 37   "Best 773 midi file"
            37 33 20 6D 69 64
            69 20 66 69 6C 65

    Relative path
    0100    0E 00               Length of string
    0102    2E 5C 62 65 73 74   ".\best_773.mid"
            5F 37 37 33 2E 6D
            69 64

    Working directory
    0114    12 00               Length of string
    0116    43 3A 5C 57 49 4E   "C:\WINDOWS\Desktop"
            44 4F 57 53 5C 44
            65 73 6B 74 6F 70

    Command line arguments
    0128    06 00               Length of string
    012A    2F 63 6C 6F 73 65   "/close"

    Icon file
    0130    16 00               Length of string
    0132    43 3A 5C 57 49 4E   "C:\WINDOWS\Mplayer.exe"
            44 4F 57 53 5C 4D
            70 6C 61 79 65 72
            2E 65 78 65

    Ending stuff
    0148    00 00 00 00         Length 0 - no more stuff

    The target is located at:
    C:\WINDOWS\Desktop\best_773.mid
    The windows directory is shared as:
    \\JESSE\WD
    
    
    Note: This overflow does not work under win2k.
    
    u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
    http://www.ussrback.com
    
    
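As an added example, not code from the advisory or from USSR Labs: a bounds-checked walk over the item ID list shown in the disassembly, which is the check a shortcut handler needs so that an altered length field is rejected instead of being trusted when building the MAX_PATH-sized output that SHGetPathFromIDList's pszPath contract assumes. The sample bytes are constructed from the listing (offsets 004C..0077); the assumption that the long name starts 14 bytes into a file item is taken from that listing, not from any format documentation.

```c
#include <stdint.h>
#include <string.h>
#define MAX_PATH    260   /* minimum pszPath size the API documentation requires */
#define NAME_OFFSET 14    /* long name begins 14 bytes into a file item (assumed from the disassembly) */
/* Constructed sample: the item ID list bytes at 0x4C..0x77 of the hypothetical shortcut:
   2-byte list size (0x2A), one 0x28-byte item, then the 2-byte zero terminator. */
static const uint8_t SAMPLE_IDLIST[] = {
    0x2A, 0x00,
    0x28, 0x00, 0x32, 0x00, 0xA0, 0x86, 0x00, 0x00, 0x76, 0x25, 0x71, 0x3E, 0x20, 0x00,
    'b', 'e', 's', 't', '_', '7', '7', '3', '.', 'm', 'i', 'd', 0,
    'B', 'E', 'S', 'T', '_', '7', '7', '3', '.', 'M', 'I', 'D', 0,
    0x00, 0x00
};
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Walk an item ID list, checking every length field against the bytes actually present
   before trusting it, and build a backslash-joined path into out (capacity out_len).
   Returns the number of items consumed, or -1 on a forged length, an unterminated name,
   or a path that would not fit in out. */
int safe_path_from_idlist(const uint8_t *buf, size_t buf_len, char *out, size_t out_len)
{
    size_t list_size, end, pos = 2, used = 0;
    int items = 0;
    if (buf_len < 2 || out_len == 0) return -1;
    list_size = le16(buf);                         /* declared size, excludes the size field */
    if (list_size > buf_len - 2) return -1;        /* list claims more bytes than we have */
    end = 2 + list_size;
    out[0] = '\0';
    while (pos + 2 <= end) {
        uint16_t cb = le16(buf + pos);             /* this item's own length field */
        const uint8_t *name, *nul;
        size_t nlen;
        if (cb == 0) return items;                 /* clean terminator */
        if (cb < NAME_OFFSET + 1 || pos + cb > end) return -1;   /* forged length */
        name = buf + pos + NAME_OFFSET;
        nul = memchr(name, 0, cb - NAME_OFFSET);   /* search only inside this item */
        if (nul == NULL) return -1;                /* name runs off the end of its item */
        nlen = (size_t)(nul - name);
        if (used + nlen + 2 > out_len) return -1;  /* separator + name + NUL must fit */
        if (used) out[used++] = '\\';
        memcpy(out + used, name, nlen);
        used += nlen;
        out[used] = '\0';
        pos += cb;
        items++;
    }
    return -1;                                     /* ran out of bytes before the terminator */
}
```

On the sample the walk yields "best_773.mid"; bumping the first item's length field, truncating the buffer, or handing in an output buffer smaller than the name all return -1 rather than reading or writing out of bounds.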
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:36 PDT