NCSec: Local Buffer Overflow in Microsoft's Net Messenger Service

From: a b (p0pt4rtzat_private)
Date: Sat May 11 2002 - 14:14:52 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Hey all,
        We recently found an unchecked buffer in Microsoft's Net Messenger
    service (Sitedude found it first actually). By sending more than 2050
    chars with the SEND function you can reproduce the buffer overflow
    locally.
        The client runs with privileges as the current user.
        I am not familiar with the way Windows handles its memory. The EAX
    buffer is overwritten between 2050 and 2389.
    This overflow might not get anywhere. Doesn't really have much to
    offer.
    Here is Dr Watson's output:
    
    State Dump for Thread Id 0x770

    eax=00780078 ebx=00230000 ecx=00230178 edx=00230302 esi=00235928 edi=00234118
    eip=77fc9e84 esp=0006fdb8 ebp=0006fdc4 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000206

    function: RtlFreeHeap
            77fc9e68 0f8510290000     jne     RtlZeroHeap+0x454 (77fcc77e)
            77fc9e6e 8a4605           mov     al,[esi+0x5]             ds:00e42efe=??
            77fc9e71 2410             and     al,0x10
            77fc9e73 a810             test    al,0x10
            77fc9e75 884705           mov     [edi+0x5],al             ds:00e416ee=??
            77fc9e78 7544             jnz     77fd29be
            77fc9e7a 8b4e0c           mov     ecx,[esi+0xc]            ds:00e42efe=????????
            77fc9e7d 8b4608           mov     eax,[esi+0x8]            ds:00e42efe=????????
            77fc9e80 3bc1             cmp     eax,ecx
            77fc9e82 8901             mov     [ecx],eax                ds:00230178=00780078
    FAULT ->77fc9e84 894804           mov     [eax+0x4],ecx            ds:0138d64e=????????
            77fc9e87 0f847b0b0000     je      RtlDestroyHeap+0xb19 (77fcaa08)
            77fc9e8d 8a4605           mov     al,[esi+0x5]             ds:00e42efe=??
            77fc9e90 a804             test    al,0x4
            77fc9e92 0f8597290000     jne     RtlZeroHeap+0x505 (77fcc82f)
            77fc9e98 0fb70e           movzx   ecx,word ptr [esi]       ds:00235928=0078
            77fc9e9b 8b4510           mov     eax,[ebp+0x10]           ss:00c7d39a=????????
            77fc9e9e 0108             add     [eax],ecx                ds:00780078=????????
            77fc9ea0 0fb70e           movzx   ecx,word ptr [esi]       ds:00235928=0078
            77fc9ea3 294b28           sub     [ebx+0x28],ecx           ds:00e3d5d6=????????
            77fc9ea6 668b08           mov     cx,[eax]                 ds:00780078=????
            77fc9ea9 f6470510         test    byte ptr [edi+0x5],0x10  ds:00e416ee=??
    
    It's kinda weird to me. The eax is filled with 00780078. That would
    make it fill with " x x". I dunno if it is exploitable but it at
    least overwrites something! :)
    
    You may check it out using a sample program I made to create it. Yes
    guys, it's VB. I made it in VB because C wasn't parsing enough chars
    =\
    Oh well, it works. I'll figure out later why my C source wasn't
    working.
    
    You may download the test program at the following location:
    Precompiled EXE:
    http://www.hack3000.com/netcrash/p0pt4rtz/net.exe/test.exe
    Source (ZIP):
    http://www.hack3000.com/netcrash/p0pt4rtz/net.exe/testsource.ZIP
    
    If you need the Visual Basic support files you may download them at:
    Self Extracting EXE: http://hellomred.virtualave.net/files/dlls.exe
    ZIP:
    http://www.hack3000.com/netcrash/p0pt4rtz/net.exe/supportdlls.zip
    
    Also, I noticed this in Dr Watson's symbol dump. These are within
    ntdll.dll, kernel32.dll, netapi32.dll, and advapi32.dll
    They just caught my eye.
    - - --
    77F8F1D6 00000000   stricmp
    77F8F1D6 00000289   strcmpi
    77F94653 00000025   wcscpy
    77F95D84 00000025   wcscmp
    77FB697C 00000053   memccpy
    77FB73B7 00000330   memcpy
    77FB76E7 00000098   memset
    77FB790B 0000006c   strcpy
    77FB7977 000000a0   strcat
    77FB7A17 00000081   strcmp
    78001098 00000055   memset
    7801EE65 0000006c   mbscpy
    77E87E39 00000000   lstrcpy
    77E87E39 00000073   lstrcpyA
    77E8A1A4 000001ce   lstrcpyW
    77E9016C 000000c9   lstrcmpW
    77E90A24 00000000   lstrcmp
    77E90A24 00000090   lstrcmpA
    780013D1 00000059   memcmp
    780020E2 00000025   wcscpy
    78002107 0000002a   wcscat
    78003B18 00000106   strcpy
    780047DE 00000214   strcmp
    78004B60 00000758   strcat
    - - --
    
    There you have it. Unchecked buffer in Net.exe :)
    Also, please keep in mind that this is a local buffer overflow.
    
    Microsoft was contacted about this bug.
    - - --
    p0p t4rtz
    p0pt4rtzat_private
    
    Sitedude
    macaddyat_private
    
    Netcrash Security Research
    http://www.netcrash.wronger.com
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1
    
    iQA/AwUBPN2JwByQPmTAdF2MEQKgvACguJvMb2+5Xy9xDw68mAzcVkX6GEoAoJTO
    ti9stPQCtfx3x9z/I9Ifejxr
    =5HEn
    -----END PGP SIGNATURE-----
    
    
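Editor's note on the Dr Watson dump in the post above, with an added example that is neither the poster's VB test program nor Microsoft code. The instruction pair around the fault, `mov [ecx],eax` followed by `mov [eax+0x4],ecx`, with ecx loaded from [esi+0xc] and eax from [esi+0x8], is RtlFreeHeap unlinking a free-list entry: Blink->Flink = Flink, then Flink->Blink = Blink. The dump shows the first store already succeeded (ds:00230178 now holds 00780078, the UTF-16 "xx" from the message) and the second faulted because 00780078+4 is not a mapped address. The C model below assumes the 32-bit Windows 2000 free-entry layout those offsets imply (Flags at +5, Flink at +8, Blink at +0xc), a message buffer of 2050 wide characters with a free entry immediately after it, and an unchecked wide-character copy; all of those are assumptions, not facts from the post. It never dereferences the bogus pointers, it only computes the addresses and values the unlink would store.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the poster's program or Microsoft code).  Models the
 * 32-bit Windows 2000 heap free entry implied by the Dr Watson offsets
 * (Flags at +5, Flink at +8, Blink at +0xc) and the RtlFreeHeap unlink pair:
 *     mov [ecx],eax      ; *Blink     = Flink
 *     mov [eax+0x4],ecx  ; *(Flink+4) = Blink
 * Addresses are plain 32-bit numbers; nothing here touches a real heap. */

#define BUF_WCHARS    2050u         /* assumed message buffer: 2050 wide chars */
#define FREELIST_HEAD 0x00230178u   /* ebx (heap base 00230000) + 0x178, as in the dump */

struct heap_free_entry {
    uint16_t size;       /* +0x0  size in 8-byte granules */
    uint16_t prev_size;  /* +0x2 */
    uint8_t  small_tag;  /* +0x4 */
    uint8_t  flags;      /* +0x5  bit 0x10 is what the dump's and/test/jnz checks */
    uint8_t  unused;     /* +0x6 */
    uint8_t  seg_index;  /* +0x7 */
    uint32_t flink;      /* +0x8  loaded into eax */
    uint32_t blink;      /* +0xc  loaded into ecx */
};

struct heap_write { uint32_t addr; uint32_t value; };

/* The two stores the unlink performs, in order, for a given entry. */
void unlink_writes(const struct heap_free_entry *e, struct heap_write out[2])
{
    out[0].addr  = e->blink;        /* mov [ecx],eax      */
    out[0].value = e->flink;
    out[1].addr  = e->flink + 4u;   /* mov [eax+0x4],ecx  */
    out[1].value = e->blink;
}

/* Copy nchars of UTF-16 'x' into the message buffer with no bounds check and
 * return the neighbouring free entry as it looks afterwards.  The neighbour's
 * initial field values are constructed sample data. */
struct heap_free_entry overflow_model(size_t nchars)
{
    uint8_t arena[BUF_WCHARS * 2u + sizeof(struct heap_free_entry)];
    struct heap_free_entry neighbour = {
        .size = 0x0010, .prev_size = 0x0101, .small_tag = 0, .flags = 0x10,
        .unused = 0, .seg_index = 0, .flink = FREELIST_HEAD, .blink = FREELIST_HEAD,
    };
    size_t i;

    memset(arena, 0, sizeof arena);
    memcpy(arena + BUF_WCHARS * 2u, &neighbour, sizeof neighbour);

    /* The model arena ends right after the neighbour; clamp so the model
     * itself stays in bounds (the real program has no such clamp). */
    if (nchars > sizeof arena / 2u)
        nchars = sizeof arena / 2u;
    for (i = 0; i < nchars; i++) {      /* little-endian L'x' == 78 00 */
        arena[2u * i]      = 'x';
        arena[2u * i + 1u] = 0x00;
    }

    memcpy(&neighbour, arena + BUF_WCHARS * 2u, sizeof neighbour);
    return neighbour;
}

int main(void)
{
    struct heap_write w[2];
    struct heap_free_entry e = overflow_model(2056);

    unlink_writes(&e, w);
    printf("size=%04x flags=%02x flink=%08x blink=%08x\n",
           (unsigned)e.size, (unsigned)e.flags, (unsigned)e.flink, (unsigned)e.blink);
    printf("write 1: [%08x] <- %08x\n", (unsigned)w[0].addr, (unsigned)w[0].value);
    printf("write 2: [%08x] <- %08x\n", (unsigned)w[1].addr, (unsigned)w[1].value);
    return 0;
}
```

With 2056 characters the model lands on the same values the dump reports: the entry's size word reads 0078, byte +5 reads 00 so the jnz before the unlink falls through, Flink is 00780078 and Blink is still the free-list head 00230178, giving the stores [00230178] <- 00780078 (the one Dr Watson shows completed) and [0078007c] <- 00230178 (the one that faulted). The check a practitioner wants from the poster's 2050 to 2389 range is whether a copy length exists at which both Flink and Blink survive with message-controlled contents, since the unlink then stores one chosen 32-bit value at an address taken from the other; the dump alone does not answer that, which is the open question the poster left.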
    



    This archive was generated by hypermail 2b30 : Sat May 11 2002 - 15:16:40 PDT