----- Original Message -----
From: "xenophi1e" <oliver.laveryat_private>
To: <vuln-devat_private>
Sent: Sunday, June 01, 2003 1:23 AM
Subject: strcpy bug

> Noticed this while looking for something else. EIP is smacked with a 268
> byte filename argument. Anyone know an interesting bit of software that
> calls LZOpenFileA or W?
>
> .text:77EB63B6 ; =============== S U B R O U T I N E =======================================
> .text:77EB63B6
> .text:77EB63B6 ; Attributes: bp-based frame
> .text:77EB63B6
> .text:77EB63B6 ; INT __stdcall LZOpenFileA(LPSTR,LPOFSTRUCT,WORD)
> .text:77EB63B6 public LZOpenFileA

The Windows "Search for files and folders" utility will search binaries and can often find the linkage names of functions and DLLs they call. None showed up when I searched my w2ksp2 \winnt\system32 folder. The following files link against lz32.dll:

fontext.dll  - calls LZOpenFileW
setupapi.dll - ditto
setupdll.dll
t2embed.dll  - calls LZOpenFileA
version.dll  - LZCreateFileW
iis.dll      - LZOpenFileW

Let's just see if the Unicode version is equally lousy....
LZ32!LZOpenFileW:
759b15be 55            push    ebp
759b15bf 8bec          mov     ebp,esp
759b15c1 81ec14010000  sub     esp,0x114
759b15c7 8b4508        mov     eax,[ebp+0x8]
759b15ca 50            push    eax
759b15cb 8945fc        mov     [ebp-0x4],eax
759b15ce ff1580109b75  call    dword ptr [LZ32!_imp__wcslen (759b1080)]
759b15d4 d1e0          shl     eax,1
kd> u
LZ32!LZOpenFileW+18:
759b15d6 668945f8      mov     [ebp-0x8],ax
759b15da 8b45f8        mov     eax,[ebp-0x8]
759b15dd 83c002        add     eax,0x2
759b15e0 59            pop     ecx
759b15e1 668945fa      mov     [ebp-0x6],ax
759b15e5 8d85ecfeffff  lea     eax,[ebp-0x114]
759b15eb 8945f4        mov     [ebp-0xc],eax
759b15ee 8d45f8        lea     eax,[ebp-0x8]
kd> u
LZ32!LZOpenFileW+33:
759b15f1 6a00          push    0x0
759b15f3 50            push    eax
759b15f4 8d45f0        lea     eax,[ebp-0x10]
759b15f7 66c745f20401  mov     word ptr [ebp-0xe],0x104
759b15fd 50            push    eax
759b15fe ff1578109b75  call    dword ptr [LZ32!_imp__RtlUnicodeStringToAnsiString (759b1078)]
759b1604 85c0          test    eax,eax
759b1606 7d05          jge     LZ32!LZOpenFileW+0x4f (759b160d)
kd> u
LZ32!LZOpenFileW+4a:
759b1608 6afb          push    0xfb
759b160a 58            pop     eax
759b160b eb12          jmp     LZ32!LZOpenFileW+0x61 (759b161f)
759b160d ff7510        push    dword ptr [ebp+0x10]
759b1610 8d85ecfeffff  lea     eax,[ebp-0x114]
759b1616 ff750c        push    dword ptr [ebp+0xc]
759b1619 50            push    eax
759b161a e807ffffff    call    LZ32!LZOpenFileA (759b1526)

Bah. That 0x104 in the size field of the result string from the RtlUnicodeStringToAnsiString call not only protects the stack frame, it also stops us feeding too long a string through the W version to the A version. D'oh.

However, t2embed.dll looks more promising perhaps, since it is linked by mshtml.dll. Hmmmmm. A quick browse through the visible strings with PE view shows it to be something font related, so my guess is that it's the TrueType embedded font DLL. Now, perhaps an LZ-compressed TrueType font file with a very long name.... ??

So I guess the answer to your question is "Potentially, IE, OE, MSHta.exe and anything else that uses the IE browser engine." Font-face style tag perhaps?
DaveK
-- 
moderator of alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card! http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he thinks I'm interesting" List
Member #<insert number here>
Master of Many Meowing Minions
Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
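The bounded-versus-unbounded contrast DaveK walks through above, as an added C example that is not part of the original thread and not lz32.dll's own code. It models the W wrapper from the disassembly (Length = wcslen*2 stored through AX into a 16-bit field, an ANSI_STRING with MaximumLength 0x104, failure when the converted name would not fit) next to the unchecked copy pattern the original post reports for the A version, plus a checked copy that an auditor would want in its place. Assumptions of mine: the helper names, the ASCII-only narrowing standing in for the ANSI code page, the -5 error value (my reading of `push 0xfb / pop eax` as a sign-extended imm8), and the all-'A' test names; the 268-byte length is the one xenophi1e reported.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Values read from the LZOpenFileW disassembly quoted in the thread. */
#define LZ_ANSI_MAX  0x104   /* MaximumLength of the ANSI_STRING passed to RtlUnicodeStringToAnsiString */
#define LZ_ERR_CONV  (-5)    /* "push 0xfb / pop eax": imm8 sign-extends to -5 (assumed meaning: conversion error) */
#define LZ_OK        0

/* Contrast only: the unchecked-copy pattern the A version is reported to use.
 * No length check, so a name longer than the buffer overruns the frame.
 * Never call this with untrusted input; the demo feeds it a short constant. */
int lz_open_name_unchecked(const char *name)
{
    char buf[LZ_ANSI_MAX];
    strcpy(buf, name);
    return (int)strlen(buf);
}

/* Hardened A-side copy: refuse anything that does not fit together with its NUL. */
int lz_copy_name_checked(const char *name, char *dst, size_t cap)
{
    size_t n = strlen(name);
    if (n + 1 > cap)
        return 0;
    memcpy(dst, name, n + 1);
    return 1;
}

/* Model of the W wrapper.  Length is stored through AX, i.e. truncated to
 * 16 bits (UNICODE_STRING.Length is a USHORT); the destination is given
 * MaximumLength 0x104; a conversion that would not fit fails.  ASCII-only
 * narrowing is an assumption standing in for the ANSI code page. */
int lz_open_name_w(const wchar_t *name, char *ansi, size_t cap)
{
    uint16_t length  = (uint16_t)(wcslen(name) * 2);  /* truncated like 'mov [ebp-0x8],ax' */
    uint16_t max_out = LZ_ANSI_MAX;
    size_t   nchars  = length / 2;

    if (cap < max_out)
        return LZ_ERR_CONV;            /* caller buffer smaller than the modelled frame */
    if (nchars + 1 > max_out)
        return LZ_ERR_CONV;            /* what a failing RtlUnicodeStringToAnsiString turns into */
    for (size_t i = 0; i < nchars; i++)
        ansi[i] = name[i] < 0x80 ? (char)name[i] : '?';
    ansi[nchars] = '\0';
    return LZ_OK;
}

/* Probe helpers: build a constructed name of n 'A's and push it through each
 * path, so the cut-off points can be checked without hand-typing long strings. */
int check_ansi_name_len(size_t n)
{
    char *name = malloc(n + 1);
    char  dst[LZ_ANSI_MAX];
    int   ok;
    memset(name, 'A', n);
    name[n] = '\0';
    ok = lz_copy_name_checked(name, dst, sizeof dst);
    free(name);
    return ok;
}

int check_wide_name_len(size_t n)
{
    wchar_t *name = malloc((n + 1) * sizeof(wchar_t));
    char     dst[LZ_ANSI_MAX];
    int      rc;
    for (size_t i = 0; i < n; i++)
        name[i] = L'A';
    name[n] = L'\0';
    rc = lz_open_name_w(name, dst, sizeof dst);
    free(name);
    return rc;
}

int main(void)
{
    printf("unchecked copy of a short name: %d bytes\n", lz_open_name_unchecked("readme.txt"));
    printf("checked A path  259: %d  260: %d  268: %d\n",
           check_ansi_name_len(259), check_ansi_name_len(260), check_ansi_name_len(268));
    printf("W path          259: %d  260: %d  268: %d\n",
           check_wide_name_len(259), check_wide_name_len(260), check_wide_name_len(268));
    return 0;
}
```

The 0x104 bound is what does the work: 259 characters plus the NUL pass, 260 and the reported 268 are rejected before LZOpenFileA ever sees them. The 16-bit Length store is worth noticing when reading such wrappers: in this model a name of 32768+100 wide characters wraps to Length 200 and only its 100-character prefix is converted, which is harmless here only because the destination bound, not the source length, is what protects the frame.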
This archive was generated by hypermail 2b30 : Thu Jun 05 2003 - 11:29:22 PDT