
| Subject: | [Full-Disclosure] MSInfo Buffer Overflow |
|---|---|
| Date: | Mon, 30 Aug 2004 20:16:33 -0700 |
#########################################
Application: MSInfo
Vendors: http://www.microsoft.com
Platforms: Windows 2000
Bug: Msinfo32.exe BOF
Risk: Low
Exploitation: Local
Date: 30 August 2004
Author: Emmanouel Kellinis
e-mail: me[at]cipher(dot)org(dot)uk
web: http://www.cipher.org.uk
#########################################

=======
Product
=======

Microsoft System Information collects system information, such as devices that are installed in your computer or device drivers loaded in your computer, and provides a menu for displaying the associated system topics. You can use Microsoft System Information to diagnose computer issues; for example, if you are having display issues, you can use Microsoft System Information to determine what display adapter is installed on your computer and view the status of its drivers.

===
Bug
===

MSINFO32 has an option which lets you open a specific NFO or CAB file:

    msinfo32 /msinfo_file=filename

The buffer of msinfo_file can be overflowed and overwrite the Code register. The BOF works if you exceed 258 characters as an input to msinfo_file.

If you put a hex value at position 259 of the string, then the redirection will go to a memory location whose address is a decimal number created by the following pattern, e.g.:

    0x05 -> 0x79
    0x06 -> 0x7A
    0x07 -> 0x7B
    ... and so on

I've tested values up to 0xFF, which points to 0x00000173. There is a possibility to broaden the range of memory values you control if you feed more characters in the BOF string.

Although in tests this bug wouldn't lead to dangerous situations... I wouldn't bet 100% on that!

Microsoft has known about it since the 9th of May.

=====================
Proof Of Concept Code
=====================

    C:\Program Files\Common Files\Microsoft Shared\MSInfo> msinfo32 /msinfo_file=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
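From a detection standpoint, the advisory above gives a concrete, observable signature: msinfo32 being launched with a /msinfo_file= argument longer than the 258-character limit the author reports. The following Python script is an added example (not part of the original post and not the author's code) that parses process-creation command lines and flags exactly that condition. The command lines it checks are constructed sample data modelled on a Sysmon-style CommandLine field; the 258-character threshold comes from the post, and the regexes for the image name and the argument are assumptions about how the invocation appears in a log.

```python
import re

# Threshold from the advisory: inputs longer than 258 characters overflow
# the msinfo_file buffer on Windows 2000.
MAX_SAFE_ARG_LEN = 258

# Matches msinfo32 / msinfo32.exe as the image name, whether given bare,
# with a full path, or quoted (assumed log format).
IMAGE_RE = re.compile(r'(?:^|[\\\s"])msinfo32(?:\.exe)?(?=["\s]|$)', re.IGNORECASE)

# Captures the /msinfo_file= value, quoted or bare.
ARG_RE = re.compile(r'/msinfo_file=(?:"([^"]*)"|(\S*))', re.IGNORECASE)

# Constructed sample command lines in the style of a process-creation log
# (e.g. the CommandLine field of Sysmon event ID 1). Not real telemetry.
SAMPLE_COMMAND_LINES = [
    r'C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe /msinfo_file=C:\reports\baseline.nfo',
    'msinfo32 /msinfo_file=' + 'A' * 300,
    r'"C:\Windows\System32\notepad.exe" C:\temp\readme.txt',
    r'msinfo32 /msinfo_file="C:\temp\report with spaces.nfo"',
]


def msinfo_file_arg(cmdline):
    """Return the /msinfo_file= value from a command line, or None if absent."""
    m = ARG_RE.search(cmdline)
    if not m:
        return None
    quoted, bare = m.groups()
    return quoted if quoted is not None else bare


def check_command_line(cmdline):
    """Classify one command line.

    Returns a dict with whether the image is msinfo32, the length of the
    msinfo_file argument (None if not present) and a 'suspicious' verdict
    that is True only when msinfo32 is launched with an argument longer
    than the advisory's 258-character threshold.
    """
    is_msinfo = IMAGE_RE.search(cmdline) is not None
    arg = msinfo_file_arg(cmdline) if is_msinfo else None
    arg_len = len(arg) if arg is not None else None
    return {
        'is_msinfo32': is_msinfo,
        'arg_length': arg_len,
        'suspicious': is_msinfo and arg_len is not None and arg_len > MAX_SAFE_ARG_LEN,
    }


def scan(cmdlines):
    """Return (index, result) pairs for every suspicious command line."""
    hits = []
    for i, line in enumerate(cmdlines):
        result = check_command_line(line)
        if result['suspicious']:
            hits.append((i, result))
    return hits


if __name__ == '__main__':
    for idx, res in scan(SAMPLE_COMMAND_LINES):
        print(f'line {idx}: msinfo32 launched with {res["arg_length"]}-char msinfo_file argument')
```

Legitimate NFO/CAB paths are far shorter than 258 characters, so the length check alone produces very few false positives; feeding real CommandLine fields into scan() in place of the constructed list is all that is needed to run it over actual telemetry.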