Message-ID: <20050124214911.414aebb9.aluigi@autistici.org>
From: aluigi at autistici.org (Luigi Auriemma)
Subject: Local buffer-overflow in W32Dasm 8.93

#######################################################################

                             Luigi Auriemma

Application:  W32Dasm (was http://www.expage.com/page/w32dasm)
Versions:     <= 8.93 (8.94???)
Platforms:    Windows
Bug:          buffer-overflow
Exploitation: local
Date:         24 Jan 2005
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

W32Dasm is a cool and famous disassembler/debugger developed by URSoft.
It has tons of functions and, although it has been unsupported for a
long time, it is still widely used by a lot of people.

#######################################################################

======
2) Bug
======

The program uses the wsprintf() function to copy the name of the
imported/exported functions of the analyzed file into a buffer of only
256 bytes, which gives an attacker the possibility to execute malicious
code.

#######################################################################

===========
3) The Code
===========

Exploiting the bug is very simple: all you need is an executable in
which you modify the name of an imported or exported function.

I have written a very simple proof-of-concept that overwrites the
return address with 0xdeadc0de:

http://aluigi.altervista.org/poc/w32dasmbof.disasm_me

#######################################################################

======
4) Fix
======

No fix.
This program is no longer supported.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
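The bug in section 2 is an unbounded formatted copy of a file-controlled symbol name into a 256-byte buffer. The following C example is added here and is not W32Dasm code or Luigi Auriemma's proof-of-concept: it shows the bounded replacement a maintainer would use, which always NUL-terminates and reports truncation so an over-long name can be rejected instead of overflowing the stack. It assumes snprintf() as a portable stand-in for the Windows-only wsprintf(), and the helper names and the constructed input are mine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Buffer size from the advisory: imported/exported function names are
 * copied into a 256-byte buffer. */
#define NAME_BUF_SIZE 256

/* The advisory's pattern, never called here: wsprintf(buf, "%s", name)
 * writes as many bytes as the PE file's symbol name is long.
 * Hardened replacement: a bounded copy that always NUL-terminates and
 * reports truncation, so a hostile file is rejected or flagged instead of
 * silently smashing the stack. snprintf() stands in for the Windows-only
 * wsprintf() so the example builds anywhere. */
bool copy_symbol_name(char *dst, size_t dst_size, const char *name)
{
    /* snprintf() returns the length it wanted to write, excluding the NUL;
     * a value >= dst_size means the name did not fit. */
    int needed = snprintf(dst, dst_size, "%s", name);
    return needed >= 0 && (size_t)needed < dst_size;
}

/* Wrappers over a NAME_BUF_SIZE stack buffer, as the parser would use. */
bool symbol_name_fits(const char *name)
{
    char buf[NAME_BUF_SIZE];
    return copy_symbol_name(buf, sizeof buf, name);
}

size_t bounded_copy_length(const char *name)
{
    char buf[NAME_BUF_SIZE];
    copy_symbol_name(buf, sizeof buf, name);
    return strlen(buf);                /* never exceeds NAME_BUF_SIZE - 1 */
}

/* Constructed test input: a name of `len` 'A's (capped at 1023), standing
 * in for an over-long symbol name found in a PE import/export table. */
const char *constructed_name(size_t len)
{
    static char name[1024];
    if (len >= sizeof name) len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return name;
}
```

A parser that calls symbol_name_fits() before trusting a name keeps the 256-byte buffer intact for any input length; the return value is the signal to stop processing the file or mark the symbol as truncated.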