Windows XP sp0 and sp1 Stack overflows

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    188

    Windows XP sp0 and sp1 Stack overflows

    Hi everyone,

    It seems that the old Windows 98 rundll32.exe command-line stack overflow has reappeared
    in Windows XP SP0 and SP1. The old regsvr32.exe command-line buffer overflow has also been observed.

    a) Rundll32.exe

    Giving the command rundll32.exe shell32.dll,AAAAA... (about 500 A's)
    causes the EIP of the program to be overwritten. Since we are dealing with Unicode here, exploitation is a bit difficult.

    The problem lies in a routine which formats the error for the invalid entry point (the AAAAA's); the local function allocates a small amount of stack (the epilog) for the storage. The stack is overwritten, and when the program returns from the function it pops the registers wrongly, since there will be only A's there. The program causes an exception.

    The same thing occurs with regsvr32.exe, but the case is different here; in Windows 98 it was because of an overflow in LoadLibrary (psst... also in GetProcAddress etc.).

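    The pattern the post describes (an error-formatting helper that copies the bogus entry-point name into a small fixed stack buffer, so a long name runs over the saved registers and return address) can be shown beside its bounded counterpart. The following is an added example written for this thread; it is not code from rundll32.exe, from Microsoft, or from the poster, and the buffer size (32 wide characters), the message prefix and all function names are assumptions made for illustration. The vulnerable routine is only ever called with a short name here; the overflow itself is reported arithmetically, and the UTF-16LE helper shows why a run of A's lands in EIP as 0x00410041, with every other byte zero.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

/* Size, in wide characters, of the fixed stack buffer in the hypothetical
 * error-formatting routine. 32 is an illustrative assumption, not the real
 * buffer size inside rundll32.exe. */
#define ERRBUF_CHARS 32

static const wchar_t PREFIX[] = L"Missing entry: ";   /* 15 characters */

/* Vulnerable pattern from the post: the entry-point name from the command line
 * is appended to a small local buffer with no length check. A 500-character name
 * writes far past msg[], over the saved registers and the return address of
 * this frame, so the epilogue restores garbage and returns into 0x00410041
 * (UTF-16LE "AA"). Only call this with short, trusted input; it shows the bug. */
static void format_entry_error_vuln(const wchar_t *entry_point)
{
    wchar_t msg[ERRBUF_CHARS];
    wcscpy(msg, PREFIX);
    wcscat(msg, entry_point);               /* unbounded copy: the overflow */
    printf("vuln:  %ls\n", msg);
}

/* Hardened form: every write is bounded by out_chars and the result is always
 * NUL-terminated. Returns true when the whole message fit, false when it was
 * truncated (the caller can then log or reject the argument). */
static bool format_entry_error_safe(const wchar_t *entry_point,
                                    wchar_t *out, size_t out_chars)
{
    if (out_chars == 0)
        return false;

    size_t plen = wcslen(PREFIX);
    size_t elen = wcslen(entry_point);
    size_t room = out_chars - 1;            /* characters, excluding terminator */

    if (plen + elen <= room) {
        wmemcpy(out, PREFIX, plen);
        wmemcpy(out + plen, entry_point, elen);
        out[plen + elen] = L'\0';
        return true;
    }

    /* Truncate: as much of the prefix as fits, then as much of the name. */
    size_t take_p = plen < room ? plen : room;
    size_t take_e = room - take_p;          /* take_e < elen holds here */
    wmemcpy(out, PREFIX, take_p);
    wmemcpy(out + take_p, entry_point, take_e);
    out[room] = L'\0';
    return false;
}

/* Wide characters the vulnerable copy writes beyond msg[] for a name of
 * entry_len characters (0 when it fits). Pure arithmetic, nothing is overflowed.
 * Multiply by sizeof(wchar_t) for bytes: 2 on Windows (UTF-16), 4 on most Unix. */
static size_t overflow_chars(size_t entry_len)
{
    size_t needed = wcslen(PREFIX) + entry_len + 1;
    return needed > ERRBUF_CHARS ? needed - ERRBUF_CHARS : 0;
}

/* The 32-bit value a little-endian x86 pops into EIP when the return-address
 * slot holds two copies of the UTF-16LE character c. For L'A' this is
 * 0x00410041: every other byte is zero, the constraint that makes Unicode
 * overflows awkward to exploit. */
static uint32_t utf16le_pair_as_dword(wchar_t c)
{
    uint32_t unit = (uint32_t)c & 0xFFFFu;  /* one UTF-16 code unit */
    return (unit << 16) | unit;
}

/* Formats a run of n 'A's (the post's payload shape) with the safe routine and
 * returns the resulting message length, showing the bound holds for any n. */
static size_t safe_len_for_a_run(size_t n)
{
    wchar_t name[1024];
    wchar_t out[ERRBUF_CHARS];
    if (n > 1023) n = 1023;
    wmemset(name, L'A', n);
    name[n] = L'\0';
    format_entry_error_safe(name, out, ERRBUF_CHARS);
    return wcslen(out);
}

int main(void)
{
    wchar_t out[ERRBUF_CHARS];
    format_entry_error_vuln(L"DllMain");    /* short input: fits, no overflow */
    bool fit = format_entry_error_safe(L"DllMain", out, ERRBUF_CHARS);
    printf("safe:  %ls (fit=%d)\n", out, fit);
    printf("500 A's: safe length %zu, vulnerable copy overruns by %zu chars\n",
           safe_len_for_a_run(500), overflow_chars(500));
    printf("return slot after 'AA' in UTF-16LE: 0x%08X\n",
           utf16le_pair_as_dword(L'A'));
    return 0;
}
```

    The safe routine returns a truncation flag rather than silently producing a shorter message, because in an error path the right reaction to an absurdly long entry-point name is usually to refuse it, not to display part of it.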
  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Even though I think buffer overflows are "A Bad Thing" and need to be corrected, what's the use if someone exploited it? Can you gain more privileges?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Jun 2003
    Posts
    772
    A buffer overflow allows a person to execute code if properly exploited.
    Well, read "Smashing the Stack for Fun and Profit" -> www.phrack.org
    The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post's content - me

    www.elhalf.com

  4. #4
    Yeah,

    Buffer overflows are an EXTREMELY high risk, allowing a hacker to run anything... most just open a telnet service, or even set up a simple server...

    However, this threat can be minimized by using differently privileged accounts, so at least the exploit won't be able to run as root/admin.

  5. #5
    Priapistic Monk KorpDeath
    Join Date
    Dec 2001
    Posts
    2,628
    Pointing out that XP has buffer overflow problems is akin to telling us Bin Laden is a bad guy.

    Stop being the problem and start being the solution. FreeBSD, OpenBSD, et al.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    A buffer overflow allows a person to execute code if properly exploited.
    Buffer overflows are an EXTREMELY high risk, allowing a hacker to run anything... most just open a telnet service, or even set up a simple server...
    Correct. But this "attacker" already has the opportunity to run code of his choice. How else would this be exploitable?

    However, this threat can be minimized by using differently privileged accounts, so at least the exploit won't be able to run as root/admin.
    This is always recommended. That's why I asked if you could elevate your privileges if you exploited this. Then it would make sense to "use" it.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    I have to agree with sirdice here... as the command is going to run in the security context of the local user, there is no privilege elevation possible here...

    Buffer overflows are only a problem when you can overflow the buffer of an application that is running at a higher security context than the account you are using to start the buffer overflow, or if they can be overflowed remotely.

    While this is a problem, it is a small one at best..
