On Wed, 19 Apr 2000 08:08:25 -0400, The Cyberiad wrote:

>I confirmed the 742-A's caused a page fault in KERNEL32.DLL
>at 0167:bff87ede under FP 3.0.2.1105, installed with PWS
>under Windows 98 (PWS.EXE Version 4.02.0690). However,
>this length did not force A's into the EIP. Instead the stack pointer
>is corrupted, now pointing to invalid memory (which caused the page
>fault). The relationship of the corrupted stack pointer to the input
>overflow data is unclear (it's not 0x41414141) so I'll have to do
>some more reverse engineering; I did try longer strings with the
>same result.

I do not have access to a copy of frontpage, but I downloaded 
htimage.exe (7.952 bytes) from some webserver with incorrect permissions set.
I could _not_ reproduce a crash in which EIP is taken. A rough look
at the disassembled code revealed that the crash happens like this:

If the fopen() call to the specified file fails, the program will create an
error message on the stack in a static buffer of 1000 bytes length.
The error message is:
"Picture config file no found, tried the following:"
Then, the program uses strcat() to append the PATH_TRANSLATED
and PATH_INFO environment variables (the data passed to the program)
to the error message on the stack. You can see that this will smash
the stack. Now comes the problem:
This overflow occurs within main(), and before main() ret's anywhere,
an Error-Output function is called which just printf()'s the error message
and then calls exit(). I don't know if this is exploitable at all. 

On the other hand, I don't claim this is a correct analysis. As I said, all
I have is a single htimage.exe I downloaded from somewhere, and I 
tried to get the overflow to work. 
Shoddy coding in the file nonetheless.... strcat'ing user input onto the
stack :-o

Concerning the crash on 9x, might be that some important things for
the cleanup are on the stack... I didn't test under 9x, but under NT SP5,
so it might be that 9x doesn't like the overwriting of the stack.


Thomas Dullien
[EMAIL PROTECTED]
Win32 Security Consultant ;-> Hire me !
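The defect described in the post above (strcat() of PATH_TRANSLATED and PATH_INFO onto a fixed 1000-byte message buffer), reconstructed as an added C example that is not htimage.exe's own code and not part of the original message. The buffer size, the prefix string and the two environment variable names come from the post; the function names, the bounded-append helper and the repeated-'A' check are hypothetical. The unsafe builder is kept only for contrast; the hardened builder copies what fits, always NUL-terminates, and reports truncation instead of writing past the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values taken from the post: a 1000-byte message buffer and the prefix
 * that the environment data is appended to. */
#define MSG_SIZE 1000
static const char PREFIX[] = "Picture config file no found, tried the following:";

/* Unsafe variant (hypothetical reconstruction of the described pattern):
 * unbounded strcat() of attacker-influenced data into a fixed buffer.
 * Never called on untrusted input here; shown only to contrast with the
 * bounded version below. */
void build_error_unsafe(char *msg, const char *path_translated, const char *path_info)
{
    strcpy(msg, PREFIX);
    strcat(msg, " ");
    strcat(msg, path_translated ? path_translated : "");
    strcat(msg, " ");
    strcat(msg, path_info ? path_info : "");
}

/* Bounded append: copies as much of src as fits into dst (dst_size bytes),
 * always NUL-terminates, and returns 1 if all of src fit, 0 if truncated. */
static int append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst);
    size_t avail = dst_size - used - 1;   /* bytes left before the NUL slot */
    size_t n = strlen(src);
    if (n > avail) {
        memcpy(dst + used, src, avail);
        dst[used + avail] = '\0';
        return 0;
    }
    memcpy(dst + used, src, n + 1);       /* includes the terminating NUL */
    return 1;
}

/* Hardened builder: fills msg (msg_size bytes) and returns 1 if the whole
 * message fit, 0 if it had to be truncated. Missing variables are reported
 * as "(unset)" rather than dereferencing NULL. */
int build_error_safe(char *msg, size_t msg_size,
                     const char *path_translated, const char *path_info)
{
    int ok = 1;
    if (msg_size == 0) return 0;
    msg[0] = '\0';
    ok &= append_bounded(msg, msg_size, PREFIX);
    ok &= append_bounded(msg, msg_size, " ");
    ok &= append_bounded(msg, msg_size, path_translated ? path_translated : "(unset)");
    ok &= append_bounded(msg, msg_size, " ");
    ok &= append_bounded(msg, msg_size, path_info ? path_info : "(unset)");
    return ok;
}

/* Check helper (hypothetical): uses n repeated 'A's as both paths
 * (constructed input), runs the hardened builder into a MSG_SIZE buffer,
 * and returns the resulting length, negated if the message was truncated. */
long check_repeated_a(size_t n)
{
    char buf[MSG_SIZE];
    char *p = malloc(n + 1);
    long len;
    int fit;
    if (!p) return 0;
    memset(p, 'A', n);
    p[n] = '\0';
    fit = build_error_safe(buf, sizeof buf, p, p);
    len = (long)strlen(buf);
    free(p);
    return fit ? len : -len;
}

int main(void)
{
    /* 742 is the input length the thread reports as crashing the program. */
    long r = check_repeated_a(742);
    printf("truncated=%d length=%ld (buffer holds at most %d)\n",
           r < 0, r < 0 ? -r : r, MSG_SIZE - 1);
    return 0;
}
```

With the bounded builder the length never exceeds MSG_SIZE - 1 regardless of input size, and the caller learns that the message was cut, which is the point of the fix: a truncated error message is a cosmetic problem, an overwritten stack frame is not.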

