long file name exploit .... existing ....since 2001-2002
On Fri, Jun 28, 2013 at 6:47 PM, Pedro Laguna <[email protected]>wrote: > Ey list! Just something quick and funny crash I found long time ago and it > may give some of you something to check this weekend. > > Windows XP cmd.exe crash when trying to copy files with a very long name. > The following BATCH file can crash the cmd.exe process: > > ----------------------------------- crash.bat > -------------------------------------- > @echo off > echo test > data.txt > copy "%CD%"\data.txt > \\.\C:\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.txt > REM copy "%CD%"\data.txt > \\?\C:\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.txt > ---------------------------------- / crash.bat > ---------------------------------------- > > It only happens with "copy" but not with "move" command and with both \\.\ > and \\?\ prefixes. I'm not an expert on these fields so I don't know if it > will be possible to exploit it, maybe some of you with crazy kung fu skills > can do it. If not, it's just a weird behaviour for the cmd.exe and given > that is less than a year to the end of life of the Windows XP cannot see > any harm sharing it. > > Ta! > > -- > Pedro Laguna > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
