SHGetPathFromIDList.txt
Packet Storm (PACKETSTORM:10623)
Underground Security Systems Research
Feb 04, 2000
packetstormsecurity.com
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Windows API SHGetPathFromIDList Buffer Overflow  
  
To all those people who sent email to us asking for more information  
about the SHGetPathFromIDList Windows API overflow.  
  
Here is a more specific description of the problem. Any of the structure  
lengths or string lengths in a shortcut file can be modified or altered,  
causing whatever handles the shortcut to crash.  
  
SHGetPathFromIDList  
  
Converts an item identifier list to a file system path.  
  
    BOOL SHGetPathFromIDList(  
        LPCITEMIDLIST pidl,  
        LPSTR pszPath  
    );  
  
Parameters  
    pidl  
        Address of an item identifier list that specifies a file or  
        directory location relative to the root of the namespace (the  
        desktop).  
    pszPath  
        Address of a buffer to receive the file system path. This buffer  
        must be at least MAX_PATH characters in size.  
  
Return Values  
    Returns TRUE if successful, or FALSE otherwise.  
  
  
Disassembly of a hypothetical shortcut file  
  
Offset  Bytes                    Contents  
  
Header  
0000    4C 00 00 00              'L' Magic value  
0004    01 04 02 00 00 00 00 00  GUID of shortcut files  
        C0 00 00 00 00 00 00 46  
0014    3F 00 00 00              Flags: has item id list, target is a file,  
                                 has description string, has relative pathname,  
                                 has a working directory, has a custom icon  
0018    20 00 00 00              File attributes: Archive  
001C    C0 0E 82 D5 C1 20 BE 01  Time 1  
0024    00 08 BF 46 D5 20 BE 01  Time 2  
002C    00 47 AA EC EC 15 BE 01  Time 3  
0034    A0 86 00 00              File length is 34464 bytes (86A0h)  
0038    05 00 00 00              Icon number 5  
003C    01 00 00 00              Normal window  
0040    46 06 00 00              Ctrl-Alt-F hotkey  
0044    00 00 00 00              Always zero, unknown/reserved  
0048    00 00 00 00              Always zero, unknown/reserved  
  
Item id list  
004C    2A 00                    Size of item id list  
  First item  
004E    28 00                    Length of first item  
0050    32 00                    ???  
0052    A0 86 00 00              File length  
0056    76 25 71 3E              ???  
005A    20 00                    File attributes?  
005C    62 65 73 74 5F 37 37 33  "best_773.mid" Long name  
        2E 6D 69 64 00           (null terminated)  
0069    42 45 53 54 5F 37 37 33  "BEST_773.MID" Short name  
        2E 4D 49 44 00           (null terminated)  
  Last item  
0076    00 00                    Zero length value  
  
File location info  
0078    74 00 00 00              Structure length  
007C    1C 00 00 00              Offset past last item in structure  
0080    03 00 00 00              Flags: local volume, network volume  
0084    1C 00 00 00              Offset of local volume table  
0088    34 00 00 00              Offset of local path string  
008C    40 00 00 00              Offset of network volume table  
0090    5F 00 00 00              Offset of final path string  
  Local volume table  
0094    18 00 00 00              Length of local volume table  
0098    03 00 00 00              Fixed disk  
009C    D0 07 33 3A              Volume serial number 3A33-07D0  
00A0    10 00 00 00              Offset to volume label  
00A4    44 52 49 56 45 20 43 00  "DRIVE C",0  
00AC    43 3A 5C 57 49 4E 44 4F  "C:\WINDOWS\",0 Local path string  
        57 53 5C 00  
  Network volume table  
00B8    1F 00 00 00              Length of network volume table  
00BC    02 00 00 00              ???  
00C0    14 00 00 00              Offset of share name  
00C4    00 00 00 00              ???  
00C8    00 00 02 00              ???  
00CC    5C 5C 4A 45 53 53 45 5C  "\\JESSE\WD",0 Share name  
        57 44 00  
00D7    44 65 73 6B 74 6F 70 5C  "Desktop\best_773.mid",0 Final path name  
        62 65 73 74 5F 37 37 33  
        2E 6D 69 64 00  
  
Description string  
00EC    12 00                    Length of string  
00EE    42 65 73 74 20 37 37 33  "Best 773 midi file"  
        20 6D 69 64 69 20 66 69  
        6C 65  
  
Relative path  
0100    0E 00                    Length of string  
0102    2E 5C 62 65 73 74 5F 37  ".\best_773.mid"  
        37 33 2E 6D 69 64  
  
Working directory  
0114    12 00                    Length of string  
0116    43 3A 5C 57 49 4E 44 4F  "C:\WINDOWS\Desktop"  
        57 53 5C 44 65 73 6B 74  
        6F 70  
  
Command line arguments  
0128    06 00                    Length of string  
012A    2F 63 6C 6F 73 65        "/close"  
  
Icon file  
0130    16 00                    Length of string  
0132    43 3A 5C 57 49 4E 44 4F  "C:\WINDOWS\Mplayer.exe"  
        57 53 5C 4D 70 6C 61 79  
        65 72 2E 65 78 65  
  
Ending stuff  
0148    00 00 00 00              Length 0 - no more stuff  
  
The target is located at:  
C:\WINDOWS\Desktop\best_773.mid  
The Windows directory is shared as:  
\\JESSE\WD  
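As an added example (not code from the advisory or from USSR), here is a length-checked walk over the item id list from the disassembly above, built from the bytes at offset 004C. The 14-byte item header layout, the helper names walk_idlist/check_good/check_tampered and MAX_PATH = 260 are assumptions; the tampered copy shows an altered length field of the kind the advisory describes being rejected before any name is copied into the path buffer.

```c
/* Added example, not the advisory's code: walk a shortcut's item id list,
 * checking every length field against the bytes actually present before
 * copying a name into a MAX_PATH buffer. Input is constructed from the item
 * id list at offset 004C above; the 14-byte item header is assumed from it. */
#include <stdint.h>
#include <string.h>

#define MAX_PATH 260   /* minimum size the page gives for pszPath */
#define ITEM_HDR 14    /* length, type, file length, date/time, attributes */
static const uint8_t GOOD_IDLIST[] = { 0x2A, 0x00,     /* list size 42 */
    0x28, 0x00, 0x32, 0x00, 0xA0, 0x86, 0x00, 0x00,  /* item: length 40, fields */
    0x76, 0x25, 0x71, 0x3E, 0x20, 0x00,
    'b','e','s','t','_','7','7','3','.','m','i','d', 0,   /* long name */
    'B','E','S','T','_','7','7','3','.','M','I','D', 0,   /* short name */
    0x00, 0x00 };                                    /* terminating item */
static char g_path[MAX_PATH];

/* Joins the long names into out; returns the item count, or -1 when a length
 * field runs past the buffer or the path would not fit in outsz bytes. */
static int walk_idlist(const uint8_t *b, size_t len, char *out, size_t outsz)
{
    if (len < 2 || outsz == 0) return -1;
    size_t end = 2 + (b[0] | b[1] << 8), pos = 2, used = 0;
    int items = 0; out[0] = '\0';
    if (end > len) return -1;                        /* list size exceeds data */
    for (;;) {
        if (pos + 2 > end) return -1;                /* no room for a length */
        size_t cb = b[pos] | b[pos + 1] << 8;
        if (cb == 0) return items;                   /* zero-length item ends list */
        if (cb < ITEM_HDR || cb > end - pos) return -1;  /* item overruns list */
        const char *name = (const char *)b + pos + ITEM_HDR;
        const char *nul = memchr(name, 0, cb - ITEM_HDR);
        if (!nul) return -1;                         /* unterminated long name */
        size_t n = (size_t)(nul - name);
        if (used + n + 2 > outsz) return -1;         /* would overflow pszPath */
        if (used) out[used++] = '\\';
        memcpy(out + used, name, n);
        used += n; out[used] = '\0';
        pos += cb; items++;
    }
}
static int check_good(void)
{ return walk_idlist(GOOD_IDLIST, sizeof GOOD_IDLIST, g_path, sizeof g_path); }

/* Same bytes with the first item's length field altered to 0x7FFF. */
static int check_tampered(void)
{
    uint8_t bad[sizeof GOOD_IDLIST];
    memcpy(bad, GOOD_IDLIST, sizeof bad); bad[2] = 0xFF; bad[3] = 0x7F;
    return walk_idlist(bad, sizeof bad, g_path, sizeof g_path);
}
```

check_good() returns 1 and leaves "best_773.mid" in g_path; check_tampered() returns -1 without touching the name bytes.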
  
  
Note: This overflow does not work under Win2k.  
  
underground security systems research  
http://www.ussrback.com  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>  
  
iQA/AwUBOJsyuNybEYfHhkiVEQJHNACg58a5nakFaSPNoFVOLZ0WMPMHVYcAn0TT  
2HEPwsUBJTmD4Fzah4yZ+Zjh  
=BFth  
-----END PGP SIGNATURE-----  
  
  
`