Application: W32Dasm (was http://www.expage.com/page/w32dasm) Versions: <= 8.93 (8.94???) Platforms: Windows Bug: buffer-overflow Exploitation: local Date: 24 Jan 2005 Author: Luigi Auriemma e-mail: email@example.com web: http://aluigi.altervista.org
1) Introduction 2) Bug 3) The Code 4) Fix
=============== 1) Introduction ===============
W32Dasm is a cool and famous disassembler/debugger developed by URSoft. It has tons of functions and, also if it is no longer supported by long time, it is still widely used by a lot of people.
====== 2) Bug ======
The program uses the wsprintf() function to copy the name of the imported/exported functions of the analyzed file into a buffer of only 256 bytes, with the possibility for an attacker to execute malicious code.
=========== 3) The Code ===========
Exploiting the bug is very simple, all you need is to get an executable and searching for the name of an imported or exported function to modify.
I have written a very simple proof-of-concept that overwrites the return address with 0xdeadc0de:
====== 4) Fix ======
No fix. This program is no longer supported.
Luigi Auriemma http://aluigi.altervista.org