Local buffer-overflow in W32Dasm 8.93

2005-01-25T00:00:00
ID SECURITYVULNS:DOC:7670
Type securityvulns
Reporter Securityvulns
Modified 2005-01-25T00:00:00

Description

                         Luigi Auriemma

Application: W32Dasm (was http://www.expage.com/page/w32dasm) Versions: <= 8.93 (8.94???) Platforms: Windows Bug: buffer-overflow Exploitation: local Date: 24 Jan 2005 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: http://aluigi.altervista.org

1) Introduction 2) Bug 3) The Code 4) Fix

=============== 1) Introduction ===============

W32Dasm is a cool and famous disassembler/debugger developed by URSoft. It has tons of functions and, also if it is no longer supported by long time, it is still widely used by a lot of people.

====== 2) Bug ======

The program uses the wsprintf() function to copy the name of the imported/exported functions of the analyzed file into a buffer of only 256 bytes, with the possibility for an attacker to execute malicious code.

=========== 3) The Code ===========

Exploiting the bug is very simple, all you need is to get an executable and searching for the name of an imported or exported function to modify.

I have written a very simple proof-of-concept that overwrites the return address with 0xdeadc0de:

http://aluigi.altervista.org/poc/w32dasmbof.disasm_me

====== 4) Fix ======

No fix. This program is no longer supported.


Luigi Auriemma http://aluigi.altervista.org