Bugtraq mailing list archives

Windows Api SHGetPathFromIDList Buffer Overflow


From: labs () USSRBACK COM (Ussr Labs)
Date: Fri, 4 Feb 2000 17:13:27 -0300


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Windows Api SHGetPathFromIDList Buffer Overflow

To all those people who sent email to us asking for more information
about the SHGetPathFromIDList Windows Api overflow.

Here is a more specific description of the problem. Any structure
length, or length of string, can be modified or altered and cause
whatever handles the shortcuts to crash.

SHGetPathFromIDList

Converts an item identifier list to a file system path.

BOOL SHGetPathFromIDList(
    LPCITEMIDLIST pidl,
    LPSTR pszPath
);

Parameters
pidl
Address of an item identifier list that specifies a file or directory
location relative to the root of the namespace (the desktop).
pszPath
Address of a buffer to receive the file system path. This buffer must
be at least MAX_PATH characters in size.
Return Values
Returns TRUE if successful, or FALSE otherwise.

Disassembly of a hypothetical shortcut file
Offset Bytes Contents
Header
0000    4C 00 00 00     ‘L’ Magic value
0004    01 04 02 00     GUID of shortcut files
        00 00 00 00
        C0 00 00 00
        00 00 00 46
0014    3F 00 00 00 Flags
                        Has item id list
                        Target is a file
                        Has description string
                        Has relative pathname
                        Has a working directory
                        Has a custom icon
0018    20 00 00 00     File attributes
                        Archive
001C    C0 0E 82 D5     Time 1
        C1 20 BE 01
0024    00 08 BF 46     Time 2
        D5 20 BE 01
002C    00 47 AA EC     Time 3
        EC 15 BE 01
0034    A0 86 00 00     File length is 34464 bytes. 86A0h
0038    05 00 00 00     Icon number 5
003C    01 00 00 00     Normal window
0040    46 06 00 00     Ctrl-Alt-F hotkey
0044    00 00 00 00     Always zero, unknown/reserved
0048    00 00 00 00     Always zero, unknown/reserved
                        Item Id List
004C    2A 00           Size of item id list
                        First item
004E    28 00           Length of first item
0050    32 00           ???
0052    A0 86 00 00     File length
0056    76 25 71 3E     ???
005A    20 00           File attributes?
005C    62 65 73 74 5F 37       “best_773.mid” Long name
        37 33 2E 6D 69 64
        00              Null terminator
0069    42 45 53 54 5F 37       “BEST_773.MID” Short name
        37 33 2E 4D 49 44
        00              Null terminator
                        Last item
0076    00 00           Zero length value
File location info
0078    74 00 00 00     Structure length
007C    1C 00 00 00     Offset past last item in structure
0080    03 00 00 00     Flags
                        Local volume
                        Network volume
0084    1C 00 00 00     Offset of local volume table
0088    34 00 00 00     Offset of local path string
008C    40 00 00 00     Offset of network volume table
0090    5F 00 00 00     Offset of final path string
Local volume table
0094    18 00 00 00     Length of local volume table
0098    03 00 00 00     Fixed disk
009C    D0 07 33 3A     Volume serial number 3A33-07D0
00A0    10 00 00 00     Offset to volume label
00A4    44 52 49 56 45 20       “DRIVE C”,0
        43 00
00AC    43 3A 5C 57 49 4E       “C:\WINDOWS\” local path string
        44 4F 57 53 5C 00
Network volume table
00B8    1F 00 00 00     Length of network volume table
00BC    02 00 00 00     ???
00C0    14 00 00 00     Offset of share name
00C4    00 00 00 00     ???
00C8    00 00 02 00     ???
00CC    5C 5C 4A 45 53 53       “\\JESSE\WD”,0 Share name
        45 5C 57 44 00
00D7    44 65 73 6B 74 6F       “Desktop\best_773.mid”,0
        70 5C 62 65 73 74       Final path name
        5F 37 37 33 2E 6D
        69 64 00
Description string
00EC    12 00           Length of string
00EE    42 65 73 74 20 37       “Best 773 midi file”
        37 33 20 6D 69 64
        69 20 66 69 6C 65
Relative path
0100    0E 00           Length of string
0102    2E 5C 62 65 73 74       “.\best_773.mid”
        5F 37 37 33 2E 6D
        69 64
Working directory
0114    12 00           Length of string
0116    43 3A 5C 57 49 4E       “C:\WINDOWS\Desktop”
        44 4F 57 53 5C 44
        65 73 6B 74 6F 70
Command line arguments
0128    06 00           Length of string
012A    2F 63 6C 6F 73 65       “/close”
Icon file
0130    16 00           Length of string
0132    43 3A 5C 57 49 4E       “C:\WINDOWS\Mplayer.exe”
        44 4F 57 53 5C 4D
        70 6C 61 79 65 72
        2E 65 78 65
Ending stuff
0148    00 00 00 00     Length 0 - no more stuff

The target is located at:
C:\WINDOWS\Desktop\best_773.mid
The windows directory is shared as:
\\JESSE\WD

Note:
 This overflow does not work under win2k
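The post's point is that every length field in a shortcut file is attacker-controlled, so a parser that trusts them and copies into a fixed MAX_PATH buffer can be driven past the end of that buffer. The following is an added example (not code from the post or from USSR Labs, and not the shell's own implementation) of the opposite discipline: a walker for the item id list at offset 004C that checks each declared size against the real file length before using it, and a name extractor that refuses to copy unless the string is terminated inside its item and fits the caller's buffer. The sample bytes are the item id list copied from the disassembly above with a zeroed header; the long-name position (14 bytes into the item) is an assumption taken from that disassembly, not from any documented format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH            260
#define LNK_HEADER_SIZE     0x4C   /* header ends where the item id list begins */
#define LNK_FLAG_HAS_IDLIST 0x01   /* "Has item id list" bit of the flags word at 0014 */

/* Bounds-checked little-endian reads: a field is only read after the offset
   has been checked against the real buffer length. */
static int rd16(const uint8_t *b, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2) return 0;
    *out = (uint16_t)(b[off] | (b[off + 1] << 8));
    return 1;
}
static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4) return 0;
    *out = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8)
         | ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}

/* Walk the item id list at 004C. Returns 1 if the declared list size and every
   item length stay inside the file and the list ends with a zero-length item,
   0 otherwise; *end_off receives the offset just past the list. */
int lnk_validate_idlist(const uint8_t *b, size_t len, size_t *end_off)
{
    uint32_t magic, flags;
    uint16_t list_size, item_len;
    size_t pos, list_end;

    if (!rd32(b, len, 0x00, &magic) || magic != 0x4C) return 0;  /* 'L' magic value */
    if (!rd32(b, len, 0x14, &flags)) return 0;
    if (!(flags & LNK_FLAG_HAS_IDLIST)) { *end_off = LNK_HEADER_SIZE; return 1; }
    if (!rd16(b, len, LNK_HEADER_SIZE, &list_size)) return 0;
    pos = LNK_HEADER_SIZE + 2;
    list_end = pos + list_size;
    if (list_end > len) return 0;                     /* list size overruns the file */
    for (;;) {
        if (!rd16(b, list_end, pos, &item_len)) return 0;
        if (item_len == 0) { pos += 2; break; }       /* terminator: zero length value */
        if (item_len < 2 || item_len > list_end - pos) return 0; /* item overruns list */
        pos += item_len;
    }
    if (pos != list_end) return 0;                    /* list not exactly consumed */
    *end_off = pos;
    return 1;
}

/* Copy the first item's long name into dst. Nothing is written until the NUL
   has been located inside the item and the result is known to fit in dst. */
int lnk_first_item_longname(const uint8_t *b, size_t len, char *dst, size_t dstlen)
{
    size_t end, item_start = LNK_HEADER_SIZE + 2, name_off, item_end, n;
    uint32_t flags; uint16_t item_len; const uint8_t *nul;

    if (!lnk_validate_idlist(b, len, &end)) return 0;
    if (!rd32(b, len, 0x14, &flags) || !(flags & LNK_FLAG_HAS_IDLIST)) return 0;
    if (!rd16(b, len, item_start, &item_len) || item_len == 0) return 0; /* empty list */
    item_end = item_start + item_len;
    name_off = item_start + 14;                       /* assumed layout, per the disassembly */
    if (name_off >= item_end) return 0;               /* item too short to hold a name */
    nul = (const uint8_t *)memchr(b + name_off, 0, item_end - name_off);
    if (!nul) return 0;                               /* name not terminated inside item */
    n = (size_t)(nul - (b + name_off));
    if (dstlen == 0 || n > dstlen - 1) return 0;      /* would overflow the caller's buffer */
    memcpy(dst, b + name_off, n);
    dst[n] = '\0';
    return 1;
}

/* Constructed sample: item id list from the post (offsets 004C..0077). */
static const uint8_t SAMPLE_IDLIST[] = {
    0x2A, 0x00,                                   /* size of item id list = 42 */
    0x28, 0x00,                                   /* length of first item = 40 */
    0x32, 0x00, 0xA0, 0x86, 0x00, 0x00,           /* ???, file length */
    0x76, 0x25, 0x71, 0x3E, 0x20, 0x00,           /* ???, file attributes */
    'b','e','s','t','_','7','7','3','.','m','i','d', 0x00,  /* long name */
    'B','E','S','T','_','7','7','3','.','M','I','D', 0x00,  /* short name */
    0x00, 0x00                                    /* last item: zero length value */
};

size_t build_sample_lnk(uint8_t *out, size_t cap)
{
    size_t total = LNK_HEADER_SIZE + sizeof SAMPLE_IDLIST;  /* 0x78 bytes */
    if (cap < total) return 0;
    memset(out, 0, LNK_HEADER_SIZE);
    out[0x00] = 0x4C;                             /* 'L' magic value */
    out[0x14] = 0x3F;                             /* flags, as in the post */
    memcpy(out + LNK_HEADER_SIZE, SAMPLE_IDLIST, sizeof SAMPLE_IDLIST);
    return total;
}

/* Scenarios; each returns 1 when the parser behaves as intended. */
int demo_intact(void)
{
    uint8_t f[0x80]; char name[MAX_PATH]; size_t n = build_sample_lnk(f, sizeof f), end;
    return n == 0x78 && lnk_validate_idlist(f, n, &end) && end == 0x78
        && lnk_first_item_longname(f, n, name, sizeof name)
        && strcmp(name, "best_773.mid") == 0;
}
int demo_tampered_item_length(void)      /* first item length raised to 0xFF */
{
    uint8_t f[0x80]; char name[MAX_PATH]; size_t n = build_sample_lnk(f, sizeof f), end;
    f[0x4E] = 0xFF;
    return !lnk_validate_idlist(f, n, &end) && !lnk_first_item_longname(f, n, name, sizeof name);
}
int demo_tampered_list_size(void)        /* list size claims 0xFF00 bytes */
{
    uint8_t f[0x80]; size_t n = build_sample_lnk(f, sizeof f), end;
    f[0x4C] = 0x00; f[0x4D] = 0xFF;
    return !lnk_validate_idlist(f, n, &end);
}
int demo_destination_too_small(void)     /* caller passes an 8-byte buffer */
{
    uint8_t f[0x80]; char tiny[8]; size_t n = build_sample_lnk(f, sizeof f);
    return !lnk_first_item_longname(f, n, tiny, sizeof tiny);
}

int main(void)
{
    printf("intact: %d  tampered item: %d  tampered list: %d  small dst: %d\n",
           demo_intact(), demo_tampered_item_length(),
           demo_tampered_list_size(), demo_destination_too_small());
    return 0;
}
```

The three failure scenarios correspond to the post's claim: an oversized item length, an oversized list size, and a name longer than the destination are each rejected before any byte is copied, which is the check a handler must make before writing into a MAX_PATH buffer.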

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOJsy5dybEYfHhkiVEQKw/QCcCUW+KwEiRJzL7APDeTbHL8J/jgcAoKmg
Iq7wT+Tnpxp0z/5hYVAB9RVq
=p19U
-----END PGP SIGNATURE-----

