#######################################################################

Luigi Auriemma

Application:  W32Dasm
              (was http://www.expage.com/page/w32dasm)
Versions:     <= 8.93 (8.94???)
Platforms:    Windows
Bug:          buffer-overflow
Exploitation: local
Date:         24 Jan 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

W32Dasm is a cool and famous disassembler/debugger developed by URSoft.
It has tons of functions and, even though it has not been supported for
a long time, it is still widely used by a lot of people.

#######################################################################

======
2) Bug
======

The program uses the wsprintf() function to copy the name of the
imported/exported functions of the analyzed file into a buffer of only
256 bytes, with no length check, so an attacker can overflow the buffer
and execute malicious code.

#######################################################################

===========
3) The Code
===========

Exploiting the bug is very simple: all you need is an executable, then
find the name of an imported or exported function in it and modify it.

I have written a very simple proof-of-concept that overwrites the
return address with 0xdeadc0de:

http://aluigi.org/poc/w32dasmbof.zip

#######################################################################

======
4) Fix
======

No fix.
This program is no longer supported.

#######################################################################
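The following is an added illustration of the pattern described in section 2, not code from W32Dasm or from the advisory's author. It uses portable sprintf()/snprintf() as stand-ins for the Windows wsprintf() call (an assumption, since the real call is Windows-only), keeps the 256-byte buffer size the advisory names, and shows the unbounded copy beside two defensive alternatives: a bounded copy that detects truncation, and a pre-check a PE import/export parser can apply before formatting a name at all. The sample names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* the 256-byte destination buffer the advisory describes */

/* Pattern the advisory describes: the function name taken from the file is
 * formatted into a fixed-size buffer with no bound, so a name longer than the
 * buffer writes past its end. Shown for contrast only; never called here. */
void copy_name_unbounded(char *out256, const char *name)
{
    sprintf(out256, "%s", name);   /* stand-in for wsprintf(): no length limit */
}

/* Hardened form: bounded formatting plus an explicit check of the return
 * value, so an over-long name is reported instead of silently overflowing.
 * Returns 0 when the name fit, -1 when it had to be rejected. */
int copy_name_bounded(char *out, size_t out_size, const char *name)
{
    int needed = snprintf(out, out_size, "%s", name);
    if (needed < 0 || (size_t)needed >= out_size) {
        out[0] = '\0';             /* do not leave a half-copied name behind */
        return -1;
    }
    return 0;
}

/* Check a parser should apply to each import/export name before any copy:
 * the name must contain a terminator within the destination size. memchr()
 * is bounded by out_size, so an unterminated name cannot run off the end
 * of the file mapping either. Returns 1 when the name fits, 0 otherwise. */
int name_fits(const char *name, size_t out_size)
{
    return memchr(name, '\0', out_size) != NULL;
}

/* Constructed inputs: a plausible export name and a 399-byte name that
 * exceeds the 256-byte buffer. Returns 1 when every check behaves as
 * expected, 0 otherwise. */
int demo(void)
{
    char buf[NAME_BUF];
    char longname[400];                         /* constructed over-long name */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    int short_ok   = copy_name_bounded(buf, sizeof buf, "GetProcAddress");
    int short_fits = name_fits("GetProcAddress", sizeof buf);
    int long_rc    = copy_name_bounded(buf, sizeof buf, longname);
    int long_fits  = name_fits(longname, sizeof buf);

    return (short_ok == 0 && short_fits == 1 &&
            long_rc == -1 && long_fits == 0 && buf[0] == '\0') ? 1 : 0;
}

int main(void)
{
    printf("checks %s\n", demo() ? "passed" : "failed");
    return demo() ? 0 : 1;
}
```

The point of the two defensive functions is that the length decision is made against the destination size, not against whatever length the input file claims: a parser that trusts the name length from an untrusted PE header is in the same position as one that uses an unbounded copy.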