DonkBoy Internet
Windows98J MS IE4/5 Overflow exploit
Microsoft Internet Explorer 4/5 overflows while handling a "file://"
specification. The overflow occurs when logging on to the Microsoft
Network, and it can be verified by giving an overly long name after
"file://". This is the most typical kind of exploitable buffer
overflow: it overwrites the saved return address (RET), so EIP can be
controlled. It opens the door to virus and trojan infection, system
destruction, intrusion and so on. If an attacker uses it, arbitrary
code is delivered to every visitor who browses the exploiting page,
and the client host is compromised. The same overflow also affects
many kinds of e-mail client software: if the user opens an HTML mail
that contains the exploit code, the code is executed, because many
e-mail programs use IE to render HTML mail. These exploits generate an
HTML file that shuts down the client PC. They were tested on
Windows98 Japanese Edition. Following are demo
pages generated by these exploits.
http://shadowpenguin.backsection.net/toolbox.html#no052
The popular image viewer "Irfan View32" contains a buffer overflow
problem in its handling of Adobe Photoshop image files. Irfan View
checks the image type by the image header, not by the file name: if
the "8BPS" pattern is found in the header, Irfan View treats the
file as a Photoshop image. We think the overflow happens while
reading this marker. This means that the danger also exists when
downloading image files and viewing them. Of course, the same kind of
danger may exist in other software such as movie players and audio
players. This code generates a jpg file containing exploit code that
creates "exp.com" in "c:\" and executes it. Sample JPG file:
This is a jpg file generated by this exploit (for
Windows98 Japanese only)
http://shadowpenguin.backsection.net/toolbox.html#no053
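The Irfan View entry above turns on two things a practitioner should see in code: the viewer picks its parser from the "8BPS" marker in the first bytes, so a file named ".jpg" still reaches the Photoshop code path, and the Photoshop format that follows that marker is a chain of length-prefixed sections whose lengths come from the file. The following C is an added example written for this page, not Irfan View's code and not the Shadow Penguin exploit: it sniffs the type the same way and then walks the PSD sections with every claimed length checked against the bytes actually present. The two sample files are constructed inline; the PSD header layout (26-byte fixed header, then colour mode data, image resources and layer-and-mask sections, each prefixed by a big-endian 32-bit length) is Adobe's documented format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed PSD header: "8BPS", version (2), reserved (6), channels (2),
 * height (4), width (4), depth (2), colour mode (2); all big-endian. */
#define PSD_HEADER_LEN 26

enum image_kind { KIND_UNKNOWN = 0, KIND_JPEG, KIND_PSD };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Content sniffing as the advisory describes it: the file name's extension
 * is never consulted; the marker in the first bytes selects the parser. */
enum image_kind sniff_kind(const uint8_t *buf, size_t len)
{
    if (len >= 4 && memcmp(buf, "8BPS", 4) == 0) return KIND_PSD;
    if (len >= 2 && buf[0] == 0xFF && buf[1] == 0xD8) return KIND_JPEG;
    return KIND_UNKNOWN;
}

/* Hardened section walk: each length-prefixed section is validated against
 * the remaining bytes before it is skipped. Returns the offset of the image
 * data on success, 0 on any inconsistency (short file, bad version, or a
 * section length larger than what is left of the file). */
size_t psd_image_data_offset(const uint8_t *buf, size_t len)
{
    size_t off = PSD_HEADER_LEN;
    int i;
    if (len < PSD_HEADER_LEN || memcmp(buf, "8BPS", 4) != 0) return 0;
    if (((buf[4] << 8) | buf[5]) != 1) return 0;        /* PSD version is 1 */
    /* colour mode data, image resources, layer and mask: (length, data) x 3 */
    for (i = 0; i < 3; i++) {
        uint32_t n;
        if (len - off < 4) return 0;                     /* no room for a length */
        n = be32(buf + off);
        off += 4;
        if (n > len - off) return 0;                     /* claim exceeds the file */
        off += n;
    }
    return off;
}

/* Constructed sample: a minimal valid 1x1 RGB PSD with three empty sections
 * and a 2-byte "raw" compression field, 40 bytes in total. */
const uint8_t GOOD_PSD[40] = {
    '8','B','P','S', 0x00,0x01, 0,0,0,0,0,0, 0x00,0x03,
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01, 0x00,0x08, 0x00,0x03,
    0,0,0,0,  0,0,0,0,  0,0,0,0,  0x00,0x00
};

/* Constructed sample: same header, but the colour mode data section claims
 * 0x7FFFFFFF bytes that are not there (the kind of value a trusting reader
 * would hand straight to a copy or an allocation). */
const uint8_t BAD_PSD[30] = {
    '8','B','P','S', 0x00,0x01, 0,0,0,0,0,0, 0x00,0x03,
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01, 0x00,0x08, 0x00,0x03,
    0x7F,0xFF,0xFF,0xFF
};

int main(void)
{
    printf("good: kind=%d image data at %zu\n",
           sniff_kind(GOOD_PSD, sizeof GOOD_PSD),
           psd_image_data_offset(GOOD_PSD, sizeof GOOD_PSD));
    printf("bad:  kind=%d image data at %zu (0 = rejected)\n",
           sniff_kind(BAD_PSD, sizeof BAD_PSD),
           psd_image_data_offset(BAD_PSD, sizeof BAD_PSD));
    return 0;
}
```

Both samples sniff as PSD regardless of what they are named; only the consistent one yields an image-data offset. The invariant the loop maintains, off never exceeding len, is what lets the same code be used on untrusted downloads.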
E-MailClub Ver1.0.0.5 Windows98J overflow exploit
We found an overflow bug in E-MailClub Ver1.0.0.5. It overflows
when it receives a long From: header during POP3 handling. If the
host receives a mail containing the exploit code, the host is
compromised by whatever instructions are coded into the exploit. This
example generates an e-mail containing exploit code that reboots
the target host. The exploit is coded for Windows98 Japanese
edition, but if you change some parameters in the sample exploit
program it may also work on Windows95 and WindowsNT.
http://shadowpenguin.backsection.net/toolbox.html#no054
Cgitest.exe (W4-Server2.6a/32-bits) overflow exploit
Cgitest.exe, a CGI program written in C and distributed with
W4-Server2.6a/32-bits, has a security hole caused by a buffer
overflow. Arbitrary instructions can be executed on the victim host
by using this buffer overflow bug.
http://shadowpenguin.backsection.net/toolbox.html#no055
WebBBS CGI Ver2.13 Windows98J overflow exploit
During the initial authorization handling of WebBBS, this CGI
overflows if a long login name or password is received. The overflow
overwrites the RET address, so EIP can be controlled. It is used to
execute arbitrary instructions embedded in the user name and
password.
http://shadowpenguin.backsection.net/toolbox.html#no056
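The IE "file://" entry, the E-MailClub From: entry and the Cgitest/WebBBS entries above all describe the same mechanism: a field from untrusted input is copied into a fixed stack buffer, the copy runs past the buffer over the saved frame pointer into the saved return address, and the bytes at that offset become EIP. The C below is an added example for this page, not code from any of those programs or from the Shadow Penguin exploits. It models a 32-bit frame as an ordinary struct so the overwrite is observable without corrupting the program's own stack (the field size, the saved values and the 0x42424242 target are assumptions), and places the unchecked copy beside the bounded one that would have prevented it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the 32-bit stack frame the exploits overwrite: fixed field buffer,
 * then the saved frame pointer, then the saved return address, in the order
 * they sit in memory.  A plain struct, so the overwrite stays observable and
 * defined instead of smashing this program's real stack. */
#define FIELD_MAX 32
struct frame {
    char     field[FIELD_MAX];   /* a "file://" path, a From: value, a login name */
    uint32_t saved_ebp;
    uint32_t saved_ret;          /* what a real overflow turns into EIP */
};

static const struct frame FRAME_INITIAL = { {0}, 0xbffff000u, 0x00401000u };

/* Vulnerable handler: trusts the field length, like strcpy() into a local.
 * The copy is written over the frame as raw bytes so the model shows exactly
 * where the bytes land: field[] first, then saved_ebp, then saved_ret. */
static void store_field_unchecked(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;                 /* strcpy copies the NUL too */
    if (n > sizeof *f) n = sizeof *f;           /* keep the model itself in bounds */
    memcpy(f, src, n);
}

/* Hardened handler: measure first, refuse anything that does not fit. */
static int store_field_checked(struct frame *f, const char *src)
{
    size_t n = strlen(src);
    if (n >= FIELD_MAX) return -1;              /* no room for the terminator */
    memcpy(f->field, src, n);
    f->field[n] = '\0';
    return 0;
}

/* Payload of the shape the advisories describe: filler up to the saved return
 * address, then the four bytes meant to land in it (host byte order, as they
 * would sit in memory; want_ret must contain no zero byte or strlen() stops). */
static void build_payload(char out[64], uint32_t want_ret)
{
    size_t fill = offsetof(struct frame, saved_ret);   /* 36 in this model */
    memset(out, 'A', fill);
    memcpy(out + fill, &want_ret, 4);
    out[fill + 4] = '\0';
}

/* Saved return address after the unchecked copy: equals want_ret, i.e. the
 * attacker chose where execution resumes. */
uint32_t ret_after_unchecked(uint32_t want_ret)
{
    struct frame f = FRAME_INITIAL;
    char payload[64];
    build_payload(payload, want_ret);
    store_field_unchecked(&f, payload);
    return f.saved_ret;
}

/* Verdict of the checked handler on the same payload (-1 = rejected). */
int checked_verdict(uint32_t want_ret)
{
    struct frame f = FRAME_INITIAL;
    char payload[64];
    build_payload(payload, want_ret);
    return store_field_checked(&f, payload);
}

/* Saved return address after the checked handler: unchanged. */
uint32_t ret_after_checked(uint32_t want_ret)
{
    struct frame f = FRAME_INITIAL;
    char payload[64];
    build_payload(payload, want_ret);
    (void)store_field_checked(&f, payload);
    return f.saved_ret;
}

int main(void)
{
    printf("unchecked: saved_ret = 0x%08x\n", ret_after_unchecked(0x42424242u));
    printf("checked:   rc = %d, saved_ret = 0x%08x\n",
           checked_verdict(0x42424242u), ret_after_checked(0x42424242u));
    return 0;
}
```

The offset of saved_ret from the start of the buffer, 36 bytes here, is the number the old exploits had to find per target; it is why the E-MailClub note says the sample works on Windows98J but needs parameters changed for other Windows versions. The checked handler needs no such knowledge: it rejects the field before any byte can reach the return address.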