{"id":25683,
"date":"2007-08-07T10:00:00",
"date_gmt":"2007-08-07T10:00:00",
"guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2007\/08\/07\/it-rather-involved-being-on-the-other-side-of-this-airtight-hatchway-executable-corruption\/"},
"modified":"2007-08-07T10:00:00",
"modified_gmt":"2007-08-07T10:00:00",
"slug":"it-rather-involved-being-on-the-other-side-of-this-airtight-hatchway-executable-corruption",
"status":"publish",
"type":"post",
"link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20070807-00\/?p=25683",
"title":{"rendered":"It rather involved being on the other side of this airtight hatchway: Executable corruption"},
"content":{"rendered":"<p>\nIn the category of dubious vulnerability, I submit the following\n(paraphrased) report:\n<\/p>\n<blockquote CLASS=\"q\"><p>\nI discovered that if I take an EXE file and corrupt its header,\nthen when I try to run the EXE file, the process starts up\nand then crashes.\nI used the information in the crash dialog to direct\nfurther investigations, noting that the specific crash location\ncould be controlled by modifying particular bytes in the EXE.\nFinally, I was able to put all the details together to form\nan exploit:\nI modified a block of bytes in the EXE file to consist of\ncode which opens a network socket and connects it to a command shell,\nthen modified the header to point to those bytes.\nWhen I run the EXE, the exploit code runs,\nand I can connect to the network socket from another computer\nand control the command shell.\n<\/p><\/blockquote>\n<p>\nYeah, that&#8217;s great, but what&#8217;s the vulnerability?\nWhat you did was take a program that you have write permission to\nand change the code in it to run your exploit.\nIf you can modify an EXE file, then you may as well just\nreplace the entire contents of the file with\nthe bytes of <code>PWNZ0RD.EXE<\/code>.\nIn other words,\nmodifying bytes here and there is just a very slow, inefficient,\nand unnecessarily complicated way of doing this:\n<\/p>\n<pre>\ncopy pwnz0rd.exe victim.exe\n<\/pre>\n<p>Then when the user runs the infected program, they&#8217;re really running\nthe <code>PWNZ0RD.EXE<\/code> program, and your so-called exploit\ncan do whatever it wants.\nThat&#8217;s a lot easier than trying to modify a dozen bytes here,\na dozen bytes there.\n<\/p>\n<p>\nIn order to trigger the vulnerability,\nthe user has to run the compromised program,\nbut a program is already arbitrary code.\nNo need to be so sneaky about it.\nIt&#8217;s sort of a tautology:\n&#8220;Here&#8217;s my clever way to get the user to run my code.\nStep&nbsp;1: Write some code.\nStep&nbsp;2: Get the user to run it.&#8221;\n<\/p>\n<p>\nOf course, if this corrupted EXE file created other types of problems,\nsuch as crashing Explorer or triggering a buffer overflow\nwhen the user tried to view its properties,\nthen you&#8217;d be onto something.\nOr if you could somehow avoid detection by not altering the digital signature,\nthen that&#8217;d be interesting as well.\nBut if the only way to trigger code injection is to run the injected\ncode, then that&#8217;s not really all that interesting.\nYou just found a roundabout way of creating a Trojan horse.<\/p>\n","protected":false},
"author":1069,
"categories":[1],
"tags":[26]}