Microsoft Windows - 'cmd.exe' Unicode Buffer Overflow (SEH)

Author: bitform
type: dos
platform: windows
port: 
date_added: 2010-07-08 
date_updated: 2017-03-31 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt14500/14282.png 
application_url: 

# Exploit Title: cmd.exe Unicode Buffer Overflow (SEH)
# Date: 7/8/2010
# Author: bitform
# Software Link: N/A
# Version: N/A
# Tested on: Windows Server 2003 SP2 and Windows XP SP2
# CVE : none

1) Acknowledgements

Props to Dan Crowley (@dan_crowley) at Core Security Technologies
for doing the research on Windows File Pseudonyms and coming up
with the idea for this buffer overflow.

His presentation can be found here:
www.sourceconference.com/bos10pubs/windows%20file%20pseudonyms.pptx

2) Bug

The TYPE command in Windows is equivalent to cat in *nix. It simply
outputs the contents of a file to stdout. If you use TYPE in conjunction
with the device file CON, you can feed stdin into a file.

Example: TYPE CON > evil.txt

CON is also interpreted as a file so you can append an extension to
it. Supplying a overly large extension will overflow the structured
exception handler.

This buffer overflow is not exploitable since cmd.exe and it's DLLs
are all compiled with SafeSEH. Oh well. :D

3) Code

TYPE CON.<A * 626><B * 2><C * 2372>

Note: The two B's is where the SEH is overwritten.