CVE-2005-0308
Published 2005-01-24
Priority P345 · Severity: high · CVSS 2.0 score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 63.88% (99.1th percentile)
Buffer overflow in the wsprintf function in W32Dasm 8.93 and earlier allows remote attackers to execute arbitrary code via a large import or export function name.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ursoftware | w32dasm | — | — |
Detection & IOCs (extracted from sources)
- Trigger condition: W32Dasm parses a crafted PE file with an oversized import or export function name, overflowing the stack via wsprintf. Monitor for W32Dasm opening externally supplied PE files with abnormally large import/export name strings.
- The exploit payload space is limited to 256 bytes, with null bytes as bad characters; shellcode embedded in crafted PE files targeting this CVE will be null-free and at most 256 bytes.
- The exploit uses a stack adjustment of -3500 bytes before shellcode execution; look for anomalously large negative ESP adjustments in W32Dasm process memory.
- The return address targets a jmp esp in kernel32.dll at 0x77e6de9c on Windows XP SP0; a saved return pointer with this value on the stack during W32Dasm execution is a strong exploit indicator.
- The Metasploit module targets only Windows XP SP0 with a hardcoded kernel32.dll jmp-esp gadget; the return address will differ on other Windows versions or service packs.
- Exploitation requires user interaction: a victim must manually open and disassemble the malicious PE file with a vulnerable W32Dasm version (≤8.93).
- EXITFUNC is set to 'process', meaning the exploit terminates the W32Dasm process on exit rather than using a thread-safe exit; payload stability may vary.
No detection rules found.
Exploit-DB: URSoft W32Dasm 8.93 - Disassembler Function Buffer Overflow (Metasploit) (exploitdb, 2010-09-25)
---
```ruby
##
# $Id: ursoft_w32dasm.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'URSoft W32Dasm Disassembler Function Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in W32Dasm MSF_LICENSE,
'Author' => [ 'patrick' ],
'Version' => '$Revision: 10477 $',
'References' =>
[
[ 'CVE', '2005-0308' ],
[ 'OSVDB', '13169' ],
[ 'BID', '12352' ],
[ 'URL', 'http://aluigi.altervista.org/adv/w32dasmbof-adv.txt' ],
],
'Defaul
```
Metasploit: URSoft W32Dasm Disassembler Function Buffer Overflow
This module exploits a buffer overflow in W32Dasm <= v8.93. By creating a malicious file and convincing a user to disassemble the file with a vulnerable version of W32Dasm, the Imports/Exports function is copied to the stack and arbitrary code may be executed locally as the user.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=110661194108205&w=2
- http://secunia.com/advisories/13986
- http://securitytracker.com/id?1012997
- http://www.securityfocus.com/bid/12352
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19044