"Exploiting" Windows Spider Solitaire

morph3us.org

(Friday, April 21, 2006)
Yesterday I could not fall asleep immediately, so I decided to test some of the applications that are included in Windows by default. I had a look at the Windows games (FreeCell, Hearts, Minesweeper, Pinball and so on) and, while fooling around, one feature, namely saving game scores in Spider Solitaire, sparked my interest in taking a deeper look at it.
You cannot choose the file in which the high score is saved, and you overwrite the stored high score every time you save another game, so I started Filemon and found the file `spider.sav', which is located at "%USERPROFILE%\Own Files".
I opened the 412-byte file with PSPad Editor (a great, free editor for Windows with a lot of features and an integrated hex editor) and saw a lot of binary characters, maybe some kind of object serialization.
Whatever, I created a new empty file and renamed it to `spider.sav' because I wanted to know how the application would behave. I expected an error dialog complaining about an empty or malformed savegame file, but to my surprise the application crashed and Dr. Watson popped up. The next step was to create a file containing ~100 'A' characters, to run Spider Solitaire again and to press Ctrl+O to load the saved game. As anticipated, an access violation occurred and Spider Solitaire was killed by Windows again.

Here's a snippet of the created crash dump:
eax=c3c3c3c3 ebx=000af558 ecx=00380800 edx=00000000 
esi=01012008 edi=0000000c eip=01007411 esp=0007f704 ebp=0007f704 
[...]

        010073fb cc               int     3
        010073fc cc               int     3
        010073fd cc               int     3
        010073fe cc               int     3
        010073ff cc               int     3
        01007400 8bff             mov     edi,edi
        01007402 55               push    ebp
        01007403 8bec             mov     ebp,esp
        01007405 8b4508           mov     eax,[ebp+0x8]
        01007408 8b490c           mov     ecx,[ecx+0xc]
        0100740b 8b550c           mov     edx,[ebp+0xc]
        0100740e 8d0440           lea     eax,[eax+eax*2]
FAULT ->01007411 89548108         mov   [ecx+eax*4+0x8],edx ds:0023:0f471714=????????
        01007415 5d               pop     ebp
        01007416 c20800           ret     0x8
        01007419 cc               int     3
        0100741a cc               int     3
        0100741b cc               int     3
        0100741c cc               int     3
        0100741d cc               int     3
        0100741e 8bff             mov     edi,edi
        01007420 55               push    ebp
        01007421 8bec             mov     ebp,esp
        01007423 8b4508           mov     eax,[ebp+0x8]
        01007426 8b490c           mov     ecx,[ecx+0xc]
        01007429 8d0440           lea     eax,[eax+eax*2]
        0100742c 8b448108         mov     eax,[ecx+eax*4+0x8]
        01007430 5d               pop     ebp
        01007431 c20400           ret     0x4

----> Stack Back Trace <----
ChildEBP RetAddr  Args to Child              
0007f704 010046b4 41414141 00000000 77d1be4b spider+0x7411
0007f754 01006ce4 00000000 01012008 00019c4c spider+0x46b4
0007f978 01007089 004d0490 00000111 00019c4c spider+0x6ce4
0007f9e8 77d18734 004d0490 00000111 00019c4c spider+0x7089
0007fa14 77d18816 010070ab 004d0490 00000111 USER32!GetDC+0x6d
0007fa7c 77d1b4c0 00000000 010070ab 004d0490 USER32!GetDC+0x14f
0007fad0 77d1b50c 005fb940 00000111 00019c4c USER32!DefWindowProcW+0x184
0007faf8 7c91eae3 0007fb08 00000018 005fb940 USER32!DefWindowProcW+0x1d0
0007fb34 01007340 004d0490 01480889 0007fb84 ntdll!KiUserCallbackDispatcher+0x13
0007fe98 0100913c 01000000 00000000 000a2331 spider+0x7340
0007ffc0 7c816d4f 00340031 00350030 7ffd6000 spider+0x913c
0007fff0 00000000 01008fb2 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49

----> Raw Stack Dump <----
000000000007f704  54 f7 07 00 b4 46 00 01 - 41 41 41 41 00 00 00 00  T....F..AAAA....
000000000007f714  4b be d1 77 08 20 01 01 - 90 04 4d 00 4d ae b7 7d  K..w. ....M.M..}
000000000007f724  58 f7 07 00 f0 d7 d1 77 - 89 02 01 17 3e 00 00 00  X......w....>...
000000000007f734  41 41 41 41 41 41 41 41 - 3e 00 00 00 41 41 41 41  AAAAAAAA>...AAAA
000000000007f744  00 00 00 00 94 00 00 00 - 00 00 00 00 00 00 00 00  ................
[...]

With the manipulated `spider.sav' file as input, 0xC3 (Ã) bytes ended up in the EAX register. Why 0xC3 and not, as one would expect, 0x41? I do not know. I assume the bytes that are read get modified (converted) during the parsing process. Whatever the reason, we are more or less able to control the EAX register.

The next step would be to download the debugging symbols for `spider.exe' (I suppose they are available somewhere at MSDN) and to start a debugger to find out what's going on. Unfortunately, debugging is not my strength and I'm not inclined to spend further time researching this bug.

np: Brooklyn Bounce - Born To Bounce


Comments

Hi morpheus,

this is my analysis of the "bug"...

01007400 /$ 8BFF MOV EDI,EDI
01007402 |. 55 PUSH EBP
01007403 |. 8BEC MOV EBP,ESP
01007405 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
01007408 |. 8B49 0C MOV ECX,DWORD PTR DS:[ECX+C]
0100740B |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0100740E |. 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; EAX = 41414141 -> C3C3C3C3
01007411 |. 895481 08 MOV DWORD PTR DS:[ECX+EAX*4+8],EDX ; This is the point where the error occurs -> ECX (00381320) + EAX (C3C3C3C3) * 4 + 8 --> 3(0F472234)
01007415 |. 5D POP EBP
01007416 \. C2 0800 RETN 8

EDX=00000000
DS:[0F472234]=??? MOV DWORD PTR DS:[ECX+EAX*4+8],EDX

I think that there is no exploit possible...

EAX C3C3C3C3
ECX 00381320
EDX 00000000
EBX 000AEBA8 ASCII 41,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
ESP 0007F754
EBP 0007F754
ESI 01012008 spider.01012008
EDI 0000000C
EIP 01007411 spider.01007411

#1 cyrus-tc (Homepage) on 2006-04-22 12:01 (Reply)
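The question in the post (why EAX holds 0xC3C3C3C3 rather than 0x41414141) and cyrus-tc's annotation of the disassembly come down to the same arithmetic: `lea eax,[eax+eax*2]` multiplies the value read from the save file by three (0x41 * 3 = 0xC3 in every byte, with no carry between bytes), and the faulting `mov [ecx+eax*4+0x8],edx` then stores EDX at ECX + 12*index + 8, i.e. into a table of 12-byte records at an index taken from the file without any range check. The C program below is an added illustration written for this page; it is not code from spider.exe, from the post author or from cyrus-tc, and the record layout, the little-endian read of the index and the `checked_store` function are assumptions. It reproduces the 32-bit address arithmetic for the two register states shown above (ECX=00380800 from the Dr. Watson dump, ECX=00381320 from the comment) and shows the bounds check a loader needs before using a file-supplied index.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 12-byte record: the faulting instruction addresses a table with
 * stride 3*4 = 12 bytes and writes a 4-byte field at offset 8. */
typedef struct {
    uint32_t field0;   /* offset 0, assumed */
    uint32_t field4;   /* offset 4, assumed */
    uint32_t value;    /* offset 8: the field written by mov [ecx+eax*4+8],edx */
} record_t;

/* lea eax,[eax+eax*2]: the index read from the file is multiplied by 3.
 * Four 'A' bytes (0x41414141) become 0xC3C3C3C3 because 0x41*3 = 0xC3 in
 * every byte and no byte overflows into its neighbour. */
uint32_t scaled_index(uint32_t index)
{
    return index + index * 2u;
}

/* mov [ecx+eax*4+0x8],edx: the address the store targets, computed in
 * 32-bit wraparound arithmetic exactly as the CPU does. */
uint32_t faulting_address(uint32_t table_base, uint32_t index)
{
    return table_base + scaled_index(index) * 4u + 8u;
}

/* Little-endian 32-bit read from the save-file bytes (constructed helper;
 * the real file format is not known from the page). Returns 0 on short input. */
uint32_t index_from_save_bytes(const unsigned char *buf, size_t len)
{
    if (len < 4) return 0;
    return (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
           ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

/* Hardened store: a file-supplied index is untrusted, so it is compared
 * against the table length before the write. Returns 1 on success and
 * 0 if the index is out of range (nothing is written in that case). */
int checked_store(record_t *table, size_t count, uint32_t index, uint32_t value)
{
    if (index >= count) return 0;
    table[index].value = value;
    return 1;
}

/* Demo wrapper: tries to store into a 64-entry table and reports whether
 * the index was accepted. */
int store_accepted(uint32_t index)
{
    record_t table[64] = {{0}};
    return checked_store(table, 64, index, 0x1234u);
}

int main(void)
{
    /* Constructed input: the first bytes of a file full of 'A'. */
    const unsigned char save[] = "AAAAAAAA";
    uint32_t idx = index_from_save_bytes(save, sizeof save - 1);

    printf("index from file : 0x%08" PRIx32 "\n", idx);
    printf("EAX after lea   : 0x%08" PRIx32 "\n", scaled_index(idx));
    printf("target (dump)   : 0x%08" PRIx32 "\n", faulting_address(0x00380800u, idx));
    printf("target (comment): 0x%08" PRIx32 "\n", faulting_address(0x00381320u, idx));
    printf("checked_store(0x%08" PRIx32 "): %s\n", idx,
           store_accepted(idx) ? "written" : "rejected");
    printf("checked_store(3): %s\n", store_accepted(3) ? "written" : "rejected");
    return 0;
}
```

The two computed targets, 0x0F471714 and 0x0F472234, are the addresses that appear in the `ds:0023:0f471714=????????` line of the dump and in the comment's "--> (0F472234)" note respectively; both lie far outside the process's mapped heap, which is why the store faults instead of silently corrupting a neighbouring record. A smaller index from a crafted file would not fault at all, which is exactly what the range check in `checked_store` prevents.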
Hearts, Spider Solitaire and Minesweeper - what makes these games dangerous?...

The following article I wrote during an hour of low concentration while writing my Bachelor's thesis. It discusses why the Microsoft games Hearts, Spider Solitaire and Minesweeper are dangerous games, and strategies to win them. Unfortunately the text is ...
#2 Das Kasi-Blog (Homepage) on 2006-10-30 14:21 (Reply)
