Hi Mauserme,
Nobody said that, we all are only trying to help this victim. You are doing a great job, be assured of that. Maybe we all waited for the decisive comment about that EXSMgr.dll. Suspicious because there is absolutely no info on it online. It is a pity Susz cannot analyze what that dll's overflow buffer hole is:
polonus's Technical Details on another similar dll problem:
The buffer overflow bug exists in a part of USER32.DLL involved in handling ANI animated cursor files. A partial ANI file format is given below:
"RIFF" {(DWORD)Length_of_file}
"ACON"
"LIST" {(DWORD)Length_of_list}
"INFO"
"INAM" {(DWORD)Length_of_title} {szTitle}
"IART" {(DWORD)Length_of_author} {szAuthor}
"anih" {(DWORD)Length_of_AnimationHeader} {AnimationHeaderBlock}
Generally, the length of AnimationHeaderBlock shoule be 36 bytes (0x00000024). The vulnerability is in the handling of the Length_of_AnimationHeader field. This value will be passed as the length argument of memcpy(), in order to copy the contents of AnimationHeaderBlock, but the value is not checked appropriately. The buffer intended to hold the AnimationHeaderBlock is located on the stack, so we can overwrite the return address and exception handler on the stack and jump into the buffer containing our code.
This vulnerability is a separate vulnerability from the ones discovered by Xfocus.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-002.mspxAnyway an ounce of protection is worth more than a kilo of cleansing afterwards, if you see what we are up against,
polonus
