Result of real world exploit test - Comodo Memory Firewall worked!

[Guest]

[MrBrian]

I have tested Comodo Memory Firewall on a real world proof of concept exploit, and Comodo Memory Firewall did indeed give an alert when the buffer overflow occurred!

Here is how to reproduce my test:
1. Uninstall Winamp if it's currently installed on your computer. 
2. Get Winamp 5.12 from filehippo.com and install it.
3. Download the C language text file at http://www.milw0rm.com/exploits/1458.
4. You'll need to compile this C language text file with a C compiler.  I used the free MinGW compiler at http://sourceforge.net/project/showfiles.php?group_id=2435.
5. Run the .exe file that the compiler produced.  IMPORTANT NOTE: run this file at your own discretion, as I cannot guarantee what it does, although you can examine the source code if you are knowledgeable.
6. The .exe, when run, creates a .pls file that Winamp can use.  Run this .pls file.  IMPORTANT NOTE: run this file at your own discretion, as I cannot guarantee what it does.  It causes a buffer overflow in Winamp 5.12, and, as a proof of concept, it causes windows Calculator to run.  If you have Comodo Memory Firewall installed, you indeed are given an alert about the buffer overflow!

I'd like to point out that Comodo Firewall 3.0, a separate product, will not warn you when this buffer overflow occurs.  This is by design, and not a bug in Comodo Firewall 3.0.  The point is that you do need Comodo Memory Firewall even if you are currently using Comodo Firewall 3.0!

Thanks to all of you involved in the creation of this program!

[shin-ganda]

really? wow. woohoo 
err, is there any "simple" test other than this? 

[MrBrian]

Comodo offers the free Comodo BO Tester.  But seeing how many times you've contributed to the forums, you probably knew that already.   Also, I could privately send you the .pls file if you wish.

[shin-ganda]

Ganda: Comodo offers the free Comodo BO Tester.  But seeing how many times you've contributed to the forums, you probably knew that already.   Also, I could privately send you the .pls file if you wish.

no, i mean a real exploit. maybe some nasty sites or bad apps that can produce real BO. you know, i've read/heard that BO is a common exploit, it can happen by only opening a website or simply open an email.but i've never seen any.
i wanna try yours, but it's to complex, winamp and some other stuff.

[MrBrian]

This is a real buffer overflow.  My antivirus, NOD32, detects the .pls as infected, although it is not an executable file.  The payload, showing windows Calculator, is (allegedly) innocent though.  But the source code could be modified to deliver a malicious payload instead.

If you wanted the .pls file, then all you would need to test is to install Winamp 5.12 and then double-click the .pls file in Explorer and you will get a real buffer overflow.  The rest of the steps in my writeup are merely how to generate the .pls file.

By the way, you can also get a buffer overflow by what this proof of concept demonstrates, namely using a purposely poisoned non-executable data file crafted for a specific program that has buffer overflow flaws.

[shin-ganda]

This is a real buffer overflow.  My antivirus, NOD32, detects the .pls as infected, although it is not an executable file.  The payload, showing windows Calculator, is (allegedly) innocent though.  But the source code could be modified to deliver a malicious payload instead.

If you wanted the .pls file, then all you would need to test is to install Winamp 5.12 and then double-click the .pls file in Explorer and you will get a real buffer overflow.  The rest of the steps in my writeup are merely how to generate the .pls file.

By the way, you can also get a buffer overflow by what this proof of concept demonstrates, namely using a purposely poisoned non-executable data file crafted for a specific program that has buffer overflow flaws.

i'm too lazy to download winamp 
nevermind Mr.Brian, thx. glad that CMF works. 
 
Ganda

[MiguelAngelXP]

MrBrian:

Reading the posts I believe you, and as said Ganda, I'm too lazy  to download Winamp 5.12, and honestly I don't use it, my stereo player (Sony CPT-555) plays MP3 as well. I'm from the old school, I like to hear the sound from big speakers  as when I did in my teenager years. But the bottom line here is that CMF is working fine and without problems as I posted in a separate topic

 

Regards
MiguelAngelXP

[Little Mac]

Oy, milw0rm has some good POC (proof of concept) exploits, as does Metasploit.  It should be strongly noted (as per MrBrian's post) that running these may have unintended consequences - they are designed to treat your system harshly in order to run the exploit. 

If you don't want to compile code and all that, you might have some fun with BackTrack, a penetration testing Linux distribution.  Download the Live ISO, and run in a virtual machine setting.  They have some tools from both these sites included.  I haven't tried crossing from a VM to Windows (ie, to cause the exploit in Windows on the same machine), but it may be possible.  Then you can see how Windows security reacts...

LM

[3xist]

Locked.

Reason: Out-Dated post.

Josh

[Tags:]