On Sun, Feb 01, 2009 at 10:41:25AM +0100, Guillaume SH wrote:
Imagine an ill-intentioned person, call them the attacker. Simply by creating the following C application (based on the classic "Hello world"):
#include <windows.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    /* printf("Hello world!"); */
    /* invalid handle, NULL OVERLAPPED and NULL output pointer: crashes under Wine */
    GetOverlappedResult(0, NULL, NULL, FALSE);
    return EXIT_SUCCESS;
}
Running this application on Wine, I get my crash, with the possibility of an exploit.
A crash isn't magically a possibility of an exploit. Certain types of crashes (e.g. user-supplied buffer overruns that hammer the return address on the stack) are vectors for security issues. Dereferencing a NULL isn't, off the top of my head.
A better exploit than GetOverlappedResult(0, NULL, NULL, FALSE) at that point is probably to just do whatever your exploit's payload was going to be.
I won't describe in detail the way to perform the exploit as:
1 - I don't know how to proceed and I don't want to
2 - It would be showing a poor sense of responsibility
So you don't actually know what the exploit is you're trying to get us to break from the Win32 API to avoid, and you specifically refuse to describe it further?
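The distinction drawn in the reply above (a store through NULL that faults on an unmapped page, versus an overrun of attacker bytes that reaches a saved return address) as an added example; this is not code from the thread and not Wine code. It runs on a POSIX system. `struct frame` is a constructed stand-in for a stack frame, and `attacker_target`, `build_payload` and the 'A' filler are assumptions made up for illustration. The NULL store is caught with a SIGSEGV/SIGBUS handler purely so the program can report the faulting address and carry on.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- Case 1: a NULL dereference faults on an unmapped page ----------------- */

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_kind;  /* 0 = no fault, 1 = fault at address 0, 2 = elsewhere */

static void fault_handler(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)ctx;
    fault_kind = (info->si_addr == NULL) ? 1 : 2;
    siglongjmp(fault_env, 1);  /* recover only so the demo can report; a real program just dies */
}

/* Stores through a NULL pointer and reports what the kernel delivered. The
 * pointer is laundered through a volatile so the compiler cannot fold the store. */
int null_deref_fault_kind(void)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    fault_kind = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        uintptr_t volatile zero = 0;
        int *p = (int *)zero;
        *p = 1;  /* page 0 is not mapped: the store faults, no code of ours is redirected */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return fault_kind;
}

/* --- Case 2: an overrun that reaches a saved return address ---------------- */

static int reached_attacker_code;
static void attacker_target(void) { reached_attacker_code = 1; }
static void normal_target(void)   { reached_attacker_code = 0; }

/* Constructed stand-in for a stack frame (assumption, not a real frame): a
 * fixed buffer followed by the slot a real frame uses for the saved return. */
struct frame {
    char buf[16];
    void (*volatile saved_ret)(void);  /* volatile: force a re-read after the copy */
};

/* Vulnerable copy: trusts the caller's len instead of sizeof buf, then
 * "returns" through the saved slot. Returns 1 if attacker_target ran. */
int overrun_redirects_control(const unsigned char *input, size_t len)
{
    struct frame f;
    unsigned char *dst = (unsigned char *)f.buf;
    f.saved_ret = normal_target;
    for (size_t i = 0; i < len; i++)
        dst[i] = input[i];             /* bug: no bound on len, bytes spill into saved_ret */
    reached_attacker_code = 0;
    f.saved_ret();                     /* whatever the attacker's bytes say, we jump there */
    return reached_attacker_code;
}

/* Constructed attacker input: filler up to the saved slot, then the address of
 * attacker_target in host byte order. Returns the payload length (0 if cap is too small). */
size_t build_payload(unsigned char *out, size_t cap)
{
    void (*target)(void) = attacker_target;
    size_t slot = offsetof(struct frame, saved_ret);
    size_t need = slot + sizeof target;
    if (cap < need) return 0;
    memset(out, 'A', slot);
    memcpy(out + slot, &target, sizeof target);
    return need;
}

int main(void)
{
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload);
    printf("NULL store: fault kind %d (1 = fault at address 0, control flow untouched)\n",
           null_deref_fault_kind());
    printf("overrun with %zu bytes: attacker_target ran = %d\n",
           n, overrun_redirects_control(payload, n));
    return 0;
}
```

The NULL case lands on a page the kernel never maps, so the only thing the attacker gets is the crash itself; in the overrun case the attacker's bytes become the target of an indirect call. On a real stack the same copy would also have to get past the stack protector and guess an address under ASLR, which is the work the reply refers to as "whatever your exploit's payload was going to be", and why a crash on its own says little.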