[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Allchin bug p-o-c.

To: full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] Allchin bug p-o-c.
From: Andrew.Berges@everestre.com
Date: Tue, 7 Oct 2003 11:02:13 -0400

Hi,

I'm rather new to this list, and I think I may have missed some of the
background on this - could someone bring me up to speed as to what is
happening here?

Thanks for the help,

Andrew Berges - Associate Manager, Systems
Everest Global Services
908.604.3020
andrew.berges@everestre.com


-----Original Message-----
From: Dave Korn [mailto:davek_throwaway@hotmail.com] 
Sent: Tuesday, October 07, 2003 6:56 AM
To: vuln-dev@securityfocus.com; full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Allchin bug p-o-c.


  Here's p-o-c code for the allchin vulnerability.  It allows you to write a

(fairly) arbitrary DWORD to a (also fairly) arbitrary address in the memory 
space of mqsvc.exe on a remote w2k server.  It should be straightforward 
enough to turn that into any kind of remote shell sploit using the standard 
well known techniques (e.g. overwrite an exception handler) but I haven't 
done so yet.

  Interestingly enough, this works on sp2 but sp4 seems to be immune; I 
haven't tested sp3.  I say 'interesting', because I can't find any reference

to this bug having been fixed in the lists of bugs fixed in those service 
packs, but it's definitely been whacked in some way by sp4....

   cheers,
       DaveK

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Allchin bug p-o-c.
  - From: Valdis.Kletnieks@vt.edu

Prev by Date: Re: [Full-Disclosure] Spam with PGP
Next by Date: Re: [Full-Disclosure] Verisign fighting back at ICANN
Previous by thread: [Full-Disclosure] Allchin bug p-o-c.
Next by thread: Re: [Full-Disclosure] Allchin bug p-o-c.
Index(es):
- Date
- Thread