Brett: Are you using the version of the code from the Russian Web Site? I compiled and tested it against XP. Forces the machine to crash both patched and unpatched. (MS is aware of this). None of the code ever added a user to the device. Did this happen on the 2K unpatched machine? I've seen some other versions of the code that don't seem to require the external bshell file but incorporates the shell into the C code but I haven't really had much time to investigate. Yes the code does work against an unpatched system.. Code execution reaches 77FCC992 mov dword ptr [edx],ecx 77FCC994 mov dword ptr [eax+4],ecx Where EDX is critical address and ECX is heap offset It then reaches 77FCC663 mov dword ptr [ecx],eax 77FCC665 mov dword ptr [eax+4],ecx Where ECX is heap offset and EAX is jump instruction.. This is what flashsky was referring to in his post about a universal way to exploit heap overflows.. Its not 100% reliable tho, as sometimes execution reaches the second code segment first, which will cause a crash. We also saw execution reaching 77D399FD call dword ptr [esi+8] where ESI points into the overflow buffer, but also causes a crash.. After installig the MS03-039 patch, the exploit code had no affect on our test system... Test system is Win2k English SP4+MS03-039.. It is possible however that other versions of Win2K are vulnerable to the denial of service that has been discussed... Has anybody confirmed this with details of the vulnerable systems? Brett Michael A. Gordon Information Security Services LM Aero - Fort Worth 817-935-1646 Mail Zone: 9381 <<Gordon, Mike.vcf>>
Attachment:
Gordon, Mike.vcf
Description: Binary data