[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] Windows 2000 Remote Buffer Overflow by class101
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] Windows 2000 Remote Buffer Overflow by class101
- From: <sk3tch@xxxxxxxxxx>
- Date: Fri, 22 Oct 2004 13:20:36 -0500
Posted here:
http://dfind.kd-team.com/36/55/op.php
"Stack based overflow, bug discovered by Luigi Auriemma
aluigi.altervista.org
Tested working on Win2K, This public version crash on any WinXP, read
the code why.
The exploit bind a shellcode on the victim port 101."
From the code:
"Why Win2k only?
After some days of debugging on it , I finally figured out how to
exploit this
hole, this public overflow method works only on Win2k, using the
JMP EBX from comdlg32.dll from Win2k SP4 english.
Because on WinXP , the register EBX points to a NULL address, this is
not exploitable
even if you update the JMP EBX, not exploitable VIA THIS WAY on XP I
mean OK!.
How do I did then on Win2k?
I overwritte EIP with a JMP EBX, EBX is a perfect register because it
points directly
to my buffer, but problem, it points 4 bytes only before EIP, quite
short...
But enough to say him to jump ~80 bytes higher.
Now i have enough space to adjust my shellcode to ESI and to finally
jump to it...
That's why on WinXP (and maybe others , havent tested) this doesnt works
because EBX isnt
available.
Not happy? code yours or get a pvt version ;p
How do I update to Win2k SP1 Dutch for example ?
Grab a JMP EBX address in comdlg32.dll from this OS and update the
code."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html