lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 27 Mar 2003 17:02:53 -0500
From: "Exurity Debugs" <exbugs@...ers.com>
To: <rnunez@...entech.com.ve>, <bugtraq@...urityfocus.com>
Subject: RE: WebDav Exploit ffs


I don't believe your shell code will work on other Kernel32.dll than the
version with the following ImageBase:
"\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..

Because your code is reversed as:

loc_8F:
    mov     eax, [esi]
    add     eax, ebp
    cmp     dword ptr [eax], 50746547h
    jnz     short loc_C0
    cmp     dword ptr [eax+4], 41636F72h
    jnz     short loc_C0
    cmp     dword ptr [eax+8], 65726464h
    jnz     short loc_C0
    mov     eax, [edi+24h]
    add     eax, ebp
    movzx   ebx, word ptr [eax+edx*2]
    mov     eax, [edi+1Ch]
    add     eax, ebp
    mov     ebx, [eax+ebx*4]
    add     ebx, ebp

        ; should jump to found
loc_C0:
    add     esi, 4
    inc     edx
    cmp     edx, [edi+18h]
    jnz     short loc_8F
        ; then reached all and could not find, so find another version
So, if the Kernel32.dll happens to be different than the default, it will
simply crash without going too far.
Best regards
Peter Huang
Jumpable, Callable & Overflowing XPoson, New Exploitation Technology on the
way

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ