lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 26 Aug 2005 16:55:58 +0530
From: Sanjay Rawat <sanjayr@...oto.com>
To: Roman Medina-Heigl Hernandez <roman@...labs.com>,
	full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: MS05_039 Exploitation (different languages)


hi Roman:
I too observed the same thing. i am running a windows 2K, SP4. i found that 
base address of UMPNPMGR.DLL is 0x767a0000. however, when i run the attack 
with this address, the target machine got rebooted (a crash). this may be, 
because umpnpmgr.dll is a part of "service.exe", therefore, on failure, it 
reboots. but with the unchanged base address, it worked perfectly. so now 
the same code can be used for DoS also!!!

--Sanjay

At 10:06 PM 8/25/2005, Roman Medina-Heigl Hernandez wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hi,
>
>I tested existing exploits for PnP bug on my W2k SP4 machine (Spanish)
>and they didn't work ("services" process is crashing but I got no
>shell). So I did a quick review with Olly and I realized that
>umpnpmgr.dll is being loaded at a different base address. In Spanish
>systems this base address is 0x76770000 but current exploits are
>assumming (I guess) 0x767a0000. Then I did a quick hack to HOD's exploit
>and it worked perfectly. I also modified Metasploit's module and
>included a target for Spanish systems. I've attached resulting exploits
>(they are trivial, though).
>
>Is it usual that Windows DLLs have different base address across same
>Windows/SP versions (but different languages)?
>
>
>- --
>
>Cheers,
>- -Roman
>
>PGP Fingerprint:
>09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
>[Key ID: 0xEAD56742. Available at KeyServ]
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.0 (MingW32)
>
>iD8DBQFDDfOr5H+KferVZ0IRAiZKAKDJ0A1RT+iyFcJipN3k56YEmzctqACePS5e
>aUJNlnMEsftew1Yn993iGJY=
>=XE3r
>-----END PGP SIGNATURE-----
>

Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
   Homepage: http://sanjay-rawat.tripod.com





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ