| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: deleon at hushmail.com (deleon@...hmail.com) Subject: Phrack #64 Is Release! HAAHAHAHHAH just kidding, is only ms004-04 attacking ways. Soooo we have our fun with isa, now you can also! Now even people who can not afford the corporate firewall, can still own one! So I have this crazy dream a few weeks earlier (maybe ate too much acid) that I send some bytes to a isa server and it withers up like ding spider. This is funny because I thought spiders coming out from my arm, but that is an other bad story for next email. Anyway bytes went like this- 03 00 xx xx 08 02 00 00-5a 7e xx xx 05 00 80 00 00 00 42 42 42 42 42 42-42 42 42 42 42 42 42 42 42 42 04 0A xx xx 80 xx-xx xx xx buffer starts here And somehow I know that first 13 bytes were error packet sent back from isa, like when you have really nice dream that you know the girl is michele branch even though you can't see the face, almost like that. Others xx are for lengths, yes these were xx in the dream and somehow again I know there are for length. Soo I was very surprise when I woke and tried it and it worked. I had to plugged in buffer but then I saw microsoft firewall service (wspsrv process) crash and after then it was more dead than a foundstone christmas party. I discover it was a heap overflow and I even found how. The problem is h323asn1.dll which ms004-04 patch, and microsoft tried to make this hard to find by changing lost of fake things, but we have no problem seeing the True Patch. Old function is sub_40fa6d, new is sub_40f627, and patch checks a word to see that it is short enough. This word is actually length of a string that follows (use ethereal to understand packet) and it can be any length but a few kb is enough to overflow in ways similar to a eeye bar tab at defcon. So most easy way to get to broken code is to use second h225 decode function, this is sub_419011 in unpatched dll. And of course a breakpoint of the function will show that it is reach after sending error packet back to isa. Then just follow trace through and see how to get to sub_40fa6d. Simple like that. Oh yeah here are ways to make lengths---- 03 00 (word length of all packet, even 03 00, all is big byte first order) 08 02 00 00 5a 7e (word length of data that follows) 05 00 80 00 00 00 (16 byte conference id, I use BBBBBBBBBBBBBBBB above) 04 0a (frag length of all data that follows) 80 (frag length of all data that follows) (word length of string that follows -1, like 0 means length is 1, 1 means length is 2 etc.) (very long string) And a frag length can be most easy done as 0x8000+length, like 0x9234 means length of next data that follows is 0x1234. More gets supported but trust me this will work for exploit ;) Like an example-- 03 00 10 2f 08 02 00 00-5a 7e 10 23 05 00 80 00 00 00 42 42 42 42 42 42-42 42 42 42 42 42 42 42 42 42 04 0a 90 09 80 90-06 10 03 (buffer with 0x1004 'A') I wish this is right, I cant sleep so much since all the spiders keep coming out from my arm. But they help me type this email so you can start having isa fun also. Don't feed the kids! Keep the knowledge free. Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
Powered by blists - more mailing lists