lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 01 Apr 2007 15:05:37 +0000
From: "dev code" <devcode29@...mail.com>
To: Larry@...ryseltzer.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow

I made a mistake in including "jmp esp" for XP SP2 because the stack cannot 
be executed (due to DEP of course :P). It is completely possible to execute 
shellcode if we can do some DEP bypass (ie. ret2libc attack, etc..) to add 
execute access to the stack and jmp to our code. My PoC i updated yesterday 
(added as an attachment to the full disclosure post) returns to 
ExitProcess()  and closes explorer.exe upon viewing the .ani file, just to 
show that it is possible to do our own shiznat in SP2.

>From: "Larry Seltzer" <Larry@...ryseltzer.com>
>To: <full-disclosure@...ts.grok.org.uk>
>Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
>Date: Sun, 1 Apr 2007 07:49:58 -0400
>
> >>The issue is that this only works with DEP turned off!
>
>Interesting point. I haven't seen this mentioned anywhere, including the
>Microsoft advisory
>(http://www.microsoft.com/technet/security/advisory/935423.mspx).
>
>Has anyone actually tested this with DEP on/off to be sure?
>
>Larry Seltzer
>eWEEK.com Security Center Editor
>http://security.eweek.com/
>http://blog.eweek.com/blogs/larry_seltzer/
>Contributing Editor, PC Magazine
>larryseltzer@...fdavis.com
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________
Exercise your brain! Try Flexicon. 
http://games.msn.com/en/flexicon/default.htm?icid=flexicon_hmemailtaglinemarch07

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ