Date: Thu, 25 Aug 2005 23:29:28 +0200
From: <ad@...ss101.org>
To: "Roman Medina-Heigl Hernandez" <roman@...labs.com>,
	<full-disclosure@...ts.grok.org.uk>
Cc: bugshit <bugtraq@...urityfocus.com>
Subject: Re: MS05_039 Exploitation (different languages)


For MS holes such as this, yeah, it is always like this because all
Windows are different, and about the languages, if I remember, the French
offsets are like the German, NL, etc. When you have a lot of free time you
can find out some OS languages using the same offsets.

****************************************************************
KEY: 0xA7C69C5F
PRINT: 694C 3495 BCC4 2F8B D794  6BD4 AF8B 457B A7C6 9C5F
****************************************************************


----- Original Message ----- 
From: "Roman Medina-Heigl Hernandez" <roman@...labs.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: <bugtraq@...urityfocus.com>
Sent: Thursday, August 25, 2005 6:36 PM
Subject: [Full-disclosure] MS05_039 Exploitation (different languages)


| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| Hi,
|
| I tested existing exploits for PnP bug on my W2k SP4 machine (Spanish)
| and they didn't work ("services" process is crashing but I got no
| shell). So I did a quick review with Olly and I realized that
| umpnpmgr.dll is being loaded at a different base address. In Spanish
| systems this base address is 0x76770000 but current exploits are
| assuming (I guess) 0x767a0000. Then I did a quick hack to HOD's exploit
| and it worked perfectly. I also modified Metasploit's module and
| included a target for Spanish systems. I've attached resulting exploits
| (they are trivial, though).
|
| Is it usual that Windows DLLs have different base address across same
| Windows/SP versions (but different languages)?
|
|
| - --
|
| Cheers,
| - -Roman
|
| PGP Fingerprint:
| 09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
| [Key ID: 0xEAD56742. Available at KeyServ]
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v1.4.0 (MingW32)
|
| iD8DBQFDDfOr5H+KferVZ0IRAiZKAKDJ0A1RT+iyFcJipN3k56YEmzctqACePS5e
| aUJNlnMEsftew1Yn993iGJY=
| =XE3r
| -----END PGP SIGNATURE-----
|

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
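An added example, not code from the thread, from HOD's exploit or from the Metasploit module: a small C program that reads the preferred ImageBase out of a PE32 DLL's headers, so the per-language base of a module such as umpnpmgr.dll can be taken from the file that ships on the target (a copy from a Spanish install, for instance) instead of by attaching Olly to a crashing `services` process. The two base addresses in the table are the ones Roman reports; the target labels, the `rva` argument, the file-reading `main` and the constructed header bytes used as test input are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE headers are little-endian regardless of host; read/write explicitly. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Preferred ImageBase of a PE32 (32-bit) image held in buf, or 0 if buf is not
 * a well-formed PE32 image. PE32+ (64-bit) images are rejected: their ImageBase
 * is 8 bytes wide and sits at a different offset. */
uint32_t pe32_image_base(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return 0;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    /* Need "PE\0\0", the 20-byte COFF header and at least 32 bytes of optional header. */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 32)
        return 0;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0)
        return 0;
    const uint8_t *coff = nt + 4;
    const uint8_t *opt = coff + 20;
    if (rd16(coff + 16) < 32 || rd16(opt) != 0x10b)  /* SizeOfOptionalHeader, PE32 magic */
        return 0;
    return rd32(opt + 28);                            /* IMAGE_OPTIONAL_HEADER32.ImageBase */
}

/* Constructed test input: a minimal PE32 DLL header (DOS header + NT headers, no
 * sections) with the given preferred ImageBase. Not bytes from any real binary.
 * Returns bytes written, or 0 if buf is too small. */
size_t make_pe32_header(uint8_t *buf, size_t len, uint32_t image_base)
{
    const size_t nt_off = 0x40, opt_size = 0xE0;      /* 0xE0: standard PE32 optional header */
    size_t total = nt_off + 4 + 20 + opt_size;
    if (len < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, (uint32_t)nt_off);              /* e_lfanew */
    memcpy(buf + nt_off, "PE\0\0", 4);
    uint8_t *coff = buf + nt_off + 4;
    wr16(coff + 0, 0x14c);                            /* IMAGE_FILE_MACHINE_I386 */
    wr16(coff + 16, (uint16_t)opt_size);
    wr16(coff + 18, 0x2102);                          /* EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL */
    uint8_t *opt = coff + 20;
    wr16(opt + 0, 0x10b);                             /* IMAGE_NT_OPTIONAL_HDR32_MAGIC */
    wr32(opt + 28, image_base);
    return total;
}

/* Per-target umpnpmgr.dll bases: both values come from the thread, the labels
 * are this example's own. */
struct target { const char *name; uint32_t base; };
static const struct target targets[] = {
    { "W2K SP4 Spanish",         0x76770000u },
    { "W2K SP4 exploit default", 0x767a0000u },
};

/* Turn a module-relative offset (RVA) into the absolute address to use on the
 * named target, or 0 for an unknown target. The RVA (say, of the jmp the
 * exploit returns into) is the caller's; no real gadget offset is claimed. */
uint32_t target_address(const char *name, uint32_t rva)
{
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        if (strcmp(targets[i].name, name) == 0)
            return targets[i].base + rva;
    return 0;
}

/* Round trip on the constructed header plus two rejection cases. 1 = pass. */
int self_test(void)
{
    uint8_t img[512];
    size_t n = make_pe32_header(img, sizeof img, 0x76770000u);
    if (n == 0 || pe32_image_base(img, n) != 0x76770000u)
        return 0;
    if (pe32_image_base(img, 0x50) != 0)              /* truncated before the NT headers */
        return 0;
    wr16(img + 0x40 + 4 + 20, 0x20b);                 /* PE32+ magic must be rejected */
    return pe32_image_base(img, n) == 0;
}

int main(int argc, char **argv)
{
    /* With a DLL path: print its preferred base. Without: use the constructed header. */
    uint8_t img[4096];                                /* headers normally fit in the first page */
    size_t n = 0;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(img, 1, sizeof img, f);
        fclose(f);
    } else {
        n = make_pe32_header(img, sizeof img, 0x76770000u);
    }
    printf("preferred ImageBase: 0x%08x\n", pe32_image_base(img, n));
    const uint32_t rva = 0x1000;                      /* hypothetical gadget offset */
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-24s base 0x%08x -> rva 0x%x at 0x%08x\n", targets[i].name,
               targets[i].base, rva, target_address(targets[i].name, rva));
    return self_test() ? 0 : 1;
}
```

Without ASLR (none on Windows 2000) the loader maps a DLL at its linker-assigned ImageBase unless that range is already taken, so the value read here is what the exploit gets at run time. Each localized build of a system DLL is a separate binary with its own preferred base, which is why an address that works on one language build is only a guess on another; the same check on the real file says so before `services` crashes.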