Message-ID: <430F0CC5.1050301@rs-labs.com>
Date: Fri, 26 Aug 2005 14:36:21 +0200
From: Roman Medina-Heigl Hernandez <roman@...labs.com>
To: Sanjay Rawat <sanjayr@...oto.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: MS05_039 Exploitation (different languages)
Sanjay Rawat wrote:
> I too observed the same thing. I am running a Windows 2K, SP4. I found
> that the base address of UMPNPMGR.DLL is 0x767a0000. However, when I run the
> attack with this address, the target machine got rebooted (a crash).
> This may be because umpnpmgr.dll is a part of "service.exe"; therefore,
> on failure, it reboots. But with the unchanged base address, it worked
> perfectly. So now the same code can be used for DoS also!!!
You are simply crashing the "services" process because EIP is not reaching
the right instructions (e.g. pop;pop;ret) or (depending on the process'
memory layout) it's referencing an invalid address. When Windows detects
the crash, it reboots (since it lacks an important system component).
This is a side effect. Anyway, if you have a shell, why do you want a
simple DoS? :)
In order to clarify:
- my hacked hod's exploit changed the "destination EIP" to match Spanish
systems. So it will NOT work on English systems (call it "DoS"; I prefer
to name it "didn't work" ;-)). And that's why I appended "-spanish" to the
filename.
- for the Metasploit module, I simply added a new "target", so it supports
both English (target 0) and Spanish (target 1). It can be directly
copied to the "exploits" directory of the Metasploit source tree. That's the
reason I didn't change the filename in this case (hdm: feel free to add it
to Metasploit).
Finally, the purpose of my post was not only to add a new target to an
exploit (the ML would quickly be flooded with tons of similar mails if
everybody did it... so please, don't do it, I'm a bad example :-(), but to
bring attention to the base address issue and try to learn from you,
guys :). Indeed, I still have some questions:
- what is the connection between different languages' Windows, if there
is any? (for instance, ad@...ss101.org suggested that "french offsets are
like the deutsch") (btw, I didn't change the offset but the base
address, which is a different thing)
- any more or less accurate list of connections/links in Windows across
different languages? Or perhaps it's something fairly random?
PS: You could write directly to me and I'll summarize the responses
(different base addresses for the exploit are welcome; I don't think
it's appropriate to flood the mailing list with this...).
--
Regards,
-Roman
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/