Message-ID: <Law15-F38Ex93K16McU00001d8f@hotmail.com>
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: Allchin bug p-o-c.


  Here's p-o-c code for the allchin vulnerability.  It allows you to write a 
(fairly) arbitrary DWORD to a (also fairly) arbitrary address in the memory 
space of mqsvc.exe on a remote w2k server.  It should be straightforward 
enough to turn that into any kind of remote shell sploit using the standard 
well known techniques (e.g. overwrite an exception handler) but I haven't 
done so yet.

  Interestingly enough, this works on sp2 but sp4 seems to be immune; I 
haven't tested sp3.  I say 'interesting', because I can't find any reference 
to this bug having been fixed in the lists of bugs fixed in those service 
packs, but it's definitely been whacked in some way by sp4....

   cheers,
       DaveK

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: allchin.cpp
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031007/4c67dfae/allchin-0001.ksh