Message-ID: <Law15-F38Ex93K16McU00001d8f@hotmail.com>
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: Allchin bug p-o-c.

Here's p-o-c code for the allchin vulnerability. It allows you to write a (fairly) arbitrary DWORD to a (also fairly) arbitrary address in the memory space of mqsvc.exe on a remote w2k server. It should be straightforward enough to turn that into any kind of remote shell sploit using the standard well-known techniques (e.g. overwrite an exception handler), but I haven't done so yet.

Interestingly enough, this works on sp2 but sp4 seems to be immune; I haven't tested sp3. I say 'interesting', because I can't find any reference to this bug having been fixed in the lists of bugs fixed in those service packs, but it's definitely been whacked in some way by sp4....

cheers,
DaveK

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: allchin.cpp
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031007/4c67dfae/allchin-0001.ksh