From: brett.moore at security-assessment.com (Brett Moore)
Subject: RE: Re: Bad news on RPC DCOM vulnerability

Yes, the code does work against an unpatched system.

Code execution reaches
77FCC992   mov         dword ptr [edx],ecx
77FCC994   mov         dword ptr [eax+4],ecx
where EDX is the critical address and ECX is the heap offset.

It then reaches
77FCC663   mov         dword ptr [ecx],eax
77FCC665   mov         dword ptr [eax+4],ecx
where ECX is the heap offset and EAX is the jump instruction.

This is what flashsky was referring to in his post about a universal way
to exploit heap overflows.

It's not 100% reliable though, as sometimes execution reaches the second code
segment first, which will cause a crash.
We also saw execution reaching
77D399FD   call        dword ptr [esi+8]
where ESI points into the overflow buffer, but that also causes a crash.

After installing the MS03-039 patch, the exploit code had no effect on our
test system.

Test system is Win2K English SP4 + MS03-039.

It is possible, however, that other versions of Win2K are vulnerable to the
denial of service that has been discussed.

Has anybody confirmed this with details of the vulnerable systems?

Brett



-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Alex
Sent: Monday, October 13, 2003 5:33 PM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] RE: Re: Bad news on RPC DCOM vulnerability
Importance: Low


This code doesn't work without shellcode. The simple version of a "battle"
shellcode can be found here:
http://www.SecurityLab.ru/_exploits/bshell2 (adds user 'a' with pass 'a' to the
administrator group)
You can change this shellcode as you need.
On a system with MS03-039 installed, this code only crashes systems, because the
nature of the new vulnerability is not known.
See more: http://www.securitylab.ru/40757.html

----- Original Message -----
From: Mike Gordon
To: full-disclosure@...ts.netsys.com
Sent: Monday, October 13, 2003 1:41 AM
Subject: [Full-Disclosure] RE: Re: Bad news on RPC DCOM vulnerability


A compiled version is found at http://www.SecurityLab.ru/_exploits/rpc3.zip
But it seems to only crash systems.
Does anyone have a clean compile of the "better code" from
http://www.cyberphreak.ch/sploitz/MS03-039.txt
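The two-store sequences Brett quotes above are the generic doubly-linked free-list unlink. What follows is an added illustration written for this page, not code from the original post, from Windows, or from any of the exploits linked in the thread: it models a free chunk whose Flink/Blink links are overwritten by an overflow from the adjacent buffer and shows how the unlink then becomes a pointer-sized write-what-where, with the second store mirrored into the value being written. The fake heap layout, the "trusted" structure standing in for the critical address, and the 0xCC payload bytes are all constructed for the example.

```c
/* Added example (not from the original post, Windows, or any linked exploit):
 * a simplified model of the free-list unlink behind the two stores quoted
 * above, showing the write-what-where it yields once Flink/Blink are
 * attacker-controlled. All addresses and bytes below are constructed. */
#include <stdint.h>
#include <string.h>

typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

/* Generic doubly-linked list unlink. In 32-bit disassembly the two stores
 * show up as a pair of "mov dword ptr [reg],reg" instructions like the
 * ones quoted: each writes one of the entry's links through the other. */
static void unlink_entry(LIST_ENTRY *e)
{
    LIST_ENTRY *f = e->Flink;
    LIST_ENTRY *b = e->Blink;
    f->Blink = b;   /* store #1: *(Flink + sizeof(void *)) = Blink */
    b->Flink = f;   /* store #2: *(Blink + 0)             = Flink */
}

/* Constructed heap: chunk A (user buffer) is followed by free chunk B,
 * whose first bytes are its free-list links, then room for a payload. */
#define CHUNK_A_SIZE 32
#define CHUNK_B_OFF  CHUNK_A_SIZE
#define PAYLOAD_OFF  (CHUNK_B_OFF + (int)sizeof(LIST_ENTRY) + 16)
static unsigned char heap[256];
static LIST_ENTRY free_head;   /* free-list sentinel */

/* Stands in for the "critical address": a pointer the program trusts and
 * dereferences later. Typed LIST_ENTRY so the example stays well-defined
 * C; the attacker's target is the Blink field. */
static LIST_ENTRY trusted;

static void reset_heap(void)
{
    LIST_ENTRY *b = (LIST_ENTRY *)(heap + CHUNK_B_OFF);
    memset(heap, 0, sizeof heap);
    memset(&trusted, 0, sizeof trusted);
    free_head.Flink = free_head.Blink = b;
    b->Flink = b->Blink = &free_head;
    memset(heap + PAYLOAD_OFF, 0xCC, 16);   /* placeholder payload bytes */
}

/* The bug: a copy into chunk A with no check against CHUNK_A_SIZE. */
static void vulnerable_copy(const unsigned char *src, size_t n)
{
    memcpy(heap, src, n);
}

/* The allocator later takes chunk B off the free list (e.g. on coalesce). */
static void allocator_take_chunk_b(void)
{
    unlink_entry((LIST_ENTRY *)(heap + CHUNK_B_OFF));
}

/* Benign case: a copy that fits leaves the free list consistent. */
int demo_benign(void)
{
    unsigned char in[CHUNK_A_SIZE];
    reset_heap();
    memset(in, 'A', sizeof in);
    vulnerable_copy(in, sizeof in);
    allocator_take_chunk_b();
    return free_head.Flink == &free_head && free_head.Blink == &free_head;
}

uintptr_t payload_address(void) { return (uintptr_t)(heap + PAYLOAD_OFF); }

/* Corrupted case: the overflow rewrites B's links. With Flink = &trusted
 * and Blink = payload, store #1 puts the payload address into
 * trusted.Blink ("where" = Flink->Blink, "what" = Blink). */
uintptr_t demo_corrupted(void)
{
    unsigned char in[CHUNK_A_SIZE + sizeof(LIST_ENTRY)];
    LIST_ENTRY fake;
    reset_heap();
    fake.Flink = &trusted;
    fake.Blink = (LIST_ENTRY *)(heap + PAYLOAD_OFF);
    memset(in, 'A', CHUNK_A_SIZE);
    memcpy(in + CHUNK_A_SIZE, &fake, sizeof fake);
    vulnerable_copy(in, sizeof in);   /* sizeof(LIST_ENTRY) bytes too many */
    allocator_take_chunk_b();
    return (uintptr_t)trusted.Blink;
}

/* Store #2 is mirrored into the "what": the first pointer-sized bytes of
 * the payload now hold the fake Flink, so a real payload must survive that
 * clobber, and the "what" must be writable or the unlink itself faults. */
int payload_was_clobbered(void)
{
    LIST_ENTRY *first;
    memcpy(&first, heap + PAYLOAD_OFF, sizeof first);
    return first == &trusted;
}
```

Call demo_benign() to see the intact list survive an in-bounds copy, then demo_corrupted() followed by payload_was_clobbered() to see both halves of the primitive: the trusted pointer now holds the payload address, and the payload's first pointer-sized bytes were overwritten by the mirrored store. Both stores have to land on writable memory, which is the basic constraint any unlink-based exploit has to satisfy.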

