Message-ID: <KFEMINDBKGBEMHACCJHCKEGADCAA.brett.moore@security-assessment.com>
From: brett.moore at security-assessment.com (Brett Moore)
Subject: RE: Re: Bad news on RPC DCOM vulnerability
Yes, the code does work against an unpatched system..
Code execution reaches
77FCC992 mov dword ptr [edx],ecx
77FCC994 mov dword ptr [eax+4],ecx
where EDX is the critical address and ECX is the heap offset.
It then reaches
77FCC663 mov dword ptr [ecx],eax
77FCC665 mov dword ptr [eax+4],ecx
where ECX is the heap offset and EAX is the jump instruction..
This is what flashsky was referring to in his post about a universal way
to exploit heap overflows..
It's not 100% reliable though, as sometimes execution reaches the second code
segment first, which will cause a crash.
We also saw execution reaching
77D399FD call dword ptr [esi+8]
where ESI points into the overflow buffer, but also causes a crash..
After installing the MS03-039 patch, the exploit code had no effect on our
test system...
Test system is Win2k English SP4+MS03-039..
It is possible however that other versions of Win2K are vulnerable to the
denial of service that has been discussed...
Has anybody confirmed this with details of the vulnerable systems?
Brett
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Alex
Sent: Monday, October 13, 2003 5:33 PM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] RE: Re: Bad news on RPC DCOM vulnerability
Importance: Low
This code doesn't work without shellcode. The simple version of a "battle"
shellcode can be found here:
http://www.SecurityLab.ru/_exploits/bshell2 (add user 'a' with pass 'a' in
administrator group)
You can change this shellcode as you need.
On a system with MS03-039 installed, this code only crashes systems, because the
nature of the new vulnerability is not known.
See more: http://www.securitylab.ru/40757.html
----- Original Message -----
From: Mike Gordon
To: full-disclosure@...ts.netsys.com
Sent: Monday, October 13, 2003 1:41 AM
Subject: [Full-Disclosure] RE: Re: Bad news on RPC DCOM vulnerability
A compiled version is found at http://www.SecurityLab.ru/_exploits/rpc3.zip
But it seems to only crash systems.
Does anyone have a clean compile of the "better code" from
http://www.cyberphreak.ch/sploitz/MS03-039.txt