From: sk3tch at sk3tch.net (sk3tch@...tch.net)
Subject: Windows 2000 Remote Buffer Overflow by class101

Posted here:

http://dfind.kd-team.com/36/55/op.php

"Stack-based overflow, bug discovered by Luigi Auriemma
aluigi.altervista.org
Tested working on Win2K. This public version crashes on any WinXP; read
the code for why.
The exploit binds a shellcode on the victim port 101."

From the code:

"Why Win2k only?
 After some days of debugging on it, I finally figured out how to
exploit this hole; this public overflow method works only on Win2k, using the
JMP EBX from comdlg32.dll from Win2k SP4 English.
Because on WinXP the register EBX points to a NULL address, this is
not exploitable even if you update the JMP EBX; not exploitable VIA THIS WAY on XP, I
mean, OK!

How did I do it then on Win2k?
 I overwrite EIP with a JMP EBX. EBX is a perfect register because it
points directly to my buffer, but the problem is that it points only 4 bytes before EIP, quite
short...
But enough to tell it to jump ~80 bytes higher.
Now I have enough space to adjust my shellcode to ESI and to finally
jump to it...
That's why on WinXP (and maybe others, haven't tested) this doesn't work,
because EBX isn't available.
Not happy? Code yours or get a pvt version ;p

How do I update to Win2k SP1 Dutch, for example?
 Grab a JMP EBX address in comdlg32.dll from this OS and update the
code."
