lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: kf_lists at secnetops.com (kf_lists)
Subject: Windows 2000 Remote Buffer Overflow by class101

What listens on port 2000?
-KF


sk3tch@...tch.net wrote:

>Posted here:
>
>http://dfind.kd-team.com/36/55/op.php
>
>"Stack based overflow, bug discovered by Luigi Auriemma
>aluigi.altervista.org
>Tested working on Win2K, This public version crash on any WinXP, read
>the code why.
>The exploit bind a shellcode on the victim port 101."
>
>>From the code:
>
>"Why Win2k only?
> After some days of debugging on it , I finally figured out how to
>exploit this 
>hole, this public overflow method works only on Win2k, using the 
>JMP EBX from comdlg32.dll from Win2k SP4 english.
>Because on WinXP , the register EBX points to a NULL address, this is
>not exploitable
>even if you update the JMP EBX, not exploitable VIA THIS WAY on XP I
>mean OK!.
>
>How do I did then on Win2k?
> I overwritte EIP with a JMP EBX, EBX is a perfect register because it
>points directly
>to my buffer, but problem, it points 4 bytes only before EIP, quite
>short...
>But enough to say him to jump ~80 bytes higher.
>Now i have enough space to adjust my shellcode to ESI and to finally
>jump to it...
>That's why on WinXP (and maybe others , havent tested) this doesnt works
>because EBX isnt 
>available.
>Not happy? code yours or get a pvt version ;p
>
>How do I update to Win2k SP1 Dutch for example ?
> Grab a JMP EBX address in comdlg32.dll from this OS and update the
>code."
>
> 
>
> 
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>  
>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 101_shixx.cpp
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041022/e71c3f16/101_shixx.ksh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ