Message-ID: <005001c525c5$edf26d00$0200a8c0@box>
From: class101 at gmail.com (class 101)
Subject: 2 nice pop/pop/ret :) (update)
sorry, got a problem copy-pasting.
as I have said, I think we have 2 different versions; mine is
File Version: 0x000500010a280452
Product Version: 0x000500010a280452
File Flags:
File OS: NT WINDOWS32
File Type: DLL
File Subtype: Not currently supported
File Date: 0x0000000000000000
Translation table:
-----------------
0409 04b0
CompanyName: Microsoft Corporation
FileDescription: Windows NT BASE API Client DLL
FileVersion: 5.1.2600.1106 (xpsp1.020828-1920)
InternalName: kernel32
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: kernel32
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.1106
-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
----- Original Message -----
From: "class 101" <class101@...il.com>
To: "Dave Korn" <davek_throwaway@...mail.com>; "Full-Disclosure"
<Full-Disclosure@...ts.grok.org.uk>
Sent: Thursday, March 10, 2005 11:33 PM
Subject: Re: [Full-disclosure] 2 nice pop/pop/ret :) (update)
> > I had the same problem with that universal w2k offset you posted about on
> > 9th Feb (Subject: Nice call to ebx found). I went and looked for it on my
> > W2k Pro Sp2 system at home. It wasn't there :-(
>
> Yep, normal, because if I remember, I have mentioned that it was for w2k
> pro&srv, SP4's series for all languages, but I guess it's not the same for
> sp3-2-1-0
>
> > but the kernel32 one just isn't there:
> >
> > 0:003> u 0x77E7F69E
> > kernel32!BasepShimCacheSearch+0x1d:
> > 77e7f69e c02802 shr byte ptr [eax],0x2
>
> ha shit ;( but looks like we have 2 different versions; the one I have
> tried is:
>
> File Version: 0x000500010a280452
> Product Version: 0x000500010a280452
> File Flags:
> File OS: NT WINDOWS32
> File Type: DLL
> File Subtype: Not currently supported
> File Date: 0x0000000000000000
>
> Translation table:
> -----------------
> 0409 04b0
>
> CompanyName: Microsoft Corporation
>
> -------------------------------------------------------------
> class101
> Jr. Researcher
> Hat-Squad.com
> -------------------------------------------------------------
> ----- Original Message -----
> From: "Dave Korn" <davek_throwaway@...mail.com>
> To: <class101@...-squad.com>; <Full-Disclosure@...ts.grok.org.uk>
> Sent: Thursday, March 10, 2005 8:05 PM
> Subject: RE: [Full-disclosure] 2 nice pop/pop/ret :) (update)
>
>
> > >From: "class 101" Date: Wed, 9 Mar 2005 10:01:57 +0100
> >
> > Hi there class 101!
> >
> > > Here is the result of comparing some huge list of pop/pop/ret of XP SP1,
> > >SP1a, SP2 ENGLISH
> > >
> > >I got 2 universal offsets accross those 3 Os
> > >
> > >SP2 ENGLISH
> > >
> > >0x71ABE325 pop esi - pop - retbis - WS2_32.DLL
> > >0x77E7F69E pop ebx - pop - retbis - RPCRT4.DLL
> > >
> > >SP1a ENGLISH
> > >
> > >0x71ABE325 pop edi - pop - retbis - WS2_32.DLL
> > >0x77E7F69E pop ebx - pop - retbis - KERNEL32.DLL
> > >
> > >SP1 ENGLISH
> > >
> > >0x71ABE325 pop edi - pop - retbis - WS2_32.DLL
> > >0x77E7F69E pop ebx - pop - retbis - KERNEL32.DLL
> > >
> > >
> > >enjoy :)
> >
> >
> > That's interesting: on my sp1 english system, only one of those addresses
> > works. The winsock one is good:
> >
> > 0:003> u 0x71ABE325
> > WS2_32!CopyBlobIndirect+0x71:
> > 71abe325 5f pop edi
> > 71abe326 5e pop esi
> > 71abe327 c20400 ret 0x4
> >
> > but the kernel32 one just isn't there:
> >
> > 0:003> u 0x77E7F69E
> > kernel32!BasepShimCacheSearch+0x1d:
> > 77e7f69e c02802 shr byte ptr [eax],0x2
> > 77e7f6a1 0000 add [eax],al
> > 77e7f6a3 03442414 add eax,[esp+0x14]
> > 77e7f6a7 66833800 cmp word ptr [eax],0x0
> > 77e7f6ab 7415 jz kernel32!BasepShimCacheSearch+0x3d
> > (77e7f6c2)
> > 77e7f6ad 50 push eax
> > 77e7f6ae ff74241c push dword ptr [esp+0x1c]
> >
> > I had the same problem with that universal w2k offset you posted about on
> > 9th Feb (Subject: Nice call to ebx found). I went and looked for it on my
> > W2k Pro Sp2 system at home. It wasn't there :-(
> >
> > What do you suppose could be the reason why we find different results?
> > Hotfixes perhaps? What does the version info look like from _your_ copy of
> > kernel32.dll? Mine says
> >
> > 0:003> lm v mkernel32
> > start end module name
> > 77e60000 77f46000 kernel32 (pdb symbols)
> > C:\symcache\kernel32.pdb\40D1D0C52\kernel32.pdb
> > Loaded symbol image file: C:\WINDOWS\system32\kernel32.dll
> > Image path: C:\WINDOWS\system32\kernel32.dll
> > Image name: kernel32.dll
> > Timestamp: Thu Jun 17 18:58:35 2004 (40D1DBCB)
> > CheckSum: 000EC3A9
> > ImageSize: 000E6000
> > File version: 5.1.2600.1560
> > Product version: 5.1.2600.1560
> > File flags: 0 (Mask 3F)
> > File OS: 40004 NT Win32
> > File type: 2.0 Dll
> > File date: 00000000.00000000
> > Translations: 0409.04b0
> > CompanyName: Microsoft Corporation
> > ProductName: Microsoft® Windows® Operating System
> > InternalName: kernel32
> > OriginalFilename: kernel32
> > ProductVersion: 5.1.2600.1560
> > FileVersion: 5.1.2600.1560 (xpsp2_gdr.040517-1325)
> > FileDescription: Windows NT BASE API Client DLL
> > LegalCopyright: © Microsoft Corporation. All rights reserved.
> >
> >
> > cheers,
> > DaveK
> > --
> > Can't think of a witty .sigline today....
> >
> >
> >
> >
>
>
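The thread's lesson is that a "universal" pop/pop/ret offset is only universal across builds that happen to share the same bytes at that address; 5.1.2600.1106 and 5.1.2600.1560 kernel32.dll clearly do not. The practical check is to scan the bytes of the DLL actually loaded on the target, or at least confirm that the published address decodes as pop/pop/ret there. The following is an added example, not code posted by anyone in the thread: a small x86 scanner that finds pop r32 / pop r32 / ret (or ret imm16, the "retbis" of the lists above) at every byte offset, plus a check for one specific address. The two sample buffers are constructed from the WinDbg byte dumps quoted above (5f 5e c2 04 00 at 0x71ABE325 in ws2_32.dll, and the c0 28 02 ... bytes at 0x77E7F69E in the SP1 kernel32.dll); the filler bytes around the first dump and the base addresses of the buffers are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Register names in the order the one-byte "pop r32" opcodes 0x58..0x5f encode them. */
static const char *const reg_names[8] = {
    "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"
};

typedef struct {
    uint32_t address;  /* virtual address of the first pop */
    int pop1, pop2;    /* register indices (0..7) of the two pops */
    unsigned ret_imm;  /* 0 for a plain ret (c3), else the imm16 of ret imm16 (c2 xx xx) */
} gadget_t;

/* Try to decode pop/pop/ret at buf[i]; on a match fill *g and return 1.
 * Every byte offset is tried on purpose: a gadget need not sit on an
 * instruction boundary of the original code, because execution starts
 * wherever the overwritten handler address points. */
static int match_ppr(const uint8_t *buf, size_t len, size_t i, uint32_t base, gadget_t *g)
{
    if (i + 3 > len) return 0;
    uint8_t p1 = buf[i], p2 = buf[i + 1], r = buf[i + 2];
    if ((p1 & 0xf8) != 0x58 || (p2 & 0xf8) != 0x58) return 0;
    int r1 = p1 & 7, r2 = p2 & 7;
    /* A "pop esp" (0x5c) would move the stack pointer before the ret; skip it. */
    if (r1 == 4 || r2 == 4) return 0;
    unsigned imm;
    if (r == 0xc3) {
        imm = 0;
    } else if (r == 0xc2 && i + 5 <= len) {
        imm = buf[i + 3] | ((unsigned)buf[i + 4] << 8);
    } else {
        return 0;
    }
    g->address = base + (uint32_t)i;
    g->pop1 = r1;
    g->pop2 = r2;
    g->ret_imm = imm;
    return 1;
}

/* Scan a mapped image (or one section of it) whose first byte is at virtual
 * address base. Returns the number of gadgets found; at most max are stored. */
size_t find_ppr(const uint8_t *buf, size_t len, uint32_t base, gadget_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        gadget_t g;
        if (match_ppr(buf, len, i, base, &g)) {
            if (n < max) out[n] = g;
            n++;
        }
    }
    return n;
}

/* Check that one published address really is pop/pop/ret in *your* copy. */
int ppr_at(const uint8_t *buf, size_t len, uint32_t base, uint32_t addr, gadget_t *g)
{
    if (addr < base || addr - base >= len) return 0;
    return match_ppr(buf, len, addr - base, base, g);
}

/* Constructed sample 1: the ws2_32.dll bytes WinDbg showed at 0x71abe325
 * (5f 5e c2 04 00), with assumed filler so the gadget is not at offset 0. */
const uint32_t ws2_base = 0x71abe320u;
const uint8_t ws2_sample[] = {
    0x8b, 0x45, 0x08, 0x33, 0xc9,   /* filler (assumed): mov eax,[ebp+8]; xor ecx,ecx */
    0x5f, 0x5e, 0xc2, 0x04, 0x00,   /* pop edi; pop esi; ret 4   -> 0x71abe325 */
    0x8b, 0xff, 0x55, 0x8b, 0xec    /* filler (assumed): mov edi,edi; push ebp; mov ebp,esp */
};
const size_t ws2_sample_len = sizeof ws2_sample;

/* Constructed sample 2: the kernel32.dll 5.1.2600.1560 bytes WinDbg showed at
 * 0x77e7f69e, where the SP1/SP1a list claimed a pop ebx/pop/ret. */
const uint32_t k32_base = 0x77e7f69eu;
const uint8_t k32_sample[] = {
    0xc0, 0x28, 0x02, 0x00, 0x00, 0x03, 0x44, 0x24, 0x14, 0x66,
    0x83, 0x38, 0x00, 0x74, 0x15, 0x50, 0xff, 0x74, 0x24, 0x1c
};
const size_t k32_sample_len = sizeof k32_sample;

int main(void)
{
    gadget_t found[16], g;
    size_t n = find_ppr(ws2_sample, ws2_sample_len, ws2_base, found, 16);
    for (size_t i = 0; i < n && i < 16; i++) {
        printf("0x%08x pop %s - pop %s - ret", found[i].address,
               reg_names[found[i].pop1], reg_names[found[i].pop2]);
        if (found[i].ret_imm) printf(" 0x%x", found[i].ret_imm);
        putchar('\n');
    }
    printf("0x77e7f69e in this kernel32: %s\n",
           ppr_at(k32_sample, k32_sample_len, k32_base, 0x77e7f69eu, &g)
               ? "pop/pop/ret" : "not a gadget");
    return 0;
}
```

On a real target you would feed find_ppr the bytes of the loaded module (read out of the process, or the file's code section with its image base added) and then run ppr_at on any offset copied from a list like the one above before relying on it; as the exchange shows, the version string from lm v is the first thing to compare when an offset that "should" work does not.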