lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <006801c525c6$fc873980$0200a8c0@box>
From: class101 at gmail.com (class 101)
Subject: Fw: 2 nice pop/pop/ret :) (update)

and the XP SP2 english:

 File Version:    0x000500010a280884
 Product Version: 0x000500010a280884
 File Flags:
 File OS:         NT WINDOWS32
 File Type:       DLL
 File Subtype:    Not currently supported
 File Date:       0x0000000000000000

Translation table:
-----------------
0409 04b0

         CompanyName:  Microsoft Corporation
     FileDescription:  Windows NT BASE API Client DLL
         FileVersion:  5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
        InternalName:  kernel32
      LegalCopyright:  ? Microsoft Corporation. All rights reserved.
    OriginalFilename:  kernel32
         ProductName:  Microsoft? Windows? Operating System
      ProductVersion:  5.1.2600.2180


-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
----- Original Message -----
From: "class 101" <class101@...il.com>
To: "Dave Korn" <davek_throwaway@...mail.com>; "Full-Disclosure"
<Full-Disclosure@...ts.grok.org.uk>
Sent: Friday, March 11, 2005 12:07 AM
Subject: re: [Full-disclosure] 2 nice pop/pop/ret :) (update)


> sorry, got a  problem to copy paste
>
> as I have said I think we have 2 different versions, mine is
>
>   File Version:    0x000500010a280452
>  Product Version: 0x000500010a280452
>  File Flags:
>  File OS:         NT WINDOWS32
>  File Type:       DLL
>  File Subtype:    Not currently supported
>  File Date:       0x0000000000000000
>
> Translation table:
> -----------------
> 0409 04b0
>
>          CompanyName:  Microsoft Corporation
>      FileDescription:  Windows NT BASE API Client DLL
>          FileVersion:  5.1.2600.1106 (xpsp1.020828-1920)
>         InternalName:  kernel32
>       LegalCopyright:  ? Microsoft Corporation. All rights reserved.
>     OriginalFilename:  kernel32
>          ProductName:  Microsoft? Windows? Operating System
>       ProductVersion:  5.1.2600.1106
>
> -------------------------------------------------------------
> class101
> Jr. Researcher
> Hat-Squad.com
> -------------------------------------------------------------
> ----- Original Message -----
> From: "class 101" <class101@...il.com>
> To: "Dave Korn" <davek_throwaway@...mail.com>; "Full-Disclosure"
> <Full-Disclosure@...ts.grok.org.uk>
> Sent: Thursday, March 10, 2005 11:33 PM
> Subject: Re: [Full-disclosure] 2 nice pop/pop/ret :) (update)
>
>
> > > I had the same problem with that universal w2k offset you posted about
> on
> > > 9th Feb (Subject: Nice call to ebx found).  I went and looked for it
on
> my
> > > W2k Pro Sp2 system at home.  It wasn't there :-(
> >
> > Yep normal, because if I remember , I have mentionned that it was for
w2k
> > pro&srv , SP4's series for all langages, but I guess its not the same
for
> > sp3-2-1-0
> >
> > > but the kernel32 one just isn't there:
> > >
> > > 0:003> u 0x77E7F69E
> > > kernel32!BasepShimCacheSearch+0x1d:
> > > 77e7f69e c02802           shr     byte ptr [eax],0x2
> >
> > ha shit ;( but looks like we have 2 different versions, the one where I
> have
> > tried is:
> >
> >  File Version:    0x000500010a280452
> >  Product Version: 0x000500010a280452
> >  File Flags:
> >  File OS:         NT WINDOWS32
> >  File Type:       DLL
> >  File Subtype:    Not currently supported
> >  File Date:       0x0000000000000000
> >
> > Translation table:
> > -----------------
> > 0409 04b0
> >
> >          CompanyName:  Microsoft Corporation
> >
> > -------------------------------------------------------------
> > class101
> > Jr. Researcher
> > Hat-Squad.com
> > -------------------------------------------------------------
> > ----- Original Message -----
> > From: "Dave Korn" <davek_throwaway@...mail.com>
> > To: <class101@...-squad.com>; <Full-Disclosure@...ts.grok.org.uk>
> > Sent: Thursday, March 10, 2005 8:05 PM
> > Subject: RE: [Full-disclosure] 2 nice pop/pop/ret :) (update)
> >
> >
> > > >From: "class 101" Date: Wed, 9 Mar 2005 10:01:57 +0100
> > >
> > >   Hi there class 101!
> > >
> > > >  Here is the result of comparing some huge list of pop/pop/ret of XP
> > SP1,
> > > >SP1a, SP2 ENGLISH
> > > >
> > > >I got 2 universal offsets accross those 3 Os
> > > >
> > > >SP2 ENGLISH
> > > >
> > > >0x71ABE325 pop esi - pop - retbis - WS2_32.DLL
> > > >0x77E7F69E pop ebx - pop - retbis - RPCRT4.DLL
> > > >
> > > >SP1a ENGLISH
> > > >
> > > >0x71ABE325 pop edi - pop - retbis - WS2_32.DLL
> > > >0x77E7F69E pop ebx - pop - retbis  - KERNEL32.DLL
> > > >
> > > >SP1 ENGLISH
> > > >
> > > >0x71ABE325 pop edi - pop - retbis - WS2_32.DLL
> > > >0x77E7F69E pop ebx - pop - retbis - KERNEL32.DLL
> > > >
> > > >
> > > >enjoy :)
> > >
> > >
> > >   That's interesting:  on my sp1 english system, only one of those
> > addresses
> > > works.  The winsock one is good:
> > >
> > > 0:003> u 0x71ABE325
> > > WS2_32!CopyBlobIndirect+0x71:
> > > 71abe325 5f               pop     edi
> > > 71abe326 5e               pop     esi
> > > 71abe327 c20400           ret     0x4
> > >
> > > but the kernel32 one just isn't there:
> > >
> > > 0:003> u 0x77E7F69E
> > > kernel32!BasepShimCacheSearch+0x1d:
> > > 77e7f69e c02802           shr     byte ptr [eax],0x2
> > > 77e7f6a1 0000             add     [eax],al
> > > 77e7f6a3 03442414         add     eax,[esp+0x14]
> > > 77e7f6a7 66833800         cmp     word ptr [eax],0x0
> > > 77e7f6ab 7415             jz    kernel32!BasepShimCacheSearch+0x3d
> > > (77e7f6c2)
> > > 77e7f6ad 50               push    eax
> > > 77e7f6ae ff74241c         push    dword ptr [esp+0x1c]
> > >
> > >   I had the same problem with that universal w2k offset you posted
about
> > on
> > > 9th Feb (Subject: Nice call to ebx found).  I went and looked for it
on
> my
> > > W2k Pro Sp2 system at home.  It wasn't there :-(
> > >
> > >   What do you suppose could be the reason why we find different
results?
> > > Hotfixes perhaps?  How does the version info look like from _your_
copy
> of
> > > kernel32.dll?  Mine says
> > >
> > > 0:003> lm v mkernel32
> > > start    end        module name
> > > 77e60000 77f46000   kernel32   (pdb symbols)
> > > C:\symcache\kernel32.pdb\40D1D0C52\kernel32.pdb
> > >     Loaded symbol image file: C:\WINDOWS\system32\kernel32.dll
> > >     Image path: C:\WINDOWS\system32\kernel32.dll
> > >     Image name: kernel32.dll
> > >     Timestamp:        Thu Jun 17 18:58:35 2004 (40D1DBCB)
> > >     CheckSum:         000EC3A9
> > >     ImageSize:        000E6000
> > >     File version:     5.1.2600.1560
> > >     Product version:  5.1.2600.1560
> > >     File flags:       0 (Mask 3F)
> > >     File OS:          40004 NT Win32
> > >     File type:        2.0 Dll
> > >     File date:        00000000.00000000
> > >     Translations:     0409.04b0
> > >     CompanyName:      Microsoft Corporation
> > >     ProductName:      Microsoft? Windows? Operating System
> > >     InternalName:     kernel32
> > >     OriginalFilename: kernel32
> > >     ProductVersion:   5.1.2600.1560
> > >     FileVersion:      5.1.2600.1560 (xpsp2_gdr.040517-1325)
> > >     FileDescription:  Windows NT BASE API Client DLL
> > >     LegalCopyright:   ? Microsoft Corporation. All rights reserved.
> > >
> > >
> > >     cheers,
> > >       DaveK
> > > --
> > > Can't think of a witty .sigline today....
> > >
> > >
> > >
> > >
> >
> >
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ