| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <430DF3AB.8050001@rs-labs.com>
Date: Thu Aug 25 17:38:19 2005
From: roman at rs-labs.com (Roman Medina-Heigl Hernandez)
Subject: MS05_039 Exploitation (different languages)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I tested existing exploits for PnP bug on my W2k SP4 machine (Spanish)
and they didn't work ("services" process is crashing but I got no
shell). So I did a quick review with Olly and I realized that
umpnpmgr.dll is being loaded at a different base address. In Spanish
systems this base address is 0x76770000 but current exploits are
assumming (I guess) 0x767a0000. Then I did a quick hack to HOD's exploit
and it worked perfectly. I also modified Metasploit's module and
included a target for Spanish systems. I've attached resulting exploits
(they are trivial, though).
Is it usual that Windows DLLs have different base address across same
Windows/SP versions (but different languages)?
- --
Cheers,
- -Roman
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
iD8DBQFDDfOr5H+KferVZ0IRAiZKAKDJ0A1RT+iyFcJipN3k56YEmzctqACePS5e
aUJNlnMEsftew1Yn993iGJY=
=XE3r
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ms05_039_spanish.tgz
Type: application/x-gtar
Size: 7339 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050825/8fb190d9/ms05_039_spanish.gtar
Powered by blists - more mailing lists