| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri Aug 26 13:38:58 2005 From: roman at rs-labs.com (Roman Medina-Heigl Hernandez) Subject: Re: MS05_039 Exploitation (different languages) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sanjay Rawat wrote: > I too observed the same thing. i am running a windows 2K, SP4. i found > that base address of UMPNPMGR.DLL is 0x767a0000. however, when i run the > attack with this address, the target machine got rebooted (a crash). > this may be, because umpnpmgr.dll is a part of "service.exe", therefore, > on failure, it reboots. but with the unchanged base address, it worked > perfectly. so now the same code can be used for DoS also!!! You are simply crashing "services" proccess because EIP is not reaching the right instructions (eg: pop;pop;ret) or (depending on process' memory layout) it's referencing an invalid address. When Windows detects the crash, it reboots (since it lacks an important system component). This is a side effect. Anyway, if you have a shell, why do you want a simple DoS? :) In order to clarify: - - my hacked hod's exploit changed "destination EIP" to match Spanish systems. So it will NOT work on English systems (call it "DoS"; I prefer to name it "didn't work" ;-)). And that's why appended "-spanish" to filename. - - for Metasploit module, I simply added a new "target", so it supports both English (target 0) and Spanish (target 1). It can be directly copied to "exploits" directory on Metasploit source-tree. That's the reason I didn't change filename in this case (hdm: feel free to add it to Metasploit). Finally, the purpose of my post was not only to add a new target to an exploit (ml would be fastly flooded with tons of similar mails, if every people did it... so please, don't do it, I'm a bad example :-(), but to bring attention over the base address issue and try to learn from you, guys :). Indeed, I still have some questions: - - which is the connection between different languages' Windows, if there is any? (for instance, ad@...ss101.org suggested that "french offets are like the deutsch") (btw, I didn't change the offset but the base address, which is a different thing) - - any more or less accurate list of connections/links in Windows across different languages? Or perhaps it's something fairly random? PS: You could write directly to me and I'll summarize responses (different base addresses for the exploit are welcome; I don't think it's appropiate to flood the mailing-list with this...). - -- Regards, - -Roman PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFDDwzF5H+KferVZ0IRAu65AKCQC9nsb1VjzmooamBTWKZeEUS7sgCgjTwe BAz1iweHkMIgPq0pQaCW99s= =4fg1 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists