lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <430F0CC5.1050301@rs-labs.com>
Date: Fri Aug 26 13:38:58 2005
From: roman at rs-labs.com (Roman Medina-Heigl Hernandez)
Subject: Re: MS05_039 Exploitation (different languages)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sanjay Rawat wrote:
> I too observed the same thing. i am running a windows 2K, SP4. i found
> that base address of UMPNPMGR.DLL is 0x767a0000. however, when i run the
> attack with this address, the target machine got rebooted (a crash).
> this may be, because umpnpmgr.dll is a part of "service.exe", therefore,
> on failure, it reboots. but with the unchanged base address, it worked
> perfectly. so now the same code can be used for DoS also!!!

You are simply crashing "services" proccess because EIP is not reaching
the right instructions (eg: pop;pop;ret) or (depending on process'
memory layout) it's referencing an invalid address. When Windows detects
the crash, it reboots (since it lacks an important system component).
This is a side effect. Anyway, if you have a shell, why do you want a
simple DoS? :)

In order to clarify:
- - my hacked hod's exploit changed "destination EIP" to match Spanish
systems. So it will NOT work on English systems (call it "DoS"; I prefer
to name it "didn't work" ;-)). And that's why appended "-spanish" to
filename.
- - for Metasploit module, I simply added a new "target", so it supports
both English (target 0) and Spanish (target 1). It can be directly
copied to "exploits" directory on Metasploit source-tree. That's the
reason I didn't change filename in this case (hdm: feel free to add it
to Metasploit).

Finally, the purpose of my post was not only to add a new target to an
exploit (ml would be fastly flooded with tons of similar mails, if every
people did it... so please, don't do it, I'm a bad example :-(), but to
bring attention over the base address issue and try to learn from you,
guys :). Indeed, I still have some questions:
- - which is the connection between different languages' Windows, if there
is any? (for instance, ad@...ss101.org suggested that "french offets are
like the deutsch") (btw, I didn't change the offset but the base
address, which is a different thing)
- - any more or less accurate list of connections/links in Windows across
different languages? Or perhaps it's something fairly random?

PS: You could write directly to me and I'll summarize responses
(different base addresses for the exploit are welcome; I don't think
it's appropiate to flood the mailing-list with this...).

- --

Regards,
- -Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFDDwzF5H+KferVZ0IRAu65AKCQC9nsb1VjzmooamBTWKZeEUS7sgCgjTwe
BAz1iweHkMIgPq0pQaCW99s=
=4fg1
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ