Message-ID: <1149851166.20060114145602@blad3.ro>
Date: Sat Jan 14 12:56:18 2006
From: fd at blad3.ro (blad3)
Subject: Steve Gibson smokes crack?
Hello Georgi,
Saturday, January 14, 2006, 1:26:36 PM, you wrote:
> On Fri, Jan 13, 2006 at 05:55:17PM -0500, eric williams wrote:
>> however, the question is I gather flowing from the Gibson commentary,
>> how or what exactly causes WINE to execute the code pointed at by the
>> SetAbortProc record? Is it the "incorrect record length" is it some
>> other munged input, is it "by design" which has also been alluded to,
>> and seems to be your reference here.
>>
> http://www.grc.com/sn/SN-022.htm
> ----
> So what I found was that, when I deliberately lied about the size of this
> record and set the size to one and no other value, and I gave this particular
> byte sequence that makes no sense for a metafile, then Windows created a
> thread and jumped into my code, began executing my code.
> ...
> It turns out that the only way to get Windows to misbehave in this bizarre
> fashion is to set the length to one, which is an impossible value. I tried
> setting it to zero. It didn't trigger the exploit. I tried setting it to two,
> no effect. Three, no effect. Nothing, not even the correct length. Only one.
The claim about the length is not true.
http://it.slashdot.org/comments.pl?sid=173878&cid=14466008
Btw, somebody else in this thread already proved that.
> using invalid values to exploit a "design flaw" is "strange" at least.
> can someone comment if the claim about the length is true?
--
Best regards,
blad3 mailto:fd@...d3.ro
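Since the thread turns on whether a SetAbortProc record only "works" with a declared length of one, here is an added scanner (example code, not from this thread, Gibson's article or any tool mentioned in it) that walks a WMF record stream and flags every SetAbortProc escape (META_ESCAPE 0x0626 carrying escape sub-function 9) no matter what the record's Size field says, reporting the declared length separately so a malformed one can be noted without being the deciding factor. The record layout and constants follow the WMF format; the sample files are constructed inline with inert zero-byte payloads.

```python
import struct

META_EOF, META_ESCAPE, SETABORTPROC = 0x0000, 0x0626, 0x0009  # WMF record/escape ids
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header

def scan_wmf(data: bytes) -> list:
    """Report every SetAbortProc escape; the declared Size is recorded, not trusted."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    off += struct.unpack_from("<H", data, off + 2)[0] * 2  # HeaderSize in words, normally 9
    findings = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # Size (words), Function
        if func == META_EOF:
            break
        step = size_words * 2
        if func == META_ESCAPE and off + 10 <= len(data):
            esc, nbytes = struct.unpack_from("<HH", data, off + 6)  # EscapeFunction, ByteCount
            if esc == SETABORTPROC:
                findings.append({"offset": off, "size_words": size_words,
                                 "malformed": size_words != (10 + nbytes + 1) // 2})
            step = 10 + nbytes  # advance by the escape's own byte count, not the Size field
        off += max(step, 6)     # Size < 3 words cannot even cover the record header
    return findings

def escape_record(esc: int, payload: bytes, size_words: int = None) -> bytes:
    """Build a META_ESCAPE record; size_words overrides the true Size field."""
    body = struct.pack("<HH", esc, len(payload)) + payload
    size_words = (6 + len(body) + 1) // 2 if size_words is None else size_words
    return struct.pack("<IH", size_words, META_ESCAPE) + body

def build_wmf(records: list) -> bytes:
    """Wrap records in a minimal 18-byte standard WMF header plus META_EOF."""
    body = b"".join(records) + struct.pack("<IH", 3, META_EOF)
    max_words = max([len(r) // 2 for r in records] + [3])
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return hdr + body

# Constructed samples: the escape payload is inert zero bytes, not code.
PAYLOAD = b"\x00" * 8
LENGTH_ONE = build_wmf([escape_record(SETABORTPROC, PAYLOAD, size_words=1)])  # Gibson's case
TRUE_LENGTH = build_wmf([escape_record(SETABORTPROC, PAYLOAD)])              # correct Size
BENIGN = build_wmf([struct.pack("<IH", 5, 0x0201) + b"\x00" * 4])             # META_SETBKCOLOR

if __name__ == "__main__":
    for name, blob in [("size=1", LENGTH_ONE), ("true size", TRUE_LENGTH), ("benign", BENIGN)]:
        print(name, scan_wmf(blob))
```

Both the length-one file and the correctly sized file are flagged, which is the point: a detector keyed on the escape itself does not depend on the length claim one way or the other.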