lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BAY129-F223FDA96A04571552530DBBE610@phx.gbl>
Date: Sun, 01 Apr 2007 21:21:43 +0000
From: "dev code" <devcode29@...mail.com>
To: cslyon@...il.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow

Just wanted to post that using a ret2libc attack works as shown in the video 
here:

http://www.zippyvideos.com/5991194746836606/ani-xp-sp2/


>From: "Chris Lyon" <cslyon@...il.com>
>To: full-disclosure@...ts.grok.org.uk
>Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
>Date: Sun, 1 Apr 2007 09:24:51 -0700
>
>On 4/1/07, wac <waldoalvarez00@...il.com> wrote:
>>
>>
>>
>>On 4/1/07, Larry Seltzer <Larry@...ryseltzer.com> wrote:
>> >
>> > >>The issue is that this only works with DEP turned off!
>> >
>> > Interesting point. I haven't seen this mentioned anywhere, including 
>>the
>> > Microsoft advisory
>> > ( http://www.microsoft.com/technet/security/advisory/935423.mspx).
>> >
>> > Has anyone actually tested this with DEP on/off to be sure?
>>
>>
>Did you guys see this from the CISRT.
>
>http://www.cisrt.org/enblog/read.php?68
>
>
>Yes, winhex uses the function when you open the .ani and I don't have it
>>running with DEP turned on and the same goes for firefox that also leaves
>>the file openend when I openen  web link dev sent me (already tested 
>>winhex
>>with the address of exitprocess that btw seems to float around from system
>>to system since the version dev sent me does not works for me and it works
>>like a charm when I built it). I was talking with dev code about DEP
>>bypassing btw, we think that is possible to exploit even with >> DEP ON 
>><<.
>>Just ideas for now.
>>
>>Larry Seltzer
>> > eWEEK.com Security Center Editor
>> > http://security.eweek.com/
>> > http://blog.eweek.com/blogs/larry_seltzer/
>> > Contributing Editor, PC Magazine
>> > larryseltzer@...fdavis.com
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>>
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
>>


>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________
The average US Credit Score is 675. The cost to see yours: $0 by Experian. 
http://www.freecreditreport.com/pm/default.aspx?sc=660600&bcd=EMAILFOOTERAVERAGE

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ