Dailydave mailing list archives

Re: Strcpy


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 10 Aug 2006 13:36:50 -0500

There are (at least) three ways to exploit MS06-040:

1) Start path with \\ (unicode) and trigger plain stack overflow
2) Start path without \\ and trigger stack overflow elsewhere
3) Start path without \\ and trigger a wcscpy() call that writes our 
shellcode into a location and then returns using a corrupted address.

Case 1 and 2 work fine for NT 4.0 -> XP SP1/2003 SP0. Case 3 is much more 
reliable, since you tell it where to put your shellcode and then ask it 
to return to where it put it. This is what most (all?) of the exploit 
frameworks are using. The problem with XP SP2/2003 SP1 is that the 
modules were compiled with /GS, which blocks the return address part. The 
wcscpy() call (should) allow you to overwrite any writable memory area 
with your choice of data. If you can find a pointer in memory (say, 
ws2_32 .data, the VEH, etc) and overwrite this, you can probably get code 
execution on these platforms.

If you are developing an IDS/IPS signature, you should crack open IDA Pro 
and look for Xrefs to NetpIsRemote() in netapi32.dll. Most of the 
functions starting with I_* are accessible via the SRVSVC/WKSSVC RPC 
interfaces. Anyone checking for 4b324fc8-1670-01d3-1278-5a47bf6ee188 and 
function 0x1F is going to get made fun of once I get some free.

The Metasploit module is broken in its current form -- it happened to work 
great on all of my VMs and not at all on everyone else's. This should be 
addressed in the near future...

-HD

On Thursday 10 August 2006 11:55, Danett song wrote:
I don't have any idea what you are speaking about... the title
says strcpy(), in the body you say wcscpy() and a new
way to worms, a technique to bypass most new Windows
protection... what is this? a new method of
exploitation? or a specific vulnerability? some link?
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
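As an added illustration of the bug class HD describes above (a fixed-size wide-character stack buffer filled by an unbounded wcscpy(), and why a /GS cookie blocks the return-address part of case 3 but not writes to other memory), here is a hypothetical C model. It is not netapi32 code and not part of the original post: the buffer size, cookie value, return-address sentinel and sample paths are all assumed, and the "stack frame" is a struct so the overflow stays inside one C object instead of invoking undefined behaviour.

```c
/* Hypothetical model (not netapi32 code) of a wide-char stack buffer filled
 * by an unbounded wcscpy(), with a /GS-style cookie sitting between the
 * buffer and the saved return address, beside a length-checked replacement. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define PATH_BUF_WCHARS 16            /* assumed size of the local path buffer */
#define STACK_COOKIE    0xBB40E64Eu   /* assumed per-process /GS cookie value */
#define SAVED_RET       0x77E1A000u   /* sentinel standing in for the return address */

/* Layout mirrors a /GS frame: locals, then cookie, then saved EBP and EIP. */
struct frame {
    wchar_t  path[PATH_BUF_WCHARS];   /* local buffer receiving the caller's path */
    uint32_t cookie;                  /* security cookie checked in the epilogue */
    uint32_t saved_ebp;
    uint32_t saved_ret;               /* what case 3's overwrite is aiming for */
};

void frame_init(struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->cookie    = STACK_COOKIE;
    f->saved_ebp = 0x0012FF80u;       /* arbitrary sentinel */
    f->saved_ret = SAVED_RET;
}

/* Unbounded copy, as wcscpy() does: src plus its terminator, no length check.
 * Anything past the buffer lands on the cookie, saved EBP and return address.
 * Capped at the struct size only to keep the model within defined behaviour;
 * a real stack keeps going. Returns the number of wchar_t written. */
size_t vulnerable_copy(struct frame *f, const wchar_t *src)
{
    size_t n    = wcslen(src) + 1;    /* include the terminator */
    size_t room = (sizeof *f - offsetof(struct frame, path)) / sizeof(wchar_t);
    if (n > room)
        n = room;
    memcpy((unsigned char *)f + offsetof(struct frame, path), src, n * sizeof(wchar_t));
    return n;
}

/* Hardened form: reject anything that does not fit (terminator included),
 * then copy. Returns 0 on success, -1 if rejected; the frame is untouched. */
int bounded_copy(struct frame *f, const wchar_t *src)
{
    size_t n = wcslen(src);
    if (n >= PATH_BUF_WCHARS)
        return -1;
    wmemcpy(f->path, src, n + 1);
    return 0;
}

/* The /GS epilogue check: 1 if the cookie is intact and the function may
 * return, 0 if it would call __report_gsfailure instead of using the
 * (possibly corrupted) saved return address. Note it only guards this
 * frame's return; a pointer overwritten elsewhere in memory is not covered. */
int gs_check(const struct frame *f)
{
    return f->cookie == STACK_COOKIE;
}

int return_address_corrupted(const struct frame *f)
{
    return f->saved_ret != SAVED_RET;
}

/* Worked scenarios on constructed input; each returns 1 when the described
 * outcome is observed. */
int short_path_returns_cleanly(void)
{
    struct frame f;
    frame_init(&f);
    if (bounded_copy(&f, L"\\\\server\\share") != 0)
        return 0;
    return gs_check(&f) && !return_address_corrupted(&f);
}

int long_path_smashes_frame(void)
{
    struct frame f;
    wchar_t longpath[41];             /* 40 x L'A', longer than the buffer */
    wmemset(longpath, L'A', 40);
    longpath[40] = L'\0';
    frame_init(&f);
    vulnerable_copy(&f, longpath);
    return !gs_check(&f) && return_address_corrupted(&f);
}

int long_path_rejected_by_bounded_copy(void)
{
    struct frame f;
    wchar_t longpath[41];
    wmemset(longpath, L'A', 40);
    longpath[40] = L'\0';
    frame_init(&f);
    return bounded_copy(&f, longpath) == -1 && gs_check(&f) && !return_address_corrupted(&f);
}

int main(void)
{
    printf("short path returns cleanly:        %d\n", short_path_returns_cleanly());
    printf("long path smashes cookie and ret:  %d\n", long_path_smashes_frame());
    printf("long path rejected by bounded copy: %d\n", long_path_rejected_by_bounded_copy());
    return 0;
}
```

The point of the model is the ordering: the unbounded copy corrupts the cookie before it reaches the saved return address, so a /GS-compiled function detects the smash at return time, which is exactly why the return-to-shellcode variant stops working on XP SP2/2003 SP1 while the copy itself still happens.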