Dailydave mailing list archives
Re: Strcpy
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 10 Aug 2006 13:36:50 -0500
There are (at least) three ways to exploit MS06-040:

1) Start path with \\ (unicode) and trigger plain stack overflow
2) Start path without \\ and trigger stack overflow elsewhere
3) Start path without \\ and trigger a wcscpy() call that writes our shellcode into a location and then returns using a corrupted address.

Case 1 and 2 work fine for NT 4.0 -> XP SP1/2003 SP0. Case 3 is much more reliable, since you tell it where to put your shellcode and then ask it to return to where it put it. This is what most (all?) of the exploit frameworks are using.

The problem with XP SP2/2003 SP1 is that the modules were compiled with /GS, which blocks the return address part. The wcscpy() call (should) allow you to overwrite any writable memory area with your choice of data. If you can find a pointer in memory (say, ws2_32 .data, the VEH, etc) and overwrite this, you can probably get code execution on these platforms.

If you are developing an IDS/IPS signature, you should crack open IDA Pro and look for Xrefs to NetpIsRemote() in netapi32.dll. Most of the functions starting with I_* are accessible via the SRVSVC/WKSSVC RPC interfaces. Anyone checking for 4b324fc8-1670-01d3-1278-5a47bf6ee188 and function 0x1F is going to get made fun of once I get some free time.

The Metasploit module is broken in its current form -- it happened to work great on all of my VMs and not at all on everyone else's. This should be addressed in the near future...

-HD

On Thursday 10 August 2006 11:55, Danett song wrote:
I don't have any idea what you are speaking about... the title says strcpy(), in the body you say wcscpy() and a new way to worms, a technique to bypass most new Windows protections... what is this? A new method of exploitation? Or a specific vulnerability? Some link?
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
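As an added illustration of the signature point in the post above (example code written for this page, not HD Moore's, Metasploit's or any IDS vendor's): a small DCERPC monitor that records which connections bound the SRVSVC UUID quoted in the post and then flags over-long NDR wide strings in requests on any opnum, instead of keying on opnum 0x1F alone. The NDR stub layout assumed here (a unique-pointer referent followed by a conformant-varying UTF-16 string), the 260-character threshold, the connection tuple and the sample opnums are all constructed assumptions; the post does not state which lengths or opnums matter.

```python
import struct
import uuid

# SRVSVC interface UUID as quoted in the post; NDR transfer syntax is standard.
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
NDR32_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_REQUEST = 0
PTYPE_BIND = 11

# Assumption (constructed threshold): a server path longer than this is suspicious.
MAX_PATH_CHARS = 260


def parse_header(pdu):
    """Parse the 16-byte DCERPC common header (little-endian drep assumed)."""
    if len(pdu) < 16:
        raise ValueError("short PDU")
    _ver, _minor, ptype, flags, _drep, frag_len, _auth_len, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    return {"ptype": ptype, "flags": flags, "frag_len": frag_len, "call_id": call_id}


def parse_bind_uuids(pdu):
    """Return the abstract-syntax UUIDs listed in a bind PDU's context list."""
    # bind body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(1) pad(2)
    n_ctx = pdu[24]
    off = 28
    uuids = []
    for _ in range(n_ctx):
        # ctx_id(2) n_transfer(1) pad(1) abstract uuid(16) version(4), then 20 bytes per transfer syntax
        n_transfer = pdu[off + 2]
        uuids.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 24 + 20 * n_transfer
    return uuids


def parse_request(pdu):
    """Return (opnum, stub bytes) from a request PDU."""
    hdr = parse_header(pdu)
    # request body: alloc_hint(4) ctx_id(2) opnum(2) [object uuid(16) if PFC_OBJECT_UUID]
    _alloc_hint, _ctx_id, opnum = struct.unpack_from("<IHH", pdu, 16)
    off = 24 + (16 if hdr["flags"] & 0x80 else 0)
    return opnum, pdu[off:hdr["frag_len"]]


def find_ndr_wstrings(stub):
    """Heuristically locate NDR conformant-varying wide strings anywhere in stub data.

    Layout: max_count(4) offset(4) actual_count(4) followed by actual_count UTF-16LE
    code units, the last of which is the terminating NUL. Scans at 4-byte alignment.
    """
    found = []
    pos = 0
    while pos + 12 <= len(stub):
        max_count, offset, actual = struct.unpack_from("<III", stub, pos)
        end = pos + 12 + actual * 2
        if (offset == 0 and 0 < actual <= max_count and actual <= 0x10000
                and end <= len(stub) and stub[end - 2:end] == b"\x00\x00"):
            found.append(stub[pos + 12:end - 2].decode("utf-16-le", errors="replace"))
            pos = (end + 3) & ~3  # skip past the string, keep NDR alignment
        else:
            pos += 4
    return found


class SrvsvcPathMonitor:
    """Tracks which connections bound SRVSVC and flags over-long wide strings on ANY opnum."""

    def __init__(self, max_chars=MAX_PATH_CHARS):
        self.max_chars = max_chars
        self.bound = set()  # connection keys that bound the SRVSVC interface

    def feed(self, conn, pdu):
        """Process one PDU seen on connection `conn`; return a list of alert strings."""
        hdr = parse_header(pdu)
        if hdr["ptype"] == PTYPE_BIND:
            if SRVSVC_UUID in parse_bind_uuids(pdu):
                self.bound.add(conn)
            return []
        if hdr["ptype"] != PTYPE_REQUEST or conn not in self.bound:
            return []
        opnum, stub = parse_request(pdu)
        return [f"conn={conn} srvsvc opnum=0x{opnum:02x} wide string of {len(s)} chars (limit {self.max_chars})"
                for s in find_ndr_wstrings(stub) if len(s) > self.max_chars]


# --- constructed sample PDUs so the monitor can be exercised offline ---

def _header(ptype, call_id, body):
    # version 5.0, flags FIRST|LAST, drep little-endian/ASCII, no auth trailer
    return struct.pack("<BBBBIHHI", 5, 0, ptype, 0x03, 0x10, 16 + len(body), 0, call_id) + body


def build_bind(call_id, abstract):
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)
    body += struct.pack("<HBB", 0, 1, 0) + abstract.bytes_le + struct.pack("<I", 3)
    body += NDR32_UUID.bytes_le + struct.pack("<I", 2)
    return _header(PTYPE_BIND, call_id, body)


def ndr_wstring(s):
    units = s.encode("utf-16-le") + b"\x00\x00"
    n = len(units) // 2
    data = struct.pack("<III", n, 0, n) + units
    return data + b"\x00" * ((-len(data)) % 4)


def build_request(call_id, opnum, path):
    # Assumed stub shape: unique-pointer referent id, then the path as a wide string.
    stub = struct.pack("<I", 0x20000) + ndr_wstring(path)
    return _header(PTYPE_REQUEST, call_id, struct.pack("<IHH", len(stub), 0, opnum) + stub)


def demo():
    mon = SrvsvcPathMonitor()
    conn = ("10.0.0.5", 49152, "10.0.0.9", 445)  # constructed 4-tuple
    mon.feed(conn, build_bind(1, SRVSVC_UUID))
    benign = mon.feed(conn, build_request(2, 0x1F, "\\\\server\\share"))
    # 0x10 is an arbitrary sample opnum, chosen only to show the check is opnum-independent
    alerts = mon.feed(conn, build_request(3, 0x10, "\\\\" + "A" * 600))
    return benign, alerts


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The monitor deliberately ignores the opnum when deciding whether to alert; it is a length heuristic over every SRVSVC request, which is the shape of check the post implies is needed once several I_* entry points reach the same code. It does not reassemble fragmented PDUs or handle authenticated (auth_len != 0) traffic.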
Current thread:
- Strcpy Dave Aitel (Aug 10)
- Re: Strcpy Halvar Flake (Aug 10)
- Re: Strcpy Halvar Flake (Aug 10)
- Re: Strcpy Danett song (Aug 10)
- Re: Strcpy Dave Korn (Aug 10)
- Re: Strcpy H D Moore (Aug 10)
- Re: Strcpy H D Moore (Aug 10)
- Re: Strcpy (RPC exploits, IE exploits and more) Danett song (Aug 10)
- Re: Strcpy (RPC exploits, IE exploits and more) Alexander Sotirov (Aug 10)
- Re: Strcpy (RPC exploits, IE exploits and more) Danett song (Aug 15)