Dailydave mailing list archives
Re: Strcpy (RPC exploits, IE exploits and more)
From: Danett song <danett18 () yahoo com br>
Date: Thu, 10 Aug 2006 19:26:51 -0300 (ART)
Hi HD Moore and all guys,

Well, sorry for hijacking this thread :)

1) Thank you for the reply. I looked for this MS06-040 in SecuriTeam and FrSIRT but only found non-technical advisories like the Microsoft one, which doesn't provide technical details of the vulnerability. Where do you usually look for technical advisories (for example for MS06-040, MS06-021, MS06-047, MS06-046, MS06-044)?

2) I saw that this flaw appears to be from a 0day that a CERT caught in NetpIsRemote(), but this doesn't have any documentation in MSDN. Where do you usually look for the prototypes of these undocumented functions?

3) I noted that recently many exploits attacked Windows RPC. Can someone suggest me a great paper explaining the basics of how this communication works and how to create a program (in C, Perl or Python) to connect to it (I would like to learn how to exploit it too :))?

4) I have seen that H D Moore and other researchers have found many vulnerabilities in Internet Explorer. How do you list all ActiveX controls that a machine has and that can be instantiated by HTML code? Also, how do you list all the functions and prototypes of a given ActiveX component (that is a DLL)?

Well, maybe other users have the same doubts, so maybe it can be an interesting thread.

Thank you and sorry for the n00b questions.

--- H D Moore <hdm-daily-dave () digitaloffense net> wrote:
There are (at least) three ways to exploit MS06-040:

1) Start path with \\ (unicode) and trigger plain stack overflow
2) Start path without \\ and trigger stack overflow elsewhere
3) Start path without \\ and trigger a wcscpy() call that writes our shellcode into a location and then returns using a corrupted address.

Case 1 and 2 work fine for NT 4.0 -> XP SP1/2003 SP0. Case 3 is much more reliable, since you tell it where to put your shellcode and then ask it to return to where it put it. This is what most (all?) of the exploit frameworks are using.

The problem with XP SP2/2003 SP1 is that the modules were compiled with /GS, which blocks the return address part. The wcscpy() call (should) allow you to overwrite any writable memory area with your choice of data. If you can find a pointer in memory (say, ws2_32 .data, the VEH, etc) and overwrite this, you can probably get code execution on these platforms.

If you are developing an IDS/IPS signature, you should crack open IDA Pro and look for Xrefs to NetpIsRemote() in netapi32.dll. Most of the functions starting with I_* are accessible via the SRVSVC/WKSSVC RPC interfaces. Anyone checking for 4b324fc8-1670-01d3-1278-5a47bf6ee188 and function 0x1F is going to get made fun of once I get some free.

The Metasploit module is broken in its current form -- it happened to work great on all of my VMs and not at all on everyone else's. This should be addressed in the near future...

-HD

On Thursday 10 August 2006 11:55, Danett song wrote:
I don't have any idea what you are talking about... the title says strcpy(), in the body you say wcscpy() and a new way to worms, a technique to bypass most new Windows protection... what is this? A new method of exploitation? Or a specific vulnerability? Some link?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
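Added example, not from the thread or from any of its participants: a small Python parser for the DCE/RPC (connection-oriented, version 5) bind and request headers, used to show exactly what a signature keyed on the SRVSVC interface UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188 plus opnum 0x1F, the check HD Moore says is inadequate, actually sees. The header layouts and the NDR transfer-syntax UUID come from the DCE/RPC specification; the packets themselves are constructed here for the demonstration. The rule fires only on that single opnum of that single interface, which is why the thread's advice is to work from the NetpIsRemote() cross-references in IDA instead of from one opnum.

```python
import struct
import uuid

# DCE/RPC connection-oriented PDU types and flags (C706 / MS-RPCE).
PTYPE_REQUEST = 0
PTYPE_BIND = 11
PFC_FIRST_LAST = 0x03

# Interface UUID and opnum named in the thread; NDR transfer syntax from the spec.
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
OPNUM_IN_THREAD = 0x1F


def parse_pdu(data: bytes) -> dict:
    """Parse the 16-byte common header and the bind/request fields a
    detection rule would key on. Assumes little-endian DREP (checked)."""
    if len(data) < 16:
        raise ValueError("short PDU")
    vers, _minor, ptype, flags = struct.unpack_from("<BBBB", data, 0)
    drep = data[4:8]
    if vers != 5 or (drep[0] & 0xF0) != 0x10:
        raise ValueError("unsupported RPC version or big-endian DREP")
    frag_len, _auth_len, call_id = struct.unpack_from("<HHI", data, 8)
    if frag_len > len(data):
        raise ValueError("frag_length exceeds buffer")
    pdu = {"ptype": ptype, "flags": flags, "call_id": call_id}
    if ptype == PTYPE_BIND:
        # body: max_xmit_frag(2) max_recv_frag(2) assoc_group_id(4)
        #       n_context_elem(1) reserved(1) reserved2(2) then the contexts
        n_ctx = data[16 + 8]
        off = 16 + 8 + 4
        contexts = []
        for _ in range(n_ctx):
            ctx_id, n_ts = struct.unpack_from("<HB", data, off)
            off += 4  # ctx_id(2) n_transfer_syn(1) reserved(1)
            iface = uuid.UUID(bytes_le=data[off:off + 16])  # UUIDs are little-endian on the wire
            ver_major, ver_minor = struct.unpack_from("<HH", data, off + 16)
            off += 20
            syntaxes = []
            for _ in range(n_ts):
                syntaxes.append(uuid.UUID(bytes_le=data[off:off + 16]))
                off += 20  # uuid(16) + version(4)
            contexts.append({"ctx_id": ctx_id, "interface": iface,
                             "version": (ver_major, ver_minor), "transfer": syntaxes})
        pdu["contexts"] = contexts
    elif ptype == PTYPE_REQUEST:
        # body: alloc_hint(4) p_cont_id(2) opnum(2) [object uuid] stub data
        _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", data, 16)
        pdu.update({"ctx_id": ctx_id, "opnum": opnum})
    return pdu


def _header(ptype: int, body: bytes, call_id: int) -> bytes:
    """Common header: version 5.0, little-endian DREP, no auth trailer."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, PFC_FIRST_LAST,
                       b"\x10\x00\x00\x00", 16 + len(body), 0, call_id) + body


def build_bind(interface: uuid.UUID, ver_major: int, call_id: int = 1) -> bytes:
    """Constructed bind PDU with one presentation context (NDR v2.0)."""
    ctx = struct.pack("<HBB", 0, 1, 0) + interface.bytes_le + struct.pack("<HH", ver_major, 0)
    ctx += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", 1, 0, 0) + ctx
    return _header(PTYPE_BIND, body, call_id)


def build_request(opnum: int, stub: bytes, ctx_id: int = 0, call_id: int = 2) -> bytes:
    """Constructed request PDU carrying an opaque stub (content is irrelevant here)."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _header(PTYPE_REQUEST, body, call_id)


def naive_signature(pdus):
    """The rule the thread mocks: alert when a context bound to SRVSVC later
    carries a request with opnum 0x1F. Returns the call_ids it would flag."""
    srvsvc_ctx = set()
    hits = []
    for raw in pdus:
        pdu = parse_pdu(raw)
        if pdu["ptype"] == PTYPE_BIND:
            for c in pdu["contexts"]:
                if c["interface"] == SRVSVC_UUID:
                    srvsvc_ctx.add(c["ctx_id"])
        elif pdu["ptype"] == PTYPE_REQUEST:
            if pdu["ctx_id"] in srvsvc_ctx and pdu["opnum"] == OPNUM_IN_THREAD:
                hits.append(pdu["call_id"])
    return hits


if __name__ == "__main__":
    # Constructed sample stream: bind to SRVSVC v3.0, then one request each.
    bind = build_bind(SRVSVC_UUID, 3)
    print(naive_signature([bind, build_request(OPNUM_IN_THREAD, b"\x00" * 8)]))  # [2]
    print(naive_signature([bind, build_request(0x10, b"\x00" * 8)]))             # []
```

The second call is the point: any other function on the same interface passes the rule untouched, so a rule of this shape tells the analyst nothing about whether the vulnerable code path was reached; that is what the thread's reference to NetpIsRemote() xrefs is about.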
Current thread:
- Strcpy Dave Aitel (Aug 10)
- Re: Strcpy Halvar Flake (Aug 10)
- Re: Strcpy Halvar Flake (Aug 10)
- Re: Strcpy Danett song (Aug 10)
- Re: Strcpy Dave Korn (Aug 10)
- Re: Strcpy H D Moore (Aug 10)
- Re: Strcpy H D Moore (Aug 10)
- Re: Strcpy (RPC exploits, IE exploits and more) Danett song (Aug 10)
- Re: Strcpy (RPC exploits, IE exploits and more) Alexander Sotirov (Aug 10)
- Re: Strcpy (RPC exploits, IE exploits and more) Danett song (Aug 15)