Re: Strcpy (RPC exploits, IE exploits and more)

[Danett song <danett18 () yahoo com br>]

Hi HD Moore and all guys

Well, sorry for hijack this thread :)

1) Thank you for reply. I looked for this MS06-040 in
securtiteam and frsirt but only found non technical
advisorys like the Microsoft one who doesn't provide
technical details of vulnerability. Where do you
costume to look for technical advisorys (for example
the MS06-040, MS06-021, MS06-047, MS06-046, MS06-044)?

2) I seen this flaw appear be from a 0day that a CERT
caught in NetpIsRemote(), but this doesn't have any
documentation in MSDN, where do you costume to look
for prototype of this undocumented functions?

3) I notted that recent many exploits attacked Windows
RPC, someone can suggest me a great paper explain the
basic of how this communication work and how to create
program (in C, perl or python) to connect with it (I
would like to learn how to exploit it too:))?

4) I had seen that H D Moore and other researchers
have found many vulnerabilitys in Internet Explorer.
How do you list all active X that a machine have and
cab be instanceated by a html code? Also, how do you
list all the functions and prototypes of a given
Active X component (that is a DLL) ?

Well, maybe it can be doubt of other users, so maybe
it can be a intersting thread.

Thank you and sorry for n00b questions

--- H D Moore <hdm-daily-dave () digitaloffense net>
escreveu:

> There are (at least) three ways to exploit MS06-040:
>
> 1) Start path with \\ (unicode) and trigger plain
> stack overflow
> 2) Start path without \\ and trigger stack overflow
> elsewhere
> 3) Start path without \\ and trigger a wcscpy() call
> that writes our 
> shellcode into a location and then returns using a
> corrupted address.
>
> Case 1 and 2 work fine for NT 4.0 -> XP SP1/2003
> SP0. Case 3 is much more 
> reliable, since you tell it where to put your
> shellcode and then ask it 
> to return to where it put it. This what the most
> (all?) of the exploit 
> frameworks are using. The problem with XP SP2/2003
> SP1 is that the 
> modules were compiled with /GS, which blocks the
> return address part. The 
> wcscpy() call (should) allow you to overwrite any
> writable memory area 
> with your choice of data. If you can find a pointer
> in memory (say, 
> ws2_32 .data, the VEH, etc) and overwrite this, you
> can probably get code 
> execution on these platforms.
>
> If you are developing an IDS/IPS signature, you
> should crack open IDA Pro 
> and look for Xrefs to NetpIsRemote() in
> netapi32.dlll. Most of the 
> functions starting with I_* are accessible via the
> SRVSVC/WKSSVC RPC 
> interfaces. Anyone checking for
> 4b324fc8-1670-01d3-1278-5a47bf6ee188 and 
> function 0x1F is going to get made fun of once I get
> some free.
>
> The Metasploit module is broken in its current form
> -- it happened to work 
> great on all of my VMs and not at all on everyone
> else's. This should be 
> addressed in the near future...
>
> -HD
>
> On Thursday 10 August 2006 11:55, Danett song wrote:
> > don't have idea about you are speaking... the
> title
> > say strcpy() in the body you say wcscpy() and a
> new
> > way to worms, a technique to bypass most new
> windows
> > protection... what is this? a new method of
> > exploitation? or a specific vulnerability? some
> link?
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave



                
_______________________________________________________ 
Novidade no Yahoo! Mail: receba alertas de novas mensagens no seu celular. Registre seu aparelho agora! 
http://br.mobile.yahoo.com/mailalertas/ 
 

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave