Dailydave mailing list archives

Re: non-SYSTEM to SYSTEM in one click or less


From: Joel Eriksson <je-dailydave () bitnux com>
Date: Tue, 13 Mar 2007 01:13:51 +0100

Hi Dave & the rest of the list,

On Mon, Mar 12, 2007 at 11:28:54AM -0400, Dave Aitel wrote:

> I just finished converting Joel Eriksson's exploit into CANVAS/MOSDEF
> and I have to admit, it was a fun one. You can grab it now from
> Immunity Partners. I can confirm, via my testing, that it is
> extremely reliable. Assuming it gets cleaned up enough to go into
> CANVAS by the 1st, that means every CANVAS customer will have the
> ability to go from non-SYSTEM to SYSTEM on Windows 2000 and XP via a
> nice unpatched bug. Gotta love that. :>

Enjoy. :> Congrats again on finishing the port to CANVAS/MOSDEF,
although it's a shame you didn't make it into the March release. :)

For those interested, there's a screenshot of my original exploit
in action at:

   http://kernelwars.blogspot.com/

This exploit, plus probably a Metasploit meterpreter add-on for it, will
be released at the end of April (Immunity bought the rights to it
for 60 days, starting from the 22nd of February or so).

During our Blackhat talk I'll discuss the bug in general and the
process of making a reliable exploit for it, except for the minor
but crucial part that achieves the actual write-4 primitive. That
will be kept to CANVAS customers for a while yet. ;)

For the other two kernel bugs we'll discuss during the talk, full
exploits will be released directly afterwards, including Karl's
neat remote wireless and pure in-memory kernel backdoor for
FreeBSD, which he made for his 802.11 exploit. :>

Regarding the 0-day NetBSD bug that Christer will be talking about,
he will mention some new techniques that might come in handy for
exploiting other kernel bugs on BSD-derived systems too, when certain
types of structs / pointers are overflowed. :> The bug itself is in
certain "ancient" BSD code that may very well still be used in some
of the commercial Unix systems too.

URL to our talk:

   http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Eriksson

For those of you coming to BH Europe, see you there! :)

- -dave

-- 
Best Regards,
Joel Eriksson
CTO Bitsec
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
