Full Disclosure mailing list archives
RE: Allchin bug p-o-c.
From: Andrew.Berges () everestre com
Date: Tue, 7 Oct 2003 11:02:13 -0400
Hi, I'm rather new to this list, and I think I may have missed some of the background on this - could someone bring me up to speed as to what is happening here?

Thanks for the help,

Andrew Berges - Associate Manager, Systems
Everest Global Services
908.604.3020
andrew.berges () everestre com

-----Original Message-----
From: Dave Korn [mailto:davek_throwaway () hotmail com]
Sent: Tuesday, October 07, 2003 6:56 AM
To: vuln-dev () securityfocus com; full-disclosure () lists netsys com
Subject: [Full-disclosure] Allchin bug p-o-c.

Here's p-o-c code for the Allchin vulnerability. It allows you to write a (fairly) arbitrary DWORD to a (also fairly) arbitrary address in the memory space of mqsvc.exe on a remote w2k server. It should be straightforward enough to turn that into any kind of remote shell sploit using the standard well known techniques (e.g. overwrite an exception handler), but I haven't done so yet.

Interestingly enough, this works on sp2 but sp4 seems to be immune; I haven't tested sp3. I say 'interesting' because I can't find any reference to this bug having been fixed in the lists of bugs fixed in those service packs, but it's definitely been whacked in some way by sp4....

cheers,
DaveK

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Allchin bug p-o-c. Dave Korn (Oct 07)
- <Possible follow-ups>
- RE: Allchin bug p-o-c. Andrew . Berges (Oct 07)
- Re: Allchin bug p-o-c. Valdis . Kletnieks (Oct 09)
- RE: Allchin bug p-o-c. Andrew . Berges (Oct 07)
- Re: Allchin bug p-o-c. Dave Korn (Oct 08)