Full Disclosure mailing list archives

Re: MS05_039 Exploitation (different languages)

From: Sanjay Rawat <sanjayr () intoto com>
Date: Fri, 26 Aug 2005 16:55:58 +0530

hi Roman:

I too observed the same thing. i am running a windows 2K, SP4. i found thatbase address of UMPNPMGR.DLL is 0x767a0000. however, when i run the attackwith this address, the target machine got rebooted (a crash). this may be,because umpnpmgr.dll is a part of "service.exe", therefore, on failure, itreboots. but with the unchanged base address, it worked perfectly. so nowthe same code can be used for DoS also!!!


--Sanjay

At 10:06 PM 8/25/2005, Roman Medina-Heigl Hernandez wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I tested existing exploits for PnP bug on my W2k SP4 machine (Spanish)
and they didn't work ("services" process is crashing but I got no
shell). So I did a quick review with Olly and I realized that
umpnpmgr.dll is being loaded at a different base address. In Spanish
systems this base address is 0x76770000 but current exploits are
assumming (I guess) 0x767a0000. Then I did a quick hack to HOD's exploit
and it worked perfectly. I also modified Metasploit's module and
included a target for Spanish systems. I've attached resulting exploits
(they are trivial, though).

Is it usual that Windows DLLs have different base address across same
Windows/SP versions (but different languages)?


- --

Cheers,
- -Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFDDfOr5H+KferVZ0IRAiZKAKDJ0A1RT+iyFcJipN3k56YEmzctqACePS5e
aUJNlnMEsftew1Yn993iGJY=
=XE3r
-----END PGP SIGNATURE-----


Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
  Homepage: http://sanjay-rawat.tripod.com





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

MS05_039 Exploitation (different languages) Roman Medina-Heigl Hernandez (Aug 25)
- Re: MS05_039 Exploitation (different languages) ad (Aug 25)
- Re: MS05_039 Exploitation (different languages) Fabrice MOURRON (Aug 25)
- Re: MS05_039 Exploitation (different languages) Sanjay Rawat (Aug 26)
  - Re: MS05_039 Exploitation (different languages) Roman Medina-Heigl Hernandez (Aug 26)