Full Disclosure mailing list archives
Re: Windows .ANI LoadAniIcon Stack Overflow
From: "dev code" <devcode29 () hotmail com>
Date: Sun, 01 Apr 2007 15:05:37 +0000
I made a mistake in including "jmp esp" for XP SP2 because the stack cannot be executed (due to DEP of course :P). It is completely possible to execute shellcode if we can do some DEP bypass (ie. ret2libc attack, etc..) to add execute access to the stack and jmp to our code. My PoC i updated yesterday (added as an attachment to the full disclosure post) returns to ExitProcess() and closes explorer.exe upon viewing the .ani file, just to show that it is possible to do our own shiznat in SP2.
From: "Larry Seltzer" <Larry () larryseltzer com> To: <full-disclosure () lists grok org uk> Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow Date: Sun, 1 Apr 2007 07:49:58 -0400The issue is that this only works with DEP turned off!Interesting point. I haven't seen this mentioned anywhere, including the Microsoft advisory (http://www.microsoft.com/technet/security/advisory/935423.mspx). Has anyone actually tested this with DEP on/off to be sure? Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.eweek.com/blogs/larry_seltzer/ Contributing Editor, PC Magazine larryseltzer () ziffdavis com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_________________________________________________________________ Exercise your brain! Try Flexicon. http://games.msn.com/en/flexicon/default.htm?icid=flexicon_hmemailtaglinemarch07 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Windows .ANI LoadAniIcon Stack Overflow Larry Seltzer (Apr 01)
- Re: Windows .ANI LoadAniIcon Stack Overflow dev code (Apr 01)
- Re: Windows .ANI LoadAniIcon Stack Overflow Larry Seltzer (Apr 01)
- Re: Windows .ANI LoadAniIcon Stack Overflow ad () heapoverflow com (Apr 01)
- Re: Windows .ANI LoadAniIcon Stack Overflow ad () heapoverflow com (Apr 01)
- Re: Windows .ANI LoadAniIcon Stack Overflow -> Its ok, its in IE Protected Mode Haroon Meer (Apr 01)
- Re: Windows .ANI LoadAniIcon Stack Overflow Dave Aitel (Apr 02)
- Re: Windows .ANI LoadAniIcon Stack Overflow Larry Seltzer (Apr 01)
- Re: Windows .ANI LoadAniIcon Stack Overflow Alexander Sotirov (Apr 02)
- Re: Windows .ANI LoadAniIcon Stack Overflow Thierry Zoller (Apr 02)
- Re: Windows .ANI LoadAniIcon Stack Overflow Larry Seltzer (Apr 02)
- Re: Windows .ANI LoadAniIcon Stack Overflow Jason Areff (Apr 02)
- Re: Windows .ANI LoadAniIcon Stack Overflow Larry Seltzer (Apr 01)
- Re: Windows .ANI LoadAniIcon Stack Overflow dev code (Apr 01)