Metasploit mailing list archives
Any hints for this port (Zenworks sploit) ?
From: jerome.athias at free.fr (Jerome Athias)
Date: Thu, 23 Aug 2007 16:56:30 +0200
Salut Gabriel ;-) I don't really know more about this vulnerability... sorry Btw, I think that you want/need an egghunter. http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf http://www.metasploit.com/confs/recon2005/recent_shellcode_developments-recon05.pdf PS: note that searching for "hunter" and "egg" in the exploit modules directory of the Metasploit framework should reveal some nice examples This was discussed in some messages in the Metasploit Framework's mailing-lists. I hope that it can help you. Voil? /JA nowwhat at free.fr a ?crit :
Hi, I am trying to port "Novell ZENworks 6.5 Desktop/Server Management Overflow" to my version of ZenWorks agent (4.0.X) which is vulnerable according to the references. I have a couple problemes though. I would appreciate if someone could correct me on the following : The exploit is triggered by sending two inputs to the server (possible user then password, although I would doubt it knowing Novell's architecture - but its out of scope) First input is a fairly large amount of bytes - ~32k which will include payload. Second input is much smaller and included in original exploit the return adress. When both 'packet' made it to the server, it starts moving the first chunk of data to another place in memory, until it tries to write into another modules' code segment which trigger an access violation. The bytes that were successfully copied overwrote part of another module's (ntdll) stacks (is that possible? can't quite understand there). The access violation make the process jumps into ntdll's code and run until it pop something off of the corrupted stack (which is not completely corrupted btw). I tried to figure out where to put my return adress using the offset tools of the framework; The chunk of data that gets poped is not consistant accross execution (ranges somewhere between offset 16000 and 20000 in my load). I had the rather stupid idea to fill this area with my return address so that it gets poped whatever happens. But the server just resets the connexion - possibly because the return address contains 0x00 that justs make the proc stops the buffer copy? Do you feel this is exploitable? PS : I would also apreciate if someone had the original white paper of this vulnerability - I have been unable to find it. Regards, Gabriel
-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3253 bytes Desc: S/MIME Cryptographic Signature URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070823/d03dd129/attachment.bin>
Current thread:
- Any hints for this port (Zenworks sploit) ? nowwhat at free.fr (Aug 23)
- Any hints for this port (Zenworks sploit) ? Jerome Athias (Aug 23)
- Any hints for this port (Zenworks sploit) ? nowwhat at free.fr (Aug 23)
- Any hints for this port (Zenworks sploit) ? Jerome Athias (Aug 23)
- Any hints for this port (Zenworks sploit) ? nowwhat at free.fr (Aug 24)
- Any hints for this port (Zenworks sploit) ? nowwhat at free.fr (Aug 23)
- Any hints for this port (Zenworks sploit) ? Jerome Athias (Aug 23)