Vulnerability Development mailing list archives
ms03-049 exploit xp sp0
From: "wirepair" <wirepair () roguemail net>
Date: Wed, 12 Nov 2003 13:03:03 -0800
lo all,

Well, I got xp sp0 to execute my code, but sp1 has a different stack layout. After the return address the data only has about 4 or 8 bytes (I can't remember, and I'm too lazy to check because I've been messing with this for the past 7 hours). Since I have 4/8 bytes to work with, I'm contemplating doing some sort of jmp / call and stuffing my shellcode in the beginning of the buffer instead of tacking it on to the end like my current exploit. Unfortunately my asm is still lacking and I am unsure about the best way of making it jmp/call the address (without nulls and without hard-set stack addresses). If you can offer any suggestions I would *greatly* appreciate it.

Anyways, here's my code: http://sh0dan.org/files/0349.cpp or the exe: http://sh0dan.org/files/0349.exe. Remember this is SP0 only; sp1 will definitely crash.

Thanks,
-wire
Current thread:
- ms03-049 exploit xp sp0 wirepair (Nov 12)
- Re: ms03-049 exploit xp sp0 upb (Nov 12)
- <Possible follow-ups>
- Re: ms03-049 exploit xp sp0 upb (Nov 12)
- Re: ms03-049 exploit xp sp0 dave (Nov 13)