Vulnerability Development mailing list archives
Re: ms03-049 exploit xp sp0
From: <dave () immunitysec com>
Date: 13 Nov 2003 21:28:11 -0000
In-Reply-To: <web-21415425 () gator darkhorse com>

I didn't run into this problem in my version of the (XP SP1) attack, btw. Perhaps if you feel squeezed you can simply make your string bigger?

Most curious is the Unicode encoding differences between SP0 and SP1. Maybe something there is your problem?

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/CANVAS/
From: "wirepair" <wirepair () roguemail net>
Subject: ms03-049 exploit xp sp0
To: vuln-dev () securityfocus com
X-Mailer: CommuniGate Pro WebUser Interface v.4.1.5
Date: Wed, 12 Nov 2003 13:03:03 -0800
Message-ID: <web-21415425 () gator darkhorse com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit

lo all,

Well I got XP SP0 to execute my code, but SP1 has a different stack layout. After the return address, data only has about 4 or 8 bytes (I can't remember and I'm too lazy to check because I've been messing with this for the past 7 hours). Since I have 4/8 bytes to work with, I'm contemplating doing some sort of jmp / call and stuffing my shellcode in the beginning of the buffer instead of tacking it on to the end like my current exploit. Unfortunately my asm is lacking still and I am unsure about the best way of making it jmp/call the address (without nulls and without hardset stack addresses). If you can offer any suggestions I would *greatly* appreciate it.

Anyways, here's my code: http://sh0dan.org/files/0349.cpp or the exe: http://sh0dan.org/files/0349.exe. Remember this is SP0 only, SP1 will definitely crash.

Thanks,
-wire
Current thread:
- ms03-049 exploit xp sp0 wirepair (Nov 12)
- Re: ms03-049 exploit xp sp0 upb (Nov 12)
- <Possible follow-ups>
- Re: ms03-049 exploit xp sp0 upb (Nov 12)
- Re: ms03-049 exploit xp sp0 dave (Nov 13)