Re: ms03-049 exploit xp sp0

[<dave () immunitysec com>]

In-Reply-To: <web-21415425 () gator darkhorse com>

I didn't run into this problem in my version of the (XP SP1) attack, btw. Perhaps if you feel squeezed you can simply 
make your string bigger?

Most curious is the Unicode encoding differences between SP0 and SP1. Maybe something there is your problem?

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/CANVAS/ 


> From: "wirepair" <wirepair () roguemail net>
> Subject: ms03-049 exploit xp sp0
> To: vuln-dev () securityfocus com
> X-Mailer: CommuniGate Pro WebUser Interface v.4.1.5
> Date: Wed, 12 Nov 2003 13:03:03 -0800
> Message-ID: <web-21415425 () gator darkhorse com>
> MIME-Version: 1.0
> Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
> Content-Transfer-Encoding: 8bit
>
> lo all,
> Well I got xp sp0 to execute my code, but sp1 has a different stack layout. after the return address data only has 
> about 4 or 8 
> bytes (I can't remember and i'm too lazy to check because i've been messing with this for he past 7 hours). 
> Since I have 4/8 bytes to work with i'm contemplating doing some sort of jmp / call and stuff my shellcode in the 
> beginning of the 
> buffer instead of tacking it on to the end like my current exploit. Unfortunately my asm is lacking still and I am 
> unsure about
> the best way of making it jmp/call the address (without nulls and without hardset stack addresses). 
> If you can offer any suggestions I would *greatly* appreciate it.
> Anyways here's my code http://sh0dan.org/files/0349.cpp
> or the exe: http://sh0dan.org/files/0349.exe. Remember this is SP0 only, sp1 will definitly crash.
> Thanks,
> -wire
> --
> Visit Things From Another World for the best
> comics, movies, toys, collectibles and more.
> http://www.tfaw.com/?qt=wmf