Vulnerability Development mailing list archives
Re: ms03-043 questions
From: Adik <netninja () hotmail kg>
Date: Tue, 4 Nov 2003 02:29:19 +0600
Hello wirepair,

Monday, November 3, 2003, 9:12:54 AM, you wrote:

w> lo all,
w> I was just curious if anyone has been able to get this to execute code. I've been playing with it the last couple of days and I've
w> only managed to get invalid read attempts. I've narrowed it down to requiring at least 584 0x14 characters (a length of 3992 appears
w> to be required to cause the exception). Placement within the buffer of the 0x14 characters does not seem to matter. Thanks for any
w> information you can provide.
w> -wire
w> --
w> Visit Things From Another World for the best
w> comics, movies, toys, collectibles and more.
w> http://www.tfaw.com/?qt=wmf

my exploit for MS03-043 takes advantage of global SEH. I overwrote it with a pointer to my shellcode. make sure ur message body size is somewhere around 3656. works fine for win2k and winxp. btw u need to send packet 2 times on win2k, on winxp access violation exception is triggered only with 1 packet send. my exploit executes successfully but it's not 100% reliable. try experimenting with message size. u might get different results

--
Best regards,
Adik
mailto:netninja () hotmail kg

Current thread:
- ms03-043 questions wirepair (Nov 03)
- Re: ms03-043 questions Adik (Nov 03)
- Re: ms03-043 questions upb (Nov 05)
- <Possible follow-ups>
- Re[2]: ms03-043 questions einstein, dhtm (Nov 05)
- Re[3]: ms03-043 questions Adik (Nov 06)
- Re: Re[2]: ms03-043 questions Dave Korn (Nov 12)