Vulnerability Development mailing list archives
Re[2]: ms03-043 questions
From: "einstein, dhtm" <einstein_dhtm () front ru>
Date: Wed, 5 Nov 2003 22:03:57 -0800
Hello, Adik. You wrote on 3 November 2003 at 12:29:19:

A> Hello wirepair,
A> Monday, November 3, 2003, 9:12:54 AM, you wrote:

w>> lo all,
w>> I was just curious if anyone has been able to get this to execute code. I've been playing with it the last couple of days and I've
w>> only managed to get invalid read attempts. I've narrowed it down to requiring at least 584 0x14 characters (a length of 3992 appears
w>> to be required to cause the exception). Placement within the buffer of the 0x14 characters does not seem to matter. Thanks for any
w>> information you can provide.
w>> -wire
w>> --
w>> Visit Things From Another World for the best
w>> comics, movies, toys, collectibles and more.
w>> http://www.tfaw.com/?qt=wmf

A> My exploit for MS03-043 takes advantage of global SEH. I overwrote it
A> with a pointer to my shellcode. Make sure your message body size is
A> somewhere around 3656. Works fine for win2k and winxp. BTW, you need to
A> send the packet 2 times on win2k; on winxp the access violation exception is triggered
A> with only 1 packet send. My exploit executes successfully but it's not
A> 100% reliable. Try experimenting with message size. You might get
A> different results.

Do you mean the "final" exception handler (which is usually set by SetUnhandledExceptionFilter) or the per-thread handler at fs:[0]?

This article: http://www.jorgon.freeserve.co.uk/ExceptFrame.htm explains SEH in detail, but the main difference with heap-based overflows is that it is usually not easy to locate your shellcode in memory (unlike in stack-based overflows). How do you overcome this difficulty?

On win2k, 2 packets are needed for sure on my system too, and the service crashes if you don't debug it; on WinXP it doesn't.

--
Best regards,
dhtm                          mailto:einstein_dhtm () front ru
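The numbers wirepair reports (a 3992-byte body, at least 584 bytes of 0x14, placement irrelevant) are what you would expect from a length-miscount overflow: the buffer is sized from the input length, then a transform that expands certain bytes writes into it. The following is an added example, not code from the thread or from Adik's exploit. Its one assumption, stated here and in the comments, is that each 0x14 byte is expanded to a two-byte CR LF after the buffer has already been sized from the original length; the thread itself only says that 0x14 characters trigger the exception. The vulnerable routine is instrumented to count the bytes that would land past the end of the heap buffer instead of actually corrupting the heap, so it runs safely and can be measured; the hardened routine beside it sizes the buffer from the expanded length. All message bytes are constructed inside the program.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* ASSUMPTION for this example: the service rewrites every 0x14 byte in the
 * message body as CR LF (two bytes) after sizing its buffer from the
 * original length. The thread only says 0x14 bytes trigger the exception. */
#define MSG_NEWLINE_BYTE 0x14

/* Output size once every 0x14 has become CR LF. */
size_t expanded_length(const unsigned char *msg, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++)
        out += (msg[i] == MSG_NEWLINE_BYTE) ? 2 : 1;
    return out;
}

/* Vulnerable pattern: buffer sized from the INPUT length, expansion written
 * into it. Instrumented: instead of overrunning the heap it stops at the end
 * of the buffer and returns how many bytes would have been written past it
 * (0 means the expansion fit). */
size_t expand_vulnerable(const unsigned char *msg, size_t len, unsigned char **out_buf)
{
    unsigned char *buf = malloc(len + 1);   /* the flaw: sized before expansion */
    size_t pos = 0, overflow = 0;
    if (!buf) { *out_buf = NULL; return 0; }
    for (size_t i = 0; i < len; i++) {
        unsigned char pair[2];
        size_t n;
        if (msg[i] == MSG_NEWLINE_BYTE) { pair[0] = '\r'; pair[1] = '\n'; n = 2; }
        else { pair[0] = msg[i]; n = 1; }
        for (size_t k = 0; k < n; k++) {
            if (pos < len) buf[pos++] = pair[k];
            else overflow++;        /* real code writes here: heap corruption */
        }
    }
    buf[pos] = '\0';                /* pos <= len, and len + 1 bytes were allocated */
    *out_buf = buf;
    return overflow;
}

/* Hardened pattern: measure the expanded size first, then allocate that. */
unsigned char *expand_safe(const unsigned char *msg, size_t len, size_t *out_len)
{
    size_t need = expanded_length(msg, len);
    unsigned char *buf = malloc(need + 1);
    size_t pos = 0;
    if (!buf) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (msg[i] == MSG_NEWLINE_BYTE) { buf[pos++] = '\r'; buf[pos++] = '\n'; }
        else buf[pos++] = msg[i];
    }
    buf[pos] = '\0';
    *out_len = pos;
    return buf;
}

/* Constructed message in the shape wirepair describes: total_len bytes, of
 * which n_expand are 0x14 and the rest filler. The thread reports placement
 * does not matter, so the 0x14 bytes are simply put at the front here. */
unsigned char *build_message(size_t total_len, size_t n_expand)
{
    unsigned char *m = malloc(total_len);
    if (!m) return NULL;
    memset(m, 'A', total_len);
    if (n_expand > total_len) n_expand = total_len;
    memset(m, MSG_NEWLINE_BYTE, n_expand);
    return m;
}

/* Bytes the vulnerable expansion of such a message would write past its buffer. */
size_t overflow_bytes(size_t total_len, size_t n_expand)
{
    unsigned char *m = build_message(total_len, n_expand);
    unsigned char *buf = NULL;
    size_t over;
    if (!m) return 0;
    over = expand_vulnerable(m, total_len, &buf);
    free(buf);
    free(m);
    return over;
}

int main(void)
{
    size_t safe_len = 0;
    unsigned char *m = build_message(3992, 584);
    unsigned char *s;
    if (!m) return 1;
    printf("3992-byte body with 584 x 0x14: vulnerable expansion runs %zu bytes past the buffer\n",
           overflow_bytes(3992, 584));
    s = expand_safe(m, 3992, &safe_len);
    if (s) printf("hardened version allocates %zu bytes and writes %zu\n", safe_len + 1, safe_len);
    free(s);
    free(m);
    return 0;
}
```

With these inputs the vulnerable routine overruns its 3992-byte allocation by exactly 584 bytes, one per expanded 0x14, which is why the count of 0x14 bytes rather than their position decides whether the write crosses into the next heap chunk. Whether 584 extra bytes is the threshold on a real Messenger service depends on the allocator's chunk layout, which this portable example does not model.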
Current thread:
- ms03-043 questions wirepair (Nov 03)
- Re: ms03-043 questions Adik (Nov 03)
- Re: ms03-043 questions upb (Nov 05)
- <Possible follow-ups>
- Re[2]: ms03-043 questions einstein, dhtm (Nov 05)
- Re[3]: ms03-043 questions Adik (Nov 06)
- Re: Re[2]: ms03-043 questions Dave Korn (Nov 12)