Dailydave mailing list archives
Re: rpc_srvsvc_mmallocdos.rar
From: scz <scz () nsfocus com>
Date: Thu, 24 Nov 2005 09:32:28 +0800
Dave Aitel <dave () immunitysec com> wrote:
> scz wrote:
>> Dave Aitel daveaitel at tmail.com
>>> I'm guessing you send a large integer to function 0x30 in srvsvc via \\browser, and xpsp2 falls to basically the same bug. I haven't had time to test it yet though.
>>
>> This is PoC from hume@nsfocus:
>>
>> net use \\<target>\ipc$ "" /user:""
>> <this exe> -n <target> -x <0xb000000(size)>
>>
>> That's all.
>
> Looks good - I've found a sorta logarithmic stepdown on the memory works best...
>
> Are you making <this exe> public? :>
>
> -dave

I attached the rar to the first email, but your list rejected it. Now get it from

http://www.opencjk.org/~scz/rpc_srvsvc_mmallocdos.rar

I'll delete it after one week.

By the way, FC_HARD_STRUCTURE should be FC_LGVARRAY, look at MSDN. No matter how, you do great work.

scz <scz () nsfocus com>
2005-11-24 9:16:54