Dailydave mailing list archives
Re: ID, Apples
From: Joel Eriksson <je () bitnux com>
Date: Thu, 25 May 2006 14:11:02 +0200
Hah, my buddy Karl Janmar beat you both. As far as I know he found the first publicly disclosed remote & WIRELESS ring 0-flaw. ;) (In the BSD 802.11 protocol stack)

http://www.signedness.org/advisories/sps-0x1.txt

Our current exploit for it embeds the contents of an arbitrary file, like /etc/wpa.conf for instance, in a probereq packet. At the moment the exploit is target-based though, since Karl hasn't bothered to use the resolve-syms-via-the-dynsym-section payload I hacked up yet. ;)

Ring 0-bugs are always a lot of fun, keep up the good work. :)

Best Regards,
Joel Eriksson

On Wed, May 24, 2006 at 09:41:24PM -0700, Marc Maiffret wrote:
> Remote windows kernel exploits were demonstrated in 2004 by Barnaby Jack and within the same year by Flashsky. They both did extensive presentations also in 2005 showing specifically how to exploit remote kernel vulnerabilities.
>
> Symantec Multiple Firewall Remote DNS KERNEL Overflow (April 19, 2004)
> http://www.eeye.com/html/research/advisories/AD20040512D.html
>
> Conference: Remote Windows Kernel Exploitation - Step In To the Ring 0 (2005)
> http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html
>
> Paper: Remote Windows Kernel Exploitation - Step into the Ring 0 (2005)
> http://www.eeye.com/~data/publish/whitepapers/research/OT20050205.FILE.pdf
>
> -Marc
>
> -----Original Message-----
> From: Dave Aitel [mailto:dave () immunityinc com]
> Sent: Sunday, May 21, 2006 5:08 PM
> To: dailydave
> Subject: [Dailydave] ID, Apples
>
> <snip>
>
> Sinan Eren wrote a working version of GREENAPPLE, a remote kernel overflow in SMB for Windows 2000. It's available now to Immunity Partners, but it will be in the June Immunity CANVAS release, which will be interesting. Essentially it's the first remote kernel overflow I've ever seen - maybe someone knows of one I don't?
>
> -dave
-- 
Best Regards,
Joel Eriksson
-------------------------------------------------
Cellphone: +46-70 228 64 16
Home: +46-18-30 35 55
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x08811B44
DF38 5806 0EFB 196E E4B6 34B5 4C01 73BB 0881 1B44
-------------------------------------------------
Current thread:
- ID, Apples Dave Aitel (May 24)
- <Possible follow-ups>
- RE: ID, Apples Marc Maiffret (May 25)
- Re: ID, Apples Joel Eriksson (May 26)
- Re: ID, Apples Matt Conover (May 26)
- RE: ID, Apples sinan . eren (May 26)
- Re: ID, Apples Piotr Bania (May 26)