RE: ID, Apples

[sinan.eren () immunitysec com]

yeah, I agree. Barnaby's paper was the first public discussion about the 
topic but couple of years before that, there was the private PPTP 
kernel exploit for Windows 2000 circulating around, which was a bit 
primitive on the payload side of things (mostly ZwXXX's doing file and 
registry IO), nevertheless the first remote win32 kernel exploit I saw 
was that... anyhow, I think Dave must have meant first in an 
"exploitation framework" since as you all know there is fierce competition 
even in this small market ;)

cheers,
sinan


On Wed, 24 May 2006, Marc Maiffret wrote:

> Remote windows kernel exploits were demonstrated in 2004 by Barnaby Jack
> and within the same year by Flashsky. They both did extensive
> presentations also in 2005 showing specifically how to exploit remote
> kernel vulnerabilities.
>
> Symantec Multiple Firewall Remote DNS KERNEL Overflow (April 19, 2004)
> http://www.eeye.com/html/research/advisories/AD20040512D.html
> Conference: Remote Windows Kernel Exploitation - Step In To the Ring 0
> (2005)
> http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html
> Paper: Remote Windows Kernel Exploitation - Step into the Ring 0 (2005)
> http://www.eeye.com/~data/publish/whitepapers/research/OT20050205.FILE.p
> df
>
> -Marc
>
> > -----Original Message-----
> > From: Dave Aitel [mailto:dave () immunityinc com]
> > Sent: Sunday, May 21, 2006 5:08 PM
> > To: dailydave
> > Subject: [Dailydave] ID, Apples
> <snip>
> > Sinan Eren wrote a working version of GREENAPPLE, a remote
> > kernel overflow in SMB for Windows 2000. It's available now
> > to Immunity Partners, but it will be in the June Immunity
> > CANVAS release, which will be interesting. Essentially it's
> > the first remote kernel overflow I've ever seen - maybe
> > someone knows of one I don't?
> >
> > -dave
> >
> > * Unknown Key
> > * 0xE3C0FA25 - unknown