Dailydave mailing list archives
Re: Strcpy
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 10 Aug 2006 16:49:39 -0500
Time to eat my words. The wcscpy() destination pointer trick doesn't seem doable on XP SP2 or 2003 SP1. I don't believe you can exploit this bug for more than a DoS on 2003 SP2/XP SP1. If you have information to the contrary, please share.

Microsoft made a statement to the effect that the "public" code is denial of service only. Strange that "public" doesn't include any member of the public who purchased a copy from Core or Immunity.

The Metasploit module has been updated and should reliably exploit NT 4.0, all versions of Windows 2000, and Windows XP SP0/SP1 using the default target. I included an example of a non-wcscpy() target in case anyone wants to play with it. A quick link for those who don't use msfupdate:

http://metasploit.com/projects/Framework/modules/exploits/netapi_ms06_040.pm

-HD

On Thursday 10 August 2006 13:36, H D Moore wrote:
> There are (at least) three ways to exploit MS06-040:
> 1) Start path with \\ (unicode) and trigger plain stack overflow
> 2) Start path without \\ and trigger stack overflow elsewhere
> 3) Start path without \\ and trigger a wcscpy() call that writes our
>    shellcode into a location and then returns using a corrupted address.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
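The third path in the quoted list (an unbounded wcscpy() into a stack buffer that clobbers a pointer a later wcscpy() uses as its destination) is the general bug shape behind this thread. The following C program is an added illustration of that shape, not code from the post, from Metasploit, or from netapi32; the real NetpwPathCanonicalize frame layout is not on this page, so the "frame", the slot that holds the destination pointer, the 16-character buffer size, and the sample paths are all constructed for the demonstration. The model keeps every write inside one array so it runs deterministically anywhere, and the hardened variant shows the length check that the vulnerable one lacks.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Constructed layout for the demonstration (not netapi32's real stack frame). */
#define PATH_SLOTS  16              /* the path buffer: frame[0..15]                */
#define DEST_SLOT   PATH_SLOTS      /* "saved destination pointer" right after it   */
#define FRAME_SLOTS 32
#define MEM_SLOTS   64

struct model {
    wchar_t frame[FRAME_SLOTS];     /* stand-in for the stack frame                      */
    wchar_t memory[MEM_SLOTS];      /* stand-in for writable memory; DEST_SLOT indexes it */
};

/* Vulnerable shape: the caller's path is wcscpy()'d into a fixed buffer with no
 * length check. A path of 16 or more characters runs into DEST_SLOT, and the
 * second wcscpy() then writes through the corrupted "pointer". Callers keep the
 * path under FRAME_SLOTS and the resulting index inside MEM_SLOTS so the model
 * itself stays in bounds; the point is what happens to DEST_SLOT in between. */
static void canonicalize_vuln(struct model *m, const wchar_t *path, const wchar_t *suffix)
{
    m->frame[DEST_SLOT] = 0;                          /* intended target: memory[0]    */
    wcscpy(m->frame, path);                           /* unbounded copy (the bug)       */
    size_t dest = (size_t)m->frame[DEST_SLOT];        /* read back after the overflow   */
    wcscpy(&m->memory[dest], suffix);                 /* attacker-steered write         */
}

/* Hardened shape: refuse anything that would not fit before touching the frame. */
static int canonicalize_safe(struct model *m, const wchar_t *path, const wchar_t *suffix)
{
    if (wcslen(path) >= PATH_SLOTS)
        return -1;                                    /* would overwrite DEST_SLOT      */
    m->frame[DEST_SLOT] = 0;
    wcscpy(m->frame, path);
    wcscpy(&m->memory[(size_t)m->frame[DEST_SLOT]], suffix);
    return 0;
}

/* Which memory slot did the second copy land in? (size_t)-1 if not found. */
static size_t vuln_landing_slot(const wchar_t *path, const wchar_t *suffix)
{
    struct model m;
    memset(&m, 0, sizeof m);
    canonicalize_vuln(&m, path, suffix);
    for (size_t i = 0; i < MEM_SLOTS; i++)
        if (m.memory[i] == suffix[0])
            return i;
    return (size_t)-1;
}

/* Return code of the hardened variant on a fresh model. */
static int safe_rc(const wchar_t *path, const wchar_t *suffix)
{
    struct model m;
    memset(&m, 0, sizeof m);
    return canonicalize_safe(&m, path, suffix);
}

/* Constructed inputs: a benign UNC-style path that fits, and a 17-character
 * path whose 17th character, L'0' (code 48), lands in DEST_SLOT. */
static const wchar_t BENIGN_PATH[] = L"\\\\srv\\share";
static const wchar_t ATTACK_PATH[] = L"AAAA" L"AAAA" L"AAAA" L"AAAA" L"0";

int main(void)
{
    printf("vulnerable, benign path:  suffix lands at memory[%zu]\n",
           vuln_landing_slot(BENIGN_PATH, L"x"));
    printf("vulnerable, 17-char path: suffix lands at memory[%zu]\n",
           vuln_landing_slot(ATTACK_PATH, L"x"));
    printf("hardened, benign path:    rc=%d\n", safe_rc(BENIGN_PATH, L"x"));
    printf("hardened, 17-char path:   rc=%d\n", safe_rc(ATTACK_PATH, L"x"));
    return 0;
}
```

With the benign path the second copy lands at memory[0]; with the 17-character path the overflowed slot reads back as 48 and the copy lands at memory[48], which is the write-what-where the post describes in one line. The hardened variant rejects the long path before anything is copied, which is the whole fix for this bug class: bound the copy by the destination's size, not the source's.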
Current thread:
- Strcpy Dave Aitel (Aug 10)
- Re: Strcpy Halvar Flake (Aug 10)
- Re: Strcpy Halvar Flake (Aug 10)
- Re: Strcpy Danett song (Aug 10)
- Re: Strcpy Dave Korn (Aug 10)
- Re: Strcpy H D Moore (Aug 10)
- Re: Strcpy H D Moore (Aug 10)
- Re: Strcpy (RPC exploits, IE exploits and more) Danett song (Aug 10)
- Re: Strcpy (RPC exploits, IE exploits and more) Alexander Sotirov (Aug 10)
- Re: Strcpy (RPC exploits, IE exploits and more) Danett song (Aug 15)