Dailydave mailing list archives

Re: Strcpy


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 10 Aug 2006 16:49:39 -0500

Time to eat my words. The wcscpy() destination pointer trick doesn't seem 
doable on XP SP2 or 2003 SP1. I don't believe you can exploit this bug 
for more than a DoS on 2003 SP2/XP SP1. If you have information to the 
contrary, please share.

Microsoft made a statement to the effect that the "public" code is denial 
of service only. Strange that "public" doesn't include any member of the 
public who purchased a copy from Core or Immunity. The Metasploit module 
has been updated and should reliably exploit NT 4.0, all versions of 
Windows 2000, and Windows XP SP0/SP1 using the default target. I included 
an example of a non-wcscpy() target in case anyone wants to play with it.

A quick link for those who don't use msfupdate:
http://metasploit.com/projects/Framework/modules/exploits/netapi_ms06_040.pm

-HD

On Thursday 10 August 2006 13:36, H D Moore wrote:
> There are (at least) three ways to exploit MS06-040:
>
> 1) Start path with \\ (unicode) and trigger plain stack overflow
> 2) Start path without \\ and trigger stack overflow elsewhere
> 3) Start path without \\ and trigger a wcscpy() call that writes our
> shellcode into a location and then returns using a corrupted address.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
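The bug class behind the thread is an unbounded wcscpy() into a fixed-size stack buffer. The following is an added example, not code from HD's post, from the Metasploit module, or from the affected Windows service: it puts the unsafe copy pattern beside a bounded replacement that measures the source against the destination capacity and rejects anything that does not fit. The buffer size, the helper names and the constructed test paths are all assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Constructed fixed-size destination, in wide characters (assumption). */
#define PATH_BUF_CHARS 16

/* The pattern the thread describes: wcscpy() into a fixed-size buffer with
 * no check that the source fits. Shown for contrast only; never feed it
 * untrusted input, since a long src writes past the end of dst. */
void copy_path_unbounded(wchar_t dst[PATH_BUF_CHARS], const wchar_t *src)
{
    wcscpy(dst, src);
}

/* Length of s in wide chars, but never scanning past max characters.
 * A portable stand-in for wcsnlen(), which is not in strict C99. */
static size_t wlen_bounded(const wchar_t *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != L'\0')
        n++;
    return n;
}

/* Hardened form: refuse any source that does not fit together with its
 * terminator, and always leave dst terminated. Returns 1 on success and
 * 0 when the input was rejected (dst is then an empty string). */
int copy_path_bounded(wchar_t *dst, size_t dst_chars, const wchar_t *src)
{
    if (dst == NULL || src == NULL || dst_chars == 0)
        return 0;
    size_t n = wlen_bounded(src, dst_chars);
    if (n >= dst_chars) {
        dst[0] = L'\0';   /* reject: no terminator found within capacity */
        return 0;
    }
    wmemcpy(dst, src, n);
    dst[n] = L'\0';
    return 1;
}

/* Builds a constructed path of `len` L'A' characters and reports whether
 * the bounded copy accepts it into a PATH_BUF_CHARS-sized buffer. */
int accepts_path_of_length(size_t len)
{
    wchar_t src[256];
    wchar_t dst[PATH_BUF_CHARS];
    if (len >= sizeof src / sizeof src[0])
        return 0;
    wmemset(src, L'A', len);
    src[len] = L'\0';
    return copy_path_bounded(dst, PATH_BUF_CHARS, src);
}

int main(void)
{
    /* 15 chars + terminator fits a 16-char buffer; 16 chars does not. */
    printf("len 15 accepted: %d\n", accepts_path_of_length(15));
    printf("len 16 accepted: %d\n", accepts_path_of_length(16));
    printf("len 100 accepted: %d\n", accepts_path_of_length(100));
    return 0;
}
```

The key design point is that the length check is itself bounded: the source is never scanned further than the destination can hold, so an unterminated or very long input is rejected by the same test that protects the copy, and the caller gets an explicit failure rather than a silently truncated path.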
