Dailydave mailing list archives
Re: Strcpy (RPC exploits, IE exploits and more)
From: "Jeremy Richards" <jrichards () ncircle com>
Date: Thu, 10 Aug 2006 17:38:04 -0700
It's been a long day and I need a break from work, so I'll hop on this thread and give my two cents.

1.) I think you're asking for technical details of vulnerabilities... these aren't normally released to the public unless the vuln was found by a researcher attempting to make a name for himself... or they have too much time on their hands. In either case, the best way to get a good technical feel is to download the patches, throw them into IDA, bindiff and check out the changed functions. NetpIsRemote() is one of the few (this time) changed functions and the change is pretty obvious.

2.) There are a number of functions exposed via the SRVSVC/WKSSVC RPC interfaces... this is one of them... PathCanonicalization was another interesting one for signature writers.

3.) If you want to learn about reversing DCE RPC go here:
http://www.codeproject.com/internet/rpcintro1.asp and http://www.codeproject.com/internet/rpcintro2.asp
Throw the samples into IDA to see what a simple RPC interface looks like. Download mida and play... http://cgi.tenablesecurity.com/tenable/mida.php
*note -- it's not perfect, but it will identify RPC interfaces and attempt to reverse the expected stub data so your fuzzing doesn't get sent to NDR hell. Oh, reading the RFCs wouldn't hurt, but remember how Microsoft likes to pervert RFCs and make their own standards. In Python, connecting to RPC services has been made pretty simple by the folks at CORE... check out Impacket: http://oss.coresecurity.com/projects/impacket.html It takes care of a lot of the lower level BS. Make sure you have the crypto libs for Python... they're required for NTLM auth...

4.) I'll leave that one for HD..
Best of luck

Dyngnosis

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Danett song
Sent: Thursday, August 10, 2006 6:27 PM
To: H D Moore; dailydave () lists immunitysec com
Subject: Re: [Dailydave] Strcpy (RPC exploits, IE exploits and more)

Hi HD Moore and all guys

Well, sorry for hijacking this thread :)

1) Thank you for replying. I looked for this MS06-040 on SecuriTeam and FrSIRT but only found non-technical advisories like the Microsoft one, which doesn't provide technical details of the vulnerability. Where do you usually look for technical advisories (for example for MS06-040, MS06-021, MS06-047, MS06-046, MS06-044)?

2) I've seen that this flaw appears to come from a 0day that a CERT caught in NetpIsRemote(), but this doesn't have any documentation in MSDN. Where do you usually look for the prototypes of these undocumented functions?

3) I noticed that recently many exploits have attacked Windows RPC. Can someone suggest a great paper explaining the basics of how this communication works and how to create a program (in C, Perl or Python) to connect to it (I would like to learn how to exploit it too :))?

4) I've seen that H D Moore and other researchers have found many vulnerabilities in Internet Explorer. How do you list all the ActiveX controls that a machine has and that can be instantiated by HTML code? Also, how do you list all the functions and prototypes of a given ActiveX component (that is a DLL)?

Well, maybe other users have the same doubts, so maybe it can be an interesting thread.

Thank you and sorry for the n00b questions

--- H D Moore <hdm-daily-dave () digitaloffense net> wrote:
There are (at least) three ways to exploit MS06-040:

1) Start path with \\ (unicode) and trigger plain stack overflow
2) Start path without \\ and trigger stack overflow elsewhere
3) Start path without \\ and trigger a wcscpy() call that writes our shellcode into a location and then returns using a corrupted address.

Case 1 and 2 work fine for NT 4.0 -> XP SP1/2003 SP0. Case 3 is much more reliable, since you tell it where to put your shellcode and then ask it to return to where it put it. This is what most (all?) of the exploit frameworks are using. The problem with XP SP2/2003 SP1 is that the modules were compiled with /GS, which blocks the return address part. The wcscpy() call (should) allow you to overwrite any writable memory area with your choice of data. If you can find a pointer in memory (say, ws2_32 .data, the VEH, etc) and overwrite this, you can probably get code execution on these platforms.

If you are developing an IDS/IPS signature, you should crack open IDA Pro and look for Xrefs to NetpIsRemote() in netapi32.dll. Most of the functions starting with I_* are accessible via the SRVSVC/WKSSVC RPC interfaces. Anyone checking for 4b324fc8-1670-01d3-1278-5a47bf6ee188 and function 0x1F is going to get made fun of once I get some free.

The Metasploit module is broken in its current form -- it happened to work great on all of my VMs and not at all on everyone else's. This should be addressed in the near future...

-HD

On Thursday 10 August 2006 11:55, Danett song wrote:

I don't have any idea what you are speaking about... the title says strcpy(), in the body you say wcscpy(), and a new way to worms, a technique to bypass most new Windows protection... what is this? a new method of exploitation? or a specific vulnerability? some link?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
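The bug class the thread turns on, an unbounded wcscpy() of a caller-controlled path into a fixed-size stack buffer, shown as an added illustration that is not from the thread and is not netapi32's NetpIsRemote(): a hypothetical "does the path start with \\" check written the vulnerable way next to a bounded version that rejects oversized input, plus a helper that reports how far past the buffer the copy would write. The buffer size, function names and inputs are assumptions for illustration only; the real function's frame layout is not on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical buffer size (in wchar_t elements); assumption for illustration. */
#define PATH_BUF_LEN 64

/* Vulnerable pattern: wcscpy() stops only at the terminating L'\0', so a
 * path of PATH_BUF_LEN or more characters writes past 'local' into the
 * rest of the frame (saved registers, return address, or on a /GS build
 * the cookie). Callers must never pass such input to this version. */
int is_remote_path_unbounded(const wchar_t *path)
{
    wchar_t local[PATH_BUF_LEN];
    wcscpy(local, path);                 /* no length check at all */
    return local[0] == L'\\' && local[1] == L'\\';
}

/* Hardened pattern: measure first without scanning past the limit, refuse
 * anything that does not fit, then copy exactly the bytes measured.
 * Returns 1 for a \\-prefixed path, 0 for any other path that fits,
 * -1 for input that would overflow the buffer. */
int is_remote_path_bounded(const wchar_t *path)
{
    wchar_t local[PATH_BUF_LEN];
    size_t n = 0;
    while (n < PATH_BUF_LEN && path[n] != L'\0')
        n++;
    if (n >= PATH_BUF_LEN)
        return -1;                       /* no room for the terminator: reject */
    memcpy(local, path, (n + 1) * sizeof(wchar_t));
    return local[0] == L'\\' && local[1] == L'\\';
}

/* Bytes that wcscpy() would write beyond a PATH_BUF_LEN buffer for this
 * input (0 if it fits). Each wide character is sizeof(wchar_t) bytes:
 * 2 on Windows (UTF-16), typically 4 on Linux. */
size_t overflow_bytes(const wchar_t *path)
{
    size_t needed = (wcslen(path) + 1) * sizeof(wchar_t);
    size_t have = PATH_BUF_LEN * sizeof(wchar_t);
    return needed > have ? needed - have : 0;
}

/* Constructed test input: 'count' copies of L'A' (capped at 255) followed
 * by a terminator, built in a local buffer large enough to hold it. */
int bounded_check_of_length(size_t count)
{
    wchar_t big[256];
    if (count > 255)
        count = 255;
    for (size_t i = 0; i < count; i++)
        big[i] = L'A';
    big[count] = L'\0';
    return is_remote_path_bounded(big);
}

size_t overflow_bytes_of_length(size_t count)
{
    wchar_t big[256];
    if (count > 255)
        count = 255;
    for (size_t i = 0; i < count; i++)
        big[i] = L'A';
    big[count] = L'\0';
    return overflow_bytes(big);
}

int main(void)
{
    printf("unbounded, short UNC path: %d\n", is_remote_path_unbounded(L"\\\\server\\share"));
    printf("bounded, short UNC path:   %d\n", is_remote_path_bounded(L"\\\\server\\share"));
    printf("bounded, 200-char path:    %d\n", bounded_check_of_length(200));
    printf("overflow for 200 chars:    %zu bytes\n", overflow_bytes_of_length(200));
    return 0;
}
```

The bounded version is only the "check the length" half of the fix; the other half, which a patch diff is the place to confirm, is that every copy of attacker-controlled data reaching a fixed buffer gets the same treatment, since HD's point is that the wcscpy() path, not the plain overflow, is what survives /GS.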