Dailydave mailing list archives
Re: A 3 a.m. Riddle
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Thu, 31 May 2007 12:22:59 +1200
The riddle: Let's say you are trying to exploit a remote service on an old Windows 2000 (whatever SP you want) and the primitive is the following:

inc [edi] // you control edi

What would be the best option for edi?

* You can only do it one time.
* Note: The riddle is taken from an old silently patched bug on WINS.
nico, you say you can only do it once. Does the service crash, handle an exception, or nothing after this one increment?

Stating the obvious here, but does using a writable vs a non-writable address make any difference? Also does using different bit values for EDI make any difference to code path execution?

If you can do 1 increment, and the service continues to operate, then you are needing to modify a value that is then used later, to somehow get other data under your control to be used.

Maybe combining a couple of the already suggested ideas, and hit some values in known static locations on win2k. like the PEB? or TIB?
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html
http://en.wikipedia.org/wiki/Win32_Thread_Information_Block

As already noted, by misaligning the word you can affect different bytes. So maybe adjust the thread SEH chain ptr to something else on the stack.

Be interesting to see what you come up with.

Brett

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Nicolas Waisman
Sent: Thursday, 31 May 2007 3:04 a.m.
To: Dave Korn
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] A 3 a.m. Riddle

You can only do it one time.
Note: The riddle is taken from an old silently patched bug on WINS.

Nico

On Wed, May 30, 2007 at 03:15:13PM +0100, Dave Korn wrote:
On 30 May 2007 07:13, Nicolas Waisman wrote:

Let's have a fun riddle to cheer up the spirit ( Mate at 11pm, it's all night insomnia.)

The riddle: Let's say you are trying to exploit a remote service on an old Windows 2000 (whatever SP you want) and the primitive is the following:

inc [edi] // you control edi

What would be the best option for edi?

Depends what else you control apart from edi, and whether you can do it more than once. If you can overwrite an SEH handler, point edi at an illegal address to invoke your code. If you can do it multiple times, perhaps you can point edi somewhere on the stack and increment a stored ebp to point at data you control. Don't forget the possibility of pointing it at a non-word-aligned address to e.g. increment just the high byte of a stored pointer.

cheers,
DaveK
--
Can't think of a witty .sigline today....
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
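Both Dave Korn and Brett point out that a 4-byte increment at a non-word-aligned address touches only some bytes of each neighbouring value. The following C model, added here as an illustration and not code from the thread or from any of its participants, makes that concrete. It models no real process structure: memory is just two constructed 32-bit slots in a little-endian byte buffer, and the only operation is the read-modify-write that a single `inc dword [edi]` performs. The constructed values 0x7FFDF000, 0xFFFDF000 and 0x11223344 are arbitrary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Memory is modelled explicitly as little-endian bytes, as on x86, so the
   demonstration gives the same answer on any host. */
static uint32_t load32(const uint8_t *mem, size_t off) {
    return (uint32_t)mem[off] | ((uint32_t)mem[off + 1] << 8) |
           ((uint32_t)mem[off + 2] << 16) | ((uint32_t)mem[off + 3] << 24);
}

static void store32(uint8_t *mem, size_t off, uint32_t v) {
    mem[off] = (uint8_t)v;
    mem[off + 1] = (uint8_t)(v >> 8);
    mem[off + 2] = (uint8_t)(v >> 16);
    mem[off + 3] = (uint8_t)(v >> 24);
}

/* One `inc dword ptr [edi]`: a 4-byte read-modify-write at byte offset `off`.
   x86 permits unaligned access, so `off` need not be a multiple of 4. */
static void inc_dword_at(uint8_t *mem, size_t off) {
    store32(mem, off, load32(mem, off) + 1);
}

/* Two adjacent 32-bit slots: slot 0 holds a stored pointer, slot 1 its
   neighbour (constructed values). Apply one increment at `off` and return
   the resulting contents of both slots. */
struct slots { uint32_t ptr; uint32_t neighbour; };

static struct slots inc_over_slots(uint32_t ptr, uint32_t neighbour, size_t off) {
    uint8_t mem[8];
    struct slots out;
    store32(mem, 0, ptr);
    store32(mem, 4, neighbour);
    inc_dword_at(mem, off);
    out.ptr = load32(mem, 0);
    out.neighbour = load32(mem, 4);
    return out;
}

/* Accessors used by the demonstration below. */
uint32_t ptr_after_inc(uint32_t ptr, uint32_t neighbour, size_t off) {
    return inc_over_slots(ptr, neighbour, off).ptr;
}

uint32_t neighbour_after_inc(uint32_t ptr, uint32_t neighbour, size_t off) {
    return inc_over_slots(ptr, neighbour, off).neighbour;
}

int main(void) {
    /* Aligned: the whole stored dword goes up by one. */
    printf("off 0: ptr=%08x neighbour=%08x\n",
           ptr_after_inc(0x7FFDF000u, 0x11223344u, 0),
           neighbour_after_inc(0x7FFDF000u, 0x11223344u, 0));
    /* Misaligned by 3: only the high byte of the stored pointer changes. */
    printf("off 3: ptr=%08x neighbour=%08x\n",
           ptr_after_inc(0x7FFDF000u, 0x11223344u, 3),
           neighbour_after_inc(0x7FFDF000u, 0x11223344u, 3));
    /* High byte already 0xFF: it wraps to 0x00 and the carry lands in the
       neighbour's low byte, so a misaligned increment can alter both slots. */
    printf("off 3 carry: ptr=%08x neighbour=%08x\n",
           ptr_after_inc(0xFFFDF000u, 0x11223344u, 3),
           neighbour_after_inc(0xFFFDF000u, 0x11223344u, 3));
    return 0;
}
```

The third case is the caveat worth remembering: a byte-granular increment is only byte-granular while the targeted byte is below 0xFF; at 0xFF the carry propagates into whatever sits next in memory.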
Current thread:
- A 3 a.m. Riddle Nicolas Waisman (May 30)
- Message not available
- Fwd: A 3 a.m. Riddle Isaac Dawson (May 30)
- Message not available
- Re: A 3 a.m. Riddle Dave Korn (May 30)
- Re: A 3 a.m. Riddle Nicolas Waisman (May 30)
- Re: A 3 a.m. Riddle Matt Conover (May 30)
- Re: A 3 a.m. Riddle jf (May 30)
- Re: A 3 a.m. Riddle Nicolas Waisman (May 30)
- Re: A 3 a.m. Riddle Dave Aitel (May 30)
- Re: A 3 a.m. Riddle Nicolas Waisman (May 30)
- Re: A 3 a.m. Riddle Brett Moore (May 30)
- <Possible follow-ups>
- Re: A 3 a.m. Riddle Piotr Bania (May 30)
- Re: A 3 a.m. Riddle Chris Anley (May 30)
- Re: A 3 a.m. Riddle Nicolas Waisman (May 30)