Full Disclosure mailing list archives
Windows 2000 Remote Buffer Overflow by class101
From: <sk3tch () sk3tch net>
Date: Fri, 22 Oct 2004 13:20:36 -0500
Posted here: http://dfind.kd-team.com/36/55/op.php "Stack-based overflow, bug discovered by Luigi Auriemma aluigi.altervista.org. Tested working on Win2K. This public version crashes on any WinXP; read the code to see why. The exploit binds a shellcode on the victim port 101."
From the code:
"Why Win2k only? After some days of debugging on it, I finally figured out how to exploit this hole. This public overflow method works only on Win2k, using the JMP EBX from comdlg32.dll from Win2k SP4 English. Because on WinXP the register EBX points to a NULL address, this is not exploitable even if you update the JMP EBX; not exploitable VIA THIS WAY on XP, I mean, OK! How did I do it then on Win2k? I overwrite EIP with a JMP EBX. EBX is a perfect register because it points directly to my buffer, but problem: it points only 4 bytes before EIP, quite short... But enough to tell it to jump ~80 bytes higher. Now I have enough space to adjust my shellcode to ESI and to finally jump to it... That's why on WinXP (and maybe others, haven't tested) this doesn't work, because EBX isn't available. Not happy? Code yours or get a pvt version ;p How do I update to Win2k SP1 Dutch, for example? Grab a JMP EBX address in comdlg32.dll from this OS and update the code."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html