Windows 2000 Remote Buffer Overflow by class101

[<sk3tch () sk3tch net>]

Posted here:

http://dfind.kd-team.com/36/55/op.php

"Stack based overflow, bug discovered by Luigi Auriemma
aluigi.altervista.org
Tested working on Win2K, This public version crash on any WinXP, read
the code why.
The exploit bind a shellcode on the victim port 101."

> From the code:

"Why Win2k only?
 After some days of debugging on it , I finally figured out how to
exploit this 
hole, this public overflow method works only on Win2k, using the 
JMP EBX from comdlg32.dll from Win2k SP4 english.
Because on WinXP , the register EBX points to a NULL address, this is
not exploitable
even if you update the JMP EBX, not exploitable VIA THIS WAY on XP I
mean OK!.

How do I did then on Win2k?
 I overwritte EIP with a JMP EBX, EBX is a perfect register because it
points directly
to my buffer, but problem, it points 4 bytes only before EIP, quite
short...
But enough to say him to jump ~80 bytes higher.
Now i have enough space to adjust my shellcode to ESI and to finally
jump to it...
That's why on WinXP (and maybe others , havent tested) this doesnt works
because EBX isnt 
available.
Not happy? code yours or get a pvt version ;p

How do I update to Win2k SP1 Dutch for example ?
 Grab a JMP EBX address in comdlg32.dll from this OS and update the
code."

 

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html