Full Disclosure mailing list archives
Re: MS05_039 Exploitation (different languages)
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Fri, 26 Aug 2005 14:36:21 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sanjay Rawat wrote:

> I too observed the same thing. I am running a Windows 2K, SP4. I found that the base address of UMPNPMGR.DLL is 0x767a0000. However, when I run the attack with this address, the target machine got rebooted (a crash). This may be because umpnpmgr.dll is a part of "service.exe", therefore, on failure, it reboots. But with the unchanged base address, it worked perfectly. So now the same code can be used for DoS also!!!

You are simply crashing the "services" process because EIP is not reaching the right instructions (e.g. pop;pop;ret) or (depending on the process' memory layout) it's referencing an invalid address. When Windows detects the crash, it reboots (since it lacks an important system component). This is a side effect. Anyway, if you have a shell, why do you want a simple DoS? :)

In order to clarify:

- my hacked hod's exploit changed the "destination EIP" to match Spanish systems. So it will NOT work on English systems (call it "DoS"; I prefer to name it "didn't work" ;-)). And that's why I appended "-spanish" to the filename.
- for the Metasploit module, I simply added a new "target", so it supports both English (target 0) and Spanish (target 1). It can be directly copied to the "exploits" directory in the Metasploit source tree. That's the reason I didn't change the filename in this case (hdm: feel free to add it to Metasploit).

Finally, the purpose of my post was not only to add a new target to an exploit (the ML would quickly be flooded with tons of similar mails if everyone did it... so please, don't do it, I'm a bad example :-(), but to bring attention to the base address issue and try to learn from you, guys :). Indeed, I still have some questions:

- which is the connection between different languages' Windows, if there is any? (for instance, ad () class101 org suggested that "french offsets are like the deutsch") (btw, I didn't change the offset but the base address, which is a different thing)
- any more or less accurate list of connections/links in Windows across different languages? Or perhaps it's something fairly random?

PS: You could write directly to me and I'll summarize responses (different base addresses for the exploit are welcome; I don't think it's appropriate to flood the mailing list with this...).

-- 
Regards,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFDDwzF5H+KferVZ0IRAu65AKCQC9nsb1VjzmooamBTWKZeEUS7sgCgjTwe
BAz1iweHkMIgPq0pQaCW99s=
=4fg1
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
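The reboot Sanjay saw and Roman's explanation of it come down to one thing: a module base hardcoded for one language build does not match the base of the module actually present on another, so control lands on garbage inside services.exe and the machine restarts. From the analysis side, the preferred load address of a module and whether it is relocatable at all are both in the PE optional header (the same fields dumpbin /headers prints). The Python below is an added example, not code from this thread or from the Metasploit project. It parses ImageBase and the DllCharacteristics ASLR bit, and instead of reading a real umpnpmgr.dll it constructs minimal PE32 and PE32+ images in memory; the 0x767a0000 value is only the figure Sanjay quoted, reused here as sample input, and all function names are my own.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image may be loaded at a randomized base.
# The 2000/XP-era systems in this thread predate ASLR, but on any image that sets
# this bit the header ImageBase says nothing about where the DLL really lands.
DYNAMIC_BASE = 0x0040


def read_image_base(data: bytes) -> dict:
    """Return the preferred ImageBase, PE flavour and ASLR flag of a PE image (bytes)."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                       # IMAGE_FILE_HEADER (20 bytes)
    machine, _nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                           # IMAGE_OPTIONAL_HEADER
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                        # PE32: 32-bit ImageBase at +28
        flavour = "PE32"
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                      # PE32+: 64-bit ImageBase at +24
        flavour = "PE32+"
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both flavours
    return {
        "machine": machine,
        "format": flavour,
        "image_base": image_base,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
    }


def hardcoded_base_is_reliable(data: bytes, hardcoded_base: int) -> bool:
    """True only if the header base equals the hardcoded one AND the image is not ASLR-enabled.

    Anything else is the situation in the thread: a wrong guess that crashes the host process.
    """
    info = read_image_base(data)
    return info["image_base"] == hardcoded_base and not info["aslr"]


def build_minimal_pe(image_base: int, pe32plus: bool = False, dll_characteristics: int = 0) -> bytes:
    """Construct a header-only PE image for testing (hypothetical sample, not a real DLL)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew: PE header follows DOS header
    if pe32plus:
        opt = bytearray(112)                                  # PE32+ standard optional header size
        struct.pack_into("<H", opt, 0, 0x20B)
        struct.pack_into("<Q", opt, 24, image_base)
        machine, chars = 0x8664, 0x2002                        # AMD64, DLL | EXECUTABLE_IMAGE
    else:
        opt = bytearray(96)                                   # PE32 standard optional header size
        struct.pack_into("<H", opt, 0, 0x10B)
        struct.pack_into("<I", opt, 28, image_base)
        machine, chars = 0x14C, 0x2102                         # i386, DLL | 32BIT_MACHINE | EXECUTABLE_IMAGE
    struct.pack_into("<H", opt, 70, dll_characteristics)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: a build whose base matches Sanjay's figure, a build at a
    # different base (the cross-language case), and an ASLR-enabled build.
    guessed = 0x767A0000
    for label, img in [
        ("matching build", build_minimal_pe(0x767A0000)),
        ("other-language build", build_minimal_pe(0x767B0000)),
        ("ASLR build", build_minimal_pe(0x767A0000, dll_characteristics=DYNAMIC_BASE)),
        ("64-bit build", build_minimal_pe(0x7FF800000000, pe32plus=True, dll_characteristics=DYNAMIC_BASE)),
    ]:
        info = read_image_base(img)
        print(f"{label:22s} {info['format']:5s} ImageBase=0x{info['image_base']:x} "
              f"aslr={info['aslr']} hardcoded_ok={hardcoded_base_is_reliable(img, guessed)}")
```

Run against a real module the same parser tells you whether a crash report for services.exe is consistent with a mismatched base, and the ASLR bit tells you whether a fixed address could ever have been reliable on that build.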
Current thread:
- MS05_039 Exploitation (different languages) Roman Medina-Heigl Hernandez (Aug 25)
- Re: MS05_039 Exploitation (different languages) ad (Aug 25)
- Re: MS05_039 Exploitation (different languages) Fabrice MOURRON (Aug 25)
- Re: MS05_039 Exploitation (different languages) Sanjay Rawat (Aug 26)
- Re: MS05_039 Exploitation (different languages) Roman Medina-Heigl Hernandez (Aug 26)