Metasploit mailing list archives
ms06-040 ETA?
From: hdm at metasploit.com (H D Moore)
Date: Wed, 9 Aug 2006 20:44:14 -0500
This is a plain old stack overflow actually; the tricky part is that exploiting XP and 2003 requires you to bypass /GS protection. What bothers me the most about this bug is that I had a PoC for it six months ago, but overlooked an NDR encoding issue and couldn't reproduce it...

-HD

On Wednesday 09 August 2006 20:27, Rhys Kidd wrote:
> Give HD and the other devs the time they need to get it working reliably :) Although I haven't played with this bug, I'd assume the exploit will be a bit different to the usual win32 ones, as it almost certainly overflows in kernel space, and will require a new payload once EIP is controlled. Although there have been a few papers on kernel shellcode, notably from eEye's Barnaby Jack, there hasn't been much further public demonstration of kernel space exploitation techniques. Should be interesting!