Metasploit mailing list archives

ms06-040 ETA?

From: hdm at metasploit.com (H D Moore)
Date: Wed, 9 Aug 2006 20:44:14 -0500

This is a plain old stack overflow actually, the tricky part is that 
exploiting XP and 2003 requires you bypass /GS protection. What bothers 
me the most about this bug is that I had a PoC for it six months ago, but 
overlooked an NDR encoding issue and couldn't reproduce it...

-HD

On Wednesday 09 August 2006 20:27, Rhys Kidd wrote:

Give HD and the other devs the time they need to get it working
reliably :)

Although I haven't played with this bug, I'd assume the exploit will be
a bit different to the usual win32 ones, as it almost certainly
overflows in kernel space, and will require a new payload once EIP is
controlled.

Although there has been a few papers on kernel shellcode, notably from
eEye's Barnaby Jack, there hasn't been much further public
demonstration of kernel space exploitation techniques.

Should be interesting!

Current thread:

ms06-040 ETA? Exibar (Aug 09)
- ms06-040 ETA? H D Moore (Aug 09)
  - ms06-040 ETA? dajackman (Aug 09)
    - ms06-040 ETA? Rhys Kidd (Aug 09)
    - ms06-040 ETA? H D Moore (Aug 09)
    - ms06-040 ETA? Tomas L. Byrnes (Aug 09)
    - ms06-040 ETA? Rhys Kidd (Aug 09)
  - ms06-040 ETA? tomb at accessitgroup.com (Aug 09)