Metasploit mailing list archives
ms06-040 ETA?
From: tomb at byrneit.net (Tomas L. Byrnes)
Date: Wed, 9 Aug 2006 19:06:34 -0700
Does Hardware DEP prevent it, or does it overflow in the code segment?

-----Original Message-----
From: H D Moore [mailto:hdm at metasploit.com]
Sent: Wednesday, August 09, 2006 6:44 PM
To: framework at metasploit.com
Subject: Re: [framework] ms06-040 ETA?

This is a plain old stack overflow actually; the tricky part is that exploiting XP and 2003 requires you to bypass /GS protection. What bothers me the most about this bug is that I had a PoC for it six months ago, but overlooked an NDR encoding issue and couldn't reproduce it...

-HD

On Wednesday 09 August 2006 20:27, Rhys Kidd wrote:
Give HD and the other devs the time they need to get it working reliably :) Although I haven't played with this bug, I'd assume the exploit will be a bit different to the usual win32 ones, as it almost certainly overflows in kernel space, and will require a new payload once EIP is controlled. Although there have been a few papers on kernel shellcode, notably from eEye's Barnaby Jack, there hasn't been much further public demonstration of kernel space exploitation techniques. Should be interesting!
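HD's point that the XP/2003 targets are guarded by /GS is about the stack cookie MSVC places between a function's local buffers and its saved return address. The following is an added illustration, not code from the thread or from Metasploit: a simulated frame with a constructed cookie value, showing how an unchecked copy that runs past the buffer corrupts the cookie and is caught by the epilogue check before the function returns. The layout, cookie value and function names are assumptions for the simulation; a real /GS cookie is randomised per image and XORed with the frame pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 16

/* Hypothetical stack frame laid out the way /GS orders it:
   local buffer, then cookie, then the saved return address. */
typedef struct {
    char     buf[BUF_SIZE];
    uint32_t cookie;
    uint32_t saved_ret;   /* stand-in for the saved return address */
} frame_t;

/* Constructed cookie value; real /GS uses a per-image random value. */
static const uint32_t g_security_cookie = 0x5A6B7C8DU;

/* Simulates a /GS-protected function containing an unchecked copy.
   Returns 1 if the epilogue cookie check passes (no overflow reached the
   cookie), 0 if the check would fail and abort the process. */
int copy_with_gs_check(const unsigned char *src, size_t len) {
    frame_t f;
    f.cookie = g_security_cookie;       /* prologue: store the cookie */
    f.saved_ret = 0xDEADBEEFU;          /* constructed return address */
    if (len > sizeof(frame_t)) len = sizeof(frame_t);   /* keep the simulation in bounds */
    /* the bug: copy attacker-sized data into a fixed buffer */
    memcpy((unsigned char *)&f + offsetof(frame_t, buf), src, len);
    /* epilogue: __security_check_cookie equivalent */
    return f.cookie == g_security_cookie;
}

/* Builds a constructed input of `len` filler bytes and reports whether
   the /GS check would detect the overflow (1) or let the return proceed (0). */
int gs_check_detects_overflow(size_t len) {
    unsigned char input[sizeof(frame_t)];
    memset(input, 'A', sizeof(input));
    if (len > sizeof(input)) len = sizeof(input);
    return copy_with_gs_check(input, len) ? 0 : 1;
}
```

An input of 16 bytes or fewer leaves the cookie intact, while anything longer corrupts it and is detected before the overwritten return address can be used.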
Current thread:
- ms06-040 ETA? Exibar (Aug 09)
- ms06-040 ETA? H D Moore (Aug 09)
- ms06-040 ETA? dajackman (Aug 09)
- ms06-040 ETA? Rhys Kidd (Aug 09)
- ms06-040 ETA? H D Moore (Aug 09)
- ms06-040 ETA? Tomas L. Byrnes (Aug 09)
- ms06-040 ETA? Rhys Kidd (Aug 09)
- ms06-040 ETA? dajackman (Aug 09)
- ms06-040 ETA? H D Moore (Aug 09)