Metasploit mailing list archives

ms06-040 ETA?


From: tomb at byrneit.net (Tomas L. Byrnes)
Date: Wed, 9 Aug 2006 19:06:34 -0700

Does Hardware DEP prevent it, or does it overflow in the code segment?


-----Original Message-----
From: H D Moore [mailto:hdm at metasploit.com] 
Sent: Wednesday, August 09, 2006 6:44 PM
To: framework at metasploit.com
Subject: Re: [framework] ms06-040 ETA?

This is a plain old stack overflow actually, the tricky part is that
exploiting XP and 2003 requires you bypass /GS protection. What bothers
me the most about this bug is that I had a PoC for it six months ago,
but overlooked an NDR encoding issue and couldn't reproduce it...

-HD

On Wednesday 09 August 2006 20:27, Rhys Kidd wrote:
Give HD and the other devs the time they need to get it working 
reliably :)

Although I haven't played with this bug, I'd assume the exploit will 
be a bit different to the usual win32 ones, as it almost certainly 
overflows in kernel space, and will require a new payload once EIP is 
controlled.

Although there have been a few papers on kernel shellcode, notably from 
eEye's Barnaby Jack, there hasn't been much further public 
demonstration of kernel space exploitation techniques.

Should be interesting!
