Vulnerability Development mailing list archives

.ida vulnerability..


From: Joakim Sandström <jode () tribalstorm com>
Date: Mon, 25 Jun 2001 16:11:42 +0200

Hi Folks,

I had some time off work last weekend, so I took a look at the new .ida vulnerability. I was debugging a Win2k Advanced Server with SP2 installed. First of all I tried to get EIP overrun and successfully did that after trying out different params. The first thing I noticed was that (as stated on eEye's pages) the buffer gets converted to wide character (which makes this really tricky). But according to eEye's description of the vuln I should be able to push in more stuff and make the heap (or whatever) grow larger so that I could produce some of my own input data to appear in memory locations as 00430043.

First of all I must admit I didn't succeed. It seems to me that the exceptions from the overflow occur before the "payload" gets parsed into memory. I can't locate the payload anywhere (and on some occasions not even the actual buffer).

From what I know, I see this as a deadlock situation. Maybe it's doable, though I don't have time to further investigate the vuln. Has anyone else tried it out? Results? Any certain combinations of payloads and overflow size which produce a good result? I bet this all varies a lot between Win2k versions and SP versions.

Another thing that puzzles me: why hasn't eEye released the proof of concept they are promising on their website? I'd really like to see (follow the flow) how you can get all this together. The exploit eEye had sent to Microsoft was based on Win2k Prof. and SP1. Is this because it was undoable on Win2k servers?



thanks,
      JODE

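The wide-character conversion the post refers to is the reason the overwrite value shows up as 00430043: each ASCII byte of the request becomes a 16-bit little-endian code unit, so a run of "C" (0x43) lands in memory as 43 00 43 00. The following is an added illustration, not code from the post, from eEye or from IIS; it models the conversion as a plain 7-bit-ASCII widening (a stand-in for a MultiByteToWideChar call, an assumption since the real ANSI code-page mapping of bytes >= 0x80 is not modelled) and shows what a saved pointer overwritten by a given part of the request would contain. The function and buffer names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the ASCII -> UTF-16LE widening the post
 * describes: every 7-bit ASCII byte becomes (byte, 0x00).  Bytes >= 0x80
 * are refused (return 0) because their real mapping depends on the ANSI
 * code page and is deliberately not modelled here.
 * Returns the number of output bytes (2 * n) or 0 on error. */
size_t widen_ascii(const char *in, size_t n, uint8_t *out, size_t out_cap)
{
    if (out_cap < 2 * n) return 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t b = (uint8_t)in[i];
        if (b >= 0x80) return 0;          /* outside the modelled subset */
        out[2 * i]     = b;               /* low byte: the ASCII value   */
        out[2 * i + 1] = 0x00;            /* high byte: always zero      */
    }
    return 2 * n;
}

/* The 32-bit little-endian value found at byte offset `off` of the widened
 * buffer, i.e. what a pointer overwritten by that part of it would hold.
 * Returns 0 if the read would run past the buffer. */
uint32_t widened_dword_at(const uint8_t *wide, size_t wide_len, size_t off)
{
    if (off + 4 > wide_len) return 0;
    return (uint32_t)wide[off]
         | (uint32_t)wide[off + 1] << 8
         | (uint32_t)wide[off + 2] << 16
         | (uint32_t)wide[off + 3] << 24;
}

/* Given the original (narrow) request and an offset counted in request
 * bytes, return the dword that ends up at the corresponding position of
 * the widened copy.  Each request byte occupies two widened bytes, so the
 * offset doubles; for "CCCC" this yields 0x00430043, and for 7-bit ASCII
 * input the upper byte of each 16-bit half is always 0x00, which is the
 * constraint the post calls "really tricky". */
uint32_t overwrite_dword(const char *req, size_t req_len, size_t ascii_off)
{
    uint8_t wide[512];                    /* constructed scratch buffer */
    size_t n = widen_ascii(req, req_len, wide, sizeof wide);
    if (n == 0) return 0;
    return widened_dword_at(wide, n, 2 * ascii_off);
}

int main(void)
{
    /* Constructed sample: 8 filler bytes followed by the 'C' run. */
    const char req[] = "AAAABBBBCCCC";
    size_t len = sizeof req - 1;
    for (size_t off = 0; off + 2 <= len; off += 4)
        printf("request offset %2zu -> widened dword 0x%08x\n",
               off, overwrite_dword(req, len, off));
    return 0;
}
```

The point the numbers make: whatever ASCII you send, the value that lands in an overwritten pointer is of the form 0x00XX00YY, so only addresses of that shape (such as 0x00430043) are reachable by the straightforward overwrite, and the request bytes are spread over twice as much memory as you sent.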
