RE: WebDav Exploit ffs

From: Exurity Debugs (exbugsat_private)
Date: Thu Mar 27 2003 - 14:02:53 PST

    I don't believe your shellcode will work on a Kernel32.dll other than the
    version with the following ImageBase:
    "\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..
    
    Because your code is reversed as:
    
    loc_8F:
        mov     eax, [esi]                      ; esi walks AddressOfNames: RVA of name[edx]
        add     eax, ebp                        ; ebp = assumed kernel32 ImageBase (0x77E70000 above) -> VA of the name
        cmp     dword ptr [eax], 50746547h      ; "GetP"
        jnz     short loc_C0
        cmp     dword ptr [eax+4], 41636F72h    ; "rocA"
        jnz     short loc_C0
        cmp     dword ptr [eax+8], 65726464h    ; "ddre"  (12-byte prefix compare only)
        jnz     short loc_C0
        mov     eax, [edi+24h]                  ; edi = export directory: AddressOfNameOrdinals
        add     eax, ebp
        movzx   ebx, word ptr [eax+edx*2]       ; ordinal for name[edx]
        mov     eax, [edi+1Ch]                  ; AddressOfFunctions
        add     eax, ebp
        mov     ebx, [eax+ebx*4]                ; RVA of GetProcAddress
        add     ebx, ebp                        ; ebx = VA of GetProcAddress
    
            ; should jump to found
    loc_C0:
        add     esi, 4                          ; next name RVA
        inc     edx                             ; next name index
        cmp     edx, [edi+18h]                  ; NumberOfNames
        jnz     short loc_8F
            ; then reached all and could not find, so find another version
    So, if the Kernel32.dll happens to be different from the default, it will
    simply crash without going too far.
    Best regards
    Peter Huang
    Jumpable, Callable & Overflowing XPoson, New Exploitation Technology on the
    way
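An added illustration, not part of the original message or of the exploit it discusses: a constructed C model of the export-table walk in the listing above. It lays out a fake PE32 image in a buffer (the 'MZ' and 'PE\0\0' headers, the export DataDirectory entry, and an IMAGE_EXPORT_DIRECTORY with three names), then resolves a name the same way the loop at loc_8F does: a 12-byte prefix compare on each entry of AddressOfNames, then index -> ordinal through AddressOfNameOrdinals ([edi+24h]) and ordinal -> RVA through AddressOfFunctions ([edi+1Ch]), bounded by NumberOfNames ([edi+18h]). It also adds the check the hard-coded-ImageBase approach lacks, verifying the PE signatures at the candidate base before trusting it, so a wrong base gives a clean miss instead of reading garbage. The header offsets (E_LFANEW, EXPORT_DIR_RVA), the exported names and all function RVAs are constructed values; only the field offsets inside the export directory are the real PE-format ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the export-table walk; not the exploit's code.
 * The layout constants and RVAs below are arbitrary (hypothetical). */
#define IMG_SIZE        0x200
#define E_LFANEW        0x40    /* where "PE\0\0" sits in the fake image            */
#define EXPORT_DIR_RVA  0x100   /* where IMAGE_EXPORT_DIRECTORY sits in the fake image */

/* Host-order accessors via memcpy: no alignment or aliasing problems. */
static uint32_t get32(const uint8_t *b, uint32_t off) { uint32_t v; memcpy(&v, b + off, 4); return v; }
static uint16_t get16(const uint8_t *b, uint32_t off) { uint16_t v; memcpy(&v, b + off, 2); return v; }
static void put32(uint8_t *b, uint32_t off, uint32_t v) { memcpy(b + off, &v, 4); }
static void put16(uint8_t *b, uint32_t off, uint16_t v) { memcpy(b + off, &v, 2); }

/* Build the fake PE32 image: 'MZ', e_lfanew, 'PE\0\0', the export
 * DataDirectory entry (optional header + 0x60 = e_lfanew + 0x78 for PE32)
 * and an export directory with three names. The ordinal table is
 * deliberately not the identity so the name->ordinal->function
 * indirection is visible. */
void build_image(uint8_t *img) {
    static const char *names[]  = { "GetModuleHandleA", "GetProcAddress", "LoadLibraryA" };
    static const uint16_t ord[] = { 1, 2, 0 };                 /* name index -> ordinal */
    static const uint32_t fn[]  = { 0x1000, 0x2000, 0x3000 };  /* ordinal -> RVA (constructed) */
    uint32_t ed = EXPORT_DIR_RVA, funcs = ed + 0x28, nametab = funcs + 12,
             ords = nametab + 12, str = ords + 8;
    memset(img, 0, IMG_SIZE);
    memcpy(img, "MZ", 2);
    put32(img, 0x3C, E_LFANEW);                  /* e_lfanew                            */
    memcpy(img + E_LFANEW, "PE\0\0", 4);
    put32(img, E_LFANEW + 0x78, ed);             /* DataDirectory[EXPORT].VirtualAddress */
    put32(img, ed + 0x14, 3);                    /* NumberOfFunctions                   */
    put32(img, ed + 0x18, 3);                    /* NumberOfNames          ([edi+18h])  */
    put32(img, ed + 0x1C, funcs);                /* AddressOfFunctions     ([edi+1Ch])  */
    put32(img, ed + 0x20, nametab);              /* AddressOfNames         (esi)        */
    put32(img, ed + 0x24, ords);                 /* AddressOfNameOrdinals  ([edi+24h])  */
    for (int i = 0; i < 3; i++) {
        put32(img, funcs + 4 * i, fn[i]);
        put32(img, nametab + 4 * i, str);
        put16(img, ords + 2 * i, ord[i]);
        strcpy((char *)img + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
}

/* Locate the export directory the way a robust resolver would: verify the
 * 'MZ' and 'PE' signatures at the candidate base first. Returns 0 when the
 * base does not hold a PE image, which is the check the hard-coded
 * ImageBase in the reply never performs. */
uint32_t find_export_dir(const uint8_t *base) {
    if (memcmp(base, "MZ", 2) != 0) return 0;
    uint32_t pe = get32(base, 0x3C);
    if (pe + 0x7C > IMG_SIZE || memcmp(base + pe, "PE\0\0", 4) != 0) return 0;
    return get32(base, pe + 0x78);
}

/* The loop at loc_8F written out: walk AddressOfNames, compare the first
 * 12 bytes (the three dword compares "GetP","rocA","ddre"), then map
 * index -> ordinal -> function RVA. Returns the RVA, or 0 if not found. */
uint32_t resolve_export(const uint8_t *base, const char *name) {
    uint32_t ed = find_export_dir(base);
    if (ed == 0) return 0;
    uint32_t n = get32(base, ed + 0x18), funcs = get32(base, ed + 0x1C),
             nametab = get32(base, ed + 0x20), ords = get32(base, ed + 0x24);
    for (uint32_t i = 0; i < n; i++) {
        uint32_t name_rva = get32(base, nametab + 4 * i);
        if (name_rva >= IMG_SIZE) return 0;                   /* stay inside the model image */
        if (strncmp((const char *)base + name_rva, name, 12) == 0) {
            uint16_t ordinal = get16(base, ords + 2 * i);
            return get32(base, funcs + 4 * ordinal);
        }
    }
    return 0;
}

/* Wrappers so the results can be checked by name. */
uint32_t demo_lookup(const char *name) {
    static uint8_t img[IMG_SIZE];
    build_image(img);
    return resolve_export(img, name);
}

/* The reply's failure case in model form: the assumed ImageBase holds no
 * mapped kernel32 (here, a zeroed buffer). With the signature check this
 * is a clean miss rather than a walk through unrelated memory. */
uint32_t demo_wrong_base(void) {
    static uint8_t junk[IMG_SIZE];
    memset(junk, 0, sizeof junk);
    return resolve_export(junk, "GetProcAddress");
}

int main(void) {
    printf("GetProcAddress RVA: 0x%x\n", (unsigned)demo_lookup("GetProcAddress")); /* 0x3000 */
    printf("LoadLibraryA   RVA: 0x%x\n", (unsigned)demo_lookup("LoadLibraryA"));   /* 0x1000 */
    printf("CreateFileA    RVA: 0x%x\n", (unsigned)demo_lookup("CreateFileA"));    /* 0 (absent) */
    printf("wrong base      -> 0x%x\n", (unsigned)demo_wrong_base());              /* 0 */
    return 0;
}
```

Two things the model makes visible: the listing's compare is a 12-byte prefix match, so it accepts any export whose name begins with "GetProcAddre", and everything after the first instruction depends on ebp being the real base of a mapped kernel32, which is exactly what the reply says is only true for the one ImageBase baked into the shellcode.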
    



    This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 15:45:11 PST