Hey IZan,

there are numerous points in your post which need commenting. First off, please do not be offended by anything I might post regarding your publication, I seriously like it and have to admit it is quite a bit better than your average post on these mailing lists :)

Z> Team" and another BugTraq's "exiled" friends then i'd like to know what's
Z> happening here and if BugTraq and the Underground Security Community are being
Z> infected by Microsoft and the war by "third parties" to get "security business".

Unfortunately it is true that the technicality and quality of the lists has decreased, with more and more technical readers moving away/underground while companies send more advisories containing little information. Ah well, such is life -- I heard once that as a rule of thumb any good forum/meeting place turns crap after 2-3 years.

Z> Brute-forcing. What Service Pack is installed ?

The technique you describe here is not very well thought-out. First off, let's assume you're dealing with a system which is Windows (NT/2k/XP) and we do not know much more. NMAPing or XProbing is not possible due to correct filtering before our data actually hits the host. You have no way to fingerprint here. Of course, as dying processes/services are restarted under 2k/XP, you can try all possible offsets you have collected, but at worst you'll crash the service once for every failed guess (let's say you have a choice between NT4SP5/NT4SP6/W2kSp0/W2kSp1/W2kSp2/XP, that means in the worst case 5 server crashes), each one generating lots of Event Log entries. In the worst scenario, your attacked process doesn't die but hangs in a loop somewhere - which is certain to attract the sysadmins. Under NT you don't even have that luck - one missed shot and you're out.

You're claiming that exception handlers can be used to increase stability of exploits - by using them inside the injected code one can prevent segfaults due to nonpaged pages etc. While this is partially not a bad idea, it completely misses the point. Using SEH in hostile code is an old and boring technique. To be quite frank, most people didn't realize SEH existed before Win32.Cabanas by Jacky Qwerty/29A. But the main problem, not knowing which addresses to use to return to, can not be easily solved that way.

All in all the paper is a nice review of tricks one can play in multi-threaded environments -- not necessarily only under NT but under any OS providing kernel-supported threads. But I'd recommend removing the 'revolutionary new technology'-style from the document :) The document is good & technical enough not to require the stupid bragging the security industry is so full of these days.

Greetings, (and keep up the good work)

dullienat_private
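The reply above makes a point worth turning around for the defender: every wrong return-address guess against a service that gets restarted under 2k/XP shows up as a crash-and-restart pair in the Event Log, so a short burst of unexpected terminations of the same service on the same host is a strong signal that someone is brute-forcing offsets. The following is an added example that is not part of the original post or thread; it reads a constructed, simplified "timestamp host source message" log (not a real Event Log export, whose fields and event IDs differ) and flags (host, service) pairs whose crash count within a sliding time window reaches a threshold. The line format, the names `parse_crashes` and `find_crash_loops`, and the sample hosts and services are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches only the "terminated unexpectedly" lines of the constructed log format below.
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<source>\S+) The (?P<service>.+?) service terminated unexpectedly\.$"
)

# Constructed sample log: srv01 shows four crash/restart cycles of one service
# in under two minutes (the pattern a failed-offset brute force would leave);
# srv02 shows two isolated crashes a day apart (ordinary instability).
SAMPLE_LOG = """\
2001-12-20 10:01:05 srv01 SCM The IIS Admin service terminated unexpectedly.
2001-12-20 10:01:07 srv01 SCM The IIS Admin service entered the running state.
2001-12-20 10:01:31 srv01 SCM The IIS Admin service terminated unexpectedly.
2001-12-20 10:01:33 srv01 SCM The IIS Admin service entered the running state.
2001-12-20 10:02:02 srv01 SCM The IIS Admin service terminated unexpectedly.
2001-12-20 10:02:04 srv01 SCM The IIS Admin service entered the running state.
2001-12-20 10:02:40 srv01 SCM The IIS Admin service terminated unexpectedly.
2001-12-20 10:02:42 srv01 SCM The IIS Admin service entered the running state.
2001-12-20 14:30:00 srv02 SCM The Print Spooler service terminated unexpectedly.
2001-12-20 14:30:02 srv02 SCM The Print Spooler service entered the running state.
2001-12-21 09:15:00 srv02 SCM The Print Spooler service terminated unexpectedly.
"""


def parse_crashes(text):
    """Yield (timestamp, host, service) for every unexpected-termination line."""
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("host"), m.group("service")


def find_crash_loops(text, threshold=3, window=timedelta(minutes=10)):
    """Return {(host, service): n} for pairs with >= threshold crashes inside
    some window-sized span; n is the largest such count found."""
    by_key = defaultdict(list)
    for ts, host, service in parse_crashes(text):
        by_key[(host, service)].append(ts)

    flagged = {}
    for key, times in by_key.items():
        times.sort()
        best = 0
        start = 0
        # Sliding window over sorted timestamps: advance start until the span fits.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (host, service), count in sorted(find_crash_loops(SAMPLE_LOG).items()):
        print(f"{host}: '{service}' crashed {count} times within 10 minutes")
```

The threshold and window are deliberately conservative: a single crash is noise, but several restarts of the same service within minutes almost never happen by accident, and the same logic applies to a hung process that stops answering, which the reply notes is even more conspicuous.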
This archive was generated by hypermail 2b30 : Sat Dec 22 2001 - 15:16:27 PST