Fw: [Full-disclosure] 2 nice pop/pop/ret :) (update)
From: class 101 (class101_at_gmail.com)
Date: 03/11/05
- Previous message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-disclosure] Reverse dns"
- Maybe in reply to: class 101: "[Full-disclosure] 2 nice pop/pop/ret :) (update)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Dave Korn" <davek_throwaway@hotmail.com>, "Full-Disclosure" <Full-Disclosure@lists.grok.org.uk> Date: Fri, 11 Mar 2005 00:14:59 +0100
and the XP SP2 english:
File Version: 0x000500010a280884
Product Version: 0x000500010a280884
File Flags:
File OS: NT WINDOWS32
File Type: DLL
File Subtype: Not currently supported
File Date: 0x0000000000000000
Translation table:
-----------------
0409 04b0
CompanyName: Microsoft Corporation
FileDescription: Windows NT BASE API Client DLL
FileVersion: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
InternalName: kernel32
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: kernel32
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.2180
-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
----- Original Message -----
From: "class 101" <class101@gmail.com>
To: "Dave Korn" <davek_throwaway@hotmail.com>; "Full-Disclosure"
<Full-Disclosure@lists.grok.org.uk>
Sent: Friday, March 11, 2005 12:07 AM
Subject: re: [Full-disclosure] 2 nice pop/pop/ret :) (update)
> sorry, got a problem to copy paste
>
> as I have said I think we have 2 different versions, mine is
>
> File Version: 0x000500010a280452
> Product Version: 0x000500010a280452
> File Flags:
> File OS: NT WINDOWS32
> File Type: DLL
> File Subtype: Not currently supported
> File Date: 0x0000000000000000
>
> Translation table:
> -----------------
> 0409 04b0
>
> CompanyName: Microsoft Corporation
> FileDescription: Windows NT BASE API Client DLL
> FileVersion: 5.1.2600.1106 (xpsp1.020828-1920)
> InternalName: kernel32
> LegalCopyright: © Microsoft Corporation. All rights reserved.
> OriginalFilename: kernel32
> ProductName: Microsoft® Windows® Operating System
> ProductVersion: 5.1.2600.1106
>
> -------------------------------------------------------------
> class101
> Jr. Researcher
> Hat-Squad.com
> -------------------------------------------------------------
> ----- Original Message -----
> From: "class 101" <class101@gmail.com>
> To: "Dave Korn" <davek_throwaway@hotmail.com>; "Full-Disclosure"
> <Full-Disclosure@lists.grok.org.uk>
> Sent: Thursday, March 10, 2005 11:33 PM
> Subject: Re: [Full-disclosure] 2 nice pop/pop/ret :) (update)
>
>
> > > I had the same problem with that universal w2k offset you posted about
> on
> > > 9th Feb (Subject: Nice call to ebx found). I went and looked for it
on
> my
> > > W2k Pro Sp2 system at home. It wasn't there :-(
> >
> > Yep normal, because if I remember , I have mentionned that it was for
w2k
> > pro&srv , SP4's series for all langages, but I guess its not the same
for
> > sp3-2-1-0
> >
> > > but the kernel32 one just isn't there:
> > >
> > > 0:003> u 0x77E7F69E
> > > kernel32!BasepShimCacheSearch+0x1d:
> > > 77e7f69e c02802 shr byte ptr [eax],0x2
> >
> > ha shit ;( but looks like we have 2 different versions, the one where I
> have
> > tried is:
> >
> > File Version: 0x000500010a280452
> > Product Version: 0x000500010a280452
> > File Flags:
> > File OS: NT WINDOWS32
> > File Type: DLL
> > File Subtype: Not currently supported
> > File Date: 0x0000000000000000
> >
> > Translation table:
> > -----------------
> > 0409 04b0
> >
> > CompanyName: Microsoft Corporation
> >
> > -------------------------------------------------------------
> > class101
> > Jr. Researcher
> > Hat-Squad.com
> > -------------------------------------------------------------
> > ----- Original Message -----
> > From: "Dave Korn" <davek_throwaway@hotmail.com>
> > To: <class101@hat-squad.com>; <Full-Disclosure@lists.grok.org.uk>
> > Sent: Thursday, March 10, 2005 8:05 PM
> > Subject: RE: [Full-disclosure] 2 nice pop/pop/ret :) (update)
> >
> >
> > > >From: "class 101" Date: Wed, 9 Mar 2005 10:01:57 +0100
> > >
> > > Hi there class 101!
> > >
> > > > Here is the result of comparing some huge list of pop/pop/ret of XP
> > SP1,
> > > >SP1a, SP2 ENGLISH
> > > >
> > > >I got 2 universal offsets accross those 3 Os
> > > >
> > > >SP2 ENGLISH
> > > >
> > > >0x71ABE325 pop esi - pop - retbis - WS2_32.DLL
> > > >0x77E7F69E pop ebx - pop - retbis - RPCRT4.DLL
> > > >
> > > >SP1a ENGLISH
> > > >
> > > >0x71ABE325 pop edi - pop - retbis - WS2_32.DLL
> > > >0x77E7F69E pop ebx - pop - retbis - KERNEL32.DLL
> > > >
> > > >SP1 ENGLISH
> > > >
> > > >0x71ABE325 pop edi - pop - retbis - WS2_32.DLL
> > > >0x77E7F69E pop ebx - pop - retbis - KERNEL32.DLL
> > > >
> > > >
> > > >enjoy :)
> > >
> > >
> > > That's interesting: on my sp1 english system, only one of those
> > addresses
> > > works. The winsock one is good:
> > >
> > > 0:003> u 0x71ABE325
> > > WS2_32!CopyBlobIndirect+0x71:
> > > 71abe325 5f pop edi
> > > 71abe326 5e pop esi
> > > 71abe327 c20400 ret 0x4
> > >
> > > but the kernel32 one just isn't there:
> > >
> > > 0:003> u 0x77E7F69E
> > > kernel32!BasepShimCacheSearch+0x1d:
> > > 77e7f69e c02802 shr byte ptr [eax],0x2
> > > 77e7f6a1 0000 add [eax],al
> > > 77e7f6a3 03442414 add eax,[esp+0x14]
> > > 77e7f6a7 66833800 cmp word ptr [eax],0x0
> > > 77e7f6ab 7415 jz kernel32!BasepShimCacheSearch+0x3d
> > > (77e7f6c2)
> > > 77e7f6ad 50 push eax
> > > 77e7f6ae ff74241c push dword ptr [esp+0x1c]
> > >
> > > I had the same problem with that universal w2k offset you posted
about
> > on
> > > 9th Feb (Subject: Nice call to ebx found). I went and looked for it
on
> my
> > > W2k Pro Sp2 system at home. It wasn't there :-(
> > >
> > > What do you suppose could be the reason why we find different
results?
> > > Hotfixes perhaps? How does the version info look like from _your_
copy
> of
> > > kernel32.dll? Mine says
> > >
> > > 0:003> lm v mkernel32
> > > start end module name
> > > 77e60000 77f46000 kernel32 (pdb symbols)
> > > C:\symcache\kernel32.pdb\40D1D0C52\kernel32.pdb
> > > Loaded symbol image file: C:\WINDOWS\system32\kernel32.dll
> > > Image path: C:\WINDOWS\system32\kernel32.dll
> > > Image name: kernel32.dll
> > > Timestamp: Thu Jun 17 18:58:35 2004 (40D1DBCB)
> > > CheckSum: 000EC3A9
> > > ImageSize: 000E6000
> > > File version: 5.1.2600.1560
> > > Product version: 5.1.2600.1560
> > > File flags: 0 (Mask 3F)
> > > File OS: 40004 NT Win32
> > > File type: 2.0 Dll
> > > File date: 00000000.00000000
> > > Translations: 0409.04b0
> > > CompanyName: Microsoft Corporation
> > > ProductName: Microsoft® Windows® Operating System
> > > InternalName: kernel32
> > > OriginalFilename: kernel32
> > > ProductVersion: 5.1.2600.1560
> > > FileVersion: 5.1.2600.1560 (xpsp2_gdr.040517-1325)
> > > FileDescription: Windows NT BASE API Client DLL
> > > LegalCopyright: © Microsoft Corporation. All rights reserved.
> > >
> > >
> > > cheers,
> > > DaveK
> > > --
> > > Can't think of a witty .sigline today....
> > >
> > >
> > >
> > >
> >
> >
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
- Previous message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-disclosure] Reverse dns"
- Maybe in reply to: class 101: "[Full-disclosure] 2 nice pop/pop/ret :) (update)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
