Re[2]: ms03-043 questions
From: einstein, dhtm (einstein_dhtm_at_front.ru)
Date: 11/06/03
- Previous message: BORJA RUIZ CASTRO MORON: "WTMP file"
- Maybe in reply to: wirepair: "ms03-043 questions"
- Next in thread: A***: "Re[3]: ms03-043 questions"
- Reply: A***: "Re[3]: ms03-043 questions"
- Maybe reply: Dave Korn: "Re: Re[2]: ms03-043 questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 5 Nov 2003 22:03:57 -0800
To: vuln-dev@securityfocus.com
Hello, A***.
You wrote on 3 November 2003 at 12:29:19:
A> Hello wirepair,
A> Monday, November 3, 2003, 9:12:54 AM, you wrote:
w>> lo all,
w>> I was just curious if anyone has been able to get this to execute code. I've been playing with it the last couple of days and I've
w>> only managed to get invalid read attempts. I've narrowed it down to requiring at least 584 0x14 characters (a length of 3992 appears
w>> to be required to cause the exception). Placement within the buffer of the 0x14 characters does not seem to matter. Thanks for any
w>> information you can provide.
w>> -wire
w>> --
w>> Visit Things From Another World for the best
w>> comics, movies, toys, collectibles and more.
w>> http://www.tfaw.com/?qt=wmf
A> my exploit for MS03-043 takes advantage of global SEH. I overwrote it
A> with a pointer to my shellcode. make sure your message body size is
A> somewhere around 3656. works fine for win2k and winxp. btw you need to
A> send the packet 2 times on win2k; on winxp the access violation exception is triggered
A> with only 1 packet send. my exploit executes successfully but it's not
A> 100% reliable. try experimenting with message size. you might get
A> different results
Do you mean the "final" exception handler (which is usually set by
SetUnhandledExceptionFilter) or the per-thread handler at fs:[0]?
This article: http://www.jorgon.freeserve.co.uk/ExceptFrame.htm
explains SEH in detail, but the main difference with heap-based overflows
is that it's usually not easy to locate your shellcode in memory (unlike
in stack-based overflows). How do you overcome this difficulty?
On win2k, 2 packets are needed for sure on my system too, and the
service crashes if you don't debug it; on WinXP it doesn't.
--
Best regards,
dhtm mailto:einstein_dhtm@front.ru