Re[3]: ms03-043 questions
From: A*** (netninja_at_hotmail.kg)
Date: 11/05/03
- Previous message: Valdis.Kletnieks_at_vt.edu: "Re: WTMP file"
- In reply to: einstein, dhtm: "Re[2]: ms03-043 questions"
- Next in thread: Dave Korn: "Re: Re[2]: ms03-043 questions"
Date: Thu, 6 Nov 2003 03:48:48 +0600
To: "einstein, dhtm" <einstein_dhtm@front.ru>
Hello dhtm,
Thursday, November 6, 2003, 12:03:57 PM, you wrote:
ed> Hello, A***.
ed> You wrote on 3 November 2003 at 12:29:19:
A>> Hello wirepair,
A>> Monday, November 3, 2003, 9:12:54 AM, you wrote:
w>>> Hello all,
w>>> I was just curious if anyone has been able to get this to execute code. I've been playing with it the last couple of days and I've
w>>> only managed to get invalid read attempts. I've narrowed it down to requiring at least 584 0x14 characters (a length of 3992 appears
w>>> to be required to cause the exception). Placement within the buffer of the 0x14 characters does not seem to matter. Thanks for any
w>>> information you can provide.
w>>> -wire
A>> My exploit for MS03-043 takes advantage of the global SEH. I overwrote it
A>> with a pointer to my shellcode. Make sure your message body size is
A>> somewhere around 3656. It works fine for Win2k and WinXP. By the way, you need to
A>> send the packet 2 times on Win2k; on WinXP the access violation exception is triggered
A>> with only 1 packet sent. My exploit executes successfully, but it's not
A>> 100% reliable. Try experimenting with the message size; you might get
A>> different results.
ed> Do you mean the "final" exception handler (which is usually set by
ed> SetUnhandledExceptionFilter) or the per-thread handler at fs:[0]?
By global SEH I meant UnhandledExceptionFilter. You can overwrite the per-thread
handler at fs:[0] in stack overflows, but in heap overflows it's usually
useless.
ed> is that it's usually not easy to locate your shellcode in memory (like
ed> in stack-based overflows). How do you overcome this difficulty?
Try searching the stack for a pointer to your shellcode; if you're lucky, you might find one.
-- Best regards, A*** mailto:netninja@hotmail.kg
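Added example, not code from this thread or from the poster's exploit. It is a portable C model of the two steps the reply describes: replacing the process-wide unhandled-exception filter pointer ("global SEH") with a pointer to the attacker's code, and scanning the stack for a word that already points into the attacker-controlled message body. Everything in it is an assumption made for illustration: the real slot is the one SetUnhandledExceptionFilter maintains inside kernel32, the write that reaches it is a side effect of the heap corruption, and the stack snapshot is constructed; none of that is modelled beyond a plain store and a fixed array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the reply's technique. The filter slot, the write primitive and
 * the stack snapshot are all stand-ins (assumptions), not the real Windows
 * structures. */

typedef int (*filter_fn)(void);

/* Stand-in for the top-level ("global SEH") filter pointer. */
static filter_fn g_unhandled_filter;

static int default_filter(void) { return -1; }     /* the normal crash path */
static int fake_shellcode(void)  { return 0x1337; } /* stands in for shellcode */

/* Constructed message body; in the exploit this is the oversized body. */
static char g_msg_body[256] = "constructed message body";

/* The write-what-where the heap overflow ends in; here a plain store. */
static void write_what_where(filter_fn *where, filter_fn what) {
    *where = what;
}

/* What happens on an access violation that no frame handler claims: the
 * top-level filter runs. Once it has been replaced, so has control flow. */
static int raise_unhandled_exception(void) {
    return g_unhandled_filter ? g_unhandled_filter() : -2;
}

/* Scan nwords machine words for one that points into [lo, lo+len).
 * Returns the index of the first hit, or -1. This is the "search the stack
 * for a pointer to your shellcode" step from the reply. */
static long find_pointer_into(const uintptr_t *words, size_t nwords,
                              const void *lo, size_t len) {
    uintptr_t start = (uintptr_t)lo, end = start + len;
    for (size_t i = 0; i < nwords; i++)
        if (words[i] >= start && words[i] < end)
            return (long)i;
    return -1;
}

/* Constructed stack snapshot: assorted locals plus one stale pointer into
 * the message body, the kind of leftover a parser often leaves behind. */
static void make_fake_stack(uintptr_t out[8]) {
    out[0] = 0x0000000c; out[1] = 0xdeadbeef; out[2] = 0;
    out[3] = (uintptr_t)g_msg_body + 40;   /* the pointer we hope to find */
    out[4] = 0xcafebabe; out[5] = 1; out[6] = 0; out[7] = 0;
}

/* Step 2 on its own: which word of the snapshot points into the body? */
long demo_find_body_pointer(void) {
    uintptr_t st[8];
    make_fake_stack(st);
    return find_pointer_into(st, 8, g_msg_body, sizeof g_msg_body);
}

/* The same scan against a region nothing on the stack points into. */
long demo_find_nothing(void) {
    uintptr_t st[8];
    static char unrelated[16];
    make_fake_stack(st);
    return find_pointer_into(st, 8, unrelated, sizeof unrelated);
}

/* Step 1, then the crash: before the overwrite the filter returns -1;
 * after it, the "shellcode" runs instead. */
int demo_hijack_filter(void) {
    g_unhandled_filter = default_filter;
    if (raise_unhandled_exception() != -1) return -3;   /* sanity check */
    write_what_where(&g_unhandled_filter, fake_shellcode);
    return raise_unhandled_exception();
}

int main(void) {
    printf("body pointer found at stack word %ld\n", demo_find_body_pointer());
    printf("filter after hijack returns 0x%x\n", demo_hijack_filter());
    return 0;
}
```

The scan is deliberately generic: it takes any word range and any target range, so the same routine covers a dump of the real stack or any other region you can read. The part the model leaves out is what the reply also leaves open, namely how the heap corruption produces the write and how a found stack pointer is turned into a jump, which is why the poster reports the exploit as not 100% reliable.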