ms03-049 exploit xp sp0
From: wirepair (wirepair_at_roguemail.net)
Date: 11/12/03
- Previous message: Ben Greenberg: "New mac-10.3 vulnerable to a fork bomb"
- Next in thread: upb: "Re: ms03-049 exploit xp sp0"
- Reply: upb: "Re: ms03-049 exploit xp sp0"
- Maybe reply: upb: "Re: ms03-049 exploit xp sp0"
- Maybe reply: dave_at_immunitysec.com: "Re: ms03-049 exploit xp sp0"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: vuln-dev@securityfocus.com Date: Wed, 12 Nov 2003 13:03:03 -0800
lo all,
Well, I got xp sp0 to execute my code, but sp1 has a different stack layout. After the return address, the data only has about 4 or 8
bytes (I can't remember and I'm too lazy to check because I've been messing with this for the past 7 hours).
Since I have 4/8 bytes to work with, I'm contemplating doing some sort of jmp / call and stuffing my shellcode in the beginning of the
buffer instead of tacking it on to the end like my current exploit. Unfortunately my asm is still lacking and I am unsure about
the best way of making it jmp/call the address (without nulls and without hardset stack addresses).
If you can offer any suggestions I would *greatly* appreciate it.
Anyway, here's my code: http://sh0dan.org/files/0349.cpp
or the exe: http://sh0dan.org/files/0349.exe. Remember this is SP0 only; sp1 will definitely crash.
Thanks,
-wire