Re: ms03-049 exploit xp sp0

From: dave_at_immunitysec.com
Date: 13 Nov 2003 21:28:11 -0000
To: vuln-dev@securityfocus.com
In-Reply-To: <web-21415425@gator.darkhorse.com>

I didn't run into this problem in my version of the (XP SP1) attack, btw. Perhaps if you feel squeezed you can simply make your string bigger?

Most curious is the Unicode encoding differences between SP0 and SP1. Maybe something there is your problem?

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/CANVAS/

>From: "wirepair" <wirepair@roguemail.net>
>Subject: ms03-049 exploit xp sp0
>To: vuln-dev@securityfocus.com
>X-Mailer: CommuniGate Pro WebUser Interface v.4.1.5
>Date: Wed, 12 Nov 2003 13:03:03 -0800
>Message-ID: <web-21415425@gator.darkhorse.com>
>MIME-Version: 1.0
>Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
>Content-Transfer-Encoding: 8bit
>
>lo all,
>Well I got xp sp0 to execute my code, but sp1 has a different stack layout. After the return address data only has about 4 or 8
>bytes (I can't remember and I'm too lazy to check because I've been messing with this for the past 7 hours).
>Since I have 4/8 bytes to work with I'm contemplating doing some sort of jmp / call and stuff my shellcode in the beginning of the
>buffer instead of tacking it on to the end like my current exploit. Unfortunately my asm is lacking still and I am unsure about
>the best way of making it jmp/call the address (without nulls and without hardset stack addresses).
>If you can offer any suggestions I would *greatly* appreciate it.
>Anyways here's my code http://sh0dan.org/files/0349.cpp
>or the exe: http://sh0dan.org/files/0349.exe. Remember this is SP0 only, sp1 will definitely crash.
>Thanks,
>-wire
>--
>Visit Things From Another World for the best
>comics, movies, toys, collectibles and more.
>http://www.tfaw.com/?qt=wmf
>

