Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] MS05_039 Exploitation (different languages)

from [Roman Medina-Heigl Hernandez] Network Security [Permanent Link]
Subject: [Full-disclosure] MS05_039 Exploitation (different languages)
Date: Thu, 25 Aug 2005 18:36:59 +0200 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I tested existing exploits for PnP bug on my W2k SP4 machine (Spanish)
and they didn't work ("services" process is crashing but I got no
shell). So I did a quick review with Olly and I realized that
umpnpmgr.dll is being loaded at a different base address. In Spanish
systems this base address is 0x76770000 but current exploits are
assumming (I guess) 0x767a0000. Then I did a quick hack to HOD's exploit
and it worked perfectly. I also modified Metasploit's module and
included a target for Spanish systems. I've attached resulting exploits
(they are trivial, though).

Is it usual that Windows DLLs have different base address across same
Windows/SP versions (but different languages)?


- --

Cheers,
- -Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFDDfOr5H+KferVZ0IRAiZKAKDJ0A1RT+iyFcJipN3k56YEmzctqACePS5e
aUJNlnMEsftew1Yn993iGJY=
=XE3r
-----END PGP SIGNATURE-----

Attachment: ms05_039_spanish.tgz
Description: GNU Unix tar archive

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] Advisory: iTAN not as secure as claimed, release
Next by Date:  Re: unload event in ie/mozilla/opera, Drew Haven
Previous by Thread:  [Full-disclosure] Advisory: iTAN not as secure as claimed, release
Next by Thread:  Re: [Full-disclosure] MS05_039 Exploitation (different languages), ad
Indexes:  [Date] [Thread] [Top] [All Lists]