Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] MS05_039 Exploitation (different languages)

from [ad] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] MS05_039 Exploitation (different languages)
Date: Thu, 25 Aug 2005 23:29:28 +0200 
for the MS holes such this, yeah this is always like this because all
windows are differents, and about the langages if I remember the french
offets are like the deutsch, nl, etc , when you have a lot of free time you
can find out some OS langages using the same offsets.

****************************************************************
KEY: 0xA7C69C5F
PRINT: 694C 3495 BCC4 2F8B D794  6BD4 AF8B 457B A7C6 9C5F
****************************************************************


----- Original Message ----- 
From: "Roman Medina-Heigl Hernandez" <roman@rs-labs.com>
To: <full-disclosure@lists.grok.org.uk>
Cc: <bugtraq@securityfocus.com>
Sent: Thursday, August 25, 2005 6:36 PM
Subject: [Full-disclosure] MS05_039 Exploitation (different languages)


| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| Hi,
|
| I tested existing exploits for PnP bug on my W2k SP4 machine (Spanish)
| and they didn't work ("services" process is crashing but I got no
| shell). So I did a quick review with Olly and I realized that
| umpnpmgr.dll is being loaded at a different base address. In Spanish
| systems this base address is 0x76770000 but current exploits are
| assumming (I guess) 0x767a0000. Then I did a quick hack to HOD's exploit
| and it worked perfectly. I also modified Metasploit's module and
| included a target for Spanish systems. I've attached resulting exploits
| (they are trivial, though).
|
| Is it usual that Windows DLLs have different base address across same
| Windows/SP versions (but different languages)?
|
|
| - --
|
| Cheers,
| - -Roman
|
| PGP Fingerprint:
| 09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
| [Key ID: 0xEAD56742. Available at KeyServ]
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v1.4.0 (MingW32)
|
| iD8DBQFDDfOr5H+KferVZ0IRAiZKAKDJ0A1RT+iyFcJipN3k56YEmzctqACePS5e
| aUJNlnMEsftew1Yn993iGJY=
| =XE3r
| -----END PGP SIGNATURE-----
|


----------------------------------------------------------------------------
----


| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.grok.org.uk/full-disclosure-charter.html
| Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: unload event in ie/mozilla/opera, Early, Clint
Next by Date:  Re: [NOBYTES.COM: #8] Naxtor Shopping Cart 1.0 - Information Disclosure & Possible SQL Injection, devfreedom
Previous by Thread:  [Full-disclosure] MS05_039 Exploitation (different languages), Roman Medina-Heigl Hernandez
Next by Thread:  [Full-disclosure] Re: MS05_039 Exploitation (different languages), Fabrice MOURRON
Indexes:  [Date] [Thread] [Top] [All Lists]