Hi Roman,
I assure you that the address is also different for the French language.
With the similar review with ollydbg, the base address for me is
0x76740000. I've attached the resulting exploit and Metasploit's module
for french's system.
Regards,
--
Fabrice MOURRON ----- Consultant en sécurité des systèmes d'information
fmourron@exaprobe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID: 20D22266
FingerPrint: 767E CB52 94D3 7AEF DD21 BD2F 4D5C 6E6D 20D2 2266
Le jeudi 25 août 2005 à 18:36 +0200, Roman Medina-Heigl Hernandez a
écrit :
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I tested existing exploits for PnP bug on my W2k SP4 machine (Spanish)
and they didn't work ("services" process is crashing but I got no
shell). So I did a quick review with Olly and I realized that
umpnpmgr.dll is being loaded at a different base address. In Spanish
systems this base address is 0x76770000 but current exploits are
assumming (I guess) 0x767a0000. Then I did a quick hack to HOD's exploit
and it worked perfectly. I also modified Metasploit's module and
included a target for Spanish systems. I've attached resulting exploits
(they are trivial, though).
Is it usual that Windows DLLs have different base address across same
Windows/SP versions (but different languages)?
- --
Cheers,
- -Roman
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
iD8DBQFDDfOr5H+KferVZ0IRAiZKAKDJ0A1RT+iyFcJipN3k56YEmzctqACePS5e
aUJNlnMEsftew1Yn993iGJY=
=XE3r
-----END PGP SIGNATURE-----
ms05_039_pnp_french.pm
Description: Perl program
HOD-ms05039-pnp-expl-french.c
Description: Text Data
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
