|
Dailydave
mailing list archives
Re: A 3 a.m. Riddle
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Thu, 31 May 2007 12:22:59 +1200
The riddle: Let said you are trying to exploit a remote service on an
old Windows 2000 (whatever SP you want) and the primitive is the
following
inc [edi] // you control edi
What would be the best option for edi?
* You can only do it one time.
* Note: The riddle is taken from an old silenty patched bug on WINS.
nico, you say you can only do it once. Does the service crash,handle an
exception, or nothing after this one increment?
Stating the obivous here, but does using a writable vs a non-writeble
address make any difference.
Also does using different bit values for EDI make any difference to code
path execution.
If you can do 1 increment, and the service continues to operate, then
you are needing to modify a value that
is then used later, to somehow get other data under your control to be
used.''
Maybe combining a couple of the already suggested ideas, and hit some
values in known static locations on win2k.
like the PEB? or TIB?
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT
%20Objects/Process/PEB.html
http://en.wikipedia.org/wiki/Win32_Thread_Information_Block
As already noted by misaligning the word you can affect different bytes.
So maybe adjust the thread SEH chain
ptr to something else on the stack.
Be interesting to see what you come up with.
Brett
-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Nicolas
Waisman
Sent: Thursday, 31 May 2007 3:04 a.m.
To: Dave Korn
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] A 3 a.m. Riddle
You can only do it one time.
Note: The riddle is taken from an old silenty patched bug on WINS.
Nico
On Wed, May 30, 2007 at 03:15:13PM +0100, Dave Korn wrote:
On 30 May 2007 07:13, Nicolas Waisman wrote:
Lets have a fun riddle to cheer up the spirit ( Mate at 11pm, its
all
night insomnia.)
The riddle: Let said you are trying to exploit a remote service on
an
old Windows 2000 (whatever SP you want) and the primitive is the
following
inc [edi] // you control edi
What would be the best option for edi?
Depends what else you control apart from edi, and whether you can do
it more
than once. If you can overwrite an SEH handler, point edi at an
illegal
address to invoke your code. If you can do it multiple times, perhaps
you can
point edi somewhere on the stack and increment a stored ebp to point
at data
you control. Don't forget the possibility of pointing it at a
non-word-aligned address to e.g increment just the high byte of a
stored
pointer.
cheers,
DaveK
--
Can't think of a witty .sigline today....
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
 By Date 
By Thread
Current thread:
- Re: A 3 a.m. Riddle, (continued)
- Re: A 3 a.m. Riddle Brett Moore (May 30)
Re: A 3 a.m. Riddle Piotr Bania (May 30)
Re: A 3 a.m. Riddle Chris Anley (May 30)
| 
Intro
