mailing list archives
Windows 2000 Remote Buffer Overflow by class101
From: <sk3tch () sk3tch net>
Date: Fri, 22 Oct 2004 13:20:36 -0500
"Stack based overflow, bug discovered by Luigi Auriemma
Tested working on Win2K, This public version crash on any WinXP, read
the code why.
The exploit bind a shellcode on the victim port 101."
From the code:
"Why Win2k only?
After some days of debugging on it , I finally figured out how to
hole, this public overflow method works only on Win2k, using the
JMP EBX from comdlg32.dll from Win2k SP4 english.
Because on WinXP , the register EBX points to a NULL address, this is
even if you update the JMP EBX, not exploitable VIA THIS WAY on XP I
How do I did then on Win2k?
I overwritte EIP with a JMP EBX, EBX is a perfect register because it
to my buffer, but problem, it points 4 bytes only before EIP, quite
But enough to say him to jump ~80 bytes higher.
Now i have enough space to adjust my shellcode to ESI and to finally
jump to it...
That's why on WinXP (and maybe others , havent tested) this doesnt works
because EBX isnt
Not happy? code yours or get a pvt version ;p
How do I update to Win2k SP1 Dutch for example ?
Grab a JMP EBX address in comdlg32.dll from this OS and update the
Full-Disclosure - We believe in it.
- Windows 2000 Remote Buffer Overflow by class101 sk3tch (Oct 22)