Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re[2]: Steve Gibson smokes crack?
From: blad3 <fd () blad3 ro>
Date: Sat, 14 Jan 2006 14:56:02 +0200

Hello Georgi,

Saturday, January 14, 2006, 1:26:36 PM, you wrote:

On Fri, Jan 13, 2006 at 05:55:17PM -0500, eric williams wrote:
however, the question is I gather flowing from the Gibson commentary,
how or what exactly causes WINE to execute the code pointed at by the
SetAbortProc record?  Is it the "incorrect record length" is it some
other munged input, is it "by design" which has also been alluded to,
and seems to be your reference here.

So what I found was that, when I deliberately lied about the size of this
record and set the size to one and no other value, and I gave this particular
byte sequence that makes no sense for a metafile, then Windows created a
thread and jumped into my code, began executing my code. 


It turns out that the only way to get Windows to misbehave in this bizarre
fashion is to set the length to one, which is an impossible value. I tried
setting it to zero. It didn't trigger the exploit. I tried setting it to two,
no effect. Three, no effect. Nothing, not even the correct length. Only one.

The claim about the length is not true.


Btw, somebody else in this thread already proved that.

using invalid values to exploit a "design flaw" is "strange" at least.
can someone comment if the claim about the length is true?

Best regards,
 blad3                            mailto:fd () blad3 ro

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]