Home page logo

pen-test logo Penetration Testing mailing list archives

Re: LSADump2 Crashing Systems
From: Nicolas RUFF <nicolas.ruff () gmail com>
Date: Fri, 16 Sep 2005 17:07:48 +0200


After investigating deeper, I found several problems in LSADUMP2 :
- Buffers too small (300 bytes for the smallest)
- Allocated memory not flagged as executable (that is why LSADUMP2 is
not compatible with the NX flag)
- Reuse of freed memory

Here is a small patch that has been tested sucessfully on Windows XP SP2
with DEP "AlwaysOn" enabled (where LSADUMP2 failed).

- Nicolas RUFF
Security researcher @ EADS-CCR


diff lsadump2/dumplsa.c lsadump3/dumplsa.c
#define BUF_SIZE 1024
<     char szBuffer[1000];
    char szBuffer[BUF_SIZE];
<     TCHAR szBuffer[300];
    TCHAR szBuffer[BUF_SIZE];
<         WCHAR wszSecret[500];
        WCHAR wszSecret[BUF_SIZE];
<             char szSecret[500];
            char szSecret[BUF_SIZE];
                      lsaData = NULL;

diff lsadump2/lsadump2.c lsadump3/lsadump2.c
<                                    MEM_COMMIT, PAGE_READWRITE);
                                   MEM_COMMIT, PAGE_EXECUTE_READWRITE);

Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]