From: Nicolas Waisman (nicolas.waisman at immunitysec.com)
Date: Wed May 30 2007 - 10:03:31 CDT
You can only do it one time.
Note: The riddle is taken from an old silently patched bug in WINS.
Nico
On Wed, May 30, 2007 at 03:15:13PM +0100, Dave Korn wrote:
> On 30 May 2007 07:13, Nicolas Waisman wrote:
>
> > Let's have a fun riddle to cheer up the spirit (Mate at 11pm, it's all-
> > night insomnia.)
> >
> > The riddle: Let's say you are trying to exploit a remote service on an
> > old Windows 2000 (whatever SP you want) and the primitive is the following
> > inc [edi] // you control edi
> >
> > What would be the best option for edi?
>
> Depends what else you control apart from edi, and whether you can do it more
> than once. If you can overwrite an SEH handler, point edi at an illegal
> address to invoke your code. If you can do it multiple times, perhaps you can
> point edi somewhere on the stack and increment a stored ebp to point at data
> you control. Don't forget the possibility of pointing it at a
> non-word-aligned address to e.g. increment just the high byte of a stored
> pointer.
>
> cheers,
> DaveK
> --
> Can't think of a witty .sigline today....
>
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
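To make Dave's point about non-word-aligned targets concrete, here is a small emulation of the one-shot "inc dword ptr [edi]" primitive from the riddle. This is an added illustration, not code from the thread, from WINS, or from Immunity; the 8-byte memory image, the pointer value 0x0040F000 and the neighbouring dword 0x41414141 are constructed for the example and stand for "some stored pointer and whatever sits after it in memory". It shows what one increment does when edi points at byte 0, 1, 2 or 3 of the stored pointer, and what happens to the adjacent dword when the increment carries out of the pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Little-endian 32-bit load/store, so the emulation matches x86 memory
 * layout regardless of the host's byte order. */
static uint32_t le32_load(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void le32_store(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Emulate "inc dword ptr [edi]" with edi = base + off.  x86 does not
 * require off to be 4-byte aligned, which is the whole trick: the four
 * bytes starting at base+off are treated as one little-endian dword. */
static void inc_dword_at(uint8_t *base, size_t off)
{
    le32_store(base + off, le32_load(base + off) + 1);
}

/* Constructed memory image: a stored pointer followed by one adjacent
 * dword.  Fire the primitive exactly once at byte offset off (0..3) and
 * report the resulting pointer and neighbour. */
static void one_shot(uint32_t ptr, uint32_t neighbour, size_t off,
                     uint32_t *ptr_out, uint32_t *neighbour_out)
{
    uint8_t mem[8];
    le32_store(mem, ptr);
    le32_store(mem + 4, neighbour);
    inc_dword_at(mem, off);
    *ptr_out = le32_load(mem);
    *neighbour_out = le32_load(mem + 4);
}

/* Value of the stored pointer after a single increment at byte offset off. */
uint32_t pointer_after_inc(uint32_t ptr, uint32_t neighbour, size_t off)
{
    uint32_t p, n;
    one_shot(ptr, neighbour, off, &p, &n);
    return p;
}

/* Value of the adjacent dword after the same increment (collateral damage
 * when the carry runs past the end of the pointer). */
uint32_t neighbour_after_inc(uint32_t ptr, uint32_t neighbour, size_t off)
{
    uint32_t p, n;
    one_shot(ptr, neighbour, off, &p, &n);
    return n;
}

int main(void)
{
    const uint32_t ptr = 0x0040F000u;       /* constructed example values */
    const uint32_t neighbour = 0x41414141u;
    size_t off;

    printf("edi = &ptr + off, ptr = %08x, next dword = %08x\n", ptr, neighbour);
    for (off = 0; off < 4; off++)
        printf("  off %zu: ptr -> %08x, next -> %08x\n", off,
               pointer_after_inc(ptr, neighbour, off),
               neighbour_after_inc(ptr, neighbour, off));

    /* Carry case: bytes 1..3 of the pointer are all 0xFF, so an increment
     * at off 1 wraps them to zero and bumps the neighbouring dword. */
    printf("carry: ptr %08x at off 1 -> %08x, next -> %08x\n", 0xFFFFFF12u,
           pointer_after_inc(0xFFFFFF12u, neighbour, 1),
           neighbour_after_inc(0xFFFFFF12u, neighbour, 1));
    return 0;
}
```

With a single shot, the offset picks which byte of the pointer moves: off 0 adds 1, off 1 adds 0x100, off 2 adds 0x10000 and off 3 adds 0x01000000, which is the "increment just the high byte" option; the only side effect is a carry into the following dword when the bytes under edi are already 0xFF, which is worth checking before choosing an unaligned edi.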