From: Brett Moore (brett.mooresecurity-assessment.com)
Date: Wed May 30 2007 - 19:22:59 CDT
> The riddle: Let's say you are trying to exploit a remote service on an
> old Windows 2000 (whatever SP you want) and the primitive is the
> inc [edi] // you control edi
> What would be the best option for edi?
> * You can only do it one time.
> * Note: The riddle is taken from an old silently patched bug on WINS.
nico, you say you can only do it once. Does the service crash, handle an
exception, or nothing after this one increment?
Stating the obvious here, but does using a writable vs. a non-writable
address make any difference?
Also does using different bit values for EDI make any difference to code
If you can do 1 increment, and the service continues to operate, then
you are needing to modify a value that
is then used later, to somehow get other data under your control to be
Maybe combine a couple of the already suggested ideas and hit some
values in known static locations on win2k.
like the PEB? or TIB?
As already noted, by misaligning the word you can affect different bytes.
So maybe adjust the thread SEH chain
ptr to something else on the stack.
Be interesting to see what you come up with.
[mailto:dailydave-bounceslists.immunitysec.com] On Behalf Of Nicolas
Sent: Thursday, 31 May 2007 3:04 a.m.
To: Dave Korn
Subject: Re: [Dailydave] A 3 a.m. Riddle
You can only do it one time.
Note: The riddle is taken from an old silently patched bug on WINS.
On Wed, May 30, 2007 at 03:15:13PM +0100, Dave Korn wrote:
> On 30 May 2007 07:13, Nicolas Waisman wrote:
> > Let's have a fun riddle to cheer up the spirit ( Mate at 11pm, it's
> > night insomnia.)
> > The riddle: Let's say you are trying to exploit a remote service on
> > an old Windows 2000 (whatever SP you want) and the primitive is the
> > inc [edi] // you control edi
> > What would be the best option for edi?
> Depends what else you control apart from edi, and whether you can do
> than once. If you can overwrite an SEH handler, point edi at an
> address to invoke your code. If you can do it multiple times, perhaps
> point edi somewhere on the stack and increment a stored ebp to point
> you control. Don't forget the possibility of pointing it at a
> non-word-aligned address to e.g. increment just the high byte of a
> Can't think of a witty .sigline today....
Dailydave mailing list
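Added worked example (not code from this thread or from any of its posters): a small little-endian memory model that emulates the `inc dword ptr [edi]` primitive, so the two ideas raised above, misaligning edi to hit a particular byte of a stored pointer, and nudging an SEH chain pointer so the dispatcher parses a record one byte off, can be checked numerically. All addresses, the handler value and the filler bytes are constructed for the demo; nothing here is a real Win2k address or the WINS bug.

```c
/* Model of `inc dword ptr [edi]` on 32-bit little-endian memory.
 * Added example; addresses and values are constructed, not real. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MEM_BASE 0x0012FF00u   /* constructed "stack" base address */
#define MEM_SIZE 64u
static uint8_t g_mem[MEM_SIZE];

static uint32_t rd32(const uint8_t *m, size_t off) {
    return (uint32_t)m[off] | ((uint32_t)m[off + 1] << 8) |
           ((uint32_t)m[off + 2] << 16) | ((uint32_t)m[off + 3] << 24);
}
static void wr32(uint8_t *m, size_t off, uint32_t v) {
    m[off] = (uint8_t)v;             m[off + 1] = (uint8_t)(v >> 8);
    m[off + 2] = (uint8_t)(v >> 16); m[off + 3] = (uint8_t)(v >> 24);
}

/* inc dword ptr [edi]: x86 permits unaligned access, so `off` need not be
 * 4-byte aligned. Returns the new dword value at `off`. */
uint32_t inc_dword_at(uint8_t *m, size_t off) {
    uint32_t v = rd32(m, off) + 1;
    wr32(m, off, v);
    return v;
}

/* What happens to an aligned dword holding `value` when edi = &value + k
 * (k in 0..3). Returns the dword's new value; the following dword (starts
 * at 0) is reported through *spill so carry past byte 3 is visible. */
uint32_t inc_effect_on_dword(uint32_t value, int k, uint32_t *spill) {
    uint8_t m[8] = {0};
    wr32(m, 0, value);
    inc_dword_at(m, (size_t)k);
    if (spill) *spill = rd32(m, 4);
    return rd32(m, 0);
}

/* EXCEPTION_REGISTRATION as the Win32 dispatcher reads it: {next, handler}. */
typedef struct { uint32_t next; uint32_t handler; } seh_record;

/* Parse the record the dispatcher would see at `addr` inside g_mem. */
seh_record seh_read(uint32_t addr) {
    size_t off = addr - MEM_BASE;
    seh_record r = { rd32(g_mem, off), rd32(g_mem, off + 4) };
    return r;
}

/* Toy chain: head pointer (what fs:[0] would hold) at MEM_BASE+0, one
 * record at MEM_BASE+16, then constructed filler bytes (0x41). */
void setup_chain(void) {
    memset(g_mem, 0, sizeof g_mem);
    wr32(g_mem, 0, MEM_BASE + 16);     /* head -> record */
    wr32(g_mem, 16, 0xFFFFFFFFu);      /* record.next = end of chain */
    wr32(g_mem, 20, 0x77E0A000u);      /* record.handler (constructed) */
    memset(g_mem + 24, 0x41, 8);       /* bytes following the record */
}

/* Apply the primitive once to the head pointer and return the handler the
 * dispatcher would now use: the record is parsed one byte later, so its
 * "handler" field is bytes 5..8 of the old record, i.e. the old handler
 * shifted down a byte with the first filler byte as the new high byte. */
uint32_t handler_after_head_inc(void) {
    setup_chain();
    inc_dword_at(g_mem, 0);            /* edi = address of the head pointer */
    return seh_read(rd32(g_mem, 0)).handler;
}

int main(void) {
    uint32_t spill;
    for (int k = 0; k < 4; k++) {
        uint32_t v = inc_effect_on_dword(0x0012FF80u, k, &spill);
        printf("edi = ptr+%d: 0x0012FF80 -> 0x%08X (next dword 0x%08X)\n", k, v, spill);
    }
    printf("carry past the dword: 0xFFFFFF00 +1 at k=1 -> 0x%08X, next dword 0x%08X\n",
           inc_effect_on_dword(0xFFFFFF00u, 1, &spill), spill);
    printf("handler seen after inc on SEH head: 0x%08X\n", handler_after_head_inc());
    return 0;
}
```

The k loop shows the misaligned inc acting as "add 1 << (8*k)" on the stored pointer (0x0012FF80 becomes 0x00130080, 0x0013FF80 or 0x0112FF80 for k = 1, 2, 3), with the carry running into the neighbouring dword only when every byte from k upward is already 0xFF, which is the case a single-shot primitive needs to avoid. The SEH part shows why a one-byte bump of the chain head is interesting: the dispatcher reads a record straddling the old one, so the handler it calls is built from bytes that were never meant to be a pointer.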