[Full-Disclosure] Allchin bug p-o-c.
From: Dave Korn (davek_throwaway hotmail.com)
Date: Tue Oct 07 2003 - 05:56:13 CDT
Here's p-o-c code for the allchin vulnerability. It allows you to write a (fairly) arbitrary DWORD to a (also fairly) arbitrary address in the memory space of mqsvc.exe on a remote w2k server. It should be straightforward enough to turn that into any kind of remote shell sploit using the standard well known techniques (e.g. overwrite an exception handler) but I haven't done so yet.
Interestingly enough, this works on sp2 but sp4 seems to be immune; I haven't tested sp3. I say 'interesting', because I can't find any reference to this bug having been fixed in the lists of bugs fixed in those service packs, but it's definitely been whacked in some way by sp4....
cheers,
DaveK
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- text/plain attachment: allchin.cpp