2008-10-26 17:33:00
By Tim Brown
So having spent a good portion of the last 24 hours trying to get a handle on reliably exploiting this vulnerability, I've drawn a blank. Two things have me stumped, one quite trivial and one that I'm going to have to leave for my betters. Because I'm using rpcclient as my transport to send data to the Server service I have to rely on that for the encoding. In practice this means that in the best case I can only control two out of four bytes of my %eip overwrite (namely 0x00__00__) because my input to rpccli_srvsvc_NetPathCanonicalize() gets Unicode encoded further down the RPC/CIFS stack. Secondly (and this is the killer right now), the stack appears to vary considerably between exploit attempts. I've been playing with exploiting it under Windows 2K on VMware and every time it appears I've got the offset right to control %eip, I repeat it once more for luck and the damn thing moves. Combine this with the fact that Windows will likely reboot if the Server service crashes and I'm interested to see whether reliable exploits are released.
Mood: Tired
Music: Nothing playing right now