Dailydave mailing list archives
Re: non-SYSTEM to SYSTEM in one click or less
From: Joel Eriksson <je-dailydave () bitnux com>
Date: Tue, 13 Mar 2007 01:13:51 +0100
Hi Dave & the rest of the list,

On Mon, Mar 12, 2007 at 11:28:54AM -0400, Dave Aitel wrote:

> I just finished converting Joel Eriksson's exploit into CANVAS/MOSDEF and I have to admit, it was a fun one. You can grab it now from Immunity Partners. I can confirm, via my testing, that it is extremely reliable. Assuming it gets cleaned up enough to go into CANVAS by the 1st, that means every CANVAS customer will have the ability to go from non-SYSTEM to SYSTEM on Windows 2000 and XP via a nice unpatched bug. Gotta love that. :>
>
> Enjoy. :>
>
> -dave

Congrats again on finishing the port to CANVAS/MOSDEF, although it's a shame you didn't make it to the March release. :)

For those interested, there's a screenshot of my original exploit in action at: http://kernelwars.blogspot.com/

This exploit + probably a Metasploit meterpreter add-on for it will be released at the end of April (Immunity bought the rights to it for 60 days, starting from the 22nd of February or so).

During our Blackhat talk I'll discuss the bug in general and the process of making a reliable exploit for it, except for the minor but crucial part that achieves the actual write-4 primitive. That will be kept to CANVAS customers for a while yet. ;)

For the other two kernel bugs we'll discuss during the talk, full exploits will be released directly afterwards, including Karl's neat remote wireless and pure in-memory kernel backdoor for FreeBSD which he made for his 802.11 exploit. :>

Regarding the 0-day NetBSD bug that Christer will be talking about, he will mention some new techniques that might come in handy for exploiting other kernel bugs on BSD-derived systems too, when certain types of structs / pointers are overflowed. :> The bug itself is in certain "ancient" BSD code that may very well still be used in some of the commercial Unix systems too.

URL to our talk: http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Eriksson

For those of you coming to BH Europe, see you there! :)

--
Best Regards,
Joel Eriksson
CTO Bitsec

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- non-SYSTEM to SYSTEM in one click or less Dave Aitel (Mar 12)
- Re: non-SYSTEM to SYSTEM in one click or less Joel Eriksson (Mar 13)