Nmap Development mailing list archives
Re: [NSE] MS08-067 check
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 6 Nov 2008 01:01:08 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 06 Nov 2008 00:57:54 +0000 or thereabouts jah <jah () zadkiel plus com> wrote:

> Anyway, it correctly reports non-vulnerable boxes, correctly reports vulnerable ones if svchost doesn't crash, but incorrectly reports as non-vulnerable if svchost does crash. I've got a script-trace of the latter if you want it.

This bug is fragile because it relies on previous contents of the stack to contain certain values, namely a '\'. I haven't looked too deeply at Ron's code (although I'm going to test it tonight) but the check/exploit is never going to be 100%.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkkSQdoACgkQqaGPzAsl94LNDwCfSDJiVWnsSJZJrz5CWDpD2Sk7
hS8AoLtUCHnM5WehZG5r/Od9Z1z2khJe
=SWEk
-----END PGP SIGNATURE-----
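The failure mode jah describes (the service crashes during the probe and the script then reports "not vulnerable") is a general problem for any crash-prone check: a dropped connection is the absence of an answer, not a negative answer. The following is an added example, not code from the thread or from Nmap's NSE script; it sketches how a scanner can keep "patched", "vulnerable" and "service stopped responding" apart by taking a benign liveness reading before and after the probe. The probe and liveness callables are constructed stand-ins that simulate host behaviour and do not implement any real protocol check.

```python
"""Tri-state result handling for a crash-prone vulnerability probe.

Constructed example: the host simulations below are stand-ins for a real
service; they do not speak SMB or implement any actual check.
"""
import socket
from enum import Enum
from typing import Callable


class Verdict(Enum):
    NOT_VULNERABLE = "not vulnerable"
    VULNERABLE = "vulnerable"
    INDETERMINATE = "indeterminate (service stopped responding)"
    ERROR = "error"


# Exceptions that mean "no usable answer", never "no vulnerability".
_TRANSPORT_ERRORS = (ConnectionResetError, ConnectionAbortedError,
                     BrokenPipeError, socket.timeout, TimeoutError, EOFError)


def run_check(liveness: Callable[[], bool],
              probe: Callable[[], bool]) -> tuple[Verdict, str]:
    """
    liveness(): cheap, benign request; True if the service answered.
    probe():    the actual check; True = vulnerable signature observed,
                False = patched signature observed; raises on transport
                failure (reset, timeout, EOF).
    """
    if not liveness():
        return Verdict.ERROR, "service did not answer the baseline request"
    try:
        vulnerable = probe()
    except _TRANSPORT_ERRORS as exc:
        # The connection died mid-probe. Re-check liveness: if the service
        # is gone now, the probe most likely crashed it. That is a reason
        # to flag the host for follow-up, not to mark it as patched.
        if not liveness():
            return (Verdict.INDETERMINATE,
                    f"connection dropped ({type(exc).__name__}) and the "
                    f"service no longer answers")
        return Verdict.ERROR, f"transient transport failure: {type(exc).__name__}"
    return (Verdict.VULNERABLE if vulnerable else Verdict.NOT_VULNERABLE,
            "probe returned a definitive answer")


# ---- constructed simulations of three host behaviours -------------------

def _patched_host():
    # Answers the baseline and returns the patched signature.
    return (lambda: True, lambda: False)


def _vulnerable_quiet_host():
    # Answers the baseline and returns the vulnerable signature cleanly.
    return (lambda: True, lambda: True)


def _vulnerable_crashing_host():
    # Answers the baseline, then dies when probed (the jah case).
    state = {"alive": True}

    def liveness():
        return state["alive"]

    def probe():
        state["alive"] = False  # the probe takes the service down
        raise ConnectionResetError("simulated reset")

    return liveness, probe


def classify_all() -> dict:
    """Run the three constructed hosts and return name -> Verdict."""
    results = {}
    for name, factory in (("patched", _patched_host),
                          ("vulnerable-quiet", _vulnerable_quiet_host),
                          ("vulnerable-crashing", _vulnerable_crashing_host)):
        verdict, why = run_check(*factory())
        results[name] = verdict
        print(f"{name:22s} -> {verdict.value}: {why}")
    return results


if __name__ == "__main__":
    classify_all()
```

The point of the post-probe liveness reading is that a crash is evidence for the bug, not against it; a script that collapses "reset" into "not vulnerable" will systematically miss exactly the hosts it crashed.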
Current thread:
- [NSE] MS08-067 check Ron (Nov 05)
- Re: [NSE] MS08-067 check jah (Nov 05)
- Re: [NSE] MS08-067 check Brandon Enright (Nov 05)
- Re: [NSE] MS08-067 check Ron (Nov 09)
- Re: [NSE] MS08-067 check Ron (Nov 09)
- Re: [NSE] MS08-067 check Brandon Enright (Nov 12)
- Re: [NSE] MS08-067 check Ron (Nov 12)
- Re: [NSE] MS08-067 check Ron (Nov 12)
- Re: [NSE] MS08-067 check Brandon Enright (Nov 12)
- Re: [NSE] MS08-067 check jah (Nov 05)
- Re: [NSE] MS08-067 check Ron (Nov 07)