Nmap Development mailing list archives

Re: [NSE] MS08-067 check


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 6 Nov 2008 01:01:08 +0000


On Thu, 06 Nov 2008 00:57:54 +0000 or thereabouts jah
<jah () zadkiel plus com> wrote:

> Anyway, it correctly reports non-vulnerable boxes, correctly reports
> vulnerable ones if svchost doesn't crash, but incorrectly reports as
> non-vulnerable if svchost does crash.  I've got a script-trace of the
> latter if you want it.

This bug is fragile because it relies on previous contents of the stack
to contain certain values, namely a '\'.  I haven't looked too deeply at
Ron's code (although I'm going to test it tonight) but the
check/exploit is never going to be 100%.

Brandon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
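Added illustration, not code from this thread, from Windows, or from the NSE script being discussed: a toy C model of the fragility Brandon describes, where a check's outcome depends on whatever the stack held before the call. The canonicalizer below collapses "\.." by scanning backwards for the previous '\'. The path lives inside a larger "frame" array and the bytes in front of it stand in for stale stack contents; the frame layout, the verdict codes and the probe inputs are this example's own assumptions, and no claim is made about the real routine beyond what the message states. The same probe path yields a "crash", a silent underrun, or a clean rejection depending only on the stale bytes and on whether the scan is bounded.

```c
#include <stdio.h>
#include <string.h>

/*
 * Toy path canonicalizer (example code, not Windows or Nmap code).
 * The path sits at frame[PATH_OFF..]; frame[0..PATH_OFF-1] model the
 * "previous contents of the stack" in front of the buffer.
 */
#define FRAME_SIZE 64
#define PATH_OFF   16   /* path buffer starts here; frame[0..15] are stale bytes */

enum canon_result {
    CANON_OK,        /* ".." collapsed entirely inside the buffer */
    CANON_UNDERRUN,  /* scan left the buffer and hit a '\' in stale bytes: silent corruption */
    CANON_CRASH,     /* scan ran off the frame: models the access violation */
    CANON_REJECTED   /* bounded version refused to climb above the buffer start */
};

/* Scan backwards from frame[from] for '\'.  Unbounded mode keeps going into
 * the stale bytes (the bug); bounded mode stops at PATH_OFF (the fix).
 * Returns the separator's index, -1 if the scan ran off the frame,
 * -2 if the bounded scan refused. */
static int scan_back(const char *frame, int from, int bounded)
{
    int lo = bounded ? PATH_OFF : 0;
    for (int i = from; i >= lo; i--)
        if (frame[i] == '\\')
            return i;
    return bounded ? -2 : -1;
}

/* Collapse "\.." components in the NUL-terminated path at frame+PATH_OFF. */
enum canon_result canonicalize(char *frame, int bounded)
{
    char *path = frame + PATH_OFF;
    size_t i = 0;
    while (path[i]) {
        if (path[i] == '\\' && path[i + 1] == '.' && path[i + 2] == '.' &&
            (path[i + 3] == '\\' || path[i + 3] == '\0')) {
            /* path[i] is the separator before "..": find the one before it */
            int prev = scan_back(frame, PATH_OFF + (int)i - 1, bounded);
            if (prev == -1) return CANON_CRASH;
            if (prev == -2) return CANON_REJECTED;
            /* drop everything after 'prev' through ".." and its trailing '\' */
            size_t src = PATH_OFF + i + 3 + (path[i + 3] == '\\' ? 1 : 0);
            memmove(frame + prev + 1, frame + src, strlen(frame + src) + 1);
            if (prev < PATH_OFF)
                return CANON_UNDERRUN;      /* we just wrote in front of the buffer */
            i = (size_t)(prev - PATH_OFF);  /* re-check: next component may be ".." too */
            continue;
        }
        i++;
    }
    return CANON_OK;
}

/* Frame left behind by the last probe(), for inspection. */
char last_frame[FRAME_SIZE];

/* Lay out 'stale' (up to 16 bytes) in front of the buffer, copy 'path' into
 * the buffer and run the canonicalizer.  Same path, different stale bytes,
 * different verdict: that is the fragility the message is about. */
enum canon_result probe(const char *stale, const char *path, int bounded)
{
    size_t n = strlen(stale);
    memset(last_frame, 0, FRAME_SIZE);
    memcpy(last_frame, stale, n < PATH_OFF ? n : PATH_OFF);
    strncpy(last_frame + PATH_OFF, path, FRAME_SIZE - PATH_OFF - 1);
    return canonicalize(last_frame, bounded);
}

int main(void)
{
    static const char *names[] = { "ok", "underrun", "crash", "rejected" };
    /* Constructed inputs: one probe path against two stale-byte patterns. */
    const char *clean = "AAAAAAAAAAAAAAAA";   /* no '\' in front of the buffer */
    const char *lucky = "AAAAAAAA\\AAAAAAA";  /* a '\' happens to be there */

    printf("in-buffer  bounded:   %s\n", names[probe(clean, "\\a\\..\\b", 1)]);
    printf("climb-out  bounded:   %s\n", names[probe(clean, "\\..\\b", 1)]);
    printf("climb-out  unbounded: %s (stale=clean)\n", names[probe(clean, "\\..\\b", 0)]);
    printf("climb-out  unbounded: %s (stale=lucky)\n", names[probe(lucky, "\\..\\b", 0)]);
    return 0;
}
```

The bounded variant gives the same answer for every stale pattern, which is what a reliable remote check would need; the unbounded one reports a crash or a quiet underrun depending on bytes the probe never controls.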
