Vulnerability Development mailing list archives
Re: RunAs weirdness...
From: Riley Hassell <rhassell () eeye com>
Date: Thu, 20 Dec 2001 22:42:26 -1100
Yeap, what you're seeing is most likely an overflow in a wide character string copying routine. This can be exploited but you need to be able to send a significant amount of data, depending on the situation. If EIP is 00410041 then you can have a payload anywhere in the range of 00010001 -> 00ff00ff, unless there is some format checking of the data you're sending, then you're limited to the set of characters allowed through.

You need to find an area in heap that you can write to, that is in that range, which without a doubt there is. If that service is restarted after you take it out then you have a fresh heap to work with, in that case exploitation can be automated. Basically flush the heap by nuking the process, then when it starts in a guessable range, fill it with between a 5000-30000 Nop/Pad slide that slips into your code. Keep in mind that you can use any service to inject it into heap ;)

One more point: you may be able to format your data in a way that you don't need to "spray the heap." Take a look at HSJ's ida exploit, he had a neat little trick to get around that. It may or may not be available in this situation.

-----------

In the event that you're seeing the default exception handler pop up and it's dumping out due to the fact that it can't read or write to the memory address 0x00410041, then it gets more interesting. To exploit that you have to be precise and timing is crucial.

Just keep in mind: If you get an access violation and you can control the data that it is attempting to read, write, or execute, almost every time you can control that process.

-R

Riley Hassell
Network Penetration Specialist
eEye Digital Security
Get up... and light the world on fire

On Wednesday 19 December 2001 08:18, you wrote:
I noticed that there are only two characters that are important as to which memory location gets accessed, character #'s 270 & 271, and there needs to be at least 288 total characters. I found this by running

runas /user:administrator ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------XY----------------

These can be upper or lower ASCII. There seems to be a memory location that it goes to independent of what you type in: 0x002d0031. This happens when using ^A^A and a few other combinations that I have tried.

Phillip Nordwall

-----Original Message-----
From: KRFinisterre () checkfree com [mailto:KRFinisterre () checkfree com]
Sent: Tuesday, December 18, 2001 10:12 AM
To: vuln-dev () security-focus com
Cc: recon () snosoft com
Subject: re: RunAs weirdness...

I tested the runas issue that was recently posted on my Win2k build 5.00.2195 box. The result was similar to jesperht () hotmail com's results; however, I was able to see some of my data on the stack... from within cygwin I did

Administrator@TERMSRV ~
$ runas /user:administrator AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

I noticed if you use too many chars that your data is no longer on the stack at the point where it crashed... it references some other point in memory. The above string generated an error that stated:

The instruction at "0x77fc90cd" referenced memory at "0x00420042". The memory could not be "written"
Click on OK to terminate the program
Click CANCEL to debug the program.
The reason half of my string is A's and the other half is B's is because I wanted to make sure that it was indeed my data on the stack. If the string is all A's by themselves then the error is as follows.

The instruction at "0x77fc90cd" referenced memory at "0x00410041". The memory could not be "written"
Click on OK to terminate the program
Click CANCEL to debug the program.

If you feed it too many A's you get the error

The instruction at "0x77dd7ef6" referenced memory at "0x00078000". The memory could not be "written"
Click on OK to terminate the program

and no option to debug.

If I remember correctly the .ida and .idq overflows on IIS left a similar address on the stack with nulls in it like 0x00410041 and the fellas at eEye busted out some ninja technique to exploit it anyway.

-KF
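The observation that ties the thread together is that 0x00410041 and 0x00420042 are just "AA" and "BB" stored as UTF-16LE and then read as a pointer, which is why the fault address is confined to the 00010001 -> 00ff00ff range Riley mentions and why 0x00078000 is a different kind of crash. The following Python is an added crash-triage example, not code from any of the messages above: it parses dialog text of the kind KF pasted (accepting the "refrenced" mis-transcription as well as the real spelling), decodes the fault address as two UTF-16LE code units, classifies whether the fault looks like it was fed from user-controlled text, and confirms where a decoded pair sits in a probe string. The sample dialog lines and the probe input are constructed for this example.

```python
import re

# Constructed sample lines in the format of the Win2k error dialog quoted in
# this thread (not copied from the messages). The third is the "too many A's"
# shape, where the fault address is no longer widened text.
SAMPLE_ERRORS = [
    'The instruction at "0x77fc90cd" referenced memory at "0x00420042". '
    'The memory could not be "written"',
    'The instruction at "0x77fc90cd" referenced memory at "0x00410041". '
    'The memory could not be "written"',
    'The instruction at "0x77dd7ef6" referenced memory at "0x00078000". '
    'The memory could not be "written"',
]

# "ref(?:e)?renced" accepts both the real dialog text and the common
# mis-transcription "refrenced" seen in pasted reports.
ERR_RE = re.compile(
    r'instruction at "0x([0-9a-fA-F]{8})" ref(?:e)?renced memory at "0x([0-9a-fA-F]{8})"'
)


def parse_error(line):
    """Return (instruction_addr, fault_addr) as ints, or None if the line is
    not an access-violation dialog message."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def decode_wide(addr):
    """Interpret a 32-bit fault address as two UTF-16LE code units.

    A single-byte string widened to UTF-16 stores 'AB' as the bytes
    41 00 42 00; read little-endian as a dword that is 0x00420041, so the
    low word is the earlier character. Returns the two characters, or None
    when either word is NUL or above 0xFF, i.e. when the address is not in
    the 00010001 -> 00ff00ff shape a widened single-byte string produces.
    """
    lo, hi = addr & 0xFFFF, (addr >> 16) & 0xFFFF
    if not (1 <= lo <= 0xFF and 1 <= hi <= 0xFF):
        return None
    return chr(lo) + chr(hi)


def triage(line):
    """Classify one dialog line. 'wide-text' means the fault address has the
    shape a user-supplied string widened to UTF-16 would produce; 'other'
    means the fault is somewhere else (e.g. 0x00078000) and needs a debugger
    rather than a guess from the address alone."""
    parsed = parse_error(line)
    if parsed is None:
        return None
    eip, fault = parsed
    chars = decode_wide(fault)
    return {
        "eip": eip,
        "fault": fault,
        "chars": chars,
        "kind": "wide-text" if chars is not None else "other",
    }


def locate_in_input(chars, user_input):
    """0-based offsets in user_input where the decoded pair appears, so an
    analyst can confirm the fault address really came from the input.
    Phillip's XY marker at offsets 270/271 is the manual version of this."""
    return [i for i in range(len(user_input) - 1) if user_input[i:i + 2] == chars]


if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        print(triage(line))
    # Constructed probe modelled on the 270-dash / XY / 16-dash string above.
    probe = "-" * 270 + "XY" + "-" * 16
    print(locate_in_input("XY", probe))
```

Run against the three sample lines the first two classify as wide-text ("BB" and "AA") and the third as other; the 0x002d0031 address Phillip saw decodes to "1-", which is one way to tell at a glance that it did not come from the dash-and-XY probe.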
Current thread:
- re: RunAs weirdness... KRFinisterre (Dec 18)
- <Possible follow-ups>
- RE: RunAs weirdness... Ed Moyle (Dec 19)
- RE: RunAs weirdness... jesperht (Dec 19)
- RE: RunAs weirdness... Phillip Nordwall (Dec 19)
- Re: RunAs weirdness... Riley Hassell (Dec 20)
- Re[2]: RunAs weirdness... 3APA3A (Dec 20)
- RE: Re[2]: RunAs weirdness... Riley Hassell (Dec 20)
- Re: RunAs weirdness... Riley Hassell (Dec 20)