Dailydave: Re: Vista SP1

Re: Vista SP1

From: Alexander Sotirov <alex_at_sotirov.net>
Date: Sat, 26 Apr 2008 12:18:25 -0700

On Fri, Apr 25, 2008 at 03:26:50PM -0400, Kostya Kortchinsky wrote:
> Switching to DEP OptOut prevented the exploitation.
>
> By carefully following Mark's steps, when restoring EIP from the saved
> pointer to your bytecode, you end up with an access violation on executing
> your marker byte (which at this point is followed by the call backwards)
> since it's not in an executable page.
>
> And bytecode is data, not actual x86 instructions to be executed.

I was confused because Dave was talking about something that changed in SP1, but
it looks like there's no difference in the exploitation on SP0 and SP1. In the
default configuration on both systems IE does not have DEP. If you switch to
OptOut DEP on both SP0 and SP1, the exploit won't work because it tries to
execute data.

Alex
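The two DEP modes the thread turns on (OptIn, the Vista default, versus OptOut) are a system-wide boot setting rather than anything in IE itself. The following PowerShell snippet is an added example, not code from the Dailydave thread or from any of its participants; it reads the policy that Windows reports through WMI (the `Win32_OperatingSystem` DEP properties exist on Vista-era PowerShell) and says which processes that policy leaves unprotected. The `$policyNames` table and the comments are assumptions added here.

```powershell
# Added example (not from the thread): report the system-wide DEP policy that the
# message above refers to, so an administrator can tell whether a 32-bit browser
# would actually run with DEP on this machine.
# Assumes Windows with WMI available (Get-WmiObject works on Vista-era PowerShell).

# Mapping of DataExecutionPrevention_SupportPolicy values (assumption: per the
# Win32_OperatingSystem documentation) to the names used in bcdedit.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

$os     = Get-WmiObject -Class Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

"DEP hardware support : $($os.DataExecutionPrevention_Available)"
"System DEP policy    : $policy ($($policyNames[$policy]))"
"DEP for 32-bit apps  : $($os.DataExecutionPrevention_32BitApplications)"

# Under OptIn (the default the message describes) only Windows system binaries
# get DEP; a 32-bit application such as iexplore.exe runs without it unless it
# opts in itself. Under OptOut every process gets DEP unless explicitly exempted,
# which is why an exploit that returns into data fails there.
switch ($policy) {
    2 { "OptIn: non-system 32-bit processes (e.g. iexplore.exe) run WITHOUT DEP unless they opt in." }
    3 { "OptOut: all processes run with DEP unless added to the exception list." }
    1 { "AlwaysOn: all processes run with DEP; no exceptions possible." }
    0 { "AlwaysOff: DEP is disabled for everything." }
}

# To switch the boot-time policy to OptOut (elevated prompt, takes effect after reboot):
#   bcdedit /set {current} nx OptOut
```

The script only reports the policy; the `bcdedit` line in the trailing comment is the documented way to change it and is left as a comment so the check can be run without side effects.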

_______________________________________________
Dailydave mailing list
Dailydave_at_lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Received on Apr 26 2008