[framework] ms06-040 ETA?
Tomas L. Byrnes
tomb at byrneit.net
Wed Aug 9 21:06:34 CDT 2006
Does Hardware DEP prevent it, or does it overflow in the code segment?
-----Original Message-----
From: H D Moore [mailto:hdm at metasploit.com]
Sent: Wednesday, August 09, 2006 6:44 PM
To: framework at metasploit.com
Subject: Re: [framework] ms06-040 ETA?
This is a plain old stack overflow actually, the tricky part is that
exploiting XP and 2003 requires you bypass /GS protection. What bothers
me the most about this bug is that I had a PoC for it six months ago,
but overlooked an NDR encoding issue and couldn't reproduce it...
-HD
On Wednesday 09 August 2006 20:27, Rhys Kidd wrote:
> Give HD and the other devs the time they need to get it working
> reliably :)
>
> Although I haven't played with this bug, I'd assume the exploit will
> be a bit different to the usual win32 ones, as it almost certainly
> overflows in kernel space, and will require a new payload once EIP is
> controlled.
>
> Although there has been a few papers on kernel shellcode, notably from
> eEye's Barnaby Jack, there hasn't been much further public
> demonstration of kernel space exploitation techniques.
>
> Should be interesting!
More information about the framework
mailing list