/Start update 3/2/2011
After updating to the latest SP3 hotfixes and patches, the memory address of the "jmp esp" instruction in kernel32.dll has changed again.
At the time of this update, the new address is:
0x7C874413
/End update
An oldie, but during a pentest the client had an old version of Dameware running on Windows XP SP3, which the code above does not support.
In the following lines, the code defines the static offset addresses it uses to locate the "jmp esp" instruction:
target_os[] = ...
"WIN XP" ,{{ 0x71ab7bfb,"kernel32.dll" },{ 0x71ab7bfb,"ws2_32.dll" },{ 0x7C941EED,"ws2_32.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},
...
We can see that item 3 is set to 0x00000000 and "unknown.dll". This placeholder is for XP SP3.
Using Immunity Debugger and sifting through Dameware's loaded modules, I found that it uses the "jmp esp" in kernel32.dll.
Thus, replace item 3 with 0x7C86467B, "kernel32.dll", which alters the script to support Windows XP SP3.
As with most buffer overflow exploits, you only get one shot with this one before the service crashes. Double-check and test the exploit before carrying it out.