Sanjay Rawat wrote:
> I too observed the same thing. I am running a Windows 2K, SP4. I found
> that the base address of UMPNPMGR.DLL is 0x767a0000. However, when I run the
> attack with this address, the target machine got rebooted (a crash).
> This may be because umpnpmgr.dll is a part of "services.exe"; therefore,
> on failure, it reboots. But with the unchanged base address, it worked
> perfectly. So now the same code can be used for DoS also!!!

You are simply crashing the "services" process because EIP is not reaching the right instructions (e.g. pop;pop;ret) or (depending on the process' memory layout) it's referencing an invalid address. When Windows detects the crash, it reboots (since it lacks an important system component). This is a side effect. Anyway, if you have a shell, why do you want a simple DoS? :)

In order to clarify:

- my hacked hod's exploit changed the "destination EIP" to match Spanish systems. So it will NOT work on English systems (call it "DoS"; I prefer to call it "didn't work" ;-)). And that's why I appended "-spanish" to the filename.

- for the Metasploit module, I simply added a new "target", so it supports both English (target 0) and Spanish (target 1). It can be directly copied to the "exploits" directory in the Metasploit source tree. That's the reason I didn't change the filename in this case (hdm: feel free to add it to Metasploit).

Finally, the purpose of my post was not only to add a new target to an exploit (the ML would quickly be flooded with tons of similar mails if everyone did it... so please, don't do it, I'm a bad example :-(), but to bring attention to the base address issue and try to learn from you guys :). Indeed, I still have some questions:

- which is the connection between different languages' Windows, if there is any? (for instance, [EMAIL PROTECTED] suggested that "french offsets are like the deutsch") (btw, I didn't change the offset but the base address, which is a different thing)

- any more or less accurate list of connections/links in Windows across different languages? Or perhaps it's something fairly random?

PS: You could write directly to me and I'll summarize the responses (different base addresses for the exploit are welcome; I don't think it's appropriate to flood the mailing list with this...).

--
Regards,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
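The base-vs-offset distinction Roman raises (the pop;pop;ret gadget sits at a fixed offset inside umpnpmgr.dll, but the return address an exploit hard-codes is base + offset, so a build that maps the DLL at a different base sends EIP somewhere else entirely) is illustrated by the following added example. It is not code from the thread, from hod's exploit or from the Metasploit module. The module image is a constructed 512-byte stand-in with two planted gadgets, not the bytes of umpnpmgr.dll; BASE_REPORTED is the 0x767a0000 value Sanjay quotes, while BASE_OTHER and the gadget offsets 0x14a and 0x19c are made up for the demonstration.

```python
import struct

POP_R32 = range(0x58, 0x60)   # 58..5F: pop eax, ecx, edx, ebx, esp, ebp, esi, edi
RET = 0xC3                    # ret
RETN = 0xC2                   # retn imm16

# Constructed stand-in for a module image (NOT the bytes of umpnpmgr.dll):
# 0x200 bytes of NOP filler with two pop/pop/ret gadgets planted in it.
_img = bytearray(b"\x90" * 0x200)
_img[0x14A:0x14D] = b"\x5F\x5E\xC3"          # pop edi ; pop esi ; ret
_img[0x19C:0x1A1] = b"\x5B\x5D\xC2\x08\x00"  # pop ebx ; pop ebp ; retn 8
IMAGE = bytes(_img)

# Base reported in the quoted mail for umpnpmgr.dll on Windows 2000 SP4.
BASE_REPORTED = 0x767A0000
# Hypothetical base of the same DLL on a differently localised build
# (made up for this example; the real value varies per build).
BASE_OTHER = 0x767C0000


def find_pop_pop_ret(image):
    """Return the RVAs of every 'pop r32 ; pop r32 ; ret|retn imm16' sequence.

    RVAs are relative to the module base, so they are what stays constant
    across builds that merely relocate the DLL.
    """
    hits = []
    for rva in range(len(image) - 2):
        if image[rva] in POP_R32 and image[rva + 1] in POP_R32:
            third = image[rva + 2]
            if third == RET or (third == RETN and rva + 4 < len(image)):
                hits.append(rva)
    return hits


def return_address(base, rva):
    """The absolute address an exploit writes over the saved EIP."""
    return base + rva


def has_bad_chars(address, bad=b"\x00\x0a\x0d"):
    """True if the little-endian encoding of the address contains a bad byte."""
    return any(b in bad for b in struct.pack("<I", address))


def classify(image, base, address):
    """What a process that has the module mapped at `base` finds at `address`."""
    rva = address - base
    if not 0 <= rva < len(image) - 2:
        return "outside module"      # EIP lands on an unmapped/foreign page: crash
    if rva in find_pop_pop_ret(image):
        return "pop/pop/ret"         # the intended gadget
    return "other code"              # valid page, wrong instructions


if __name__ == "__main__":
    rva = find_pop_pop_ret(IMAGE)[0]
    wrong = return_address(BASE_OTHER, rva)      # address built for the other build
    right = return_address(BASE_REPORTED, rva)   # same RVA, correct base
    print("gadget RVA        : 0x%x" % rva)
    print("ret addr (other)  : 0x%08x -> %s" % (wrong, classify(IMAGE, BASE_REPORTED, wrong)))
    print("ret addr (correct): 0x%08x -> %s" % (right, classify(IMAGE, BASE_REPORTED, right)))
    print("bad chars in ret  :", has_bad_chars(right))
```

Porting the module to a new target means keeping the gadget RVA and substituting the base observed on that build (e.g. from the loaded-module list in a debugger), then re-checking that the resulting address contains no bytes the vulnerable parser would truncate on; the `has_bad_chars` check above is that last step.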
