Just wanted to post that using a ret2libc attack works as shown in the video here:
http://www.zippyvideos.com/5991194746836606/ani-xp-sp2/

>From: "Chris Lyon" <[EMAIL PROTECTED]>
>To: [email protected]
>Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
>Date: Sun, 1 Apr 2007 09:24:51 -0700
>
>On 4/1/07, wac <[EMAIL PROTECTED]> wrote:
>>
>> On 4/1/07, Larry Seltzer <[EMAIL PROTECTED]> wrote:
>> >
>> > >>The issue is that this only works with DEP turned off!
>> >
>> > Interesting point. I haven't seen this mentioned anywhere, including the
>> > Microsoft advisory
>> > ( http://www.microsoft.com/technet/security/advisory/935423.mspx).
>> >
>> > Has anyone actually tested this with DEP on/off to be sure?
>>
>
>Did you guys see this from the CISRT?
>
>http://www.cisrt.org/enblog/read.php?68
>
>
>>Yes, winhex uses the function when you open the .ani and I don't have it
>>running with DEP turned on, and the same goes for firefox, which also leaves
>>the file opened when I opened the web link dev sent me (already tested winhex
>>with the address of exitprocess that btw seems to float around from system
>>to system, since the version dev sent me does not work for me and it works
>>like a charm when I built it). I was talking with dev code about DEP
>>bypassing btw; we think that it is possible to exploit even with
>> DEP ON
>><<.
>>Just ideas for now.
>>
>> > Larry Seltzer
>> > eWEEK.com Security Center Editor
>> > http://security.eweek.com/
>> > http://blog.eweek.com/blogs/larry_seltzer/
>> > Contributing Editor, PC Magazine
>> > [EMAIL PROTECTED]
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
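The thread above argues about whether the .ANI overflow can be exploited with DEP on, and the reply at the top says a ret2libc payload works. The example below is added here to show concretely what that means for a 32-bit x86 stack overflow; it is not the poster's payload, not dev code's exploit, and it does not touch the .ANI format at all. A classic payload returns into shellcode sitting in the overflowed buffer, so with DEP (hardware NX) the first instruction fetched from the stack page faults. A ret2libc frame instead overwrites the saved return address with the entry point of a function that is already mapped executable (the thread mentions kernel32!ExitProcess) and lays out the callee's expected frame behind it, so no stack byte is ever executed. The offset to the saved EIP, the kernel32 address, the fake return address and the stack address are all placeholders chosen for illustration; the per-build variation of the ExitProcess address is exactly why wac reports the PoC failing on a different machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example: the two ways to redirect execution after a stack overflow
 * on 32-bit x86, and why only one of them survives DEP.
 *
 * Frame after the overwrite (low address -> high address):
 *
 *   shellcode-on-stack: [ NOP sled / shellcode ... ][ &buffer ]
 *   ret2libc:           [ filler up to saved EIP ][ func_addr ][ fake_ret ][ arg0 ]
 *
 * On `ret` the CPU pops the word at ret_offset into EIP and leaves ESP
 * pointing at the next word.  For ret2libc that next word is what the
 * library function sees as *its* return address, and the word after it is
 * its first stdcall argument (ExitProcess(uExitCode) takes exactly one).
 */

#define RET_OFFSET  16            /* ASSUMPTION: bytes from buffer start to saved EIP */
#define FUNC_ADDR   0x7c800000u   /* PLACEHOLDER for ExitProcess in the target's kernel32 */
#define FAKE_RET    0x42424242u   /* return address ExitProcess would use (it never returns) */
#define EXIT_CODE   0u            /* ExitProcess's single argument */
#define STACK_BASE  0x0012ff00u   /* PLACEHOLDER address of the overflowed buffer */

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classic payload: body of NOPs standing in for shellcode, saved EIP -> start of buffer. */
size_t build_stack_shellcode_frame(uint8_t *out, size_t out_len,
                                   size_t ret_offset, uint32_t stack_base)
{
    size_t need = ret_offset + 4;
    if (out_len < need)
        return 0;
    memset(out, 0x90, ret_offset);          /* these bytes must be *executed* */
    put_le32(out + ret_offset, stack_base); /* EIP lands inside the buffer itself */
    return need;
}

/* ret2libc payload: filler, then entry point of a mapped function and its frame. */
size_t build_ret2libc_frame(uint8_t *out, size_t out_len, size_t ret_offset,
                            uint32_t func_addr, uint32_t fake_ret, uint32_t arg0)
{
    size_t need = ret_offset + 3 * 4;
    if (out_len < need)
        return 0;
    memset(out, 'A', ret_offset);           /* filler: only walked over, never executed */
    put_le32(out + ret_offset,     func_addr);
    put_le32(out + ret_offset + 4, fake_ret);
    put_le32(out + ret_offset + 8, arg0);
    return need;
}

/* CPU state immediately after the overwritten `ret`, as the callee sees it. */
struct ret_state {
    uint32_t eip;         /* popped return address: first instruction executed */
    uint32_t callee_ret;  /* [ESP]   from the callee's point of view */
    uint32_t callee_arg0; /* [ESP+4] from the callee's point of view */
};

struct ret_state simulate_ret(const uint8_t *frame, size_t ret_offset)
{
    struct ret_state s;
    s.eip         = get_le32(frame + ret_offset);
    s.callee_ret  = get_le32(frame + ret_offset + 4);
    s.callee_arg0 = get_le32(frame + ret_offset + 8);
    return s;
}

/* 1 if the new EIP falls inside the overflowed buffer, i.e. the payload needs
 * an executable stack and is what DEP stops; 0 if it returns elsewhere. */
int needs_executable_stack(const uint8_t *frame, size_t len,
                           size_t ret_offset, uint32_t stack_base)
{
    uint32_t eip = get_le32(frame + ret_offset);
    return eip >= stack_base && eip < stack_base + (uint32_t)len;
}

int main(void)
{
    uint8_t sc[64], rl[64];
    size_t n_sc = build_stack_shellcode_frame(sc, sizeof sc, RET_OFFSET, STACK_BASE);
    size_t n_rl = build_ret2libc_frame(rl, sizeof rl, RET_OFFSET,
                                       FUNC_ADDR, FAKE_RET, EXIT_CODE);
    struct ret_state s = simulate_ret(rl, RET_OFFSET);

    printf("shellcode frame: %zu bytes, needs executable stack: %d\n",
           n_sc, needs_executable_stack(sc, n_sc, RET_OFFSET, STACK_BASE));
    printf("ret2libc frame:  %zu bytes, needs executable stack: %d\n",
           n_rl, needs_executable_stack(rl, n_rl, RET_OFFSET, STACK_BASE));
    printf("after ret: EIP=0x%08x  callee [ESP]=0x%08x  [ESP+4]=0x%08x\n",
           s.eip, s.callee_ret, s.callee_arg0);
    return 0;
}
```

The placeholder FUNC_ADDR is the whole fragility of this technique on XP: without ASLR the kernel32 image base is fixed per build, but it differs between service packs, languages and hotfix levels, so a frame built against one machine's ExitProcess address returns into the wrong bytes on another.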
