http://www.milw0rm.com/exploits/3634
str0ke told me to test this one and no miracle, it works under Vista and the default DEP settings don't catch it.

[EMAIL PROTECTED] wrote:
> From the published poc yes vista is vulnerable, the poc doesn't
> exploit it but shows enough..
> The whole windows browser crashes when you try to open the folder of the
> malicious .ani file,
> can't even attach it to an email because thunderbird crashes when I'm
> browsing to attach the .ani,
> EIP is overwritten by some wrong data near the shellcode. To resume,
> you don't have to open the file
> on vista, displaying it is enough, there is less user interaction
> required to exploit that bug on vista than older windows os,
>
> surprising... ...or not =)
>
> Larry Seltzer wrote:
>
>>>> It is completely possible to execute shellcode if we can do some DEP
>>>> bypass (ie. ret2libc attack, etc..)
>>
>> In Vista this should have problems because of ASLR, right?
>>
>> I'm beginning to think that web-based attacks with this in Vista aren't
>> really so scary. Even if you can get them to execute what can you really
>> do in IE protected mode? You need to get the user to run the ANI outside
>> of IE. Can anyone say what actually happens if you read an e-mail in the
>> Vista Mail program with an attack ANI embedded?
>>
>> Larry Seltzer
>> eWEEK.com Security Center Editor
>> http://security.eweek.com/
>> http://blog.eweek.com/blogs/larry%5Fseltzer/
>> Contributing Editor, PC Magazine
>> [EMAIL PROTECTED]
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
