Brett:
Are you using the version of the code from the Russian Web Site? I compiled and tested it against XP. Forces the machine to crash both patched and unpatched. (MS is aware of this). None of the code ever added a user to the device. Did this happen on the 2K unpatched machine? I've seen some other versions of the code that don't seem to require the external bshell file but incorporates the shell into the C code but I haven't really had much time to investigate.
Yes the code does work against an unpatched system..
Code execution reaches
77FCC992 mov dword ptr [edx],ecx
77FCC994 mov dword ptr [eax+4],ecx
Where EDX is critical address and ECX is heap offset
It then reaches
77FCC663 mov dword ptr [ecx],eax
77FCC665 mov dword ptr [eax+4],ecx
Where ECX is heap offset and EAX is jump instruction..
This is what flashsky was referring to in his post about a universal way
to exploit heap overflows..
Its not 100% reliable tho, as sometimes execution reaches the second code
segment first, which will cause a crash.
We also saw execution reaching
77D399FD call dword ptr [esi+8]
where ESI points into the overflow buffer, but also causes a crash..
After installig the MS03-039 patch, the exploit code had no affect on our
test system...
Test system is Win2k English SP4+MS03-039..
It is possible however that other versions of Win2K are vulnerable to the
denial of service that has been discussed...
Has anybody confirmed this with details of the vulnerable systems?
Brett
Michael A. Gordon
Information Security Services
LM Aero - Fort Worth
817-935-1646
Mail Zone: 9381
<<Gordon, Mike.vcf>>
Gordon, Mike.vcf
Description: Binary data
