[Dailydave] non-SYSTEM to SYSTEM in one click or less

Joel Eriksson je-dailydave at bitnux.com
Mon Mar 12 20:13:51 EDT 2007


Hi Dave & the rest of the list,

On Mon, Mar 12, 2007 at 11:28:54AM -0400, Dave Aitel wrote:
> 
> I just finished converting Joel Eriksson's exploit into CANVAS/MOSDEF
> and I have to admit, it was a fun one. You can grab it now from
> Immunity Partners.  I can confirm, via my testing, that it is
> extremely reliable. Assuming it gets cleaned up enough to go into
> CANVAS by the 1st, that means every CANVAS customer will have the
> ability to go from non-SYSTEM to SYSTEM on Windows 2000 and XP via a
> nice unpatched bug. Gotta love that. :>

Enjoy. :> Congrats again on finishing the port to CANVAS/MOSDEF,
although it's a shame you didn't make it to the March release. :)

For those interested, there's a screenshot of my original exploit
in action at:

   http://kernelwars.blogspot.com/

This exploit + probably a Metasploit meterpreter add-on for it will
be released at the end of April (Immunity bought the rights to it
for 60 days, starting from the 22nd of February or so).

During our Blackhat talk I'll discuss the bug in general and the
process of making a reliable exploit for it, except for the minor
but crucial part that achieves the actual write-4 primitive. That
will be kept to CANVAS customers for a while yet. ;)

For the other two kernel bugs we'll discuss during the talk full
exploits will be released directly afterwards, including Karl's
neat remote wireless and pure in-memory kernel backdoor for
FreeBSD which he made for his 802.11 exploit. :>

Regarding the 0-day NetBSD bug that Christer will be talking about,
he will mention some new techniques that might come in handy for
exploiting other kernel bugs on BSD-derived systems too, when certain
types of structs / pointers are overflowed. :> The bug itself is in
certain "ancient" BSD code that may very well still be used in some
of the commercial Unix systems too.

URL to our talk:

   http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Eriksson

For those of you coming to BH Europe, see you there! :)

> - -dave

-- 
Best Regards,
Joel Eriksson
CTO Bitsec