[Dailydave] A 3 a.m. Riddle

Wed May 30 20:22:59 EDT 2007

> The riddle: Let said you are trying to exploit a remote service on an
> old Windows 2000 (whatever SP you want) and the primitive is the
following
>  inc [edi]   // you control edi
> What would be the best option for edi?

> * You can only do it one time.
> * Note: The riddle is taken from an old silenty patched bug on WINS.

nico, you say you can only do it once. Does the service crash,handle an
exception, or nothing after this one increment?

Stating the obivous here, but does using a writable vs a non-writeble
address make any difference.
Also does using different bit values for EDI make any difference to code
path execution.

If you can do 1 increment, and the service continues to operate, then
you are needing to modify a value that
is then used later, to somehow get other data under your control to be
used.''

Maybe combining a couple of the already suggested ideas, and hit some
values in known static locations on win2k.
like the PEB? or TIB?
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT
%20Objects/Process/PEB.html
http://en.wikipedia.org/wiki/Win32_Thread_Information_Block

As already noted by misaligning the word you can affect different bytes.
So maybe adjust the thread SEH chain
ptr to something else on the stack.

Be interesting to see what you come up with.

Brett

-----Original Message-----
From: dailydave-bounces at lists.immunitysec.com
[mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Nicolas
Waisman
Sent: Thursday, 31 May 2007 3:04 a.m.
To: Dave Korn
Cc: dailydave at lists.immunitysec.com
Subject: Re: [Dailydave] A 3 a.m. Riddle

You can only do it one time.
Note: The riddle is taken from an old silenty patched bug on WINS.

Nico

On Wed, May 30, 2007 at 03:15:13PM +0100, Dave Korn wrote:
> On 30 May 2007 07:13, Nicolas Waisman wrote:
> 
> > Lets have a fun riddle to cheer up the spirit ( Mate at 11pm, its
all
> > night insomnia.)
> > 
> >  The riddle: Let said you are trying to exploit a remote service on
an
> > old Windows 2000 (whatever SP you want) and the primitive is the
following
> >     inc [edi]   // you control edi
> > 
> >  What would be the best option for edi?
> 
>   Depends what else you control apart from edi, and whether you can do
it more
> than once.  If you can overwrite an SEH handler, point edi at an
illegal
> address to invoke your code.  If you can do it multiple times, perhaps
you can
> point edi somewhere on the stack and increment a stored ebp to point
at data
> you control.  Don't forget the possibility of pointing it at a
> non-word-aligned address to e.g increment just the high byte of a
stored
> pointer.
> 
>     cheers,
>       DaveK
> -- 
> Can't think of a witty .sigline today....
> 
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave