[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-disclosure] 2 nice pop/pop/ret :) (update)

To: class101@xxxxxxxxxxxxx, Full-Disclosure@xxxxxxxxxxxxxxxxx
Subject: RE: [Full-disclosure] 2 nice pop/pop/ret :) (update)
From: "Dave Korn" <davek_throwaway@xxxxxxxxxxx>
Date: Thu, 10 Mar 2005 19:05:58 +0000

From: "class 101" Date: Wed, 9 Mar 2005 10:01:57 +0100

Hi there class 101!

 Here is the result of comparing some huge list of pop/pop/ret of XP SP1,
SP1a, SP2 ENGLISH

I got 2 universal offsets accross those 3 Os

SP2 ENGLISH

0x71ABE325 pop esi - pop - retbis - WS2_32.DLL
0x77E7F69E pop ebx - pop - retbis - RPCRT4.DLL

SP1a ENGLISH

0x71ABE325 pop edi - pop - retbis - WS2_32.DLL
0x77E7F69E pop ebx - pop - retbis  - KERNEL32.DLL

SP1 ENGLISH

0x71ABE325 pop edi - pop - retbis - WS2_32.DLL
0x77E7F69E pop ebx - pop - retbis - KERNEL32.DLL

enjoy :)

That's interesting: on my sp1 english system, only one of those addresses works. The winsock one is good:

0:003> u 0x71ABE325
WS2_32!CopyBlobIndirect+0x71:
71abe325 5f               pop     edi
71abe326 5e               pop     esi
71abe327 c20400           ret     0x4

but the kernel32 one just isn't there:

0:003> u 0x77E7F69E kernel32!BasepShimCacheSearch+0x1d: 77e7f69e c02802 shr byte ptr [eax],0x2 77e7f6a1 0000 add [eax],al 77e7f6a3 03442414 add eax,[esp+0x14] 77e7f6a7 66833800 cmp word ptr [eax],0x0 77e7f6ab 7415 jz kernel32!BasepShimCacheSearch+0x3d (77e7f6c2) 77e7f6ad 50 push eax 77e7f6ae ff74241c push dword ptr [esp+0x1c]

I had the same problem with that universal w2k offset you posted about on 9th Feb (Subject: Nice call to ebx found). I went and looked for it on my W2k Pro Sp2 system at home. It wasn't there :-(

What do you suppose could be the reason why we find different results? Hotfixes perhaps? How does the version info look like from _your_ copy of kernel32.dll? Mine says

0:003> lm v mkernel32 start end module name 77e60000 77f46000 kernel32 (pdb symbols) C:\symcache\kernel32.pdb\40D1D0C52\kernel32.pdb Loaded symbol image file: C:\WINDOWS\system32\kernel32.dll Image path: C:\WINDOWS\system32\kernel32.dll Image name: kernel32.dll Timestamp: Thu Jun 17 18:58:35 2004 (40D1DBCB) CheckSum: 000EC3A9 ImageSize: 000E6000 File version: 5.1.2600.1560 Product version: 5.1.2600.1560 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: Microsoft Corporation ProductName: Microsoft® Windows® Operating System InternalName: kernel32 OriginalFilename: kernel32 ProductVersion: 5.1.2600.1560 FileVersion: 5.1.2600.1560 (xpsp2_gdr.040517-1325) FileDescription: Windows NT BASE API Client DLL LegalCopyright: © Microsoft Corporation. All rights reserved.


   cheers,
     DaveK
--
Can't think of a witty .sigline today....


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

Follow-Ups:
- Re: [Full-disclosure] 2 nice pop/pop/ret :) (update)
  - From: class 101

References:
- [Full-disclosure] 2 nice pop/pop/ret :) (update)
  - From: class 101

Prev by Date: Re: [Full-disclosure] Reverse dns
Next by Date: RE: [Full-disclosure] Reverse dns
Previous by thread: [Full-disclosure] 2 nice pop/pop/ret :) (update)
Next by thread: Re: [Full-disclosure] 2 nice pop/pop/ret :) (update)
Index(es):
- Date
- Thread