Hi,

I tested the existing exploits for the PnP bug on my W2k SP4 machine (Spanish) and they didn't work (the "services" process is crashing but I got no shell). So I did a quick review with Olly and I realized that umpnpmgr.dll is being loaded at a different base address. In Spanish systems this base address is 0x76770000 but current exploits are assuming (I guess) 0x767a0000. Then I did a quick hack to HOD's exploit and it worked perfectly. I also modified Metasploit's module and included a target for Spanish systems. I've attached the resulting exploits (they are trivial, though).

Is it usual that Windows DLLs have different base addresses across the same Windows/SP versions (but different languages)?

--
Cheers,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
Attachment:
ms05_039_spanish.tgz
Description: GNU Unix tar archive
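As an added example (not part of Roman's mail or the attached archive), a small PE header parser that reads the linker-assigned ImageBase of a DLL, so the locale-dependent base the mail describes can be checked directly on a given system rather than assumed; the minimal PE image it builds is constructed here for offline testing, and the two addresses are the ones quoted in the mail.

```python
"""Read IMAGE_OPTIONAL_HEADER.ImageBase from a PE file (assumed minimal parser)."""
import struct

# Base addresses for umpnpmgr.dll on W2k SP4 as quoted in the mail
SPANISH_BASE = 0x76770000
ASSUMED_BASE = 0x767A0000   # what the existing exploits assumed


def read_image_base(data: bytes) -> int:
    """Return the preferred load address stored in the PE optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20                                 # skip 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32: DWORD at offset 28
        return struct.unpack_from("<I", data, opt + 28)[0]
    if magic == 0x20B:                                    # PE32+: QWORD at offset 24
        return struct.unpack_from("<Q", data, opt + 24)[0]
    raise ValueError(f"unknown optional header magic {magic:#x}")


def build_minimal_pe(image_base: int, pe32plus: bool = False) -> bytes:
    """Constructed stand-in for a DLL image: just enough headers to parse."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0x2102)
    if pe32plus:
        opt = struct.pack("<HBBIIIIIQ", 0x20B, 0, 0, 0, 0, 0, 0, 0, image_base)
    else:
        opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, 0, 0, 0, image_base)
    return dos + b"PE\0\0" + coff + opt


def base_delta(actual: int, assumed: int) -> int:
    """Distance between the real base of this build and a hardcoded assumption."""
    return actual - assumed


if __name__ == "__main__":
    # Against a real system, read the file: open(r"C:\WINNT\system32\umpnpmgr.dll", "rb")
    base = read_image_base(build_minimal_pe(SPANISH_BASE))
    print(f"ImageBase {base:#010x}, delta from assumed {base_delta(base, ASSUMED_BASE):#x}")
```

ImageBase is only the preferred address; if the loader relocates the DLL the runtime base differs, so compare against the loaded module list as well when in doubt.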