For the MS holes such as this, yeah, this is always like this because all Windows are different. About the languages, if I remember the French offsets are like the Deutsch, NL, etc. When you have a lot of free time you can find out some OS languages using the same offsets.

****************************************************************
KEY: 0xA7C69C5F
PRINT: 694C 3495 BCC4 2F8B D794 6BD4 AF8B 457B A7C6 9C5F
****************************************************************

----- Original Message -----
From: "Roman Medina-Heigl Hernandez" <roman@xxxxxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Thursday, August 25, 2005 6:36 PM
Subject: [Full-disclosure] MS05_039 Exploitation (different languages)

| Hi,
|
| I tested existing exploits for the PnP bug on my W2k SP4 machine (Spanish)
| and they didn't work ("services" process is crashing but I got no
| shell). So I did a quick review with Olly and I realized that
| umpnpmgr.dll is being loaded at a different base address. In Spanish
| systems this base address is 0x76770000 but current exploits are
| assuming (I guess) 0x767a0000. Then I did a quick hack to HOD's exploit
| and it worked perfectly. I also modified Metasploit's module and
| included a target for Spanish systems. I've attached the resulting exploits
| (they are trivial, though).
|
| Is it usual that Windows DLLs have different base addresses across the same
| Windows/SP versions (but different languages)?
|
| --
|
| Cheers,
| -Roman
|
| PGP Fingerprint:
| 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
| [Key ID: 0xEAD56742. Available at KeyServ]
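The question in the quoted message is whether a DLL's load address can legitimately differ between language builds of the same Windows/SP version. On Windows 2000 there is no ASLR, so a DLL normally loads at the preferred ImageBase that the linker wrote into its PE optional header, and each localized build is a separate link that can carry a different value. The following Python script is an added example (not code from either poster or from Metasploit) that reads that field from a PE file so an analyst can verify the assumption for a given binary instead of guessing; it parses the MZ/PE headers directly rather than using a third-party library. The two base addresses used in the demo (0x76770000 and 0x767a0000) are the ones quoted in the message; the PE blobs themselves are constructed in-line and are not real copies of umpnpmgr.dll.

```python
import struct

# Constructed sample values taken from the thread: Spanish W2k SP4 vs. the
# base the public exploits assumed. These are illustration inputs only.
SPANISH_BASE = 0x76770000
ASSUMED_BASE = 0x767A0000


def build_pe_stub(image_base, pe32plus=False):
    """Construct a minimal PE header blob (constructed test data, not a real DLL).

    Only the DOS header, PE signature, COFF header and the optional-header
    fields up to ImageBase are emitted; that is all read_image_base() needs.
    """
    magic = 0x20B if pe32plus else 0x10B
    if pe32plus:
        # PE32+: Magic(2) LinkerVer(1+1) SizeOfCode, SizeOfInitData,
        # SizeOfUninitData, AddressOfEntryPoint, BaseOfCode (5 x 4) ImageBase(8)
        opt = struct.pack("<HBB5IQ", magic, 14, 0, 0, 0, 0, 0, 0, image_base)
    else:
        # PE32: same fields plus BaseOfData(4), then a 4-byte ImageBase
        opt = struct.pack("<HBB6II", magic, 14, 0, 0, 0, 0, 0, 0, 0, image_base)
    machine = 0x8664 if pe32plus else 0x14C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | executable)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x2102)
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature at offset 64
    return bytes(dos) + b"PE\0\0" + coff + opt


def read_image_base(data):
    """Return (format_name, preferred ImageBase) from a PE image's optional header.

    Works on the raw bytes of any PE32 or PE32+ file. Raises ValueError on
    anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    opt_off = pe_off + 4 + 20  # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:  # PE32: ImageBase is a DWORD at optional-header offset 28
        return "PE32", struct.unpack_from("<I", data, opt_off + 28)[0]
    if magic == 0x20B:  # PE32+: ImageBase is a QWORD at optional-header offset 24
        return "PE32+", struct.unpack_from("<Q", data, opt_off + 24)[0]
    raise ValueError("unknown optional header magic 0x%04x" % magic)


def bases_match(data_a, data_b):
    """True when two PE images declare the same preferred ImageBase."""
    return read_image_base(data_a)[1] == read_image_base(data_b)[1]


if __name__ == "__main__":
    # Usage on a real file would be: read_image_base(open(path, "rb").read())
    spanish = build_pe_stub(SPANISH_BASE)
    assumed = build_pe_stub(ASSUMED_BASE)
    for name, blob in (("constructed 'Spanish' build", spanish),
                       ("constructed 'assumed' build", assumed)):
        fmt, base = read_image_base(blob)
        print("%-28s %s ImageBase=0x%08x" % (name, fmt, base))
    print("same preferred base:", bases_match(spanish, assumed))
```

Two caveats for anyone using this as a check: ImageBase is only the preferred address, so on any Windows version the loader will relocate the module if that range is already occupied, and from Vista onward ASLR randomizes DLL bases regardless of this field. On a system without ASLR, comparing this value across language packs of the same SP is the quickest way to confirm whether a DLL really loads at the address a given tool assumes.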