Comentarios en: METHOD_NEITHER: Automatizando la búsqueda de vulnerabilidades http://blog.48bits.com/2008/04/28/method_neither-automatizando-la-busqueda-de-vulnerabilidades/ 48Bits ... The one and a half architecture land. Thu, 09 Feb 2012 23:02:12 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Por: Amian http://blog.48bits.com/2008/04/28/method_neither-automatizando-la-busqueda-de-vulnerabilidades/comment-page-1/#comment-40416 Amian Sun, 11 May 2008 21:35:33 +0000 http://blog.48bits.com/?p=234#comment-40416 Corregido wey Corregido wey

]]> Por: Zohiartze Herce http://blog.48bits.com/2008/04/28/method_neither-automatizando-la-busqueda-de-vulnerabilidades/comment-page-1/#comment-40413 Zohiartze Herce Thu, 08 May 2008 21:44:03 +0000 http://blog.48bits.com/?p=234#comment-40413 Ok, se trataba de un fallo en el Hook, por no preservar el registro ebx. Corregido :-) Ok, se trataba de un fallo en el Hook, por no preservar el registro ebx. Corregido :-)

]]> Por: Zohiartze Herce http://blog.48bits.com/2008/04/28/method_neither-automatizando-la-busqueda-de-vulnerabilidades/comment-page-1/#comment-40407 Zohiartze Herce Mon, 05 May 2008 15:57:31 +0000 http://blog.48bits.com/?p=234#comment-40407 I don't think that this has something to do with Ioctlizador. I've tested on XP SP 2 and everything worked fine. I don’t think that this has something to do with Ioctlizador. I’ve tested on XP SP 2 and everything worked fine.

]]> Por: exceed http://blog.48bits.com/2008/04/28/method_neither-automatizando-la-busqueda-de-vulnerabilidades/comment-page-1/#comment-40404 exceed Thu, 01 May 2008 21:30:07 +0000 http://blog.48bits.com/?p=234#comment-40404 Well, it crashes also rdbss.sys on Window XP SP2, fully patched. Here are some details from minidump: ----- START DUMP ----- BAD_POOL_CALLER (c2) The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc. Arguments: Arg1: 00000007, Attempt to free pool which was already freed Arg2: 00000cd4, (reserved) Arg3: 00000000, Memory contents of the pool block Arg4: 823d9040, Address of the block of pool being deallocated Debugging Details: ------------------ POOL_ADDRESS: 823d9040 FREED_POOL_TAG: ObjT BUGCHECK_STR: 0xc2_7_ObjT CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System LAST_CONTROL_TRANSFER: from 8054b941 to 8053354e STACK_TEXT: f898db28 8054b941 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b f898db78 f7d30a30 823d9040 00000000 f898dbd8 nt!ExFreePoolWithTag+0x2be f898db88 f7cf46a7 823d9040 f7cf472c 00000afa rdbss!_RxFreePool+0x10 f898dbd8 f7cf4472 f898dc4c 00000001 823b6830 mrxsmb!SmbCePnpBindBrowser+0x19c f898dc30 f7cf3325 f898dc48 8231b658 81f65cc8 mrxsmb!MRxSmbpBindTransportCallback+0x152 f898dc5c f884fc62 00000001 0000000a 81f51734 mrxsmb!MRxSmbPnPBindingHandler+0x11f f898dc80 f88502e8 f8851208 8231b658 00000001 TDI!TdiNotifyPnpClientList+0x164 f898dca4 f885051a 00000000 00e65e10 81da5768 TDI!TdiExecuteRequest+0x382 f898dce0 f88505b7 8231b658 0000000d 00000000 TDI!TdiHandleSerializedRequest+0x1c4 f898dcfc f7e82f82 8205b2b8 81da57c0 806ed0e0 TDI!TdiRegisterDeviceObject+0x7d f898dd3c f7e70ee7 81da5660 00000002 81f662e8 netbt!NbtNotifyTdiClients+0x8e f898dd58 f7e65c34 00000000 00000000 00000000 netbt!DelayedNbtProcessDhcpRequests+0x4d f898dd74 804e426b 81f662e8 00000000 823b28b8 netbt!NTExecuteWorker+0x18 f898ddac 8057d0f1 81f662e8 00000000 00000000 nt!ExpWorkerThread+0x100 f898dddc 804f827a 804e4196 00000001 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 STACK_COMMAND: kb FOLLOWUP_IP: rdbss!_RxFreePool+10 f7d30a30 5d pop ebp SYMBOL_STACK_INDEX: 2 SYMBOL_NAME: rdbss!_RxFreePool+10 FOLLOWUP_NAME: MachineOwner MODULE_NAME: rdbss IMAGE_NAME: rdbss.sys DEBUG_FLR_IMAGE_TIMESTAMP: 445b1f4b FAILURE_BUCKET_ID: 0xc2_7_ObjT_rdbss!_RxFreePool+10 BUCKET_ID: 0xc2_7_ObjT_rdbss!_RxFreePool+10 kd> lmvm rdbss start end module name f7d30000 f7d5aa00 rdbss (pdb symbols) D:\Symbols\rdbss.pdb\841B86559D834030A09A8292A9BA02C32\rdbss.pdb Loaded symbol image file: rdbss.sys Mapped memory image file: D:\Symbols\rdbss.sys\445B1F4B2aa00\rdbss.sys Image path: rdbss.sys Image name: rdbss.sys Timestamp: Fri May 05 11:47:55 2006 (445B1F4B) CheckSum: 000345EF ImageSize: 0002AA00 File version: 5.1.2600.2902 Product version: 5.1.2600.2902 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 3.7 Driver File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: Microsoft Corporation ProductName: Microsoft® Windows® Operating System InternalName: rdbss.sys OriginalFilename: RDBSS.Sys ProductVersion: 5.1.2600.2902 FileVersion: 5.1.2600.2902 (xpsp_sp2_gdr.060505-0036) FileDescription: Redirected Drive Buffering SubSystem Driver LegalCopyright: © Microsoft Corporation. All rights reserved. ----- END DUMP ----- I'm wondering if this could be exploitable... Well, it crashes also rdbss.sys on Window XP SP2, fully patched. Here are some details from minidump:

—– START DUMP —–

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 00000000, Memory contents of the pool block
Arg4: 823d9040, Address of the block of pool being deallocated

Debugging Details:
——————

POOL_ADDRESS: 823d9040

FREED_POOL_TAG: ObjT

BUGCHECK_STR: 0xc2_7_ObjT

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from 8054b941 to 8053354e

STACK_TEXT:
f898db28 8054b941 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f898db78 f7d30a30 823d9040 00000000 f898dbd8 nt!ExFreePoolWithTag+0x2be
f898db88 f7cf46a7 823d9040 f7cf472c 00000afa rdbss!_RxFreePool+0×10
f898dbd8 f7cf4472 f898dc4c 00000001 823b6830 mrxsmb!SmbCePnpBindBrowser+0x19c
f898dc30 f7cf3325 f898dc48 8231b658 81f65cc8 mrxsmb!MRxSmbpBindTransportCallback+0×152
f898dc5c f884fc62 00000001 0000000a 81f51734 mrxsmb!MRxSmbPnPBindingHandler+0x11f
f898dc80 f88502e8 f8851208 8231b658 00000001 TDI!TdiNotifyPnpClientList+0×164
f898dca4 f885051a 00000000 00e65e10 81da5768 TDI!TdiExecuteRequest+0×382
f898dce0 f88505b7 8231b658 0000000d 00000000 TDI!TdiHandleSerializedRequest+0x1c4
f898dcfc f7e82f82 8205b2b8 81da57c0 806ed0e0 TDI!TdiRegisterDeviceObject+0x7d
f898dd3c f7e70ee7 81da5660 00000002 81f662e8 netbt!NbtNotifyTdiClients+0x8e
f898dd58 f7e65c34 00000000 00000000 00000000 netbt!DelayedNbtProcessDhcpRequests+0x4d
f898dd74 804e426b 81f662e8 00000000 823b28b8 netbt!NTExecuteWorker+0×18
f898ddac 8057d0f1 81f662e8 00000000 00000000 nt!ExpWorkerThread+0×100
f898dddc 804f827a 804e4196 00000001 00000000 nt!PspSystemThreadStartup+0×34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0×16

STACK_COMMAND: kb

FOLLOWUP_IP:
rdbss!_RxFreePool+10
f7d30a30 5d pop ebp

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: rdbss!_RxFreePool+10

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: rdbss

IMAGE_NAME: rdbss.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 445b1f4b

FAILURE_BUCKET_ID: 0xc2_7_ObjT_rdbss!_RxFreePool+10

BUCKET_ID: 0xc2_7_ObjT_rdbss!_RxFreePool+10

kd> lmvm rdbss
start end module name
f7d30000 f7d5aa00 rdbss (pdb symbols) D:\Symbols\rdbss.pdb\841B86559D834030A09A8292A9BA02C32\rdbss.pdb
Loaded symbol image file: rdbss.sys
Mapped memory image file: D:\Symbols\rdbss.sys\445B1F4B2aa00\rdbss.sys
Image path: rdbss.sys
Image name: rdbss.sys
Timestamp: Fri May 05 11:47:55 2006 (445B1F4B)
CheckSum: 000345EF
ImageSize: 0002AA00
File version: 5.1.2600.2902
Product version: 5.1.2600.2902
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: rdbss.sys
OriginalFilename: RDBSS.Sys
ProductVersion: 5.1.2600.2902
FileVersion: 5.1.2600.2902 (xpsp_sp2_gdr.060505-0036)
FileDescription: Redirected Drive Buffering SubSystem Driver
LegalCopyright: © Microsoft Corporation. All rights reserved.

—– END DUMP —–

I’m wondering if this could be exploitable…

]]> Por: Zohiartze Herce http://blog.48bits.com/2008/04/28/method_neither-automatizando-la-busqueda-de-vulnerabilidades/comment-page-1/#comment-40403 Zohiartze Herce Wed, 30 Apr 2008 21:22:06 +0000 http://blog.48bits.com/?p=234#comment-40403 Ioctlizador shouldn't make any driver crash. Anyway, without further information it's impossible to research the reason. Could you send me the crash dump to "zohiartze [at] 48bits [dot] com"? Ioctlizador shouldn’t make any driver crash. Anyway, without further information it’s impossible to research the reason. Could you send me the crash dump to “zohiartze [at] 48bits [dot] com”?

]]>