
Fate Research Labs Presents: Analysis of the NTDLL.DLL Exploit

From: Eric Hines <eric.hines(at)fatelabs.com>
Date: Fri Mar 28 2003 - 11:32:30 EST


Lists:

I have written a 13-page analysis of the NTDLL.DLL WebDAV exploit, which is located at http://www.fatelabs.com/library/fatelabs-ntdll-analysis.pdf . This paper provides granular detail on the affected component, log traces for log analysis, exploit output, and packet traces for those looking to make their own signatures. The paper is based on the exploit released by Roman Soft to Bugtraq in combination with his follow-up RET address brute forcer. Remember, the exploit can be easily modified to use GET, LOCK, et al.

Our Log Analysis team will be posting the logs and full packet traces to the log division's web site located at http://www.fatelabs.com shortly. In addition, as updates are made to this paper and as different methods of exploiting this buffer overflow are discovered by our team, we will make updates to the paper located at our site.

P.S. Thanks to Roman Medina for his follow-up and response.

Eric Hines
Internet Warfare and Intelligence
Fate Research Labs
http://www.fatelabs.com

Received on Fri Mar 28 16:31:28 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

