Welcome,
Guest
. Please
login
or
register
.
September 20, 2024, 07:37:19 PM
News:
tastyspleen.net has a new discord server:
http://discord.tastyspleen.net
Home
Forum
Help
TinyPortal
Search
Calendar
Login
Register
tastyspleen::quake 2 community
»
Forum
»
The Tech Junkie Boards
»
Tech Junkie Lounge
»
interesting analysis
« previous
next »
Print
Pages: [
1
]
Go Down
Author
Topic: interesting analysis (Read 1957 times)
reaper
Opulent Member
Posts: 2872
Nice night for a walk, eh? - Nice night for a walk
Rated:
interesting analysis
«
on:
May 05, 2009, 05:21:53 PM »
http://vrt-sourcefire.blogspot.com/2008/12/ms08-067-in-wild.html
Logged
VaeVictus "reaper is a lying sack of shit and ragequit then had, probably slugs, come alias and beat me, wasnt even the same person playing OBVIOUSLY, accuracies basicly doubled, and strategy
peewee_RotA
Brobdingnagian Member
Posts: 4152
Hi, I'm from the gov'ment and I'm here to help you
Rated:
Re: interesting analysis
«
Reply #1 on:
May 05, 2009, 05:36:06 PM »
That article reads like the repair manual for a turbo encabulator.
Logged
GOTO ROTAMODS (rocketgib)
GOTO ROTAMAPS (fireworks)
HappyFriar- q2server.fuzzylogicinc.com
Tune in to the
Tastycast!!!!
http://dna.zeliepa.net
reaper
Opulent Member
Posts: 2872
Nice night for a walk, eh? - Nice night for a walk
Rated:
Re: interesting analysis
«
Reply #2 on:
May 05, 2009, 05:55:05 PM »
They actually step through the code which is cool.
Basically a intrustion detection system caught a packet that matched a signature. When this packet matched the signature it stored the packet. The security researcher recognized a pattern in the hex representation of the data that was a very simple decoding/enoding scheme using xor. - they knew it was an exploit against ms-0867. This is a exploit against the windows server service, attacking a poorly written function in the SMB protocol.
The shellcode is weakly encrypted to not be pattern matched by various types security systems. But the intrustion detection system was matching on analysis of all attacks against the vulnerability. They realize that to really run the shellcode through the loop to decode it, they must populate a register with what is normally there from the Windows server service. They do that and now they have attack payload assembly which they disassemble and analyze.
The code is putting data in the stack that shouldn't be there by overflowing a buffer in the problem function netpathcanonicalize. It rewrites the function return address and the machine runs the new code.
Logged
VaeVictus "reaper is a lying sack of shit and ragequit then had, probably slugs, come alias and beat me, wasnt even the same person playing OBVIOUSLY, accuracies basicly doubled, and strategy
Print
Pages: [
1
]
Go Up
« previous
next »
tastyspleen::quake 2 community
»
Forum
»
The Tech Junkie Boards
»
Tech Junkie Lounge
»
interesting analysis
El Box de Shoutamente
Last 10 Shouts:
RyU
September 03, 2024, 05:15:49 PM
And wow Derrick is still playing lol
RyU
September 03, 2024, 05:15:15 PM
Just know yesterday is gone and soon tomorrow will be gone too
Lejionator
August 08, 2024, 07:28:01 PM
It's tiem to QuakeCon!!!
https://www.youtube.com/watch?v=ThQd_UJaTys
ImperiusDamian
July 26, 2024, 09:34:53 PM
In nomine Quake II et Id Software et Spiritus John Carmack, Amen.
QuakeDuke
July 26, 2024, 05:10:30 PM
Hey, shout, summertime blues
Jump up and down in you blue suede shoes
Hey, did you rock and roll? Rock on!! ...QD
Yotematoi
July 24, 2024, 01:31:20 PM
Ayer me mato 5 veces para robarme en la vida real hará lo mismo? [img]<iframe src="https://www.facebook.com/plugins/post.php?href=https%3A%2F%2Fwww.facebook.com%2Fzoloyoze.torito%2Fposts%2Fpfbid0wXU2VgS7atesBcSoMz5BWMJCJajeZFVT6GzSU6TtpJGddN9kLTvWNgcZaskkbKFQl&show_text=true&width=500
https://www.facebook.com/plugins/post.php?href=https%3A%2F%2Fwww.facebook.com%2Fzoloyoze.torito%2Fposts%2Fpfbid0wXU2VgS7atesBcSoMz5BWMJCJajeZFVT6GzSU6TtpJGddN9kLTvWNgcZaskkbKFQl&show_text=true&width=500
" width="500"
Yotematoi
July 24, 2024, 01:25:59 PM
hi ya está la basura de Martin, se cambió el nombre es un ladron estupido, asi llegó a 10000[img]<iframe src="https://www.facebook.com/plugins/post.php?href=https%3A%2F%2Fwww.facebook.com%2Fzoloyoze.torito%2Fposts%2Fpfbid03hZrkDUBJPZKCuFgy5hRUy831ekKJYVRzC7ajXaKQbJ6xcPgKftLukUDfovFyEq3l&show_text
https://www.facebook.com/plugins/post.php?href=https%3A%2F%2Fwww.facebook.com%2Fzoloyoze.torito%2Fposts%2Fpfbid03hZrkDUBJPZKCuFgy5hRUy831ekKJYVRzC7ajXaKQbJ6xcPgKftLukUDfovFyEq3l&show_text
Yotematoi
July 24, 2024, 01:25:59 PM
hi ya está la basura de Martin, se cambió el nombre es un ladron estupido, asi llegó a 10000[img]<iframe src="https://www.facebook.com/plugins/post.php?href=https%3A%2F%2Fwww.facebook.com%2Fzoloyoze.torito%2Fposts%2Fpfbid03hZrkDUBJPZKCuFgy5hRUy831ekKJYVRzC7ajXaKQbJ6xcPgKftLukUDfovFyEq3l&show_text
https://www.facebook.com/plugins/post.php?href=https%3A%2F%2Fwww.facebook.com%2Fzoloyoze.torito%2Fposts%2Fpfbid03hZrkDUBJPZKCuFgy5hRUy831ekKJYVRzC7ajXaKQbJ6xcPgKftLukUDfovFyEq3l&show_text
[BTF]Jehar
July 19, 2024, 04:28:08 PM
http://forum.tastyspleen.net/quake/index.php?topic=23579.msg238738#msg238738
ts500 comin!
-Unh0ly-
July 05, 2024, 05:20:36 AM
https://unh0lyquakeii.godaddysites.com/
[/i]
Show 50 latest
User
Welcome,
Guest
. Please
login
or
register
.
September 20, 2024, 07:37:19 PM
1 Hour
1 Day
1 Week
1 Month
Forever
Login with username, password and session length
Search
Advanced search