Hi, I do a lot of exploit development and I think I might have come across a serious bug where we could execute shellcode by gaining control of the EIP through a SEH overwrite. If one of the devs wants to PM for further details it isn't a problem, although I won't release an exploit or give out any details, but clearly the exception handlers got smashed. I will be investigating this tonight.
Yeah, I'm just looking into this m8, collecting some more information. By what I know of SEH overwrites it looks exploitable because we can walk the long chain of exception handlers then just do a pop pop ret <=== asm > back to our shellcode. We could use an address inside the DLL like we would normally use a jmp or call with a straightforward buffer overflow; this is a lot different, we need to pop 2 addresses off the stack and return back into the stack where our shellcode is, or could do a jmp esp +8. There are a few ways.
So the stack would look like this
----------------------------------------------
41414141
41414141
0012F498 44444444 Pointer to next SEH record
0012F49C 45454545 SE handler
-----------------------------------------------
SEH chain of main thread
#Address SE handler
#---------------------------
#0012E46C
#45454545 <<<--SE handler
Looks exploitable to me, thank god it's not remotely exploitable. But m8, if they see it here they can PM me just the same and get the details about it. I get a little sick of contacting vendors about buffer overflows and stuff, nothing happens, then this happens lol, the bugs get released to the public via a fully functional exploit..
You're better off PMing Scawen about this, I bet he would be interested in what you have to say. The devs here actually listen to what the community has to say.
imthebestracerthereis, you're not funny. No, I'm not a 1337 H4XX0R LOL. I write exploits and do a lot of exploit development; your brain can't even comprehend what I'm talking about so you've got to make a joke about it. If I was you I would be worried as you own LFS too. Some people just don't realize that I was actually trying to help the community..
I'll try and get in touch today with him. No one should be worried as the bug has not been confirmed and only I know about it, and it will be kept that way.
Link tells me nothing, I am afraid. Made me dizzy though. This is not really the place for this kind of technical info. Don't know if you are referring to a general Windows bug or something LFS devs can prevent.
My experience is that the devs are quite receptive to the community and communicate with it a lot.
This kind of bug/exploit can best be handled with them directly.
Yeah, I'm not going to until I'm 100% sure this is exploitable, although I was having problems recreating the same results I did last night for some reason. I will see what happens today and if I do come across it I'll send them all the info they need.. It's not Windows related, it's LFS.
Oh fuk, I just recreated the bug and it's a buffer overflow. I'm not 100% sure where, but I have a test file that shows this bug is easily exploitable through a standard exploit rather than SEH overwrite. It's a pretty serious bug: I was able to overwrite the EIP and my ESP points to the user supplied data. Serious bug. I just can't get over all the time I've been looking at finding a bug in LFS and come across an exploitable buffer overflow, as I know I'm not the only one who has looked.
I think I'll write a PoC code for the devs to show it is exploitable. The problem is it's a common buffer overflow. The actual results I'm looking at now show that it's a serious problem. Like I said, I'll write a PoC and it'll get fixed, so be prepared for a new patch some time soon..
Clever enough to play with code, but too stupid to type/spell properly? All in all just making the English look lazy and idiotic with no grasp of even their own language.
tristancliffe, ok if you want to play like that m8, it's not a problem. I'm trying to do 1000 things at once and I'm typing fast as hell; I'm not bothered whether I make typos or not. The reason it's like that is because I just updated the post, you numpty. Look, if you're gonna be funny about it I'll just write and release a PoC for it, simple, then it puts everyone at risk of being hacked. I'm not 100% English so my English is bad; if you can't read it then tough sh!t.
Obviously a lot cleverer than you by the looks of things. Anyway, which part of my post can you not read? Because if it's the memory registers, they're supposed to look like that.
Edit: I don't care about memory registers. To be honest I don't really care about this exploit you claim exists, mainly because you are too stupid to tell us in normal terms what it means. But the major parts of your posts I don't understand are the parts you have written. Doing 1000 things at once? Wow. Why not calm down, do 10 things at once, and do them to a level that is vaguely meritorious? Or did you fail your SATS for the 10 times last week?
Chances are, nobody is going to take you seriously if you don't give a shit about typing properly. You might be knowledgeable, but you come off as a script kiddie that way.
You guys need to calm the hell down. And know what a script kiddie is: not someone who writes their own exploits. I'm as far from a script kiddie as you could possibly get; maybe you should find out what a script kiddie is before calling someone this. ****ing never been insulted so much. You know what, it's your loss, you guys obviously are just plain looking for an argument. Look, I'll just release the PoC for everyone I know, ok, then we will see who is being a smart ass.
You guys need to grow up and stop trawling for arguments. If you've got nothing constructive to post, don't bother posting, simple.
Do you mean you're too stupid to realize what the hell I'm talking about? That's your problem, not mine.
Holy crap, did you even read my post? I didn't say you are a script kiddie who doesn't have any clue about real hacking, just that you look like one with spelling as bad as yours.
I don't understand the bashing mentality in here sometimes.
Anyway, I don't think this exploit could work online, as there has been an exploit like this in the past but it wouldn't work online or for hotlaps.
If it's true that it won't work online then I'm not too bothered; people can hack/exploit single player as much as they want. However, if it could be used online or in hotlaps then we may have a problem.
Anyway, I'd suggest just sending a mail to the devs.
Ok, well what I can tell you is I was right, it is exploitable, and after 20 mins of trial and error I was able to execute shellcode. It is a local exploit but it won't be too hard for someone to be tricked into this very easily; if you want to be my guinea pig just let me know lol. I am still not sure what to do. I want to release a PoC code for it, but I don't want to put others at risk. Maybe I'll tell the devs then release the PoC code.. It's up to them to fix it, not me. But it definitely works, I was able to execute calc.exe.. Ok, how do I get in touch with the devs?
Was straightforward: the EIP got overwritten after 37 bytes of buffer, the next 4 bytes for the static address inside jmp esp, the next 4 bytes point directly to our user supplied data, then we added 351 bytes of shellcode followed by 353 bytes of buffer to fill the rest of the static buffer up.. Then done a jmp esp into our shellcode..
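As an added illustration of the defect class being discussed (my own code, not anything from this thread, from the poster, or from LFS), here is the usual shape of a file-parsing overflow, a length field read from the file and trusted when copying into a fixed-size stack buffer, shown beside a bounded parser that rejects the record instead. The record format (one length byte followed by the payload), the 32-byte buffer, and all function names are assumptions made for the example; the sample records are constructed.

```c
/* Added example: trusted-length copy into a stack buffer vs. a bounded parser.
 * Not LFS code; the record format and buffer size are assumed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32u  /* assumed size of the fixed stack buffer */

/* Unsafe shape: the length byte at rec[0] is trusted. A length above
 * NAME_MAX-1 writes past `out`, over saved registers and the return address,
 * which is what "overwrote the EIP" means in the post above. Kept only for
 * contrast; the demo functions never feed it an oversized record. */
void parse_name_unsafe(const uint8_t *rec, char *out)
{
    size_t n = rec[0];
    memcpy(out, rec + 1, n);   /* no check against the size of out */
    out[n] = '\0';
}

/* Bounded version: check the claimed length against both the bytes actually
 * present in the record and the destination size. Returns 1 when the name was
 * copied into `out`, 0 when the record is rejected and `out` is untouched. */
int parse_name_checked(const uint8_t *rec, size_t rec_len, char *out, size_t out_len)
{
    if (rec == NULL || out == NULL || rec_len < 1 || out_len < 1)
        return 0;
    size_t n = rec[0];
    if (n > rec_len - 1)          /* claims more payload than the record holds */
        return 0;
    if (n >= out_len)             /* leave room for the terminator */
        return 0;
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return 1;
}

/* Constructed sample records for the demo (not real file data). */
int demo_well_formed(void)
{
    const uint8_t rec[] = {5, 'H', 'E', 'L', 'L', 'O'};
    char out[NAME_MAX];
    return parse_name_checked(rec, sizeof rec, out, sizeof out) == 1
        && strcmp(out, "HELLO") == 0;
}

int demo_oversized(void)
{
    uint8_t rec[256];
    memset(rec, 'A', sizeof rec);     /* the 0x41 filler seen in the stack dump above */
    rec[0] = 200;                     /* claims 200 bytes for a 32-byte buffer */
    char out[NAME_MAX];
    return parse_name_checked(rec, sizeof rec, out, sizeof out) == 0;
}

int demo_truncated(void)
{
    const uint8_t rec[] = {9, 'A', 'B'};   /* length says 9, only 2 bytes follow */
    char out[NAME_MAX];
    return parse_name_checked(rec, sizeof rec, out, sizeof out) == 0;
}

int main(void)
{
    printf("well-formed accepted: %d\n", demo_well_formed());
    printf("oversized rejected:   %d\n", demo_oversized());
    printf("truncated rejected:   %d\n", demo_truncated());
    return 0;
}
```

The point of the checked version is that an oversized or short record is an error to report, never something to copy; with the length validated the 37 bytes of filler, return-address overwrite and jmp esp described above have nothing to land on. Building with stack protectors and running the parser under a sanitizer would catch the unsafe variant the first time a fuzzed file hands it a large length.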
Hold on, there is nothing to say I have to tell them anything about this; I could keep it to myself. I'm not sure how easy it will be to fix this problem. I wasn't sure if it was exploitable, I needed to do more testing on this, which confirmed my suspicions that it is. Do you think it is that easy just to write a PoC with debugging info and send it to them? Try it and let me know. It takes time to write everything up with an explanation of the stuff needed. I need to know which language they want the PoC code in.. Perl, Ruby, Python, C, C++. But I'll send them an email; I wasn't going to bother them till I knew that it was exploitable, which I know now.
Sent email, fingers crossed they take it seriously.
It's only a local exploit so it's not a major issue; however, it is an issue.
I'm sure if the DEV's think there is a genuine risk to the LFS players they will sort it out.