Hi Roman,

I assure you that the address is also different for the French language.
With the similar review with ollydbg, the base address for me is
0x76740000. I've attached the resulting exploit and Metasploit's module
for french's system.

Regards,

--
Fabrice MOURRON ----- Consultant en sécurité des systèmes d'information
fmourron (at) exaprobe (dot) com [email concealed] ------[ ExaProbe ]------ http://www.exaprobe.com/

PGP KeyID: 20D22266
FingerPrint: 767E CB52 94D3 7AEF DD21 BD2F 4D5C 6E6D 20D2 2266

Le jeudi 25 août 2005 à 18:36 +0200, Roman Medina-Heigl Hernandez a
écrit :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I tested existing exploits for PnP bug on my W2k SP4 machine (Spanish)
> and they didn't work ("services" process is crashing but I got no
> shell). So I did a quick review with Olly and I realized that
> umpnpmgr.dll is being loaded at a different base address. In Spanish
> systems this base address is 0x76770000 but current exploits are
> assumming (I guess) 0x767a0000. Then I did a quick hack to HOD's exploit
> and it worked perfectly. I also modified Metasploit's module and
> included a target for Spanish systems. I've attached resulting exploits
> (they are trivial, though).
>
> Is it usual that Windows DLLs have different base address across same
> Windows/SP versions (but different languages)?
>
>
> - --
>
> Cheers,
> - -Roman
>
> PGP Fingerprint:
> 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
> [Key ID: 0xEAD56742. Available at KeyServ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (MingW32)
>
> iD8DBQFDDfOr5H+KferVZ0IRAiZKAKDJ0A1RT+iyFcJipN3k56YEmzctqACePS5e
> aUJNlnMEsftew1Yn993iGJY=
> =XE3r
> -----END PGP SIGNATURE-----

[ reply ]