Re: Is it possible to read a SGA's memory architecture ?

>
> I see it is win32s, win95 and winnt supported.. what happens on win95
> kernels? I would assume that there the call has none of the winnt
> restrictions?

Yes, you are correct. Actually, win95 puts no restrictions on processes whatsoever. You can even execute low-level hardware ports i/o from unprivileged process and it won't raise any exception - on NT you have to create a kernel mode driver and call it for this.

> > Plus there's that Shatter technique that may be (or may be not) applicable
> > to Oracle - this one doesn't require any advanced privileges if you can
> > find a LocalSystem service that can interact with the desktop. You then
> > use pretty innocent messages to get your code into target's memory space
> > and execute it in that context...
>
> Please expand on this...

This is a rather old technique, recently rediscovered and studied by Foon. He claims that Win32 has architectural flaws (unfixable) which may be exploited for privilege escalation with very little skill and effort, using only Windows messaging mechanisms and several APIs that send and process messages. Pretty good essay plus links to Microsoft answers on it, and answers on answers :) can be found here:

http://security.tombom.co.uk/shatter.html

-- 
Vladimir Zakharychev (bob@dpsp-yes.com)                http://www.dpsp-yes.com
Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
All opinions are mine and do not necessarily go in line with those of my employer.




> 

> --

> Billy