Vulnerability Development mailing list archives
Re: exdploiting the recent windows media player nsc buffer overflow
From: "Pauli Ojanpera" <pauli_ojanpera () hotmail com>
Date: Sun, 05 Aug 2001 15:29:34 +0300
IIRC if you feed a suitably sized string in the field, an overflow will happen before the unicode conversion. Don't really remember, it's been a long time since.

----Original Message Follows----
From: Franklin DeMatto <franklin () qdefense com>
To: vuln-DEV () securityfocus com
CC: pauli_ojanpera () hotmail com
Subject: exdploiting the recent windows media player nsc buffer overflow
Date: Sun, 05 Aug 2001 07:40:55 -0400

WMP converts the IP Address field into unicode. This will insert null bytes into every other byte in the buffer, making it very hard to exploit (although it may be possible, like the folks at eEye did with a similar conversion in one of their recent IIS exploits). However, if an nsc file can use unicode directly, then an attacker would be able to put unicode in the ip addr field, bypassing the conversion, and easily sploiting.

I have searched through the Microsoft documentation, but have not been able to determine if nsc's can be written using unicode characters (like HTML can). Anyone have any info?

Franklin DeMatto - http://qDefense.com
qDefense - DEFENDING THE ELECTRONIC FRONTIER
Please do not send mail to antispaam () qdefense com
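The thread turns on what an ANSI-to-Unicode (UTF-16LE) widening does to a fixed-size buffer: every narrow character becomes two bytes, the second of which is 0x00 for plain ASCII, and the byte length doubles. The following is an added illustration written for this archive page, not code from either poster and not WMP's own code; the buffer size and the two copy routines are constructed to show, from a defender's side, why a bound checked against the narrow length is not a bound on the widened copy.

```python
# Added illustration (not from the thread): an ANSI -> UTF-16LE widening
# interleaves 0x00 bytes and doubles the byte length, so a length check
# performed before the conversion does not bound the widened copy.

BUFFER_SIZE = 16  # constructed fixed-size destination buffer, in bytes


def widen(ansi: bytes) -> bytes:
    """Simulate what a Windows 'A' -> 'W' conversion does to narrow input."""
    # latin-1 maps each input byte to one code point, as an ANSI code page would
    return ansi.decode("latin-1").encode("utf-16-le")


def null_offsets(data: bytes) -> list:
    """Offsets of every 0x00 byte; for ASCII input these are all odd offsets."""
    return [i for i, b in enumerate(data) if b == 0]


def copy_checked_in_narrow_bytes(ansi: bytes) -> bytes:
    """Unsafe pattern: the bound is checked on the narrow input, then the
    widened data is copied into the fixed buffer. Returns the bytes that
    would spill past the end of the buffer (empty when nothing spills)."""
    if len(ansi) > BUFFER_SIZE:
        raise ValueError("rejected by narrow-length check")
    wide = widen(ansi)
    return wide[BUFFER_SIZE:]


def copy_checked_in_wide_bytes(ansi: bytes) -> bytes:
    """Safe pattern: widen first, then check the real byte length against
    the buffer before copying."""
    wide = widen(ansi)
    if len(wide) > BUFFER_SIZE:
        raise ValueError("rejected by widened-length check")
    return wide


if __name__ == "__main__":
    sample = b"10.0.0.1"  # constructed sample value for the field
    print(widen(sample))
    print(null_offsets(widen(sample)))
    print(copy_checked_in_narrow_bytes(b"A" * 12))  # 12 narrow bytes pass the check, 24 wide bytes spill 8
```

Running the narrow-checked copy on a 12-byte input shows 8 bytes spilling past a 16-byte buffer even though the input passed the check; the widened-length check rejects the same input. The interleaved nulls at every odd offset are the reason the first poster expects the overflowed data to be awkward to work with.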
Current thread:
- exdploiting the recent windows media player nsc buffer overflow Franklin DeMatto (Aug 05)
- <Possible follow-ups>
- Re: exdploiting the recent windows media player nsc buffer overflow Pauli Ojanpera (Aug 05)