Vulnerability Development mailing list archives
RE: RunAs weirdness...
From: Ed Moyle <emoyle () scsnet csc com>
Date: Wed, 19 Dec 2001 09:40:42 -0500
If I remember correctly, the .ida and .idq overflows on IIS left a similar address on the stack with nulls in it, like 0x00410041, and the fellas at eEye busted out some ninja technique to exploit it anyway.

KF mentioned it might be useful to share this with the list. It seems to me to be likely that the nulls in this string are from a unicode/widechar conversion of the input arguments. I checked the runas.exe import table, and it looks to be bringing in lstrcpy and wsprintf (wide char versions of the more traditional strcpy and sprintf). The thing also brings in CommandLineToArgvW, which makes me think somebody is doing something like (don't criticize the code... this is just off the top of my head):

    #include <windows.h>
    #include <shellapi.h>

    /* fixed-size wide buffer: the overflow target */
    WCHAR buf[OVERFLOW_ME_SIZE];

    /* raw command line, then split into wide argv[] */
    LPWSTR lpCommandLine = GetCommandLineW();
    int argc = 0;
    LPWSTR *wargv = CommandLineToArgvW(lpCommandLine, &argc);

    /* don't know exactly what they are doing, but it could be something like: */
    lstrcpyW(buf, wargv[1]);   /* no length check against OVERFLOW_ME_SIZE */

Good find to whoever started this thread, by the way.

-E
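The following is an added model, not runas.exe and not code from the post above, of the mechanism Ed Moyle is guessing at: an ANSI argument widened to UTF-16 and copied unchecked into a short WCHAR buffer that sits just below a saved return address. The frame layout, buffer size and the hardened variant are assumptions for illustration; WCHAR is emulated as uint16_t so the bytes land as they would on Win32 regardless of the host's wchar_t width.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame (assumption, not runas.exe): a short WCHAR buffer
 * immediately followed by the saved return address it can overwrite. */
#define BUF_WCHARS 8

struct frame {
    uint16_t buf[BUF_WCHARS];   /* stands in for WCHAR buf[OVERFLOW_ME_SIZE] */
    uint32_t saved_ret;         /* what the overflow lands on */
};

/* Vulnerable copy: widen a narrow (ANSI) argument to UTF-16LE and write it
 * into the frame with no length check, as copying a converted argument with
 * lstrcpyW() would. Every source byte becomes <byte, 0x00>, so the high byte
 * of each character slot is the null the post talks about. Writes stop at the
 * end of the model frame only to stay defined on the host; the real bug does
 * not stop. Returns the number of bytes written. */
size_t vulnerable_copy(struct frame *f, const char *narrow_arg)
{
    uint8_t *dst = (uint8_t *)f;
    size_t n = 0;
    for (const char *p = narrow_arg; *p != '\0'; p++) {
        if (n + 2 > sizeof *f)          /* model boundary, not a real check */
            break;
        dst[n++] = (uint8_t)*p;         /* low byte: the ASCII character */
        dst[n++] = 0x00;                /* high byte added by widening */
    }
    return n;
}

/* Hardened copy: check that the widened string plus its terminator fits
 * before touching the buffer. Returns 0 on success, -1 if too long. */
int hardened_copy(struct frame *f, const char *narrow_arg)
{
    size_t len = strlen(narrow_arg);
    if (len + 1 > BUF_WCHARS)
        return -1;
    for (size_t i = 0; i < len; i++)
        f->buf[i] = (uint16_t)(uint8_t)narrow_arg[i];
    f->buf[len] = 0;
    return 0;
}

/* The 32-bit little-endian value two widened characters leave in memory,
 * e.g. widened_dword('A', 'A') == 0x00410041. */
uint32_t widened_dword(char c0, char c1)
{
    return (uint32_t)(uint8_t)c0 | ((uint32_t)(uint8_t)c1 << 16);
}

/* Run the vulnerable copy on a fresh frame and report the saved return
 * address afterwards (assumes a little-endian host, as x86 is). */
uint32_t overflow_result(const char *narrow_arg)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = 0x11223344u;          /* marker value before the copy */
    vulnerable_copy(&f, narrow_arg);
    return f.saved_ret;
}

/* Run the hardened copy on a fresh frame; returns its status code. */
int hardened_result(const char *narrow_arg)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    return hardened_copy(&f, narrow_arg);
}

int main(void)
{
    /* 10 'A's widen to 20 bytes: 16 fill buf, 4 overwrite saved_ret. */
    printf("saved_ret after \"AAAAAAAAAA\": 0x%08x\n", overflow_result("AAAAAAAAAA"));
    /* The attacker controls only every other byte of the overwrite. */
    printf("saved_ret after \"AAAAAAAABC\": 0x%08x\n", overflow_result("AAAAAAAABC"));
    printf("hardened_copy(8 chars) = %d\n", hardened_result("AAAAAAAA"));
    return 0;
}
```

The point the model makes concrete: after widening, the value that ends up in the saved return address is built from attacker bytes in the low byte of each 16-bit slot and 0x00 in the high byte, so only addresses of the form 0x00XX00YY are reachable with a plain ANSI input, which is exactly the 0x00410041 shape seen in the .ida/.idq overflows.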
Current thread:
- re: RunAs weirdness... KRFinisterre (Dec 18)
- <Possible follow-ups>
- RE: RunAs weirdness... Ed Moyle (Dec 19)
- RE: RunAs weirdness... jesperht (Dec 19)
- RE: RunAs weirdness... Phillip Nordwall (Dec 19)
- Re: RunAs weirdness... Riley Hassell (Dec 20)
- Re[2]: RunAs weirdness... 3APA3A (Dec 20)
- RE: Re[2]: RunAs weirdness... Riley Hassell (Dec 20)
- Re: RunAs weirdness... Riley Hassell (Dec 20)