Vulnerability Development mailing list archives
RE: RunAs weirdness...
From: Phillip Nordwall <Phillip.Nordwall () wwu edu>
Date: Wed, 19 Dec 2001 11:18:27 -0800
I noticed that there are only two characters that are important as to which memory location gets accessed, character #'s 270 & 271, and there needs to be at least 288 total characters. I found this by running

runas /user:administrator ----------------------------------------------------------------------------
----------------------------------------------------------------------------
----------------------------------------------------------------------------
------------------------------------------XY----------------

These can be upper or lower ASCII. There seems to be a memory location that it goes to independent of what you type in: 0x002d0031. This happens when using ^A^A and a few other combinations that I have tried.

Phillip Nordwall

-----Original Message-----
From: KRFinisterre () checkfree com [mailto:KRFinisterre () checkfree com]
Sent: Tuesday, December 18, 2001 10:12 AM
To: vuln-dev () security-focus com
Cc: recon () snosoft com
Subject: re: RunAs weirdness...

I tested the runas issue that was recently posted on my Win2k build 5.00.2195 box. The result was similar to jesperht () hotmail com's results; however, I was able to see some of my data on the stack... from within cygwin I did

Administrator@TERMSRV ~
$ runas /user:administrator AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ABB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

I noticed if you use too many chars that your data is no longer on the stack at the point where it crashed... it references some other point in memory. The above string generated an error that stated:

The instruction at "0x77fc90cd" referenced memory at "0x00420042". The memory could not be "written"
Click on OK to terminate the program
Click CANCEL to debug the program.

The reason half of my string is A's and the other half is B's is because I wanted to make sure that it was indeed my data on the stack. If the string is all A's by themselves then the error is as follows.

The instruction at "0x77fc90cd" referenced memory at "0x00410041". The memory could not be "written"
Click on OK to terminate the program
Click CANCEL to debug the program.

If you feed it too many A's you get the error

The instruction at "0x77dd7ef6" referenced memory at "0x00078000". The memory could not be "written"
Click on OK to terminate the program

and no option to debug.

If I remember correctly the .ida and .idq overflows on IIS left a similar address on the stack with nulls in it like 0x00410041 and the fellas at eEye busted out some ninja technique to exploit it anyway.

-KF
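As an added example (not code from this thread or from anyone posting in it), the Python script below shows the arithmetic behind the addresses quoted above and turns Phillip's by-hand search for the controlling character positions into a repeatable crash-triage step. runas receives its arguments as UTF-16LE, so a pointer assembled from two adjacent ASCII characters reads as 0x00YY00XX, which is why all-A input faults at 0x00410041 and the B half of KF's string at 0x00420042. The script decodes a reported fault address back into the character pair that would produce it, and generates a marker string in which every adjacent character pair is unique (a de Bruijn sequence over letters and digits), so a single crash report identifies which character offsets reached the pointer. The 288-character length and the offset 270 are taken from the thread (treated as 0-based here); the function names and the alphabet are my choices.

```python
"""Crash-triage helper: added example, not code from this thread.

runas receives its command line as UTF-16LE, so each ASCII character
occupies two bytes with a zero high byte.  A reported fault address such
as 0x00420042 is therefore two adjacent 'B' (0x42) characters being
dereferenced as a pointer.  Two tools follow:

  * fault_address_to_chars() turns a fault address back into the pair of
    characters that would produce it (or None if it is not printable text).
  * marker_string() builds input in which every adjacent character pair is
    unique, so one crash identifies the offsets that ended up in the pointer.

Function names and the letters+digits alphabet are my choices; the
288-character length and offset 270 come from the thread (0-based here).
"""
import string
import struct
from typing import Optional

ALPHABET = string.ascii_letters + string.digits  # 62 symbols -> 3844 unique pairs


def fault_address_to_chars(addr: int) -> Optional[str]:
    """Decode a 32-bit fault address as two UTF-16LE code units.

    The low 16 bits hold the earlier character of the pair (little-endian).
    Returns None when either half is not printable ASCII, i.e. the address
    is probably not built from the user's input.
    """
    lo, hi = addr & 0xFFFF, (addr >> 16) & 0xFFFF
    if not (0x20 <= lo <= 0x7E and 0x20 <= hi <= 0x7E):
        return None
    return chr(lo) + chr(hi)


def de_bruijn(alphabet: str, n: int) -> str:
    """Standard de Bruijn sequence B(k, n): every length-n string over the
    alphabet appears exactly once in the cyclic sequence."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in seq)


def marker_string(length: int) -> str:
    """Prefix of B(62, 2): every adjacent character pair within it is unique."""
    full = de_bruijn(ALPHABET, 2)
    if length > len(full):
        raise ValueError(f"at most {len(full)} characters without repeated pairs")
    return full[:length]


def locate(pattern: str, pair: str) -> int:
    """0-based offset of the character pair that formed the pointer."""
    idx = pattern.find(pair)
    if idx < 0:
        raise ValueError("pair not in pattern: fault address is not input-derived")
    return idx


def simulate_fault(pattern: str, offset: int) -> int:
    """Fault address Windows would report if pattern[offset:offset+2]
    (as UTF-16LE) were dereferenced as a 32-bit pointer."""
    return struct.unpack("<I", pattern[offset:offset + 2].encode("utf-16-le"))[0]


if __name__ == "__main__":
    # KF's results: all-A input and the B half of his A/B string
    print(fault_address_to_chars(0x00410041), fault_address_to_chars(0x00420042))
    # Address seen with too many characters: not input-derived
    print(fault_address_to_chars(0x00078000))
    # Constructed scenario: 288-char marker string, offsets 270/271 reach the pointer
    pat = marker_string(288)
    addr = simulate_fault(pat, 270)
    print(f"{addr:#010x} -> offset {locate(pat, fault_address_to_chars(addr))}")
```

The decoder also shows why KF's third crash looks different: 0x00078000 has no printable UTF-16 halves, so that fault does not come from his input, matching his observation that with too many characters the data is no longer where it crashed. The marker string replaces the all-dash input with XY moved by hand: one run reports an address, the address decodes to a pair, and the pair's position in the string is the offset that controlled it.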
Current thread:
- re: RunAs weirdness... KRFinisterre (Dec 18)
- <Possible follow-ups>
- RE: RunAs weirdness... Ed Moyle (Dec 19)
- RE: RunAs weirdness... jesperht (Dec 19)
- RE: RunAs weirdness... Phillip Nordwall (Dec 19)
- Re: RunAs weirdness... Riley Hassell (Dec 20)
- Re[2]: RunAs weirdness... 3APA3A (Dec 20)
- RE: Re[2]: RunAs weirdness... Riley Hassell (Dec 20)
- Re: RunAs weirdness... Riley Hassell (Dec 20)