Vulnerability Development mailing list archives
RE: Re[2]: RunAs weirdness...
From: "Riley Hassell" <root () cyphernaut net>
Date: Thu, 20 Dec 2001 09:45:41 -0800
You very well may be able to in this situation; in fact, that would be optimal. ;) I was just referencing the heap spray considering we never really talked about it much. But yes, that would be the optimal way to exploit vulnerabilities in this category. In fact those functions are there to handle multilingual support, so it's appropriate to use Unicode.

-R

Riley Hassell
Network Penetration Specialist
eEye Digital Security

Get up... and light the world on fire.

-----Original Message-----
From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU]
Sent: Thursday, December 20, 2001 6:14 AM
To: Riley Hassell
Cc: vuln-dev () security-focus com; riley () eeye com
Subject: Re[2]: RunAs weirdness...

Hello Riley,

--Friday, December 21, 2001, 12:42:26 PM, you wrote to vuln-dev () security-focus com:

RH> Yeap, what you're seeing is most likely an overflow in a wide character
RH> string copying routine. This can be exploited but you need to be able to send
RH> a significant amount of data, depending on the situation.

RH> If EIP is 00410041 then you can have a payload anywhere in the range of
RH> 00010001 -> 00ff00ff, unless there is some format checking of the data
RH> you're sending, then you're limited to the set of characters allowed through.

Why can't you simply pass a Unicode string as the argument to CreateProcessW (Windows NT will pass it to the application) to use the whole 00010001-fffffff range? (0000 can't be used since it's the Unicode string terminator.)

--
~/ZARAZA
Electric shocks are very useful for forming character. (Lem)
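The 00410041 pattern discussed in the thread comes from ASCII input being widened to UTF-16 before an unbounded wide-character copy overruns a saved pointer. The following C is an added illustration, not code from the thread, RunAs or eEye: it models the 16-bit Windows WCHAR with a fixed type (host wchar_t is often 32 bits), shows the bounded copy that closes the bug class, and adds a crash-triage check for the 0x00XX00XX shape the thread describes. Names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Models the 16-bit Windows WCHAR; wchar_t on many hosts is 32 bits. */
typedef uint16_t wchar16;

/* Widen an ASCII string to UTF-16LE the way the W-entry points do for ASCII
   input. Returns code units written (without the terminator), or -1 if the
   destination cannot hold the widened string plus its 0x0000 terminator.
   The bug class in the thread is a copy that omits exactly this check. */
static int widen_ascii_bounded(const char *src, wchar16 *dst, size_t dst_units) {
    size_t n = strlen(src);
    if (dst_units == 0 || n >= dst_units)   /* need n units + 1 for 0x0000 */
        return -1;
    for (size_t i = 0; i < n; i++)
        dst[i] = (wchar16)(unsigned char)src[i];   /* 'A' (0x41) -> 0x0041 */
    dst[n] = 0;
    return (int)n;
}

/* Read the widened bytes at a byte offset as a little-endian 32-bit value:
   this is what lands in a saved return address when an unbounded wide copy
   overruns it, e.g. "AAAA" -> 41 00 41 00 -> 0x00410041. */
static uint32_t dword_at(const wchar16 *buf, size_t byte_off) {
    const unsigned char *p = (const unsigned char *)buf + byte_off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Crash-triage heuristic: a faulting address with both high bytes zero and
   both low bytes non-zero (the 00010001..00ff00ff range from the thread) is
   the signature of widened single-byte input overwriting a pointer. */
static int looks_like_widened_ascii(uint32_t addr) {
    unsigned lo = addr & 0xffu, hi = (addr >> 16) & 0xffu;
    return (addr & 0xff00ff00u) == 0 && lo != 0 && hi != 0;
}
```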
Current thread:
- re: RunAs weirdness... KRFinisterre (Dec 18)
- <Possible follow-ups>
- RE: RunAs weirdness... Ed Moyle (Dec 19)
- RE: RunAs weirdness... jesperht (Dec 19)
- RE: RunAs weirdness... Phillip Nordwall (Dec 19)
- Re: RunAs weirdness... Riley Hassell (Dec 20)
- Re[2]: RunAs weirdness... 3APA3A (Dec 20)
- RE: Re[2]: RunAs weirdness... Riley Hassell (Dec 20)
- Re: RunAs weirdness... Riley Hassell (Dec 20)