Vulnerability Development mailing list archives

Re: NSLOOKUP.EXE


From: "Mysq " <mysq () mail com>
Date: Fri, 21 Mar 2003 08:11:21 -0500

Hey All,

Tested on Win2k pro SP3.
I found that it is possible to overwrite EAX and ECX. It seems there are at least two places in the exploit string that 
allow these addresses to be overwritten.
The first overwriting is in the bytes:
225,226,227,228 - overwrite ecx
229,230,231,232 - overwrite eax
while using 325 bytes for the exploit string. (If more is used, the overwrite byte position changes.)

(128.518): Access violation - code c0000005 
eax=42424242,ebx=7800110c 
ecx=41414141,edx=00000002 
esi=01037fa0,edi=00000000
eip=01007dee,esp=0004fa38 
ebp=00000000 

I also couldn't see any of the exploit string in memory near the eip or esp memory addresses.

I am not going to continue researching this issue due to the fact that it would only be remotely exploitable if 
arguments input by a remote user (which are not validated) are passed to nslookup on the server. I don't really see 
the point in a server application doing this. As a local exploit, the nslookup process runs with the privilege of the user 
who executes it, so that removes the possibility for privilege escalation.

Question to BO gurus: How would it be possible to control the eip if only eax/ecx are overwritten?

Best Regards to all,
MysQ
