Vulnerability Development mailing list archives
Re: NSLOOKUP.EXE
From: "Mysq " <mysq () mail com>
Date: Fri, 21 Mar 2003 08:11:21 -0500
Hey All,

Tested on Win2k pro SP3. I found that it is possible to overwrite EAX and ECX. It seems there are at least two places in the exploit string that allow these addresses to be overwritten. The first overwriting is in the bytes:

225,226,227,228 - overwrite ecx
229,230,231,232 - overwrite eax

while using 325 bytes for the exploit string. (If more is used, the overwrite byte position changes.)

(128.518): Access violation - code c0000005
eax=42424242,ebx=7800110c ecx=41414141,edx=00000002 esi=01037fa0,edi=00000000
eip=01007dee,esp=0004fa38 ebp=00000000

I also couldn't see any of the exploit string in memory near the eip or esp memory addresses.

I am not going to continue researching this issue due to the fact that it would only be remotely exploitable if arguments input by a remote user (which are not validated) are passed to nslookup on the server. I don't really see the point in a server application doing this. As a local exploit, the nslookup process runs with the privileges of the user who executes it, so that removes the possibility for privilege escalation.

Question to BO gurus: How would it be possible to control the eip if only eax/ecx are overwritten?

Best Regards to all,
MysQ
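The remote-exposure condition the post names (a server passing unvalidated user-supplied arguments to nslookup) is the part a defender can act on. The following is an added example, not code from the post or from any nslookup implementation: the risky pattern beside a hardened one that validates the name against DNS syntax limits (253-character total, 63-character labels, no leading or trailing hyphen) and then invokes nslookup with an argument list rather than a shell string. The 325-byte filler string is a constructed sample mirroring the length in the post; `nslookup` is assumed to be on PATH, and the function names are this example's own.

```python
import re
import subprocess
from typing import Optional

# Added example (not from the original post): the unvalidated-argument
# risk the poster describes, beside a hardened way to hand a name to nslookup.

# DNS limits: a whole name is at most 253 characters, a label at most 63;
# labels contain letters, digits and hyphens and cannot start or end with '-'.
MAX_NAME_LEN = 253
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """Accept only syntactically valid DNS hostnames (RFC 1123 shape)."""
    if not name or len(name) > MAX_NAME_LEN:
        return False
    if name.endswith("."):          # one trailing dot is allowed (FQDN form)
        name = name[:-1]
    if not name:
        return False
    # Every label must match; an empty label ("a..b") fails here.
    return all(LABEL_RE.fullmatch(label) for label in name.split("."))


def unsafe_nslookup_command(user_input: str) -> str:
    """The pattern the post warns about: unvalidated input glued into a
    command string. A 325-byte 'name' or shell metacharacters go straight
    through. Shown for contrast only; never run this with shell=True."""
    return "nslookup " + user_input


def build_nslookup_command(user_input: str) -> Optional[list]:
    """Hardened form: validate first, then build an argv list (no shell).
    Returns None for anything that is not a plausible hostname, which also
    rules out over-long strings and values beginning with '-'."""
    if not is_valid_hostname(user_input):
        return None
    return ["nslookup", user_input]


def run_nslookup(user_input: str, timeout: float = 5.0) -> Optional[str]:
    """Run nslookup only for names that pass validation; None otherwise."""
    argv = build_nslookup_command(user_input)
    if argv is None:
        return None
    completed = subprocess.run(argv, capture_output=True, text=True,
                               timeout=timeout)
    return completed.stdout


if __name__ == "__main__":
    # Constructed sample inputs: a normal name, a 325-byte filler string
    # like the one in the post, a hyphen-led value and a malformed name.
    for candidate in ["example.com", "A" * 325, "-bad.example", "a..b"]:
        print(repr(candidate[:20]), "->", build_nslookup_command(candidate))
```

The validation is deliberately a whitelist on shape rather than a blacklist of bad characters: anything that is not a hostname is refused before a child process exists, so the length and content of what reaches nslookup are bounded regardless of what the binary itself does with oversized input.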
Current thread:
- Re: NSLOOKUP.EXE, (continued)
- Re: NSLOOKUP.EXE Ryan Yagatich (Mar 21)
- Re: NSLOOKUP.EXE K. K. Mookhey (Mar 23)
- RE: NSLOOKUP.EXE Brett Moore (Mar 23)
- Re: NSLOOKUP.EXE Marcos D. Marado Torres (Mar 24)
- RE: NSLOOKUP.EXE Patrick Webster (Mar 20)
- RES: NSLOOKUP.EXE Cleber P. de Souza (Mar 21)
- Re: NSLOOKUP.EXE Nexus (Mar 21)
- RE: NSLOOKUP.EXE Sillari Andrea (Mar 21)
- Re: NSLOOKUP.EXE Filip Maertens (Mar 21)
- Re: NSLOOKUP.EXE Chris Calabrese (Mar 21)
- Re: NSLOOKUP.EXE Mysq (Mar 21)