Full Disclosure mailing list archives

ShellExecute ()


From: David <dv () quicknet nl>
Date: Mon, 07 Jul 2003 00:39:23 +0200

Hello,
I've taken a deeper look at the vulnerability in the ShellExecute API function.
http://www.lac.co.jp/security/english/snsadv_e/65_e.html

After some research I've noticed that the lpFile parameter is converted to Unicode before being handled. The IP can therefore only be overwritten with 00xx00xx values (where xx can be any legal hex value). I think that exploitation of this function becomes very difficult in this way, because there is no 00xx00xx-type memory address within the overwritten address space (2088 bytes).

I wonder if there are any other techniques available to exploit this kind of vulnerability.

-David

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

