Full Disclosure mailing list archives
ShellExecute ()
From: David <dv () quicknet nl>
Date: Mon, 07 Jul 2003 00:39:23 +0200
Hello,

I've taken a deeper look at the vulnerability in the ShellExecute API function.

http://www.lac.co.jp/security/english/snsadv_e/65_e.html

After some research I've noticed that the lpFile parameter is converted to Unicode before being handled. The IP can therefore only be overwritten with 00xx00xx values (where xx can be any legal HEX value). I think that exploitation of this function becomes very difficult in this way, cause there is no 00xx00xx-type memory address within the overwritten address space (2088 bytes).

I wonder if there are any other techniques available to exploit this kind of vulnerability.
-David
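Added example (not part of David's post or the LAC advisory): a small Python model of the ANSI-to-UTF-16LE widening David describes, showing why every aligned 32-bit word read out of the widened copy has the 00xx00xx shape, plus the kind of length pre-check a caller can apply before handing a path to the API. The latin-1 mapping for bytes 0x80-0xFF, the sample address 0x7ffa4512 and the MAX_PATH-based check are assumptions made for illustration; the 2088-byte figure is taken from the post.

```python
"""Model of the ANSI -> UTF-16LE widening that precedes handling of lpFile.

Constructed example: it demonstrates the encoding constraint described in the
post (only 0x00xx00xx values can land in the overwritten region) and a
defensive length check; it does not model the vulnerable function itself.
"""
import struct

MAX_PATH = 260  # Win32 path limit, used here as the defensive bound (assumption)
OVERWRITTEN_BYTES = 2088  # size of the overwritten region quoted in the post


def widen(narrow: bytes) -> bytes:
    """Model the A-variant's conversion of an ANSI string to UTF-16LE.

    Each input byte becomes a two-byte code unit with a 0x00 high byte.
    Bytes 0x80-0xFF are mapped as latin-1 (an assumption; the real code page
    mapping may differ, but the high byte stays 0x00 for those ranges too).
    """
    return narrow.decode("latin-1").encode("utf-16-le")


def words_at(buf: bytes, offset: int, count: int) -> list[int]:
    """Read `count` little-endian 32-bit words from `buf` starting at `offset`,
    the way a saved pointer would be read back from the widened copy."""
    return [struct.unpack_from("<I", buf, offset + 4 * i)[0] for i in range(count)]


def is_widened_shape(word: int) -> bool:
    """True if `word` has the 00xx00xx shape: both high bytes are zero."""
    return word & 0xFF00FF00 == 0


def all_words_have_widened_shape(narrow: bytes) -> bool:
    """Every aligned word in the widened copy of any narrow input has
    the 00xx00xx shape, which is the constraint the post points out."""
    wide = widen(narrow)
    return all(is_widened_shape(w) for w in words_at(wide, 0, len(wide) // 4))


def representable_after_widening(value: int) -> bool:
    """Could `value` appear in memory that was filled by widening a narrow
    string? Typical user-mode code addresses fail this test, which is why
    the post observes that no suitable address exists in the region."""
    return is_widened_shape(value)


def validate_lpfile(narrow: bytes) -> bool:
    """Defensive pre-check for callers: reject inputs that would not fit a
    MAX_PATH buffer (one slot reserved for the NUL terminator) before they
    reach the API. Assumption: MAX_PATH is the appropriate bound here."""
    return len(narrow) < MAX_PATH


if __name__ == "__main__":
    sample = b"A" * OVERWRITTEN_BYTES
    print("widened length:", len(widen(sample)))
    print("all words 00xx00xx:", all_words_have_widened_shape(sample))
    print("0x7ffa4512 representable:", representable_after_widening(0x7FFA4512))
    print("input accepted by length check:", validate_lpfile(sample))
```

Running it shows that a 2088-byte narrow input becomes 4176 bytes of 00xx00xx words, that a constructed address such as 0x7ffa4512 cannot be produced this way, and that a MAX_PATH check in the caller rejects the oversized input before the API ever sees it.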