Vulnerability Development mailing list archives

re: RunAs weirdness...


From: KRFinisterre () checkfree com
Date: Tue, 18 Dec 2001 13:12:21 -0500

I tested the runas issue that was recently posted on my Win2k build
5.00.2195 box. The result was similar to jesperht () hotmail com's results;
however, I was able to see some of my data on the stack... From within
cygwin I did:

Administrator@TERMSRV ~
$ runas /user:administrator
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

I noticed that if you use too many chars, your data is no longer on the
stack at the point where it crashed... it references some other point in
memory.

The above string generated an error that stated:

The instruction at "0x77fc90cd" referenced memory at "0x00420042". The
memory could not be "written".
Click on OK to terminate the program
Click CANCEL to debug the program.

The reason half of my string is A's and the other half is B's is that I
wanted to make sure that it was indeed my data on the stack. If the string
is all A's by themselves, then the error is as follows.

The instruction at "0x77fc90cd" referenced memory at "0x00410041". The
memory could not be "written".
Click on OK to terminate the program
Click CANCEL to debug the program.

If you feed it too many A's, you get the error:

The instruction at "0x77dd7ef6" referenced memory at "0x00078000". The
memory could not be "written".
Click on OK to terminate the program

and no option to debug.

If I remember correctly, the .ida and .idq overflows on IIS left a similar
address on the stack with nulls in it, like 0x00410041, and the fellas at
eEye busted out some ninja technique to exploit it anyway.
-KF
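A small crash-triage helper, added here and not part of KF's post or the thread, that parses the access-violation dialogs quoted above and checks whether the faulting address decodes to UTF-16LE copies of the A/B marker characters: once Windows widens the ASCII argument to Unicode each byte becomes a 0x00XX code unit, which is why 0x00420042 reads as "BB" and 0x00078000 (the "too many A's" case) does not decode at all. The dialog strings are constructed from the post (with Windows' spelling "referenced"), and a 32-bit x86 pointer width is assumed.

```python
import re

# The three access-violation dialogs quoted in the post, reconstructed here as
# test input (Windows spells the verb "referenced"; the binary is not needed).
CRASH_MESSAGES = [
    'The instruction at "0x77fc90cd" referenced memory at "0x00420042". '
    'The memory could not be "written".',
    'The instruction at "0x77fc90cd" referenced memory at "0x00410041". '
    'The memory could not be "written".',
    'The instruction at "0x77dd7ef6" referenced memory at "0x00078000". '
    'The memory could not be "written".',
]

IP_RE = re.compile(r'instruction at "0x([0-9a-fA-F]+)"')
FAULT_RE = re.compile(r'memory at "0x([0-9a-fA-F]+)"')


def parse_crash(msg):
    """Return (instruction_address, faulting_address) as ints, or None."""
    ip, fault = IP_RE.search(msg), FAULT_RE.search(msg)
    if not ip or not fault:
        return None
    return int(ip.group(1), 16), int(fault.group(1), 16)


def utf16le_units(value, width=32):
    """Split a 32-bit (x86, assumed) value into the 16-bit code units it would
    occupy in memory, low half first, as a wide string is laid out."""
    return [(value >> shift) & 0xFFFF for shift in range(0, width, 16)]


def classify_fault(fault_addr, markers="AB"):
    """Does the faulting address look like a UTF-16LE copy of the marker
    characters?  ASCII input widened by Windows becomes 0x00XX per char, so
    0x00420042 is two 'B's, while 0x00078000 contains no such unit."""
    units = utf16le_units(fault_addr)
    if all(0 < u < 0x80 and chr(u) in markers for u in units):
        return {"controlled": True, "text": "".join(chr(u) for u in units)}
    return {"controlled": False, "text": None}


def triage(msg):
    """Parse one dialog and report whether the fault address is input-derived."""
    parsed = parse_crash(msg)
    if parsed is None:
        return None
    ip, fault = parsed
    verdict = classify_fault(fault)
    verdict.update(eip=ip, fault=fault)
    return verdict
```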