Vulnerability Development mailing list archives

RE: RunAs weirdness...


From: Phillip Nordwall <Phillip.Nordwall () wwu edu>
Date: Wed, 19 Dec 2001 11:18:27 -0800

I noticed that there are only two characters that are important as to which
memory location gets accessed, characters 270 and 271, and there need to be
at least 288 characters in total. I found this by running

runas /user:administrator
----------------------------------------------------------------------------
----------------------------------------------------------------------------
----------------------------------------------------------------------------
------------------------------------------XY----------------
These can be upper or lower ASCII. There seems to be a memory location that
it goes to independently of what you type in: 0x002d0031.
This happens when using ^A^A and a few other combinations that I have tried.
Phillip Nordwall



-----Original Message-----
From: KRFinisterre () checkfree com [mailto:KRFinisterre () checkfree com] 
Sent: Tuesday, December 18, 2001 10:12 AM
To: vuln-dev () security-focus com
Cc: recon () snosoft com
Subject: re: RunAs weirdness...

I tested the runas issue that was recently posted on my Win2k build
5.00.2195 box. The result was similar to jesperht () hotmail com's results;
however, I was able to see some of my data on the stack... from within
cygwin I did:

Administrator@TERMSRV ~
$ runas /user:administrator
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ABB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

I noticed that if you use too many chars, your data is no longer on the
stack at the point where it crashed... it references some other
point in memory.

The above string generated an error that stated:

The instruction at "0x77fc90cd" refrenced memory at "0x00420042". The
memory could not be "written"
Click on OK to terminate the program
Click CANCEL to debug the program.

The reason half of my string is A's and the other half is B's is that I
wanted to make sure that it was indeed my data
on the stack. If the string is all A's by themselves, then the error is as
follows.

The instruction at "0x77fc90cd" refrenced memory at "0x00410041". The
memory could not be "written"
Click on OK to terminate the program
Click CANCEL to debug the program.

If you feed it too many A's, you get the error:
The instruction at "0x77dd7ef6" refrenced memory at "0x00078000". The
memory could not be "written"
Click on OK to terminate the program

and no option to debug.

If I remember correctly, the .ida and .idq overflows on IIS left a similar
address on the stack with nulls in it, like 0x00410041,
and the fellas at eEye busted out some ninja technique to exploit it
anyway.
-KF
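The addresses quoted in both posts (0x00410041, 0x00420042, 0x002d0031) have the shape of two UTF-16LE code units read as one 32-bit value, which is why they contain nulls: runas handles its command line as a wide string, so 'A' (0x41) becomes the bytes 41 00. The script below is an added example, not code from KF's or Phillip's posts. It parses the three crash dialogs KF quoted (copied verbatim, typo included), splits each fault address into its two 16-bit halves, and flags an address as "wide-string-like" when both halves are printable ASCII. That heuristic is how a triager separates a crash that dereferences input bytes (0x00420042 decodes to "BB") from one that dereferences an ordinary pointer (0x00078000, the "too many A's" case). The decode of 0x002d0031 to "1-" is just the arithmetic; whether it matches what Phillip typed is not something the thread confirms.

```python
import re
from typing import Optional

# Crash-dialog texts copied from KF's post above, kept with their original
# spelling so the parser is exercised on real input.
DIALOG_AB = ('The instruction at "0x77fc90cd" refrenced memory at "0x00420042". The\n'
             'memory could not be "written"')
DIALOG_AA = ('The instruction at "0x77fc90cd" refrenced memory at "0x00410041". The\n'
             'memory could not be "written"')
DIALOG_TOO_MANY = ('The instruction at "0x77dd7ef6" refrenced memory at "0x00078000". The\n'
                   'memory could not be "written"')

# Matches the Windows 2000 "instruction at ... referenced memory at ..." dialog.
# Both the correct spelling and the "refrenced" spelling from the thread match.
_CRASH_RE = re.compile(
    r'The instruction at "0x(?P<eip>[0-9a-fA-F]{8})" ref(?:er|r)enced memory at '
    r'"0x(?P<addr>[0-9a-fA-F]{8})"\.\s*The\s+memory could not be "(?P<op>\w+)"',
    re.IGNORECASE,
)


def utf16_units(value: int) -> tuple[int, int]:
    """Split a 32-bit little-endian value into the two 16-bit code units a
    UTF-16LE string would occupy there: (low half, high half)."""
    return value & 0xFFFF, (value >> 16) & 0xFFFF


def wide_pair_value(two_chars: str) -> int:
    """The 32-bit value seen when two adjacent characters of a wide (UTF-16LE)
    string are read as one DWORD. 'BB' -> 0x00420042, which is where the
    nulls in the quoted fault addresses come from."""
    data = two_chars.encode("utf-16-le")
    if len(two_chars) != 2 or len(data) != 4:
        raise ValueError("need exactly two BMP characters")
    return int.from_bytes(data, "little")


def _printable(unit: int) -> bool:
    return 0x20 <= unit <= 0x7E


def classify_fault_address(addr: int) -> dict:
    """Heuristic triage: an address whose two halves are both printable ASCII
    (0x00410041 == 'AA') looks like string data being used as a pointer;
    anything else (0x00078000) looks like an ordinary pointer value."""
    lo, hi = utf16_units(addr)
    from_string = _printable(lo) and _printable(hi)
    return {
        "address": addr,
        "chars": (chr(lo), chr(hi)) if from_string else None,
        "looks_like_wide_string": from_string,
    }


def parse_crash_dialog(text: str) -> Optional[dict]:
    """Parse one dialog text; return None if it is not a crash dialog."""
    m = _CRASH_RE.search(text)
    if m is None:
        return None
    result = classify_fault_address(int(m.group("addr"), 16))
    result["eip"] = int(m.group("eip"), 16)
    result["operation"] = m.group("op").lower()
    return result


def triage(dialogs: list[str]) -> list[dict]:
    """Parse every dialog text and drop anything that did not parse."""
    parsed = (parse_crash_dialog(d) for d in dialogs)
    return [p for p in parsed if p is not None]


if __name__ == "__main__":
    for r in triage([DIALOG_AB, DIALOG_AA, DIALOG_TOO_MANY]):
        print(f"eip=0x{r['eip']:08x} fault=0x{r['address']:08x} "
              f"op={r['operation']} wide-string-like={r['looks_like_wide_string']} "
              f"chars={r['chars']}")
```

The low half of the DWORD is the first character in the string and the high half the second, so a fault address should be read right-to-left when mapping it back onto typed input. Two printable halves are only an indicator, not proof, that the value came from the input; comparing the decoded pair with the characters actually typed at that position (as Phillip did with his XY marker) is the confirming step.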
