Vulnerability Development mailing list archives
Re[2]: RunAs weirdness...
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 20 Dec 2001 17:13:46 +0300
Hello Riley,

--Friday, December 21, 2001, 12:42:26 PM, you wrote to vuln-dev () security-focus com:

RH> Yeap, what you're seeing is most likely an overflow in a wide character
RH> string copying routine. This can be exploited but you need to be able to send
RH> a significant amount of data, depending on the situation.
RH> If EIP is 00410041 then you can have a payload anywhere in the range of
RH> 00010001 -> 00ff00ff, unless there is some format checking of the data
RH> you're sending, then you're limited to the set of characters allowed through.

Why can't you simply pass a Unicode string as an argument to CreateProcessW (Windows NT will pass it to the application) to use the whole 00010001-fffffff range? (0000 can't be used since it's the Unicode string terminator.)

--
~/ZARAZA
Electric shocks are very useful for building character. (Lem)
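An added illustration of the two points above (my own C, not code from RunAs or from anyone in the thread; all function names are made up for this example): a wide-character copy that checks its destination size in code units rather than bytes, so the byte-versus-character mix-up that causes this class of overflow is refused instead of overrunning, and a helper showing why a return address clobbered by wide 'A's reads as 0x00410041.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Widen an ASCII string to UTF-16LE the way an A->W conversion does: every
   byte becomes one 16-bit code unit with a zero high byte. dst_units is the
   destination size in code units (NOT bytes). Returns the code units written,
   excluding the terminator, or (size_t)-1 if the input would not fit. The bug
   the thread suspects is a caller that sizes the destination by strlen(),
   i.e. half the bytes the widened copy really needs; this version refuses. */
static size_t widen_ascii(const char *src, uint16_t *dst, size_t dst_units)
{
    size_t n = strlen(src);
    if (n + 1 > dst_units)            /* bounds check in code units */
        return (size_t)-1;
    for (size_t i = 0; i < n; i++)
        dst[i] = (uint16_t)(unsigned char)src[i];
    dst[n] = 0;
    return n;
}

/* Bytes a widened copy of src occupies, terminator included: the factor of
   two that a byte-vs-character mix-up forgets. */
static size_t wide_bytes_needed(const char *src)
{
    return (strlen(src) + 1) * sizeof(uint16_t);
}

/* Read the widened form of a two-character ASCII string as a little-endian
   32-bit word. 'A' is 0x41 and each character carries a 0x00 high byte, so
   a saved return address overwritten by wide "AA" shows up as 0x00410041.
   Returns 0 if the input is not exactly two characters. */
static uint32_t widened_word(const char *two_chars)
{
    uint16_t tmp[3];
    if (widen_ascii(two_chars, tmp, 3) != 2)
        return 0;
    return (uint32_t)tmp[0] | ((uint32_t)tmp[1] << 16);
}

/* Try a widened copy into a fixed 8-code-unit (16-byte) buffer. */
static size_t copy_into_8_units(const char *src)
{
    uint16_t buf[8];
    return widen_ascii(src, buf, 8);
}
```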
Current thread:
- re: RunAs weirdness... KRFinisterre (Dec 18)
- <Possible follow-ups>
- RE: RunAs weirdness... Ed Moyle (Dec 19)
- RE: RunAs weirdness... jesperht (Dec 19)
- RE: RunAs weirdness... Phillip Nordwall (Dec 19)
- Re: RunAs weirdness... Riley Hassell (Dec 20)
- Re[2]: RunAs weirdness... 3APA3A (Dec 20)
- RE: Re[2]: RunAs weirdness... Riley Hassell (Dec 20)
- Re: RunAs weirdness... Riley Hassell (Dec 20)