Vulnerability Development mailing list archives

Re[2]: RunAs weirdness...


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 20 Dec 2001 17:13:46 +0300

Hello Riley,


--Friday, December 21, 2001, 12:42:26 PM, you wrote to vuln-dev () security-focus com:

RH> Yeap, what you're seeing is most likely an overflow in a wide character 
RH> string copying routine. This can be exploited but you need to be able to send 
RH> a significant amount of data, depending on the situation.

RH> If EIP is 00410041 then you can have a payload anywhere in the range of 
RH> 00010001 -> 00ff00ff, unless there is some format checking of the data 
RH> you're sending, then you're limited to the set of characters allowed through.


Why can't you simply pass a Unicode string as the argument to CreateProcessW
(Windows NT will pass it to the application) to use the whole 00010001-ffffffff
range? (0000 can't be used since it's the Unicode string terminator).


-- 
~/ZARAZA
Electric shocks are very useful for building character. (Lem)
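As an added illustration of the two input paths the thread contrasts (this is example code, not from either author or from the original post): a wide-character copy overflow modelled in portable C. Windows WCHAR is modelled as a 16-bit code unit (uint16_t) so it compiles on any platform; the stack layout (an 8-unit buffer followed directly by the saved return address), the byte-to-code-unit widening step, and the address 0x77e1234a are all assumptions chosen for illustration. The first path widens a narrow string, so every code unit has a zero high byte and EIP can only take values like 00410041; the second path takes UTF-16 directly (as an argument delivered through CreateProcessW would be) and can encode any address whose halves are both non-zero.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: model Windows WCHAR as a 16-bit UTF-16 code unit so the
 * example is portable (wchar_t is 4 bytes on Linux). */
typedef uint16_t wchar16;

#define BUF_UNITS   8     /* assumed size of the vulnerable wide buffer */
#define STACK_BYTES 64    /* simulated stack frame */

/* Simulate the unbounded wide-string copy (wcscpy-style) the quoted message
 * describes. The buffer occupies bytes [0,16) of the frame; the saved return
 * address is assumed to sit right after it at bytes [16,20). Code units are
 * stored little-endian, as on x86. Returns the value that would land in EIP. */
uint32_t overflowed_eip(const wchar16 *payload, size_t units)
{
    uint8_t stack[STACK_BYTES];
    memset(stack, 0, sizeof stack);
    size_t n = units < STACK_BYTES / 2 ? units : STACK_BYTES / 2; /* keep the model in bounds */
    for (size_t i = 0; i < n; i++) {
        stack[2 * i]     = (uint8_t)(payload[i] & 0xff);
        stack[2 * i + 1] = (uint8_t)(payload[i] >> 8);
    }
    return (uint32_t)stack[16]
         | (uint32_t)stack[17] << 8
         | (uint32_t)stack[18] << 16
         | (uint32_t)stack[19] << 24;
}

/* Path 1: the attacker controls only a narrow (ANSI) string and the target
 * widens it. Each byte becomes a code unit with a zero high byte
 * (0x41 -> 0x0041); a real ANSI code page would remap some bytes, assumed
 * identity here. Returns the number of units written (excluding terminator). */
size_t widen_ansi(const char *in, wchar16 *out, size_t cap)
{
    size_t i = 0;
    for (; in[i] != '\0' && i + 1 < cap; i++)
        out[i] = (wchar16)(unsigned char)in[i];
    out[i] = 0;
    return i;
}

/* Path 2 (the point made in the reply above): the argument arrives already
 * as UTF-16, so every code unit is attacker-chosen except 0x0000, which
 * terminates the string. Returns 0 if addr cannot be encoded for that reason. */
int encode_address(uint32_t addr, wchar16 out[2])
{
    wchar16 lo = (wchar16)(addr & 0xffff);
    wchar16 hi = (wchar16)(addr >> 16);
    if (lo == 0 || hi == 0)
        return 0;
    out[0] = lo;   /* lands at bytes 16,17 */
    out[1] = hi;   /* lands at bytes 18,19 */
    return 1;
}

/* EIP produced when an overlong narrow argument is widened then copied. */
uint32_t eip_from_ansi(const char *arg)
{
    wchar16 wide[32];
    size_t n = widen_ansi(arg, wide, 32);
    return overflowed_eip(wide, n);
}

/* EIP produced when a UTF-16 argument carries the wanted address directly;
 * returns 0 when the address contains a 0x0000 code unit. */
uint32_t eip_from_utf16(uint32_t wanted)
{
    wchar16 payload[BUF_UNITS + 2];
    for (int i = 0; i < BUF_UNITS; i++)
        payload[i] = 0x4141;               /* filler */
    if (!encode_address(wanted, payload + BUF_UNITS))
        return 0;
    return overflowed_eip(payload, BUF_UNITS + 2);
}

int main(void)
{
    printf("ANSI 'A'*20      -> EIP %08x\n", eip_from_ansi("AAAAAAAAAAAAAAAAAAAA"));
    printf("UTF-16 77e1234a  -> EIP %08x\n", eip_from_utf16(0x77e1234au));
    printf("UTF-16 00400000  -> %s\n", eip_from_utf16(0x00400000u) ? "ok" : "unencodable (0000 unit)");
    return 0;
}
```

The widened path can only ever produce values of the form 00xx00yy, which is the 00010001 -> 00ff00ff range from the quoted message; the direct UTF-16 path reaches any address whose 16-bit halves are both non-zero, which is the constraint the reply points out.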

