Vulnerability Development mailing list archives

RE: Re[2]: RunAs weirdness...


From: "Riley Hassell" <root () cyphernaut net>
Date: Thu, 20 Dec 2001 09:45:41 -0800


You very well may be able to in this situation, in fact that would be
optimal. ;) I was just referencing the heap spray considering we never
really talked about it much.

But yes, that would be the optimal way to exploit vulnerabilities in
this category. In fact those functions are there to handle multilingual
support, so it's appropriate to use Unicode.

-R



Riley Hassell
Network Penetration Specialist
eEye Digital Security

Get up...
and light the world on fire.

-----Original Message-----
From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU] 
Sent: Thursday, December 20, 2001 6:14 AM
To: Riley Hassell
Cc: vuln-dev () security-focus com; riley () eeye com
Subject: Re[2]: RunAs weirdness...


Hello Riley,


--Friday, December 21, 2001, 12:42:26 PM, you wrote to
vuln-dev () security-focus com:

RH> Yeap, what you're seeing is most likely an overflow in a wide
RH> character string copying routine. This can be exploited but you need
RH> to be able to send a significant amount of data, depending on the
RH> situation.

RH> If EIP is 00410041 then you can have a payload anywhere in the range
RH> of 00010001 -> 00ff00ff, unless there is some format checking of the
RH> data you're sending, then you're limited to the set of characters
RH> allowed through.


Why can't you simply pass a Unicode string as an argument to CreateProcessW
(Windows NT will pass it to the application) to use the whole
00010001-fffffff range? (0000 can't be used since it's the Unicode string
terminator.)


-- 
~/ZARAZA
Electric shocks are very useful for the formation of character. (Lem)
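The crash signature the thread turns on (EIP = 00410041) is the tell-tale of single-byte input that a wide-character copy routine widened to UTF-16 before writing it past the end of a buffer sized for the narrow string. The following triage helper is an added example, not code from the original post or from eEye; it assumes a 32-bit little-endian x86 process (so the faulting address is read as two UTF-16LE code units) and narrow input widened MultiByteToWideChar-style before the copy. It models the widening, shows why a narrow-sized destination is about half what the wide copy needs, and classifies a faulting address from a crash dump as either the 0001..00ff expansion pattern, a plain narrow overwrite, or something containing a 0000 unit that a NUL-terminated Unicode argument could not carry (the point 3APA3A raises).

```python
# Crash-triage helper for the "EIP = 00410041" pattern discussed in the
# thread. Added example; it is not part of the original post or of any
# eEye tool. Assumptions: a 32-bit little-endian x86 process, so the
# faulting address is read as two UTF-16LE code units, and narrow input
# that the target widened (MultiByteToWideChar-style) before copying it.
import struct


def widen_ascii(narrow: bytes) -> bytes:
    """Model the widening a wide-character copy routine performs: each
    single-byte character becomes a 2-byte UTF-16LE unit with a zero high
    byte, so the copy writes twice as many bytes as the narrow input."""
    return narrow.decode("latin-1").encode("utf-16-le")


def wide_copy_bytes_needed(narrow_len: int) -> int:
    """Bytes a wide copy of an n-character narrow string writes: n code
    units plus the 2-byte terminator. A destination sized for the narrow
    string (n + 1 bytes) holds about half of that, which is the defect
    class behind the crash described in the thread."""
    return 2 * (narrow_len + 1)


def classify_fault_address(eip: int) -> dict:
    """Classify a 32-bit faulting address from a crash dump.

    wide_expanded   both halves are UTF-16 units 0001..00ff, i.e. the
                    expansion of single-byte input (the 00410041 case:
                    two 'A' characters widened to 0x0041 0x0041)
    null_unit       one half is 0000, which a NUL-terminated Unicode
                    string argument cannot carry
    narrow_bytes    the single-byte input recovered from the units, when
                    wide_expanded is true
    """
    raw = struct.pack("<I", eip & 0xFFFFFFFF)   # as laid out in memory
    units = struct.unpack("<HH", raw)            # (low-address unit, high)
    wide_expanded = all(1 <= u <= 0xFF for u in units)
    return {
        "eip": f"{eip & 0xFFFFFFFF:08x}",
        "units": tuple(f"{u:04x}" for u in units),
        "wide_expanded": wide_expanded,
        "null_unit": any(u == 0 for u in units),
        "narrow_bytes": bytes(units) if wide_expanded else None,
    }


if __name__ == "__main__":
    # Constructed sample: a 4-byte narrow input and the address the thread
    # quotes, run through the helpers for illustration.
    print(widen_ascii(b"AAAA"))                 # b'A\x00A\x00A\x00A\x00'
    print(wide_copy_bytes_needed(4))            # 10
    print(classify_fault_address(0x00410041))   # widened 'AA'
    print(classify_fault_address(0x41414141))   # narrow overwrite, not widened
```

When sorting fuzzer crashes, a faulting address whose every other byte is zero is worth a second look at the conversion and sizing code around the copy rather than at the copy loop alone: the fix is to size the destination from the wide length (code units, plus the terminator) or to let the conversion API report the required size, not to trust the narrow length.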


