Vulnerability Development mailing list archives

Re: NSLOOKUP.EXE


From: "Nexus" <nexus () patrol i-way co uk>
Date: Fri, 21 Mar 2003 10:15:41 -0000


----- Original Message -----
From: "Patrick Webster" <webster_p () DeMorgan com au>
To: "Blue Boar" <BlueBoar () thievco com>
Cc: <vuln-dev () securityfocus com>
Sent: Thursday, March 20, 2003 10:28 PM
Subject: RE: NSLOOKUP.EXE


I get an "Input too long" error if run through cmd.exe, e.g. c:\>nslookup.exe
AAAAA[..], but if I run nslookup with no args, then request AAA[..]AAA, it
gives the 0x41414141 memory error.

If I give nslookup a much larger amount of A's, the response is:

(null)    dns.server.net

then crashes.

-Patrick

This has been around for a while - I seem to recall looking at this a couple
of years ago, but since the overflow (on quick inspection) looked tricky to
exploit *and* it's the client end that overflows, I didn't bother with it.
There is no local priv escalation and you would need control of the victim's
DNS servers - in which case, you can do far more interesting things than
this ;-)   The only use I could think of for it was when you are in a restricted
environment and can only use sanctioned commands, with nslookup being one of
them.

Cheers.


