Vulnerability Development mailing list archives

Re: NSLOOKUP.EXE


From: "Marcos D. Marado Torres" <marado () student dei uc pt>
Date: Mon, 24 Mar 2003 12:32:32 +0000 (WET)

To know how can winhlp32 be exploited, read http://www.cerberus-infosec.co.uk/wpwhlpbuf.html .
It's a fairly simple concept, easy reading.

Mind Booster Noori

On Sat, 22 Mar 2003, K. K. Mookhey wrote:

Hi,

On a related note, we had reported the following local BOs to MS. But since neither they nor we could come up with 
any remote exploits for this, I guess members on this list could check it out. Some of these do not work on Win2K 
SP3, but do work on earlier versions.

First:
C:\>regsvr32 AAAAAAA...(1300 times)

Second:
C:\>winhlp32 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaa.exe
This one crashes only at a particular number of a's, not if it's any more or if it's any less.

Again, unless any of these runs with elevated privileges, or someone feeds in data remotely to these exes, the buffer 
overflows do not represent a security risk.

K. K. Mookhey
CTO,
Network Intelligence India Pvt. Ltd.
Web: www.nii.co.in
=================================
Security Auditing Handbooks
http://www.nii.co.in/research/handbook.html
=================================



----- Original Message -----
Hi List,

Can you do anything interesting with this?:

C:\>nslookup
Default Server:  dns.server.net
Address:  111.222.333.444

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Gives error: memory can't be "read" - 0x414141 (aka A).



-- 
===============================================================================
 Marcos Marado AKA Mind Booster Noori
===============================================================================
              My PGP key: http://student.dei.uc.pt/~marado/pgp.txt
      Visit Mordor's (my band) WebPage on: http://www.mordor.freeurl.com
                     Mail me to: marado () student dei uc pt
===============================================================================
Don't get to bragging.
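The bug class the thread is probing, as an added example (not code from any of the posters, nor from the Windows utilities named above): a fixed-size argument buffer filled without a length check, beside a bounded copy that rejects overlong arguments. The buffer size ARG_BUF, the function names and the runs of 'A' bytes used as probes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for illustration; not a figure from any real tool. */
#define ARG_BUF 64

/* The pattern behind "run the tool with a long argument and it crashes":
 * the argument is copied into a fixed stack buffer without a length check.
 * Bytes past ARG_BUF overwrite whatever sits after the buffer, which is why
 * the fault is reported at an address made of 0x41 ('A') bytes. */
void copy_arg_unchecked(const char *arg)
{
    char buf[ARG_BUF];
    strcpy(buf, arg);               /* unbounded: overlong arg overflows buf */
    printf("%s\n", buf);
}

/* Hardened form: measure first (never scanning past dst_size), reject
 * anything that does not fit together with its terminating NUL, and only
 * then copy. Returns the bytes copied, or -1 if the argument was rejected. */
int copy_arg_checked(char *dst, size_t dst_size, const char *arg)
{
    size_t len = 0;
    if (dst == NULL || arg == NULL || dst_size == 0)
        return -1;
    while (len < dst_size && arg[len] != '\0')
        len++;
    if (len >= dst_size) {          /* too long, or no room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, len + 1);      /* len + 1 includes the NUL */
    return (int)len;
}

/* Feed n 'A' bytes (the thread's probe pattern, constructed here) through
 * the hardened copier and return its verdict. */
int probe_length(size_t n)
{
    char probe[512];
    char dst[ARG_BUF];
    if (n >= sizeof probe)
        return -1;
    memset(probe, 'A', n);
    probe[n] = '\0';
    return copy_arg_checked(dst, sizeof dst, probe);
}

/* First probe length the hardened copier rejects, or 0 if none up to max_len. */
size_t first_rejected_length(size_t max_len)
{
    size_t n;
    for (n = 1; n <= max_len; n++)
        if (probe_length(n) < 0)
            return n;
    return 0;
}
```

Because the bounded copy rejects at exactly ARG_BUF bytes and every length beyond it, the "crashes only at one particular length" behaviour reported above cannot occur in the hardened version.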

