RE: NSLOOKUP.EXE

Hi

To do it from the command prompt. you must echo to a file and then redirect.

ie:
nslookup < foo

where foo contains the long string ending with a <CR>.

Because this is read error, it may be possible to insert valid values to read
untill you hit some code that does a write.

Longer strings overflow a strcpy or multibytetowide copy and result in a write error
but because the buffer ends at non writeable memory, I couldn't see anything important
been overwritten. Perhaps though.

nslookup ver 5.0.2195.4985

Brett

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

-----Original Message-----
From: Blue Boar [mailto:BlueBoar@thievco.com] Sent: Friday, March 21, 2003 9:07 AM
To: Patrick Webster
Cc: vuln-dev@securityfocus.com
Subject: Re: NSLOOKUP.EXE

Patrick Webster wrote:
> Can you do anything interesting with this?:
AAAA
>
>

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

If you have to manually type all the A's, then probably not. Maybe if someone did something silly like make a CGI script that calls nslookup.exe directly with user input.

What OS are you testing on? It looks like it's fixed in XP:

C:\winxp\system32>nslookup
Default Server: dns1.snfcca.sbcglobal.net Address: 206.13.28.12

 >

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

                                        BB Received on Fri Mar 21 13:26:20 2003