
Re: NSLOOKUP.EXE

From: Mysq <mysq(at)mail.com>
Date: Fri Mar 21 2003 - 08:11:21 EST


Hey All,

Tested on Win2k pro SP3.
I found that it is possible to overwrite EAX and ECX. It seems there are at least two places in the exploit string that allow these registers to be overwritten. The first overwrite is in the bytes:
225,226,227,228 - overwrite ecx
229,230,231,232 - overwrite eax
while using 325 bytes for the exploit string. (If more is used, the overwrite byte position changes.)

(128.518): Access violation - code c0000005

eax=42424242,ebx=7800110c 
ecx=41414141,edx=00000002 
esi=01037fa0,edi=00000000
eip=01007dee,esp=0004fa38 
ebp=00000000 

I also couldn't see any of the exploit string in memory near the eip or esp memory addresses.

I am not going to continue researching this issue because it would only be remotely exploitable if arguments input by a remote user (which are not validated) were passed to nslookup on the server. I don't really see the point in a server application doing this. As a local exploit, the nslookup process runs with the privileges of the user who executes it, so that removes the possibility of privilege escalation.

Question to BO gurus: How would it be possible to control the EIP if only EAX/ECX are overwritten?

Best Regards to all,
MysQ  

Received on Fri Mar 21 16:13:55 2003
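The post reasons from a debugger register dump (which registers hold input-looking values, whether EIP is among them) to a judgement about exploitability. The following crash-triage helper is an added example, not code from the original post or from Microsoft's nslookup: it parses a register dump in the format quoted above, flags registers whose value consists entirely of printable ASCII bytes (the signature of a filler string reaching a register), and checks whether a register's bytes appear in a given input buffer. The sample dump embeds the post's own register values; the input buffer is constructed here and is an assumption, not the poster's string.

```python
import re

# Constructed sample: the register dump quoted in the post, re-typed here
# (values are the post's; the layout is this example's own).
SAMPLE_DUMP = """(128.518): Access violation - code c0000005
eax=42424242,ebx=7800110c
ecx=41414141,edx=00000002
esi=01037fa0,edi=00000000
eip=01007dee,esp=0004fa38
ebp=00000000
"""

# reg=hexvalue pairs as printed by the Windows debugger (8 hex digits on x86)
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp|eip)=([0-9a-fA-F]{8})\b")


def parse_registers(dump: str) -> dict:
    """Return {register_name: int_value} for every reg=hex pair in the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def classify(value: int) -> str:
    """Rough origin guess for a 32-bit register value.

    'zero'       -> all four bytes are 0
    'input-like' -> every byte is printable ASCII, which is what a filler
                    string of 'A'/'B' characters looks like once it lands
                    in a register; treat it as possibly attacker-tainted
    'pointer-like' -> anything else (code/stack/heap addresses, small ints)
    """
    raw = value.to_bytes(4, "little")
    if raw == b"\x00\x00\x00\x00":
        return "zero"
    if all(0x20 <= b <= 0x7E for b in raw):
        return "input-like"
    return "pointer-like"


def tainted_registers(dump: str) -> list:
    """Sorted names of registers whose value looks like it came from input."""
    regs = parse_registers(dump)
    return sorted(name for name, val in regs.items() if classify(val) == "input-like")


def find_input_offset(value: int, buf: bytes):
    """0-based offset of the register's little-endian bytes in buf, or None.

    On x86 a 32-bit value read from a buffer is stored little-endian, so the
    register's bytes are searched for in that order. With repeated single-byte
    filler (as in the post) the first hit is reported; a non-repeating pattern
    is needed to make the offset unambiguous.
    """
    needle = value.to_bytes(4, "little")
    idx = buf.find(needle)
    return None if idx < 0 else idx


def triage(dump: str, buf: bytes = b"") -> dict:
    """Per-register summary: hex value, origin class, and offset in buf."""
    report = {}
    for name, val in parse_registers(dump).items():
        report[name] = {
            "value": f"{val:08x}",
            "class": classify(val),
            "offset": find_input_offset(val, buf) if buf else None,
        }
    return report


def eip_controlled(dump: str) -> bool:
    """True only if EIP itself holds an input-looking value."""
    regs = parse_registers(dump)
    return "eip" in regs and classify(regs["eip"]) == "input-like"


if __name__ == "__main__":
    # Constructed 325-byte input (assumption): 'A' filler with a 4-byte 'B'
    # marker placed at bytes 229-232 (1-based), matching the post's EAX offset.
    sample_input = b"A" * 228 + b"B" * 4 + b"C" * 93
    for reg, info in triage(SAMPLE_DUMP, sample_input).items():
        print(f"{reg}={info['value']}  {info['class']:<12} offset={info['offset']}")
    print("tainted:", tainted_registers(SAMPLE_DUMP))
    print("eip controlled:", eip_controlled(SAMPLE_DUMP))
```

Run against the post's dump, the helper reports EAX and ECX as the only input-like registers and EIP as pointer-like, which is the same conclusion the post reaches by eye. The offset lookup is only meaningful with a non-repeating input pattern; with single-character filler the 'A' bytes match at offset 0 rather than at the byte the post identifies.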

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT
