Pantek Library

Re: NSLOOKUP.EXE

From: Nexus <nexus(at)patrol.i-way.co.uk>
Date: Fri Mar 21 2003 - 05:15:41 EST

----- Original Message -----
From: "Patrick Webster" <webster_p@DeMorgan.com.au>
To: "Blue Boar" <BlueBoar@thievco.com>
Cc: <vuln-dev@securityfocus.com>
Sent: Thursday, March 20, 2003 10:28 PM
Subject: RE: NSLOOKUP.EXE

I get an Input too long error if run through cmd.exe, eg. c:\>nslookup.exe AAAAA[..], but if I run nslookup with no args, then request AAA[..]AAA it gives the 0x41414141 memory error.

If I give nslookup a much larger amount of A's, the response is:

(null) dns.server.net

then crashes.

-Patrick

This has been around for a while - I seem to recall looking at this a couple of years ago but since the overflow (on quick inspection) looked tricky to exploit *and* it's the client end that overflows, I didn't bother with it. There is no local priv escalation and you would need control of the victims' DNS servers - in which case, you can do far more interesting things than this ;-) The only use I could think of it was when you are in a restricted environment and can only use sanctioned commands, with nslookup being one of them.

Cheers.

Received on Fri Mar 21 18:05:51 2003


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

