-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 FYI This does not appear to be exploitable on an en Windows 2000 SP3 + all current hotfixes (have not loaded SP4 yet however). advpack32.dll does not exist on my win2k pro system, however advpack.dll does and this was attempted, using 499 chars + more. Tried a few other DLL's to no avail. Curt Wilson On Sun, 06 Jul 2003 11:42:42 -0700 Rick <rikulat_private> wrote: >There is buffer overflow in rundll32.exe when it is passed big string >as routine name for a module. I've tested this on WindowsXP SP1. But >other version of windows might be vuln. > >rundll32.exe advpack32.dll,<'A'x499> > >advpack32.dll is just example. Any executable/dll will work. The >cmdline does get converted to UNICODE. And EIP ends up being 00410041. > Curt R. Wilson Netw3 Security www.netw3.com -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3 wkYEARECAAYFAj8KP48ACgkQRnf2MGkR9yv0OwCgmn2cTEZG650eKc8VVah61Mm0dyMA n2X8Ye9pNyC4S/wXXkxXGfxM8cQc =qexc -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 16:41:30 PDT