exdploiting the recent windows media player nsc buffer overflow

From: Franklin DeMatto (franklinat_private)
Date: Sun Aug 05 2001 - 04:40:55 PDT

Next message: Marc Maiffret: "CodeRedII - New non-variant codered worm - Analysis."

Previous message: Jakub Jankowski: "Re: slackware permissions"
Next in thread: Pauli Ojanpera: "Re: exdploiting the recent windows media player nsc buffer overflow"
Reply: Pauli Ojanpera: "Re: exdploiting the recent windows media player nsc buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

WMP converts the IP Address field into unicode.  This will insert null 
bytes into every other byte in the buffer, making it very hard to exploit 
(although it may be possible, like the folks at eeye did with a similar 
conversion in one of their recent IIS exploits)

However, if an nsc file can use unicode directly, than an attacker would be 
able to put unicode in the ip addr field, bypassing the conversion, and 
easily sploiting.  I have searched through the microsoft documentation, but 
not been able to determine if nsc 's can be written using unicode 
characters (like HTML can).  Anyone have any info?


Franklin DeMatto - http://qDefense.com
qDefense - DEFENDING THE ELECTRONIC FRONTIER

Please do not send mail to antispaamat_private

Next message: Marc Maiffret: "CodeRedII - New non-variant codered worm - Analysis."
Previous message: Jakub Jankowski: "Re: slackware permissions"
Next in thread: Pauli Ojanpera: "Re: exdploiting the recent windows media player nsc buffer overflow"
Reply: Pauli Ojanpera: "Re: exdploiting the recent windows media player nsc buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 05:56:00 PDT