Re: exploiting the recent windows media player nsc buffer overflow

From: Pauli Ojanpera (pauli_ojanperaat_private)
Date: Sun Aug 05 2001 - 05:29:34 PDT


    IIRC, if you feed a suitably sized string into the field,
    an overflow will happen before the Unicode conversion.
    Don't really remember; it's been a long time since.
    
    ----Original Message Follows----
    From: Franklin DeMatto <franklinat_private>
    To: vuln-DEVat_private
    CC: pauli_ojanperaat_private
    Subject: exploiting the recent windows media player nsc buffer overflow
    Date: Sun, 05 Aug 2001 07:40:55 -0400
    
    WMP converts the IP Address field into Unicode.  This will insert null
    bytes into every other byte in the buffer, making it very hard to exploit
    (although it may be possible, like the folks at eEye did with a similar
    conversion in one of their recent IIS exploits).
    
    However, if an NSC file can use Unicode directly, then an attacker would be
    able to put Unicode in the IP address field, bypassing the conversion, and
    easily exploit it.  I have searched through the Microsoft documentation, but
    have not been able to determine if NSC files can be written using Unicode
    characters (like HTML can).  Anyone have any info?
    
    
    Franklin DeMatto - http://qDefense.com
    qDefense - DEFENDING THE ELECTRONIC FRONTIER
    
    Please do not send mail to antispaamat_private
    
    
    
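The effect both posters are discussing (an ANSI string widened to UTF-16 gets a 0x00 after every byte, so an overwritten return address can only take restricted forms unless the parser accepts UTF-16 input directly) is easier to see with a small simulation. The following is an added example, not code from either poster and not the NSC parser itself: `widen_ascii` is a stand-in for the Windows ANSI-to-UTF-16LE conversion on the ASCII range, the "1.2.ABCD" field is a constructed sample, and the overflowed field layout is assumed. It only answers which 32-bit values survive the widening (and that any value is reachable when the input is already UTF-16, which is Franklin's open question); it does not model the real bug.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the ANSI -> UTF-16LE widening the post describes (what the
 * Windows conversion does for the ASCII range): every input byte becomes the
 * pair (byte, 0x00).  Returns the number of output bytes written. */
size_t widen_ascii(const unsigned char *in, size_t in_len,
                   unsigned char *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len && n + 2 <= out_cap; i++) {
        out[n++] = in[i];
        out[n++] = 0x00;
    }
    return n;
}

/* Read a little-endian 32-bit value at byte offset off, the way the CPU
 * would read a saved return address that the overflow overwrote. */
uint32_t read_le32(const unsigned char *buf, size_t off)
{
    return (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
}

/* Which alignment, if any, lets a 32-bit value survive the widening:
 *   0 -> even offset, value must look like 0x00hh00ll
 *   1 -> odd offset,  value must look like 0xhh00ll00
 *  -1 -> no alignment works; ANSI input cannot produce this value */
int widened_alignment(uint32_t v)
{
    if ((v & 0xFF00FF00u) == 0) return 0;
    if ((v & 0x00FF00FFu) == 0) return 1;
    return -1;
}

/* The thread's two cases: ANSI input goes through the conversion and is
 * limited to the shapes above; input the parser already treats as UTF-16
 * skips the conversion, so every value is reachable. */
bool value_reachable(uint32_t v, bool input_is_unicode)
{
    return input_is_unicode || widened_alignment(v) != -1;
}

/* Constructed sample: an ASCII "IP address" field that overruns a 4-byte
 * field (assumed layout) so that "ABCD" lands on the next dword.  Returns
 * the dword read at offset off of the widened copy, or 0 if out of range. */
uint32_t sample_dword_at(size_t off)
{
    static const unsigned char field[] = "1.2.ABCD";
    unsigned char wide[2 * sizeof field] = {0};
    size_t n = widen_ascii(field, sizeof field - 1, wide, sizeof wide);
    if (off + 4 > n) return 0;
    return read_le32(wide, off);
}

int main(void)
{
    static const unsigned char field[] = "1.2.ABCD";
    unsigned char wide[2 * sizeof field] = {0};
    size_t n = widen_ascii(field, sizeof field - 1, wide, sizeof wide);

    printf("widened %zu bytes:", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", wide[i]);
    printf("\n");
    printf("dword at even offset 8: 0x%08x\n", sample_dword_at(8));
    printf("dword at odd offset 9:  0x%08x\n", sample_dword_at(9));
    printf("0x41424344 reachable through ANSI input?   %s\n",
           value_reachable(0x41424344u, false) ? "yes" : "no");
    printf("0x41424344 reachable through UTF-16 input? %s\n",
           value_reachable(0x41424344u, true) ? "yes" : "no");
    return 0;
}
```

The even/odd split is the whole reason the eEye-style approach exists: with ANSI input you only get dwords whose alternate bytes are zero, so you need a target address of that shape (or must build the rest a byte at a time); if the file format lets you hand the parser UTF-16 directly, `value_reachable` is true for everything and the overflow is an ordinary one.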
    



    This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 05:58:28 PDT