Hi

To do it from the command prompt, you must echo to a file and then redirect, i.e.:

nslookup < foo

where foo contains the long string ending with a <CR>.

Because this is a read error, it may be possible to insert valid values to read until you hit some code that does a write. Longer strings overflow a strcpy or multibytetowide copy and result in a write error but because the buffer ends at non writeable memory, I couldn't see anything important being overwritten. Perhaps though.

nslookup ver 5.0.2195.4985

Brett

-----Original Message-----
From: Blue Boar [mailto:BlueBoarat_private]
Sent: Friday, March 21, 2003 9:07 AM
To: Patrick Webster
Cc: vuln-devat_private
Subject: Re: NSLOOKUP.EXE

Patrick Webster wrote:
> Can you do anything interesting with this?:
>
> C:\>nslookup
> Default Server: dns.server.net
> Address: 111.222.333.444
>
> >>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
> Gives error: memory can't be "read" - 0x414141 (aka A).

If you have to manually type all the A's, then probably not. Maybe if someone did something silly like make a CGI script that calls nslookup.exe directly with user input.

What OS are you testing on? It looks like it's fixed in XP:

C:\winxp\system32>nslookup
Default Server: dns1.snfcca.sbcglobal.net
Address: 206.13.28.12

> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** Input is too long
>

BB
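An added example, not part of the thread and not any poster's code: a web-facing wrapper of the kind mentioned above (a script that hands user input to nslookup) can reject over-long or malformed names before the binary ever sees them. The function names are hypothetical, and the sketch assumes `nslookup` is on the PATH and is given the name as an argument rather than through the interactive prompt.

```python
import re
import subprocess

MAX_NAME_LEN = 253  # longest DNS name in dotted text form (RFC 1035 limits)
# One label: 1-63 letters, digits or hyphens, no hyphen at either end.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_lookup_name(raw):
    """Return a cleaned host name, or raise ValueError if it is not one."""
    if not isinstance(raw, str):
        raise ValueError("name must be a string")
    name = raw.strip()
    if name.endswith("."):          # accept a fully qualified trailing dot
        name = name[:-1]
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("name is empty or longer than 253 characters")
    for label in name.split("."):
        # fullmatch, not match: '$' would tolerate an embedded newline
        if not LABEL_RE.fullmatch(label):
            raise ValueError("invalid label: %r" % label[:20])
    return name


def build_nslookup_argv(raw):
    """Argument vector for one non-interactive lookup; never a shell string."""
    return ["nslookup", validate_lookup_name(raw)]


def lookup(raw, timeout=5):
    """Run the lookup with stdin closed so no input reaches the '>' prompt."""
    return subprocess.run(
        build_nslookup_argv(raw),
        stdin=subprocess.DEVNULL,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )


if __name__ == "__main__":
    # Constructed inputs: a normal name and a long run of 'A' characters.
    for sample in ("dns.server.net", "A" * 300):
        try:
            print(build_nslookup_argv(sample))
        except ValueError as err:
            print("rejected:", err)
```

Rejecting a leading hyphen also keeps user input from being read as an nslookup option.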
This archive was generated by hypermail 2b30 : Fri Mar 21 2003 - 10:26:08 PST