Hey All,

Tested on Win2k pro SP3. I found that it is possible to overwrite EAX and ECX. It seems there are at least two places in the exploit string that allow these addresses to be overwritten. The first overwriting is in the bytes:

225,226,227,228 - overwrite ecx
229,230,231,232 - overwrite eax

while using 325 bytes for the exploit string. (If more is used - the overwrite byte position changes.)

(128.518): Access violation - code c0000005
eax=42424242 ebx=7800110c ecx=41414141 edx=00000002 esi=01037fa0 edi=00000000
eip=01007dee esp=0004fa38 ebp=00000000

I also couldn't see any of the exploit string in memory near the eip or esp memory addresses.

I am not going to continue researching this issue due to the fact that it would only be remotely exploitable if arguments input by a remote user (which are not validated) are passed to nslookup on the server. I don't really see the point in a server application doing this. As a local exploit, the nslookup process runs with the privileges of the user who executes it, so that removes the possibility for privilege escalation.

Question to BO gurus: How would it be possible to control the eip if only eax/ecx are overwritten?

Best Regards to all,
MysQ
This archive was generated by hypermail 2b30 : Fri Mar 21 2003 - 13:05:02 PST