----- Original Message -----
From: "Patrick Webster" <webster_pat_private>
To: "Blue Boar" <BlueBoarat_private>
Cc: <vuln-devat_private>
Sent: Thursday, March 20, 2003 10:28 PM
Subject: RE: NSLOOKUP.EXE

I get an "Input too long" error if run through cmd.exe, e.g. c:\>nslookup.exe AAAAA[..], but if I run nslookup with no args and then request AAA[..]AAA, it gives the 0x41414141 memory error. If I give nslookup a much larger amount of A's, the response is:

(null) dns.server.net

and then it crashes.

-Patrick

This has been around for a while - I seem to recall looking at this a couple of years ago, but since the overflow (on quick inspection) looked tricky to exploit *and* it's the client end that overflows, I didn't bother with it. There is no local priv escalation, and you would need control of the victim's DNS servers - in which case you can do far more interesting things than this ;-)

The only use I could think of for it was when you are in a restricted environment and can only use sanctioned commands, with nslookup being one of them.

Cheers.
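The pattern the thread describes (an interactive client copying a typed name into a fixed-size stack buffer, so a long run of 'A's ends up as 0x41414141 in a register, while the argument path rejects the input with "Input too long") is shown below as an added, constructed C model. It is not code from the thread and not Microsoft's nslookup.exe implementation; NAME_MAX, lookup_unchecked, lookup_checked and interactive_loop are hypothetical names chosen for the illustration. The unchecked function is included only to show the bug shape and is never called.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration only: NOT nslookup.exe's code. It models an
 * interactive lookup client that copies the typed name into a fixed buffer.
 * NAME_MAX is an assumed limit for the longest name the client accepts. */
#define NAME_MAX 255

/* Vulnerable pattern: the length of 'line' is never checked before the copy,
 * so a line of a few thousand 'A's overruns name[] and the saved return
 * address becomes 0x41414141 (the symptom reported in the thread).
 * Deliberately left unbounded; not exercised by any test. */
void lookup_unchecked(const char *line) {
    char name[NAME_MAX + 1];
    strcpy(name, line);            /* overflow if strlen(line) > NAME_MAX */
    printf("query for %s\n", name);
}

/* Hardened pattern: bound the copy and reject over-long input explicitly,
 * mirroring the "Input too long" behaviour of the command-line path.
 * Returns 0 when the name fits in out[], -1 when it is rejected. */
int lookup_checked(const char *line, char *out, size_t outsz) {
    size_t n = strcspn(line, "\r\n");          /* drop the line terminator */
    if (outsz == 0 || n > outsz - 1) {
        return -1;                              /* Input too long */
    }
    memcpy(out, line, n);
    out[n] = '\0';
    return 0;
}

/* Interactive loop: fgets bounds every read, and a line that did not fit
 * (no '\n' in the buffer and not at EOF) is drained and reported rather
 * than silently split into a second command. Returns the number of
 * accepted queries. */
int interactive_loop(FILE *in) {
    char line[NAME_MAX + 2];   /* NAME_MAX chars + '\n' + NUL */
    char name[NAME_MAX + 1];
    int accepted = 0;

    while (fgets(line, sizeof line, in)) {
        if (!strchr(line, '\n') && !feof(in)) {
            int c;                               /* over-long line */
            while ((c = fgetc(in)) != EOF && c != '\n') { }
            fprintf(stderr, "Input too long\n");
            continue;
        }
        if (lookup_checked(line, name, sizeof name) == 0) {
            accepted++;                          /* would issue the query here */
        }
    }
    return accepted;
}
```

The point of the bounded version is that the rejection happens before any copy, so an attacker who controls only the typed line (the restricted-shell case raised in the reply) gets an error message rather than control of the return address.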
This archive was generated by hypermail 2b30 : Fri Mar 21 2003 - 15:04:19 PST