RE: NSLOOKUP.EXE
Mar 20 2003 11:56PM
Brett Moore (brett softwarecreations co nz)
Hi
To do it from the command prompt, you must echo to a file and then redirect,
i.e.:
nslookup < foo
where foo contains the long string ending with a <CR>.
Because this is a read error, it may be possible to insert valid values to
read until you hit some code that does a write.
Longer strings overflow a strcpy or multibytetowide copy and result in a
write error, but because the buffer ends at non-writeable memory, I couldn't
see anything important being overwritten. Perhaps though.
nslookup ver 5.0.2195.4985
Brett
-----Original Message-----
From: Blue Boar [mailto:BlueBoar (at) thievco (dot) com]
Sent: Friday, March 21, 2003 9:07 AM
To: Patrick Webster
Cc: vuln-dev (at) securityfocus (dot) com
Subject: Re: NSLOOKUP.EXE
Patrick Webster wrote:
> Can you do anything interesting with this?:
>
> C:\>nslookup
> Default Server: dns.server.net
> Address: 111.222.333.444
>
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
> Gives error: memory can't be "read" - 0x414141 (aka A).
If you have to manually type all the A's, then probably not. Maybe if
someone did something silly like make a CGI script that calls nslookup.exe
directly with user input.
What OS are you testing on? It looks like it's fixed in XP:
C:\winxp\system32>nslookup
Default Server: dns1.snfcca.sbcglobal.net
Address: 206.13.28.12
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** Input is too long
>
BB
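The behaviour the XP build shows above ("*** Input is too long" instead of a crash) is the length check a line reader for redirected input, as in `nslookup < foo`, needs before copying into a fixed buffer. Below is an added example in C, not code from this thread or from nslookup.exe: CMD_MAX, read_command and process_input are hypothetical names, and the 300-byte line is constructed input.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 256  /* assumed fixed-size command buffer of the tool */
enum cmd_status { CMD_OK, CMD_TOO_LONG, CMD_EOF };

/* Read one line of the redirected input `src` (from *pos) into out[outsz].
 * An over-long line is refused rather than truncated or copied, and *pos is
 * still advanced past it so the next call sees the next command.
 * A trailing CR (a CRLF file written on Windows) is stripped. */
enum cmd_status read_command(const char *src, size_t *pos, char *out, size_t outsz)
{
    const char *start = src + *pos;
    if (*start == '\0') return CMD_EOF;
    const char *nl = strchr(start, '\n');
    size_t len = nl ? (size_t)(nl - start) : strlen(start);
    *pos += len + (nl ? 1 : 0);            /* consume the whole line */
    if (len && start[len - 1] == '\r') len--;
    if (len >= outsz) {                    /* no room for the terminator */
        out[0] = '\0';
        return CMD_TOO_LONG;
    }
    memcpy(out, start, len);
    out[len] = '\0';
    return CMD_OK;
}

/* Process every line; returns accepted count, refused count via *rejected. */
int process_input(const char *src, int *rejected)
{
    char cmd[CMD_MAX];
    size_t pos = 0;
    int accepted = 0;
    enum cmd_status st;
    *rejected = 0;
    while ((st = read_command(src, &pos, cmd, sizeof cmd)) != CMD_EOF) {
        if (st == CMD_TOO_LONG) { puts("*** Input is too long"); (*rejected)++; }
        else { printf("> %s\n", cmd); accepted++; }  /* a real tool dispatches here */
    }
    return accepted;
}

int main(void)
{   /* constructed input: a valid command, a 300-byte line, another command */
    char input[512] = "server 10.0.0.1\r\n";
    size_t n = strlen(input);
    memset(input + n, 'A', 300);
    strcpy(input + n + 300, "\nexit\n");
    int rejected, ok = process_input(input, &rejected);
    printf("accepted=%d rejected=%d\n", ok, rejected);  /* accepted=2 rejected=1 */
    return 0;
}
```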