There is a buffer overflow in rundll32.exe when it is passed a big string as
the routine name for a module. I've tested this on Windows XP SP1, but other
versions of Windows might be vuln.
rundll32.exe advpack32.dll,<'A'x499>
advpack32.dll is just an example. Any executable/dll will work. The
cmdline does get converted to UNICODE, and EIP ends up being 00410041.
-
Rick Patel
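As an added example, not part of Rick Patel's post: a small Python detector that parses rundll32 command lines of the form `rundll32.exe <module>,<routine> [args]` from process-creation log lines (the sample lines are constructed) and flags routine names far longer than any legitimate export name; the 256-character threshold and the log format are assumptions. It also shows why the reported EIP of 00410041 indicates the UTF-16 copy of the argument reached the saved return address: "AA" in UTF-16LE is the bytes 41 00 41 00, read little-endian as 0x00410041.

```python
"""Flag rundll32 invocations whose routine (entry-point) name is oversized.

Added example, not code from the original post.  The log line format and
the MAX_ENTRY_LEN threshold are assumptions made for illustration.
"""
import re

# rundll32 syntax: module path, a comma, the exported routine name, then
# optional arguments.  The module may be quoted if it contains spaces.
_RUNDLL32_RE = re.compile(
    r"""(?ix)
    (?:^|[\\/\s"])rundll32(?:\.exe)?"?\s+   # the host binary
    (?P<module>"[^"]+"|\S+?)                 # module path, quoted or bare
    \s*,\s*
    (?P<entry>\S+)                           # routine name, up to whitespace
    (?:\s+(?P<args>.*))?$                    # remaining arguments
    """
)

# Assumption: no legitimate export name comes anywhere near this length.
MAX_ENTRY_LEN = 256


def parse_rundll32(cmdline: str):
    """Return (module, entry, args) or None if cmdline is not a rundll32 call."""
    m = _RUNDLL32_RE.search(cmdline.strip())
    if not m:
        return None
    return m.group("module").strip('"'), m.group("entry"), m.group("args") or ""


def entry_name_bytes(entry: str) -> int:
    """Size of the routine name after the ANSI->UNICODE conversion the post
    describes: each character becomes two bytes of UTF-16LE."""
    return len(entry.encode("utf-16-le"))


def as_wide_dword(text: str) -> int:
    """Little-endian DWORD formed by the first four UTF-16LE bytes of text.
    For 'AA' this is 0x00410041, the EIP value reported in the post."""
    wide = text.encode("utf-16-le")[:4]
    return int.from_bytes(wide, "little")


def is_suspicious(cmdline: str, max_len: int = MAX_ENTRY_LEN) -> bool:
    """True when the command is a rundll32 call with an oversized routine name."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return False
    return len(parsed[1]) > max_len


def scan(lines, max_len: int = MAX_ENTRY_LEN):
    """Yield (line_no, module, entry_length) for each suspicious command line."""
    for n, line in enumerate(lines, 1):
        parsed = parse_rundll32(line)
        if parsed and len(parsed[1]) > max_len:
            yield n, parsed[0], len(parsed[1])


# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r"C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r"rundll32.exe advpack.dll,LaunchINFSection install.inf,DefaultInstall",
    r"C:\WINDOWS\system32\rundll32.exe advpack32.dll," + "A" * 499,
    r"notepad.exe C:\notes.txt",
]

if __name__ == "__main__":
    for n, module, length in scan(SAMPLE_CMDLINES):
        print(f"line {n}: {module} called with a {length}-char routine name "
              f"({entry_name_bytes('A' * length)} bytes once widened)")
    print(hex(as_wide_dword("AA")))  # 0x410041
```

The parser keys on the comma that separates module from routine name rather than on any particular module, since the post notes the module is irrelevant to the overflow; the length check is on the routine name alone so ordinary long argument lists are not flagged.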