FYI This does not appear to be exploitable on an en Windows 2000 SP3
+ all current hotfixes (have not loaded SP4 yet however). advpack32.dll
does not exist on my win2k pro system, however advpack.dll does and this
was attempted, using 499 chars + more. Tried a few other DLL's to no
avail.
Curt Wilson
On Sun, 06 Jul 2003 11:42:42 -0700 Rick <rikul (at) bellsouth (dot) net [email concealed]> wrote:
>There is buffer overflow in rundll32.exe when it is passed big string
>as routine name for a module. I've tested this on WindowsXP SP1. But
>other version of windows might be vuln.
>
>rundll32.exe advpack32.dll,<'A'x499>
>
>advpack32.dll is just example. Any executable/dll will work. The
>cmdline does get converted to UNICODE. And EIP ends up being 00410041.
>
Curt R. Wilson
Netw3 Security
www.netw3.com
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
FYI This does not appear to be exploitable on an en Windows 2000 SP3
+ all current hotfixes (have not loaded SP4 yet however). advpack32.dll
does not exist on my win2k pro system, however advpack.dll does and this
was attempted, using 499 chars + more. Tried a few other DLL's to no
avail.
Curt Wilson
On Sun, 06 Jul 2003 11:42:42 -0700 Rick <rikul (at) bellsouth (dot) net [email concealed]> wrote:
>There is buffer overflow in rundll32.exe when it is passed big string
>as routine name for a module. I've tested this on WindowsXP SP1. But
>other version of windows might be vuln.
>
>rundll32.exe advpack32.dll,<'A'x499>
>
>advpack32.dll is just example. Any executable/dll will work. The
>cmdline does get converted to UNICODE. And EIP ends up being 00410041.
>
Curt R. Wilson
Netw3 Security
www.netw3.com
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3
wkYEARECAAYFAj8KP48ACgkQRnf2MGkR9yv0OwCgmn2cTEZG650eKc8VVah61Mm0dyMA
n2X8Ye9pNyC4S/wXXkxXGfxM8cQc
=qexc
-----END PGP SIGNATURE-----
[ reply ]