Home page logo

fulldisclosure logo Full Disclosure mailing list archives

upnphost null pointer fun
From: ned <nd () felinemenace org>
Date: Sun, 7 Nov 2004 21:31:11 -0800 (PST)

unlike my other recent posts, i will revealing bug information which is 
NOT exploitable. i hope. i think they're properly diagnosed. i think.

in upnphost module which is the windows UPNP service (http://upnp.org) 
there is a couple of null pointer exceptions, i named them 'upnp1' and 
'upnp2' and POC code is availiable at http://felinemenace.org/~nd/upnp/

a quick demo using dumbug (http://phenoelit.de):
(cmdline 'python upnp1.py')
Debugger [INFO] Access violation at 5AFDDF5C
Tracer [WARNING] AccessViolation EIP = 5AFDDF5C while reading from 00000002
Tracer [WARNING] E_AccessViolation: Offending access not in mapped memory?
(cmdline 'python upnp2.py')
Debugger [INFO] Access violation at 5AFD7FEC
Tracer [WARNING] AccessViolation EIP = 5AFD7FEC while reading from 00000000
Tracer [WARNING] E_AccessViolation: Offending access not in mapped memory?

completely useless of course, does not even stop the UPNP service or lock 
up svchost. dumbug is pretty cool though when screeshots just wont do!
- nd


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • upnphost null pointer fun ned (Nov 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]