Vulnerability Development mailing list archives
RE: NSLOOKUP.EXE
From: "Brett Moore" <brett () softwarecreations co nz>
Date: Fri, 21 Mar 2003 11:56:57 +1200
Hi,

To do it from the command prompt, you must echo to a file and then redirect, i.e.:
nslookup < foo
where foo contains the long string ending with a <CR>.

Because this is a read error, it may be possible to insert valid values to read until you hit some code that does a write.

Longer strings overflow a strcpy or multibytetowide copy and result in a write error, but because the buffer ends at non-writeable memory, I couldn't see anything important being overwritten. Perhaps though.

nslookup ver 5.0.2195.4985

Brett

-----Original Message-----
From: Blue Boar [mailto:BlueBoar () thievco com]
Sent: Friday, March 21, 2003 9:07 AM
To: Patrick Webster
Cc: vuln-dev () securityfocus com
Subject: Re: NSLOOKUP.EXE

Patrick Webster wrote:
Can you do anything interesting with this?:

C:\>nslookup
Default Server: dns.server.net
Address: 111.222.333.444

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Gives error: memory can't be "read" - 0x414141 (aka A).

If you have to manually type all the A's, then probably not. Maybe if someone did something silly like make a CGI script that calls nslookup.exe directly with user input.

What OS are you testing on? It looks like it's fixed in XP:

C:\winxp\system32>nslookup
Default Server: dns1.snfcca.sbcglobal.net
Address: 206.13.28.12

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** Input is too long

BB
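
Added example, not part of the thread and not nslookup's own code: a bounded reader for redirected query lines that refuses an over-long line instead of copying it, in the spirit of the "*** Input is too long" response shown for XP, followed by the allow-list check a CGI wrapper like the one Blue Boar describes would need before handing a name to a resolver tool. The function names, the buffer size and the use of the RFC 1035 length limits are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_NAME  255  /* RFC 1035: longest full domain name */
#define MAX_LABEL 63   /* RFC 1035: longest single label */
enum { Q_OK = 0, Q_EOF = -1, Q_TOO_LONG = -2, Q_BAD_NAME = -3 };

/* Allow only letters, digits, '-' and '.'; refuse a leading '-' (option-like). */
static int check_name(const char *s)
{
    size_t total = strlen(s), label = 0;
    if (total == 0 || total > MAX_NAME || s[0] == '-') return Q_BAD_NAME;
    for (size_t i = 0; i < total; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0) return Q_BAD_NAME;   /* empty label */
            label = 0;
        } else if (c > 127 || !(isalnum(c) || c == '-') || ++label > MAX_LABEL)
            return Q_BAD_NAME;
    }
    return Q_OK;
}

/* Read one query line into buf[n]. A line that does not fit is drained up to
 * its newline and rejected, so its tail is never parsed as the next query. */
static int next_query(FILE *in, char *buf, size_t n)
{
    if (!fgets(buf, (int)n, in)) return Q_EOF;
    size_t len = strlen(buf);
    int c, extra = 0, complete = len && buf[len - 1] == '\n';
    while (len && (buf[len - 1] == '\n' || buf[len - 1] == '\r')) buf[--len] = '\0';
    while (!complete && (c = fgetc(in)) != EOF && c != '\n') extra |= (c != '\r');
    return extra ? Q_TOO_LONG : check_name(buf);
}

int main(void)
{
    char buf[MAX_NAME + 3];          /* name + CR LF + NUL */
    FILE *f = tmpfile();             /* constructed input, as if redirected */
    if (!f) return 1;
    fputs("www.example.com\r\n", f);
    for (int i = 0; i < 300; i++) fputc('A', f);   /* constructed long run */
    fputs("\r\nexample.org\r\n", f);
    rewind(f);
    for (int rc; (rc = next_query(f, buf, sizeof buf)) != Q_EOF; )
        printf("%d %s\n", rc, rc == Q_OK ? buf : "(rejected)");
}
```

The size limit is enforced at the read itself, so no later copy ever sees more than the buffer holds.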
