NSLOOKUP overflow allows arbitrary command execution

From: Anony Mous (Anon21h@YAHOO.CO.UK)
Date: 04/09/03

    Date:         Wed, 9 Apr 2003 00:02:20 +0100
    From: Anony Mous <Anon21h@YAHOO.CO.UK>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    All,

    (Please scroll to the bottom and read what Russ wrote then come back and
    read from the beginning.)

    The "input too long" error was also encountered by Wajid I think, who was
    also using XP. However, let me further expand: NSLOOKUP works in two
    modes, interactive and non-interactive. In interactive mode you get the
    prompt and you can enter "sub" commands and do multiple lookups; in
    non-interactive mode, it's just a one-off lookup. Check out the standard
    documentation for the nslookup command for a description of modes and sub
    commands (click the Start button, then choose Help. In the tabs to the
    left of the window, select the Index tab and type "nslookup", then select
    it in the list just below to get the help documentation).

    Using non-interactive mode, you'd enter it like so:

    C:\>nslookup aaaaaaaaaaaaaaaaaa........

    That's when you get the "input too long" error even on Win2K. Can someone
    on XP try it in interactive mode? (Type "nslookup" first and press
    Enter, then enter the long string.)

    James' string lengths have an interesting pattern: 255, 1024, 4096...all
    of them are powers of two, and the nslookup behaviour seems to change
    with each one. James didn't try 512, and when I did so (in interactive
    mode) it just crashed nslookup and returned to the command prompt with
    no error message from nslookup itself.

    Still on Win2K in interactive mode, we get another feature at 4097 a's. It
    prints the a's, then the server name and address, crashes, then you get
    3 lots of these in sequence:

    C:\>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    The input line is too long.

    and wind up at the command prompt, which looks like so (note this is
    using 4097 a's in interactive mode):

    C:\>aaaaa

    If you look carefully at the above, the a's are overflowing into the
    command prompt after nslookup dies. So I suspected you could replace the
    last 5 a's with one of the commands such as "dir". Do this: generate a
    string of 4092 a's, then append "dir" (without the quotes) to the string
    so you have a string with 4095 characters in total. Then, at the command
    prompt, run nslookup to get into interactive mode and feed in the string.
    This time it crashes like above, but instead of the command prompt
    ending up as "C:\>aaaaa" you wind up with:

    C:\>dir

    Try that again, but instead of appending "dir" to the 4092 a's, append
    this: "what's going on in Redmond". Run it again, nslookup dies and you
    wind up with this at the command prompt:

    C:\>what's going on in Redmond

    With nslookup overflowing its input back into the command prompt, one
    can get any command to wind up there. The only thing missing is how to
    simulate pressing the Return key so the command can be executed. Why
    don't we just append a carriage return? Well, I did just that and yep,
    the commands execute!! Try this. Generate your regular 4092 a's (I am
    using a tiny program to generate the string), then append "dir /s"
    (without the quotes) and then append a carriage return to that. Feed the
    resulting string (it will be 4098 characters long) into nslookup.

    WARNING: the "dir /s" will print a directory listing of your ENTIRE
    drive to the command line. After you feed in the string above, you will
    get the listing running and text will just zoom up the screen. Use Ctrl
    + Break to stop the listing.

    Okay, so what evil can be done with this? Well, it happens that XP
    has a program "shutdown.exe" that can be used to shut down the computer
    with no questions asked. Could somebody try this on XP and let us know?
    Generate 4092 a's and append this: "SHUTDOWN -s -t 01", followed by a
    carriage return. Get nslookup on and feed the string in at its prompt.
    That should shut down your computer immediately!!

    On this page "http://www.aumha.org/a/shutcut.php" there are descriptions
    of shutting down Windows in various ways, and there are some links there to
    knowledge base articles for shutting down Windows 2000 terminal servers
    too. Can someone see if we have an equivalent of "shutdown.exe" for
    Windows 2000?

    Looking on that page, I saw something interesting. Rundll32.exe seems to
    allow you to execute functions found within DLLs right from the command
    line. Check out the MS documentation here:
    "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tools/tools/rundll32.asp".

    I have tried to shut down Win2K as follows (the string may break over
    onto two lines, but it's all one string. There's no carriage return):

    "C:\WINNT\system32>rundll32.exe
    c:\winnt\system32\user32.dll,ExitWindowsEx 5"

    but nothing seems to happen. Theoretically it should work, but if
    anybody can get it to work in practice, please let us know. For those
    with MS Visual C++ 6, a tool called "Depends.exe" comes free and it
    allows you to peek into DLLs to see what functions are exported. Also,
    using the SDK documentation, you can look up any function in system DLLs
    like user32.dll or kernel32.dll to see the parameters, then try to run it
    from the command line like I tried above.

    First we found a buffer overflow. Next we discovered how to use it to
    execute any command at the command line. Now we need a way to exploit
    this remotely. If you look under the system32 folder, there's a program
    there called "rsh.exe", which is essentially a remote shell. It's used
    like so:

    Runs commands on remote hosts running the RSH service.

    RSH host [-l username] [-n] command

        host Specifies the remote host on which to run command.
        -l username Specifies the user name to use on the remote host. If
                        omitted, the logged on user name is used.
        -n Redirects the input of RSH to NULL.
        command Specifies the command to run.

    I don't know whether the RSH service runs by default, but it's well worth a
    try, and if anyone comes up with anything, let us know (I couldn't try it
    on my machine because of my own firewall).

    Cheers, Eric.

    ------------------------------------------------------------------------
    Russ wrote:

    Let me just respond to the NSLOOKUP issue described in the post by Anony
    Mous. I have tested the example provided and have found that it does,
    indeed, crash NSLOOKUP on W2K SP3 as described. If you tested this and
    didn't think it produced such an error, look in your Application Event
    Log for an associated Dr. Watson message. You'll also notice that you
    drop to the command prompt after entering the 276 "a"s (this is not
    meant to suggest an exact number, but it was the number provided and the
    number I tested with).

    The input is handled well by NSLOOKUP on XP, however, generating an
    "Input too long" error and staying within NSLOOKUP.

    James D. Stallard also indicated that v5.1.2600.0 NSLOOKUP (from XP SP1)
    has some interesting "features";
    -----
    I tested Eric's NSLookup overflow on WinXP
    Windows XP SP1: Version 5.1 (Build 2600.xpsp1.0202828-1920 : Service Pack 1)
    NSLookup.EXE: 5.1.2600.0 (xpclient.010817-1148)

    Entering Eric's exact string I got "*** Input is too long" without the
    quotes.

    Working upwards in string length (still using "a") I get "non-existent
    domain" for a string length of up to 63, however 64 returns "Unspecified
    error" up to 255 characters. At 256 to 1021 I get "Input is too long".

    At 1022 and 1023 I get nothing and when I hit enter again I get the
    NSLookup prompt, expecting input.

    At 1024 I get a return as if I had searched for only the last digit in
    the string and from then on any characters prior to the 1025th are ignored.

    At 4096 I get a return as if I had searched for only the last 2 digits
    in the string and from then on the input buffer is full and accepts no more.

    Anyone got any explanations for this rather inconsistent behaviour,
    albeit I was unable to get anything to break?

    ----
    Cheers,
    Russ - NTBugtraq Editor
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Have you discovered a security vulnerability related to Windows or a
    commercial product which runs on Windows?
    Need assistance crafting the format or translating your advisory to English?
    Need to verify it, or having problems contacting the Vendor?
    Contact mailto:Advisories@NTBugtraq.com
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    
