NSLOOKUP overflow allows arbitrary command execution
From: Anony Mous (Anon21h@YAHOO.CO.UK)
Date: Wed, 9 Apr 2003 00:02:20 +0100 From: Anony Mous <Anon21h@YAHOO.CO.UK> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
(Please scroll to the bottom and read what Russ wrote then come back and
read from the beginning.)
The "input too long" error was also encountered by Wajid I think who was
also using XP. However let me further expand that NSLOOKUP works in two
modes: interactive and non-interactive. In interactive mode you get the
prompt and you can enter "sub" commands and do multiple lookups, in
non-interactive mode, its just a one-off lookup. Check out the standard
documentationfor the nslookup command for description of modes and sub
commands (click the Start button then choose Help. In the tabs to the
left of the window, select the Index tab and type "nslookup" then select
it in the list just below, to get the help documentation )
Using non-interactive, you'd enter it like so:
thats when you get the "input too long" error even on Win2K. Can someone
on XP, try it in interactive mode? (type "nslookup" first and press
enter, then enter the long string).
James' string lengths have an interesting pattern: 255, 1024, 4096...all
of them are powers of two and the nslookup behaviour seems to change
with each one. James didnt try 512, and when I did so (in interactive
mode) it just crashed nslookup and returned to the command prompt with
no error message from nslookup itself.
Still on Win2K interactive mode, we get another feature at 4097 a's. It
prints the a's, then the server name and address, crashes, then you get
3 lots of these in sequence:
The input line is too long.
and wind up at the command prompt which looks like so (note this is
using 4097 a's in interactive mode):
If you look carefully at the above, the a's are overflowing into the
command prompt after nslookup dies. So I suspected you could replace the
last 5 a's with one of the commands such as "dir". Do this, generate a
string of 4092 a's, then append "dir" (without the quotes) to the string
so you have a string with 4095 characters in total. Then at the command
prompt run nslookup to get into interactive mode and feed in the string.
This time, it crashes like above but instead of the command prompt
ending up as "C:\>aaaaa" you wind up with:
Try that again but instead of appending "dir" to the 4092 a's append
this "what's going on in Redmond", run it again, nslookup dies and you
wind up with this at the command prompt:
C:\>what's going on in Redmond
With nslookup overflowing its input back into the command prompt, one
can get any command to wind up there. The only thing missing is how to
simulate pressing the Return key so the command can be executed. Why
dont we just append a carriage return? Well, I did just that and yep,
the commands execute!! Try this. Generate your regular 4092 a's (am
using a tiny program to generate the string) , then append "dir /s"
(without the quotes) and then append a carriage return to that. Feed the
resulting string (it will be 4098 characters long) into nslookup.
WARNING: the "dir /s" will print a directory listing of your ENTIRE
drive to the command line. After you feed in the string above, you will
get the listing running and text will just zoom up the screen. Use Ctrl
+ Break to stop the listing.
Okay, so what evil can be done with this? Well it happens to be that XP
has a program "shutdown.exe" that can be used to shut down the computer
with no questions asked. If somebody can try this on XP and let us know.
Generate 4092 a's and append this "SHUTDOWN -s -t 01", followed by a
carriage return. Get nslookup on and feed the string in at its prompt.
That should shut down your computer immediately!!
on this page "http://www.aumha.org/a/shutcut.php" there are descriptions
of shutting down Windows in various ways and there some links there to
knowlegde base articles for shutting down Windows 2000 terminal servers
too. Can someone see if we have an equivalent of "shutdown.exe" for
Looking on that page, I saw something interesting. Rundll32.exe seems to
allow you to execute functions found within DLLs right from the command
line.Checkout the MS documentation here
I have tried to shutdown Win2K as follows (the string may break over
onto two lines but its all one string. There's no carriage return):
but nothing seems to happen. Theoretically, it should work but if
anybody can get it to work in practice please let us know. For those
with Ms Visual C++ 6, a tool called "Depends.exe" comes free and it
allows you to peek into DLLs to see what functions are exported. Also
using the SDK documentation, you can look up any function in system DLLs
like user32.dll, kernel32.dll, to see the parameters, then try to run it
from the command line like I tried above.
First we found a buffer overflow. Next we discovered how to use it to
execute any command at the command line. Now we need a way to exploit
this remotely. If you look under the system32 folder, theres a program
there called "rsh.exe", which is essentially a remote shell. It's used
Runs commands on remote hosts running the RSH service.
RSH host [-l username] [-n] command
host Specifies the remote host on which to run command.
-l username Specifies the user name to use on the remote host. If
omitted, the logged on user name is used.
-n Redirects the input of RSH to NULL.
command Specifies the command to run.
I dont know whether the RSH service runs by default but its well worth a
try and if anyone comes up with anything, let us know (I couldn't try it
on my machine because of my own firewall).
Let me just respond to the NSLOOKUP issue described in the post by Anony
Mous. I have tested the example provided and have found that it does,
indeed, crash NSLOOKUP on W2K SP3 as described. If you tested this and
didn't think it produced such an error, look in your Application Event
Log for an associated Dr. Watson message. You'll also notice that you
drop to the command prompt after entering the 276 "a"s (this is not
meant to suggest an exact number, but it was the number provided and the
number I tested with).
The input is handled well by NSLOOKUP on XP, however, generating an
"Input too long" error and staying within NSLOOKUP.
James D. Stallard also indicated that v5.1.2600.0 NSLOOKUP (from XP SP1)
has some interesting "features";
I tested Erics NSLookup overflow on WinXP
Windows XP SP1: Version 5.1 (Build 2600.xpsp1.0202828-1920 : Service Pack 1)
NSLookup.EXE: 5.1.2600.0 (xpclient.010817-1148)
Entering Erics exact string I got "*** Input is too long" without the
Working upwards in string length (still using "a") I get "non-existent
domain" for a string length of up to 63, however 64 returns "Unspecified
error" up to 255 characters. At 256 to 1021 I get "Input is too long".
At 1022 and 1023 I get nothing and when I hit enter again I get the
NSLookup prompt, expecting input.
At 1024 I get a return as if I had searched for only the last digit in
the string and from then on any characters prior to the 1025th are ignored.
At 4096 I get a return as if I had searched for only the last 2 digits
in the string and from then on the input buffer is full and accepts no more.
Anyone got any explanations for this rather inconsistent behaviour,
albeit I was unable to get anything to break?
---- Cheers, Russ - NTBugtraq Editor oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo Have you discovered a security vulnerability related to Windows or a commercial product which runs on Windows? Need assistance crafting the format or translating your advisory to English? Need to verify it, or having problems contacting the Vendor? Contact mailto:Advisories@NTBugtraq.com oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo