Re: rundll32.exe buffer overflow

From: Curt Wilson (netw3_security_at_hushmail.com)
Date: 07/08/03

  • Next message: tupac sakur: "xchar crash after 3 continually server call"
    Date: Mon,  7 Jul 2003 20:55:00 -0700
    To: bugtraq@securityfocus.com, rikul@bellsouth.net
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    FYI This does not appear to be exploitable on an en Windows 2000 SP3
    + all current hotfixes (have not loaded SP4 yet however). advpack32.dll
    does not exist on my win2k pro system, however advpack.dll does and this
    was attempted, using 499 chars + more. Tried a few other DLL's to no
    avail.

    Curt Wilson

    On Sun, 06 Jul 2003 11:42:42 -0700 Rick <rikul@bellsouth.net> wrote:
    >There is buffer overflow in rundll32.exe when it is passed big string
    >as routine name for a module. I've tested this on WindowsXP SP1. But
    >other version of windows might be vuln.
    >
    >rundll32.exe advpack32.dll,<'A'x499>
    >
    >advpack32.dll is just example. Any executable/dll will work. The
    >cmdline does get converted to UNICODE. And EIP ends up being 00410041.
    >

    Curt R. Wilson
    Netw3 Security
    www.netw3.com
    -----BEGIN PGP SIGNATURE-----
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 2.3

    wkYEARECAAYFAj8KP48ACgkQRnf2MGkR9yv0OwCgmn2cTEZG650eKc8VVah61Mm0dyMA
    n2X8Ye9pNyC4S/wXXkxXGfxM8cQc
    =qexc
    -----END PGP SIGNATURE-----


  • Next message: tupac sakur: "xchar crash after 3 continually server call"