Vulnerability Development mailing list archives
Re: NSLOOKUP.EXE
From: "Nexus" <nexus () patrol i-way co uk>
Date: Fri, 21 Mar 2003 10:15:41 -0000
----- Original Message -----
From: "Patrick Webster" <webster_p () DeMorgan com au>
To: "Blue Boar" <BlueBoar () thievco com>
Cc: <vuln-dev () securityfocus com>
Sent: Thursday, March 20, 2003 10:28 PM
Subject: RE: NSLOOKUP.EXE

I get an Input too long error if run through cmd.exe, eg. c:\>nslookup.exe AAAAA[..], but if I run nslookup with no args, then request AAA[..]AAA it gives the 0x41414141 memory error.

If I give nslookup a much larger amount of A's, the response is: (null) dns.server.net then crashes.

-Patrick

This has been around for a while - I seem to recall looking at this a couple of years ago but since the overflow (on quick inspection) looked tricky to exploit *and* it's the client end that overflows, I didn't bother with it.

There is no local priv escalation and you would need control of the victims' DNS servers - in which case, you can do far more interesting things than this ;-)

The only use I could think of it was when you are in a restricted environment and can only use sanctioned commands, with nslookup being one of them.

Cheers.