Message-ID: <3F08A51B.60304@quicknet.nl>
From: dv at quicknet.nl (David)
Subject: ShellExecute ()
Hello,

I've taken a deeper look at the vulnerability in the ShellExecute API function.

http://www.lac.co.jp/security/english/snsadv_e/65_e.html

After some research I've noticed that the lpFile parameter is converted to Unicode before it is handled. The IP can therefore only be overwritten with 00xx00xx values (where xx can be any legal hex value). I think that exploitation of this function becomes very difficult in this way, because there is no 00xx00xx-type memory address within the overwritten address space (2088 bytes).

I wonder if there are any other techniques available to exploit this kind of vulnerability.

-David
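As an added illustration of the widening effect David describes (this is example code written for this page, not code from the post, from the LAC advisory, or from Windows): the conversion is modelled as a plain ANSI-to-UTF-16LE widening in which every input byte becomes a 16-bit code unit with a zero high byte. The filler length, the two target bytes and the saved-IP offset are constructed values and do not reproduce the real ShellExecute frame layout. The helpers show why a saved instruction pointer landing at an even offset in the widened copy can only take the form 0x00xx00xx, and how to check whether a candidate address is reachable at all; an odd offset flips the pattern to 0xxx00xx00, which the check also handles.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a narrow (ANSI) string being widened to UTF-16LE before use.
 * Each input byte b becomes the 16-bit code unit 0x00bb, stored little
 * endian as the bytes (bb, 00). The widened copy is twice as long and
 * every second byte is zero. This stands in for the conversion the post
 * describes; it is not the real Windows conversion routine. */
size_t widen_ansi(const unsigned char *in, size_t in_len,
                  unsigned char *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len && n + 2 <= out_cap; i++) {
        out[n++] = in[i];  /* low byte: the original character */
        out[n++] = 0x00;   /* high byte: always zero for ANSI input */
    }
    return n;
}

/* Little-endian 32-bit value that would land on a saved return address
 * located `offset` bytes into the widened buffer. */
uint32_t overwritten_ip(const unsigned char *widened, size_t offset)
{
    return (uint32_t)widened[offset]
         | (uint32_t)widened[offset + 1] << 8
         | (uint32_t)widened[offset + 2] << 16
         | (uint32_t)widened[offset + 3] << 24;
}

/* A 32-bit address can be produced by a widened overflow only if the
 * bytes that coincide with the zero high bytes are zero. At an even
 * offset that is bytes 1 and 3 (form 0x00xx00xx); at an odd offset it
 * is bytes 0 and 2 (form 0xxx00xx00). */
int reachable_via_unicode(uint32_t addr, size_t offset)
{
    uint32_t zero_mask = (offset % 2 == 0) ? 0xFF00FF00u : 0x00FF00FFu;
    return (addr & zero_mask) == 0;
}

/* For an even-offset overwrite, the two narrow bytes that widen into
 * `addr`. Returns 0 (and leaves out[] untouched) if addr is unreachable. */
int narrow_bytes_for(uint32_t addr, unsigned char out[2])
{
    if (!reachable_via_unicode(addr, 0))
        return 0;
    out[0] = (unsigned char)(addr & 0xFF);          /* low code unit */
    out[1] = (unsigned char)((addr >> 16) & 0xFF);  /* high code unit */
    return 1;
}

/* Constructed sample: 8 bytes of filler followed by the two bytes that
 * are meant to overwrite the saved IP. The offset 16 (filler * 2) and
 * the target bytes 0x10 0x40 are hypothetical, not a real frame layout. */
uint32_t sample_overwrite(void)
{
    unsigned char narrow[10];
    unsigned char widened[64];
    memset(narrow, 'A', 8);
    narrow[8] = 0x10;
    narrow[9] = 0x40;
    size_t n = widen_ansi(narrow, sizeof narrow, widened, sizeof widened);
    (void)n; /* 20 bytes; the saved IP sits at widened offset 16 */
    return overwritten_ip(widened, 16);
}

int main(void)
{
    uint32_t ip = sample_overwrite();
    printf("saved IP after widened overflow: 0x%08x\n", (unsigned)ip);
    printf("form 0x00xx00xx: %s\n",
           reachable_via_unicode(ip, 0) ? "yes" : "no");
    unsigned char b[2];
    /* 0x77e5a4f0 is an arbitrary constructed value, not a real address */
    printf("0x77e5a4f0 reachable: %s\n",
           narrow_bytes_for(0x77e5a4f0u, b) ? "yes" : "no");
    return 0;
}
```

The useful check for a practitioner is `reachable_via_unicode`: before searching an address range for a jump target, filter it down to values whose two high bytes are zero, which is exactly why the 2088-byte window David mentions yields nothing if no such address falls inside it.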