I've found the Allchin bug.
Nope. You're wrong. He wasn't referring to windows message queues, he
was referring to MSMQ. You'll find that MSMQ has GUID
Interface UUID: 77df7a80-f298-11d0-8358-00a024c480a8
Interface Ver: 1
Interface Ver Minor: 0
and that opnums 6, 7 and 8 are quite clearly MQLocateBegin, MQLocateNext and
MQLocateEnd. Try passing an overly-long string as an MQRESTRICTION to the
MQLocateBegin function, and you'll find a Unicode heap overflow in mqsvc.exe
that lets you overwrite an arbitrary address with an arbitrary long.
You'll also find that this works in w2k sp2, and not in sp4; I haven't
tested sp3 yet. Looks like they quietly fixed it up without any great
If anyone needs further convincing, I'll tidy up and post my p-o-c code,
but I think it's pretty clear from his words that he meant MSMQ and not the
underlying Win32 API.
Burn your ID card! http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions.
Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
[This sig is probably too long for demon.local]
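As an added example (not code from the post, nor Microsoft's), a small decoder that spots DCE/RPC requests reaching the interface UUID, version and opnums quoted above, the kind of check a network monitor or IDS rule could apply to traffic bound for the queue manager. The PDU layout and the NDR transfer-syntax UUID are standard DCE/RPC; the sample PDUs, helper names and stub contents are constructed assumptions.

```python
import struct
import uuid

MSMQ_QM_IID = uuid.UUID("77df7a80-f298-11d0-8358-00a024c480a8")  # interface quoted in the post
MSMQ_QM_VERSION = (1, 0)
LOCATE_OPNUMS = {6: "MQLocateBegin", 7: "MQLocateNext", 8: "MQLocateEnd"}  # as the post lists them
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
HDR = struct.Struct("<BBBB4sHHI")  # rpc_vers, minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id

def parse_pdu(pdu: bytes) -> dict:
    """Decode the fields of a connection-oriented DCE/RPC PDU that matter here.
    Assumes little-endian NDR (drep[0] & 0x10) and no object UUID in requests."""
    ver, _minor, ptype, _flags, drep, frag_len, _auth, call_id = HDR.unpack_from(pdu, 0)
    if ver != 5 or not (drep[0] & 0x10) or frag_len != len(pdu):
        raise ValueError("not a well-formed little-endian DCE/RPC v5 PDU")
    out = {"ptype": ptype, "call_id": call_id}
    if ptype == PTYPE_BIND:  # body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3), contexts
        n_ctx, off, contexts = pdu[24], 28, {}
        for _ in range(n_ctx):
            ctx_id, n_ts = struct.unpack_from("<HBx", pdu, off)
            iid = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
            contexts[ctx_id] = (iid, struct.unpack_from("<HH", pdu, off + 20))
            off += 24 + 20 * n_ts  # each transfer syntax is uuid(16) + version(4)
        out["contexts"] = contexts
    elif ptype == PTYPE_REQUEST:  # body: alloc_hint(4) ctx_id(2) opnum(2), then the NDR stub
        _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", pdu, 16)
        out.update(ctx_id=ctx_id, opnum=opnum, stub_len=len(pdu) - 24)
    return out

def msmq_locate_calls(pdus):
    """Walk the PDUs of one connection; return (call_id, function, stub bytes) for
    each request that reaches the MSMQ locate opnums through a bound context."""
    bound, hits = {}, []
    for pdu in pdus:
        p = parse_pdu(pdu)
        if p["ptype"] == PTYPE_BIND:
            bound.update(p["contexts"])
        elif p["ptype"] == PTYPE_REQUEST:
            iid, vers = bound.get(p["ctx_id"], (None, None))
            if iid == MSMQ_QM_IID and vers == MSMQ_QM_VERSION and p["opnum"] in LOCATE_OPNUMS:
                hits.append((p["call_id"], LOCATE_OPNUMS[p["opnum"]], p["stub_len"]))
    return hits

def _pdu(ptype, body, call_id):  # builds the constructed sample PDUs below (not captured traffic)
    return HDR.pack(5, 0, ptype, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id) + body

NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR transfer syntax
SAMPLE_BIND = _pdu(PTYPE_BIND, struct.pack("<HHIBxxx", 4280, 4280, 0, 1) + struct.pack("<HBx", 0, 1)
                   + MSMQ_QM_IID.bytes_le + struct.pack("<HH", 1, 0) + NDR32.bytes_le + struct.pack("<I", 2), 1)
SAMPLE_REQUEST = _pdu(PTYPE_REQUEST, struct.pack("<IHH", 0, 0, 6) + b"\x00" * 64, 2)  # opnum 6, 64-byte stub
```

The stub length is returned alongside each hit so a monitor can threshold on unusually large MQLocateBegin arguments, which is the condition the post describes.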