-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
FYI This does not appear to be exploitable on an en Windows 2000 SP3
+ all current hotfixes (have not loaded SP4 yet however). advpack32.dll
does not exist on my win2k pro system, however advpack.dll does and this
was attempted, using 499 chars + mor
interesting, in win2ksp4 i can't get it to overflow...
with regular characters.
if i use a lot of %'s it appears to overwrite eip. but if
i tack on any character at the end it won't overflow.
C:\WINNT\system32>rundll32.exe
rundll32.exe,
AAA
Hi,
There is buffer overflow in rundll32.exe when it is passed big string as
routine name for a module. I've tested this on WindowsXP SP1. But other
version of windows might be vuln.
rundll32.exe advpack32.dll,<'A'x499>
advpack32.dll is just example. Any executable/dll will work.