i everyone,

It seems that the old windows98 rundll32.exe command line stack overflow has reappeared
in Windows XP SP0 and SP1. Also the old regsvr32.exe command line buffer overflow has also been observed.


giving the command rundll32.exe shell32.dll,AAAAA...about 500 A's
causes the EIP of the program to be overwritten.Since we are dealing with unicode here exploitation is a bit difficult.

The problem lies in a routine which formats the error for invalid entry point the AAAAA's , the local function allocates a small amount of stack(THE EPILOG ) for the storage.The stack is overwritten and when the program returns from the function it pops up the registers wrongly,since there will be only A's here.The program causes exception.

The same thing occurs with regsvr32.exe, but case is different here, in windows 98 it was because of of Overflow in LoadLibrary.(psst... also in GetProcAddress etc).