[12688] in bugtraq


Re: WordPad/riched20.dll buffer overflow

daemon@ATHENA.MIT.EDU (Mnemonix)
Mon Nov 22 17:36:25 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <001101bf32f0$42925790$b8aa93c3@cerberusinfosec.co.uk>
Date:         Sat, 20 Nov 1999 00:43:26 -0000
Reply-To: Mnemonix <mnemonix@GLOBALNET.CO.UK>
From: Mnemonix <mnemonix@GLOBALNET.CO.UK>
X-To:         Gerardo Richarte <core.lists.bugtraq@CORE-SDI.COM>,
              BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

----- Original Message -----
From: "Gerardo Richarte" <core.lists.bugtraq@CORE-SDI.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Thursday, November 18, 1999 9:45 PM
Subject: Re: WordPad/riched20.dll buffer overflow
<SNIP>

> I've been trying to determine if it's exploitable, and couldn't
> reproduce what you described. I want to know if there is some other
> information I need to know... here is what I tried:
>
>         an rtf file with
>
>         {\rtf\AAAAAAAAA...} a lot of As (tried 32, 49, 1000, 2000, ...
> 5000 ... 20000)
>
<SNIP>
>         could anybody reproduce this bug?
>

This is exploitable. On both Windows NT4 and Windows 2000 the payload can be
found at the ESP - but there is a difference between the two OSs.
NT 4 seems to do a tolower() on the string, turning "AAAA" into "aaaa", whereas
Windows 2000 preserves the case. Both OSs have the return address
over-written, so all you have to do is find an instruction in the memory
space that does a JMP ESP - there are quite a few floating around the place.

On NT 4, if any of the bytes for the exploit code or return address are <
0x61 then they'll be turned into the uppercase version, i.e. 0x41 -> 0x61, so
anyone writing an exploit for NT will have to be cunning. On Win2K there is
not this problem. For both OSs, from the ESP you'll get around 152 bytes of
room to put your exploit code in.

For anyone interested in NT buffer overruns some useful docs on the subject
can be found at http://www.infowar.co.uk/mnemonix

Cheers,
David Litchfield
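The trigger quoted in this thread is an RTF control word of abnormal length (`{\rtf\AAAA...}`). The RTF specification limits a control word's alphabetic name to 32 characters, so a file carrying a longer one never comes from a legitimate writer and is cheap to flag before it reaches WordPad or any other riched20.dll consumer. The scanner below is an added example, not code from the original posts or from either poster; the 32-character threshold is taken from the RTF specification, the sample documents are constructed here, and the regular expression deliberately ignores non-alphabetic escapes such as `\'hh`, `\{` and `\*`.

```python
import re

# The RTF specification caps the alphabetic part of a control word at 32
# characters; anything longer is the shape of the crash trigger in this thread.
MAX_CONTROL_WORD_LEN = 32

# A control word is a backslash, ASCII letters, and an optional signed
# numeric parameter. Hex escapes (\'hh) and symbol escapes (\{, \*) have no
# letters after the backslash, so they are not matched and cannot be flagged.
CONTROL_WORD_RE = re.compile(rb"\\([A-Za-z]+)(-?\d+)?")


def scan_rtf_control_words(data: bytes, limit: int = MAX_CONTROL_WORD_LEN):
    """Return a list of (offset, length, preview) for every control word whose
    alphabetic name exceeds `limit`. An empty list means nothing suspicious."""
    findings = []
    for match in CONTROL_WORD_RE.finditer(data):
        word = match.group(1)
        if len(word) > limit:
            # Offset of the backslash, name length, and the first 16 letters
            # so a log entry shows what was seen without dumping the payload.
            findings.append((match.start(), len(word), word[:16].decode("ascii")))
    return findings


def is_suspicious_rtf(data: bytes) -> bool:
    """Gate for a mail or upload filter: True if any control word is overlong."""
    return bool(scan_rtf_control_words(data))


# Constructed samples (not taken from the thread): a small well-formed document
# and a file built the way the quoted message describes, 2000 'A's as a name.
BENIGN_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Courier;}}"
    b"\\f0\\fs20 Hello, world.\\par}"
)
OVERLONG_RTF = b"{\\rtf\\" + b"A" * 2000 + b"}"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("overlong", OVERLONG_RTF)):
        hits = scan_rtf_control_words(doc)
        print(f"{name}: {'suspicious' if hits else 'clean'} {hits}")
```

Because the check is a bounded-length test on a byte pattern rather than a full RTF parse, it can run on a mail gateway or file-upload path with no dependency on the vulnerable parser itself; the `limit` parameter is exposed so a site that sees legitimate writers emitting slightly nonstandard names can tune it without editing the regex.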
