[12712] in bugtraq


Re: WordPad/riched20.dll buffer overflow

daemon@ATHENA.MIT.EDU (Ron Parker)
Wed Nov 24 02:40:58 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <3.0.1.32.19991123160439.02a32148@gwmicro.com>
Date:         Tue, 23 Nov 1999 16:04:39 -0500
Reply-To: Ron Parker <ron@GWMICRO.COM>
From: Ron Parker <ron@GWMICRO.COM>
X-To:         Solar Eclipse <solareclipse@SOFTHOME.NET>,
              BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3839E66C4E.41BDSOLARECLIPSE@smtp.softhome.net>

At 06:57 PM 11/22/1999 -0600, Solar Eclipse wrote:
>Mnemonix wrote that the shell code is not lowercased on Win2K. Are there
>any other restrictions? Can you use characters > 128 ?
>
>What about Win9x?
>
>Are there any DLLs loaded in the 6161616-7A7A7A7A range on their
>machines?

Only alphabetic characters seem to be allowed, but neither Win2K nor
Win98 changes the case.  I couldn't find any code loaded at useful
addresses in Win98, but in my Win2K it seems to load SHELL32.DLL at
775A1000.  There are useful RETs at the following addresses:

775A6267 gbZw: RET
775A7A73 szZw: RET 4
775A706D mpZw: RET 10
775A7156 VqZw: RET 14
775A7249 IrZw: RET 18

There are additional complications, though, in the form of stack variables
between the corrupted frame and the desired address.  These variables must
be worked around.  I haven't yet found a satisfactory combination of
RETs to get to the goal, but I've been within a DWORD of it.

--
Ron Parker
GW Micro, Inc.
Voice 219-489-3671
Fax 219-489-2608
