[12690] in bugtraq


Re: WordPad/riched20.dll buffer overflow

daemon@ATHENA.MIT.EDU (Ussr Labs)
Mon Nov 22 17:46:05 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <NCBBKFKDOLAGKIAPMILPCENJCAAA.labs@ussrback.com>
Date: Sat, 20 Nov 1999 04:29:42 -0300
Reply-To: Ussr Labs <labs@USSRBACK.COM>
From: Ussr Labs <labs@USSRBACK.COM>
X-To: BUGTRAQ <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM

Well, I worked on the exploit for the WordPad/riched20.dll buffer overflow, and
I have to say something bad: IT CAN'T BE EXPLOITED, FOR TWO REASONS.

1: The filter of riched20.dll only accepts letters from "a" to "z" or
"A" to "Z", which means you can only change the returned EIP to addresses from
61616161 to 7a7a7a7a.
I found one trick to get one, 0061616, if you put something like this in the
RTF file:

00000000:  7B 5C 72 74-66 31 5C 61-61 61 61 61-61 61 61 61  {\rtf1\aaaaaaaaa
00000010:  61 61 61 61-61 61 61 61-61 61 61 61-61 61 61 61  aaaaaaaaaaaaaaaa
00000020:  61 61 61 61-61 61 61 61-61 61 61 61-61 61 69 69  aaaaaaaaaaaaaaii
00000030:  69 00 69 69-69 5C 61 6E-73 69 63 70-67 31 32 35  i iii\ansicpg125
00000040:  32 5C 64 65-66 66 30 5C-64 65 66 6C-61 6E 67 31  2\deff0\deflang1

At address 0000031, the "i iii", the zero is a non-accepted character;
the filter of riched20.dll cuts it, and the story ends.

In the overflow area it appears like this:

69 69 00 48

and the EIP is: EIP=48006969

You can change the file with bad characters (the filter cuts them) and maybe
you can get one EIP like 00616161 (I did it), but anyway, you have to think
about another good point: you are over the SEGMENT OF CODE, CS. If you can get any
good EIP, you have to consider that you can only return over a segment of code of
riched20.dll, and if you search the complete range of code/data of
riched20.dll, there is nothing like our 'aaaaaiii'. The story ends there....

Sorry for my English,

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com


;Just if someone needs to know...
;
;Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer
;overflow problem with ".rtf"-files.
;
;Crashme.rtf :
;{\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
;
;A malicious document may probably abuse this to execute arbitrary
;code. WordPad crashes with EIP=41414141.
;
;Someone else can do a deeper investigation, since I don't care to.
;
;______________________________________________________
;Get Your Private, Free Email at http://www.hotmail.com
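Both messages above describe the same malformed input: an RTF control word (a backslash followed by letters) that runs far longer than any real control word, which is what overruns the buffer in riched20.dll. The reply also states that the filter stops the run at the first byte outside a-z/A-Z. The script below is an added example, not code from either poster or from Microsoft; it models that letter-only control-word rule as a detection check that flags an RTF file carrying an overlong control word, and exercises it on the Crashme.rtf from the quoted report, on the bytes reconstructed from the hex dump in the reply (the embedded 0x00 included), and on a constructed benign header. The 32-letter cap is an assumption taken from the RTF specification's limit on control-word length.

```python
import re

# RTF control words are a backslash followed by ASCII letters only, which is
# exactly the character class the reply says riched20.dll's filter accepts.
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)")

# Assumption: the RTF specification caps a control word at 32 letters, so a
# longer run has no legitimate meaning and is what the crash files contain.
MAX_CONTROL_WORD_LEN = 32


def find_overlong_control_words(data: bytes, limit: int = MAX_CONTROL_WORD_LEN):
    """Return (offset_of_backslash, letter_count) for every control word
    longer than `limit`.

    The letter run stops at the first byte outside a-z/A-Z, which mirrors the
    filter behaviour described in the reply: the 0x00 inside "i iii" ends the
    control word there, and whatever follows is parsed as new content.
    """
    hits = []
    for m in CONTROL_WORD.finditer(data):
        letters = m.end(1) - m.start(1)
        if letters > limit:
            hits.append((m.start(), letters))
    return hits


def is_suspicious_rtf(data: bytes) -> bool:
    """True for an RTF document containing at least one overlong control word."""
    return data.startswith(b"{\\rtf") and bool(find_overlong_control_words(data))


def longest_control_word(data: bytes) -> int:
    """Length of the longest control word, a convenient scalar for logging."""
    return max((m.end(1) - m.start(1) for m in CONTROL_WORD.finditer(data)), default=0)


# Sample 1 (taken from the quoted report): Crashme.rtf, 48 'A's after a backslash.
CRASHME = b"{\\rtf\\" + b"A" * 48 + b"}"

# Sample 2 (reconstructed from the hex dump in the reply, offsets 0x00-0x4F).
# The 0x00 after the first 'i' is kept, so the letter run is 39 'a' + 3 'i'.
DUMP = bytes.fromhex(
    "7B5C727466315C616161616161616161"
    "61616161616161616161616161616161"
    "61616161616161616161616161616969"
    "69006969695C616E7369637067313235"
    "325C64656666305C6465666C616E6731"
)

# Sample 3 (constructed): a benign header with ordinary control words.
BENIGN = b"{\\rtf1\\ansi\\deff0\\deflang1033 hello}"


if __name__ == "__main__":
    for name, doc in (("crashme", CRASHME), ("dump", DUMP), ("benign", BENIGN)):
        hits = find_overlong_control_words(doc)
        print(f"{name}: suspicious={is_suspicious_rtf(doc)} "
              f"longest={longest_control_word(doc)} hits={hits}")
```

Run as a script it reports the offset and length of the oversized run in the two crash samples (42 letters in the dump, because the NUL at offset 0x31 terminates the run exactly as the reply describes) and nothing for the benign header. A check like this is cheap enough to sit at a mail gateway or file-upload handler as a first-pass filter for documents aimed at this class of parser bug.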
