[12724] in bugtraq
Re: WordPad/riched20.dll buffer overflow
daemon@ATHENA.MIT.EDU (Gerardo Richarte)
Fri Nov 26 00:45:23 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <383C263F.7D0A66E@core-sdi.com>
Date: Wed, 24 Nov 1999 14:50:02 -0300
Reply-To: Gerardo Richarte <core.lists.bugtraq@CORE-SDI.COM>
From: Gerardo Richarte <core.lists.bugtraq@CORE-SDI.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Solar Eclipse wrote:
> Just find me a single RET instruction and I will rule the world!
'ldkw' == 0x776B646C; on my NT4SP3 this is a RET 8 [C2 08] in WS2_32.dll. The
address we wish to return to (the one in the heap you [Solar] mentioned) would be
reachable with this RET 8, and I managed to use this RET 8 several times
['ldkwldkwldkwldkwldkwldkwldkw...'], but suddenly it wants to return to 0x00000102,
which I couldn't change; I don't know why.
Don't forget that there is another group of addresses that you can jump to (as
Thomas Dullien said in vuln-dev).
The original return address is something like 0x6C00???? (who knows it?), so,
using a one-, two- or three-byte buffer overflow, you can jump to a
different family of addresses, always with a 0x00 in the middle.
By the way, I noticed that a single RET (with no argument) is still useful, BUT
you must take care of the 0x00 at the end of the ASCIIZ string, so you need a return
address some bytes after the beginning of the string in the HEAP (which I saw
somewhere in the stack).
First I said that if it's exploitable it would be really hard; now I say it
again, being closer to an 'it's not exploitable' (just a matter of luck), having in
mind the differences between different incarnations of Wordpad in memory (DLLs,
SPs, OSs, etc.).
richie
--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com
--- For a personal reply use gera@core-sdi.com