Re: development of wordpad exploit

[bwrics () ANTIONLINE ORG (Aubrey Smith)]

 ('binary' encoding is not supported, stored as-is)

Gerardo, for those of us who are less exploit-savvy, could you please explain how your hack works? The only text that I 
saw in your attached kk.rtf file was "hola".

While Spanish has been know to overflow my buffers (being and english-only speaker), I would like to know how you are 
using the overflow and how I could duplicate your hack (for educational purposes only, except possibly where my 
mother-in-law is concerned).

Thanks

> Date:         Fri, 19 Nov 1999 13:40:45 -0300
> Reply-To: Gerardo Richarte <core.lists.exploit-dev () CORE-SDI COM>
> From: Gerardo Richarte <core.lists.exploit-dev () CORE-SDI COM>
> Subject:      Re: development of wordpad exploit
> To: VULN-DEV () SECURITYFOCUS COM
>
> "hypoclear - lUSt - (Linux Users Strike Today)" wrote:
> > I light of the latest windows vulnerability in wordpad, it would be great if in this forum we could develop an 
> > exploit for it.  As of now details of the vulnerability are on the net, however no exploit exists yet.  This would 
> > be an excellent opportunity for all of us who don't really know how to code exploits (yet) to see all the details of 
> > developing one.  Anyone else like this idea?!?
>
>     I've been playing with this since yesterday. Just today could make the
> buffer overflow with EIP pointing to 0x61616161, BUT... (of course, what
> did you expected?), first what's first:
>
> demo:
>
> ---------- kk.rtf -----------------------------
> {\rtf1\abcdefghijklmnaabbstuvwxyzabcdefghijklmnccddstuvwxyzabcdefghijklmneeffstuvwxyzabcdefghijklmngghhstuvwxyzabcdefghijklmniijjstuvwxyzabcdefghijklmnkkllstuvwxyzabcdefghijklmnmmnnstuvwxyzansi\deff0\deftab720{\fonttbl{\f0\fswiss
> MS Sans Serif;}{\f1\froman\fcharset2 Symbol;}{\f2\froman Times New
> Roman;}}
> {\colortbl\red0\green0\blue0;}
> \deflang1033\pard\plain\f2\fs20 hola
> \par }
> ^@
> -----------------------------------------------
>     [lines finishing in '}}',';}','hola',' }','^@']
>
>      It's a standard RTF file for the text 'hola', plus, an inserted string
> ('abcde....xyz') befor the string 'ansi'.
>
>     'ccdd' is the return address (EIP)
>     If the string ansi is missing (i tested with some other strings, not
> every other string...) nothing 'good' happens.
>     Any non letter character befor the string 'ccdd' makes nothing happen.
> I'm not sure which characters can be in this section of the .RTF.
>     If uppercase letters are used, they are lowercased (at least the return
> address)  (!!! It's what looks like, but in the original post, it says
> EIP = 0x41414141, what I couldn't reproduce...)
>
>     I can't find the [reminding or original] string in memory...
>
>     I'll continue some more time with this, but it doesn't look too easy to
> exploit...
>
>     richie
>
> PS:if you have Word installed, this is the default opener for RTFs
> (which doesn't crash), what makes it a little harder to exploit remotley
> PPS: I found another buffer overflow that affects Word, use a .RTF file
> like
> {\rtf\AAAAAAAAAAAA..............}       (more that 5000 As)
>
>     this doesn't make EIP = 0x41414141, it makes ESI = 0x41414141, and if
> you use more than 10.000 As, it makes EDI = 0x41414141. It may be
> exploitable, but doesn't look easy.
>
> --
> A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
> Investigacion y Desarrollo - CoreLabs - Core SDI
> http://www.core-sdi.com
> << kk.rtf >>

------------------------------------------------------------
I Got My Free E-mail Account, Get Yours! - http://www.AntiOnline.com
AntiOnline - The Internet's Information Security Super Center!