Well, I work on the exploit of the WordPad/riched20.dll buffer overflow, and I have to say something bad: IT CAN'T BE EXPLOITABLE, FOR TWO REASONS.

1: The filter of riched20.dll only accepts letters from "a" to "z" or "A" TO "Z". That means you can only change the returned EIP to an address from 61616161 to 7a7a7a7a. I found one trick to get one, 0061616, if you put something like this in the RTF file:

00000000: 7B 5C 72 74-66 31 5C 61-61 61 61 61-61 61 61 61  {\rtf1\aaaaaaaaa
00000010: 61 61 61 61-61 61 61 61-61 61 61 61-61 61 61 61  aaaaaaaaaaaaaaaa
00000020: 61 61 61 61-61 61 61 61-61 61 61 61-61 61 69 69  aaaaaaaaaaaaaaii
00000030: 69 00 69 69-69 5C 61 6E-73 69 63 70-67 31 32 35  i iii\ansicpg125
00000040: 32 5C 64 65-66 66 30 5C-64 65 66 6C-61 6E 67 31  2\deff0\deflang1

At address 0000031, in the "i iii", the zero is a non-accepted character; the filter of riched20.dll cuts it, and the story ends. In the overflow area it appears like this: 69 69 00 48, and the EIP is: EIP=48006969. You can change the file with bad characters (the filter cuts them) and maybe you can get an EIP LIKE 00616161 (I did it).

But anyway, you have to think about another good point: you are over the SEGMENT OF CODE, CS. If you can get any good EIP, you have to think you can only return over a segment of code of riched20.dll, and if you search the complete range of code/data of riched20.dll, there is nothing like our 'aaaaaiii'. The story ends there.... Sorry for my English.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com

;Just if someone needs to know...
;
;Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer
;overflow problem with ".rtf"-files.
;
;Crashme.rtf :
;{\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
;
;A malicious document may probably abuse this to execute arbitrary
;code. WordPad crashes with EIP=41414141.
;
;Someone else do deeper investigation since I don't care to.
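Both the quoted Crashme.rtf and the hex dump in the reply above rely on one thing: an RTF control word that is far longer than the 32-letter maximum the RTF specification allows. The scanner below is an added example (it is not code from the post, from the quoted report, or from riched20.dll) that flags such over-long control words in an RTF file, which is the simplest signature a mail gateway or file-inspection step can check for. Its "lenient" mode models the filter behaviour the poster describes, where a non-letter byte such as 0x00 is dropped instead of ending the word; that behaviour is an assumption taken from the post, not from the control's real parser. The two sample inputs are constructed from the text of the post.

```python
import string
from typing import List, Tuple

LETTERS = set(string.ascii_letters.encode())
# RTF control words are at most 32 letters; anything longer is not a
# legitimate control word (assumption: used here as the alert threshold).
CONTROL_WORD_LIMIT = 32
# Bytes that legitimately end a control word in either scanning mode.
WORD_END = set(b" \\{}\r\n;")


def scan_control_words(data: bytes, lenient: bool = False) -> List[Tuple[int, int]]:
    """Return (offset_of_backslash, letter_count) for each control word in data.

    Strict mode ends a word at the first non-letter, as a conforming RTF
    reader does. Lenient mode models the filter described in the post:
    a non-letter byte that is not a delimiter is silently dropped and the
    word keeps growing, so 'iii\\x00iii' counts as six letters of one run.
    """
    words = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != 0x5C:  # not a backslash: skip document text
            i += 1
            continue
        start = i
        i += 1
        count = 0
        while i < n:
            b = data[i]
            if b in LETTERS:
                count += 1
            elif lenient and b not in WORD_END:
                pass  # filtered byte: word continues (assumption from the post)
            else:
                break
            i += 1
        if count:
            words.append((start, count))
    return words


def overlong_words(data: bytes, lenient: bool = False,
                   limit: int = CONTROL_WORD_LIMIT) -> List[Tuple[int, int]]:
    """Control words whose letter count exceeds the spec limit."""
    return [(off, cnt) for off, cnt in scan_control_words(data, lenient) if cnt > limit]


def is_suspicious(data: bytes) -> bool:
    """True if the file contains an over-long control word under either model."""
    return bool(overlong_words(data) or overlong_words(data, lenient=True))


# Constructed samples (not real files): the quoted Crashme.rtf and a
# reconstruction of the hex dump from the reply above.
CRASHME = b"{\\rtf\\" + b"A" * 48 + b"}"
SAMPLE_DUMP = (b"{\\rtf1\\" + b"a" * 39 + b"iii" + b"\x00" + b"iii"
               + b"\\ansicpg1252\\deff0\\deflang1")
BENIGN = b"{\\rtf1\\ansi\\deff0 Hello}"

if __name__ == "__main__":
    for name, sample in (("Crashme.rtf", CRASHME), ("hex dump", SAMPLE_DUMP), ("benign", BENIGN)):
        print(name, "strict:", overlong_words(sample),
              "lenient:", overlong_words(sample, lenient=True),
              "suspicious:", is_suspicious(sample))
```

In strict mode the hex-dump sample yields a 42-letter word that the 0x00 byte cuts short; in lenient mode the same bytes count as 45 letters, matching the poster's observation that the null is discarded rather than terminating the word. Either way the length alone is enough to flag the file, so a defender does not need to model the filter precisely to detect this pattern.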
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:42 PDT