Re: WordPad/riched20.dll buffer overflow

From: Ussr Labs (labsat_private)
Date: Fri Nov 19 1999 - 23:29:42 PST


    Well, I worked on the exploit for the WordPad/riched20.dll buffer overflow, and
    I have to say something bad: IT CAN'T BE EXPLOITABLE, FOR TWO REASONS.
    
    1: the filter of riched20.dll only accepts letters from "a" to "z" or
    "A" to "Z", which means you can only change the returned EIP to an address from
    61616161 to 7a7a7a7a.
    I found one trick to get one, 00616161, if you put something like this in the
    rtf file
    
    00000000:  7B 5C 72 74-66 31 5C 61-61 61 61 61-61 61 61 61  {\rtf1\aaaaaaaaa
    00000010:  61 61 61 61-61 61 61 61-61 61 61 61-61 61 61 61  aaaaaaaaaaaaaaaa
    00000020:  61 61 61 61-61 61 61 61-61 61 61 61-61 61 69 69  aaaaaaaaaaaaaaii
    00000030:  69 00 69 69-69 5C 61 6E-73 69 63 70-67 31 32 35  i iii\ansicpg125
    00000040:  32 5C 64 65-66 66 30 5C-64 65 66 6C-61 6E 67 31  2\deff0\deflang1
    
    at address 00000031, in the "i iii", the zero is a non-accepted character;
    the filter of riched20.dll cuts it, and the story ends.
    
    In the overflow area it appears like this,
    
    69 69 00 48
    
    and the EIP is: EIP=48006969
    
    You can change the file with bad characters (the filter cuts them) and maybe
    you can get an EIP LIKE 00616161 (I did it), but anyway, you have to think about
    another good point: you are over the SEGMENT OF CODE, CS. Even if you can get a
    good EIP, you have to consider that you can only return to a segment of code of
    riched20.dll, and if you search the complete range of code/data of
    riched20.dll, there is nothing like our 'aaaaaiii'. The story ends there....
    
    sorry for my English,
    
    u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
    http://www.ussrback.com
    
    
    ;Just if someone needs to know...
    ;
    ;Win98/NT4 Riched20.dll (which WordPad uses) has a classic buffer
    ;overflow problem with ".rtf"-files.
    ;
    ;Crashme.rtf :
    ;{\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
    ;
    ;A malicious document may probably abuse this to execute arbitrary
    ;code. WordPad crashes with EIP=41414141.
    ;
    ;Someone else can do a deeper investigation, since I don't care to.
    ;
    ;______________________________________________________
    ;Get Your Private, Free Email at http://www.hotmail.com
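
The constraint the post describes (a letters-only control-word filter sitting in front of an unbounded copy, so the overwritten return address can only be built from bytes 0x41..0x5a and 0x61..0x7a unless the terminating NUL is used) can be modelled and checked offline. The following is an added example written for this archive page; it is not code from either poster and it does not touch riched20.dll. Everything about the layout is an assumption: the 40-byte word buffer directly below the saved return address, the filter stopping at the first non-letter (including a NUL, as the "i iii" dump shows), and the pre-existing top EIP byte 0x48. The two constructed inputs are the Crashme.rtf control word and the control word from the post's hex dump; address_passes_filter() is the check a practitioner would run on any candidate return address before searching a module for it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Filter modelled on the post: only ASCII letters are accepted and the
 * control word ends at the first other byte. Assumption for this example:
 * a NUL ends the word like any other non-letter, as the "i iii" dump shows. */
static bool is_rtf_letter(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

size_t filter_control_word(const unsigned char *in, size_t in_len,
                           char *out, size_t out_cap)
{
    size_t n = 0;
    while (n < in_len && n + 1 < out_cap && is_rtf_letter(in[n])) {
        out[n] = (char)in[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Hypothetical frame (an assumption): a 40-byte word buffer directly below
 * the saved return address. 40 is chosen so that the post's 42-letter word
 * lands two 'i's and the NUL in the saved EIP, reproducing "69 69 00 48".
 * The saved EIP is kept as four little-endian bytes, as on an x86 stack. */
#define WORD_BUF_LEN 40
struct frame {
    char    word[WORD_BUF_LEN];
    uint8_t saved_eip[4];
};

/* Model of the unbounded strcpy-style copy of the filtered word (plus NUL)
 * over the frame. The copy is clamped to sizeof(struct frame) so the model
 * stays deterministic; the real bug has no such clamp. Returns the value
 * the CPU would load into EIP on return. */
uint32_t eip_after_overflow(const unsigned char *rtf_word, size_t len,
                            uint32_t old_eip)
{
    struct frame f;
    char filtered[256];
    size_t n, to_copy;

    memset(&f, 0, sizeof f);
    for (int i = 0; i < 4; i++)
        f.saved_eip[i] = (uint8_t)(old_eip >> (8 * i));

    n = filter_control_word(rtf_word, len, filtered, sizeof filtered);
    to_copy = n + 1;                       /* letters plus NUL terminator */
    if (to_copy > sizeof f)
        to_copy = sizeof f;
    memcpy(&f, filtered, to_copy);

    return (uint32_t)f.saved_eip[0] | (uint32_t)f.saved_eip[1] << 8 |
           (uint32_t)f.saved_eip[2] << 16 | (uint32_t)f.saved_eip[3] << 24;
}

/* Check for any candidate return address: it only survives the filter if
 * all four bytes are letters, i.e. each in 0x41..0x5a or 0x61..0x7a. */
bool address_passes_filter(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (!is_rtf_letter((unsigned char)(addr >> (8 * i))))
            return false;
    return true;
}

/* Constructed input: the Crashme.rtf control word, 48 'A's. */
uint32_t demo_crashme_eip(void)
{
    unsigned char word[48];
    memset(word, 'A', sizeof word);
    return eip_after_overflow(word, sizeof word, 0x48001234u); /* old EIP assumed */
}

/* Constructed input: the control word from the post's hex dump, 39 'a's,
 * "iii", an embedded NUL, then "iii". The old EIP's top byte 0x48 is an
 * assumed value that matches the dump. */
uint32_t demo_nul_trick_eip(void)
{
    unsigned char word[46];
    memset(word, 'a', 39);
    memcpy(word + 39, "iii", 3);
    word[42] = 0x00;
    memcpy(word + 43, "iii", 3);
    return eip_after_overflow(word, sizeof word, 0x48001234u);
}

int main(void)
{
    uint32_t c[] = { 0x41414141u, 0x7a7a7a7au, 0x48006969u, 0x00616161u };

    printf("Crashme.rtf -> EIP=%08x\n", demo_crashme_eip());
    printf("NUL trick   -> EIP=%08x\n", demo_nul_trick_eip());
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%08x passes filter: %s\n", c[i],
               address_passes_filter(c[i]) ? "yes" : "no");
    return 0;
}
```

The model reproduces both values in the thread (EIP=41414141 for Crashme.rtf, EIP=48006969 for the NUL trick) and makes the second poster's point mechanical: with the NUL you get exactly one zero byte and whatever sat in the frame above it, and every other byte of the return address still has to be a letter, so address_passes_filter() rejects both 48006969 and 00616161.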
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:42 PDT