Re: WordPad/riched20.dll buffer overflow

From: Gerardo Richarte (core.lists.bugtraq@CORE-SDI.COM)
Date: Wed Nov 24 1999 - 09:50:02 PST


    Solar Eclipse wrote:
    
    > Just find me a single RET instruction and I will rule the world!
    
        'ldkw' == 0x776B646C, which in my NT4SP3 is a RET 8 [C2 08] in WS2_32.dll. The
    address we wish to return to (the one in the heap you [Solar] mentioned) would be
    reachable with this RET 8, and I managed to use this RET 8 several times
    ['ldkwldkwldkwldkwldkwldkwldkw...'], but suddenly it wants to return to 0x00000102,
    which I couldn't change; I don't know why.
        Don't forget that there are other groups of addresses that you can jump to (as
    Thomas Dullien said in vuln-dev).
        The original return address is something like 0x6C00???? (who knows it?), so,
    using a one-, two- or three-byte buffer overflow, you can jump to a
    different family of addresses, always with a 0x00 in the middle.
        By the way, I noticed that a single RET (with no argument) is still useful, BUT
    you must take care of the 0x00 at the end of the ASCIIZ string, so you need a return
    address some bytes after the beginning of the string in the HEAP (which I saw
    somewhere in the stack).
        First I said that if it's exploitable it would be really hard; now I say it
    again, being closer to 'it's not exploitable' (just a matter of luck), bearing in
    mind the differences between different incarnations of Wordpad in memory (DLLs,
    SPs, OSs, etc.).
    
        richie
    --
    A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
    Research and Development - CoreLabs - Core SDI
    http://www.core-sdi.com
    
    
    --- For a personal reply use gera@core-sdi.com
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:14:09 PDT