Solar Eclipse wrote:
> Just find me a single RET instruction and I will rule the world!

'ldkw' == 0x776B646C, in my NT4SP3 is a RET 8 [C2 08] in WS2_32.dll. The address we wish to return to (the one in the heap you [Solar] said) would be reachable with this RET 8, and I managed to use this RET 8 several times ['ldkwldkwldkwldkwldkwldkwldkw...'], but suddenly it wants to return to 0x00000102, which I couldn't change; I don't know why.

Don't forget that there are other groups of addresses that you can jump to (as Thomas Dullien said in vuln-dev). The original return address is something like 0x6C00???? (who knows it?), so, using a by-one, by-two or by-three bytes buffer overflow, you can jump to a different family of addresses, always with a 0x00 in the middle.

By the way, I noticed that a single RET (with no argument) is still useful BUT you must take care of the 0x00 at the end of the ASCIIZ, so you need a return address some bytes after the beginning of the string in the HEAP (which I saw somewhere in the stack).

First I said that if it's exploitable it would be really hard; now I say it again, being closer to: 'it's not exploitable' (just a matter of luck), having in mind the differences between different incarnations of Wordpad in memory (DLLs, SPs, OSs, etc).

richie

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com
---
For a personal reply use gera@core-sdi.com
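A worked illustration of the two tricks discussed in the mail above, added here as an example; it is not part of the original post or of Core SDI's code. It shows why the ASCII string "ldkw" reads as 0x776B646C on a little-endian stack, why a RET 8 sled steps 12 bytes per gadget (so the dword you want to land on must sit at a multiple of three dwords from the first gadget or it gets popped as an argument), and what return addresses a by-one, by-two or by-three overflow produces once strcpy's NUL terminator lands on the byte after the copied ones, starting from an original return of the 0x6C00???? form. The gadget address is taken as given (the simulation does not look inside WS2_32.dll); the heap address 0x00420000, the saved return 0x6C00ABCD and the overflow bytes "A", "AB", "ABC" are constructed values, and nothing here touches a real process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian dword from four ASCII bytes: "ldkw" -> 0x776B646C. */
uint32_t ascii_to_addr(const char *s)
{
    return  (uint32_t)(unsigned char)s[0]
         | ((uint32_t)(unsigned char)s[1] << 8)
         | ((uint32_t)(unsigned char)s[2] << 16)
         | ((uint32_t)(unsigned char)s[3] << 24);
}

/* Inverse: the four bytes of addr in memory order, as a C string in out.
 * Returns 1 if every byte is printable ASCII (no NUL, so the address can
 * ride inside an ASCIIZ string), else 0. */
int addr_to_ascii(uint32_t addr, char out[5])
{
    int ok = 1;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(addr >> (8 * i));
        out[i] = (char)b;
        if (b < 0x20 || b > 0x7e) ok = 0;
    }
    out[4] = '\0';
    return ok;
}

/* By-one/two/three overflow into a saved return address: strcpy writes the
 * n bytes of s over the low bytes of orig, then its NUL over the next byte.
 * Returns the return address the function will actually use. */
uint32_t partial_overwrite(uint32_t orig, const char *s, size_t n)
{
    unsigned char b[4];
    for (size_t i = 0; i < 4; i++) b[i] = (unsigned char)(orig >> (8 * i));
    for (size_t i = 0; i < n && i < 4; i++) b[i] = (unsigned char)s[i];
    if (n < 4) b[n] = 0;                     /* the terminator lands here */
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8)
         | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Walk a RET imm16 sled. stack[] holds the dwords the string laid down and
 * sp is the index of the dword the first RET pops. Each time the popped
 * dword is the gadget address, the gadget runs again and discards 4 + imm
 * bytes, i.e. 1 + imm/4 dwords. Stops at the first non-gadget dword,
 * storing it in *landed and the gadget count in *hops; returns 0 if the walk
 * ran off the end of stack[] (the chain continues into whatever follows). */
int ret_sled(const uint32_t *stack, size_t ndw, size_t sp,
             uint32_t gadget, unsigned imm, uint32_t *landed, int *hops)
{
    size_t step = 1 + imm / 4;
    *hops = 0;
    while (sp < ndw) {
        if (stack[sp] != gadget) { *landed = stack[sp]; return 1; }
        (*hops)++;
        sp += step;
    }
    return 0;
}

/* Lay k copies of "ldkw" followed by target, as the overflowing string
 * would, and report how many RET 8 hops it takes to reach target, or -1
 * if the sled steps over it (target at an index not a multiple of 3). */
int hops_to_target(size_t k, uint32_t target)
{
    uint32_t stack[64], landed;
    int hops;
    if (k + 1 > sizeof stack / sizeof stack[0]) return -1;
    for (size_t i = 0; i < k; i++) stack[i] = ascii_to_addr("ldkw");
    stack[k] = target;
    if (!ret_sled(stack, k + 1, 0, 0x776B646C, 8, &landed, &hops)) return -1;
    return landed == target ? hops : -1;
}

int main(void)
{
    char s[5];
    addr_to_ascii(ascii_to_addr("ldkw"), s);
    printf("\"ldkw\" -> 0x%08X -> \"%s\"\n", ascii_to_addr("ldkw"), s);

    /* Constructed: 0x00420000 stands in for the heap address we want. */
    printf("9 x ldkw then target: hops = %d\n", hops_to_target(9, 0x00420000));
    printf("10 x ldkw then target: hops = %d (target skipped)\n", hops_to_target(10, 0x00420000));

    /* Constructed: original return 0x6C00ABCD hit by 1-, 2- and 3-byte overflows. */
    printf("by-one:   0x%08X\n", partial_overwrite(0x6C00ABCD, "A", 1));
    printf("by-two:   0x%08X\n", partial_overwrite(0x6C00ABCD, "AB", 2));
    printf("by-three: 0x%08X\n", partial_overwrite(0x6C00ABCD, "ABC", 3));
    return 0;
}
```

The sled walk is the reason an "ldkwldkw..." string works regardless of alignment: every dword is the gadget, so it does not matter which three-dword stride the RET 8 takes. It is also why the dword that ends the chain has to be placed deliberately; a target at dword 10 after ten gadgets is consumed as the gadget's argument and the chain keeps walking into whatever lies past the string.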
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:14:09 PDT