Bugtraq mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: dullien () GMX DE (Thomas Dullien)
Date: Tue, 23 Nov 1999 13:53:08 +0100
On Sat, 20 Nov 1999 00:43:26 -0000, Mnemonix wrote:
> This is exploitable. On both Windows NT4 and Windows 2000 the payload can be
It is not. As seen from the posts by USSR labs and Solar Eclipse as well as from my analysis on the vuln-dev list we can safely say that the DLL is not exploitable under the current conditions in Wordpad. If it were used by other programs, it could be that we can possibly exploit it. In our scenario, though, all areas we can set EIP to are non-paged or garbage for our purposes. Even a partial frame buffer overwrite will not lead us anywhere useful, so we can safely assume this one is 'dead' ;) For details see vuln-dev archive :)
> Windows 2000 preserves the case. Both OS's have the return address over-written so all you have to do is find an instruction in the memory space that does a JMP ESP - there are quite a few floating around the place.
Not one lies within a range we can point EIP to.
For anyone interested in NT buffer overruns some useful docs on the subject can be found at http://www.infowar.co.uk/mnemonix
Thomas Dullien dullien () gmx de Win32 Security Consultant ;-> Hire me !
Current thread:
- Re: WordPad/riched20.dll buffer overflow, (continued)
- Re: WordPad/riched20.dll buffer overflow Casper Dik (Nov 30)
- Default IE 5.0 security settings allow frame spoofing Georgi Guninski (Nov 30)
- Re: WordPad/riched20.dll buffer overflow Jason Spence (Nov 28)
- TooRcon Computer Security Expo Announces Pre-Registration Ben (Nov 28)
- Re: WordPad/riched20.dll buffer overflow User SCOTT (Nov 18)
- Re: WordPad/riched20.dll buffer overflow - Full Details Solar Eclipse (Nov 21)
- Re: WordPad/riched20.dll buffer overflow Mnemonix (Nov 19)
- Re: WordPad/riched20.dll buffer overflow Solar Eclipse (Nov 22)
- Re: WordPad/riched20.dll buffer overflow Ron Parker (Nov 23)
- Re: WordPad/riched20.dll buffer overflow Solar Eclipse (Nov 22)
- Re: WordPad/riched20.dll buffer overflow Ussr Labs (Nov 19)
- Re: WordPad/riched20.dll buffer overflow Thomas Dullien (Nov 23)
- Re: WordPad/riched20.dll buffer overflow Mnemonix (Nov 23)
- Re: WordPad/riched20.dll buffer overflow Ussr Labs (Nov 23)