Bugtraq mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: ron () GWMICRO COM (Ron Parker)
Date: Tue, 23 Nov 1999 16:04:39 -0500
At 06:57 PM 11/22/1999 -0600, Solar Eclipse wrote:
> Mnemonix wrote that the shell code is not lowercased on Win2K. Are there any other restrictions? Can you use characters > 128? What about Win9x? Are there any DLLs loaded in the 6161616-7A7A7A7A range on their machines?
Only alphabetic characters seem to be allowed, but neither Win2K nor Win98 changes the case. I couldn't find any code loaded at useful addresses in Win98, but in my Win2K it seems to load SHELL32.DLL at 775A1000. There are useful RETs at the following addresses:

775A6267 gbZw: RET
775A7A73 szZw: RET 4
775A706D mpZw: RET 10
775A7156 VqZw: RET 14
775A7249 IrZw: RET 18

There are additional complications, though, in the form of stack variables between the corrupted frame and the desired address. These variables must be worked around. I haven't yet found a satisfactory combination of RETs to get to the goal, but I've been within a DWORD of it.

--
Ron Parker
GW Micro, Inc.
Voice 219-489-3671
Fax 219-489-2608
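The addresses above are "useful" only because every byte of them is a letter, which is why the SHELL32.DLL load address matters. As an added defender-side check (not code from the thread), the following decodes an address into the bytes that would produce it and measures how much of a module mapping is reachable at all under a letters-only constraint; a module rebased or randomized outside that range scores zero. The SHELL32.DLL base 0x775A1000 is the one quoted in the post; the module sizes and the second module are constructed sample values.

```python
import string

# Byte values that survive a letters-only filter (A-Z and a-z).
ALPHA = frozenset(string.ascii_letters.encode())


def is_alpha_address(addr: int) -> bool:
    """True if all four little-endian bytes of a 32-bit address are letters."""
    return all(b in ALPHA for b in addr.to_bytes(4, "little"))


def address_as_text(addr: int) -> str:
    """Render a 32-bit address as the byte string that stores it in memory
    (little-endian), e.g. 0x775A6267 -> 'gbZw' as listed in the post."""
    return addr.to_bytes(4, "little").decode("ascii", errors="replace")


def count_alpha_addresses(base: int, size: int) -> int:
    """Count addresses in [base, base + size) whose bytes are all letters.
    Works one 256-byte page at a time: the upper three bytes are checked
    once per page, so only the low byte needs per-address testing."""
    total = 0
    first_page, last_page = base >> 8, (base + size - 1) >> 8
    for page in range(first_page, last_page + 1):
        if not all(b in ALPHA for b in page.to_bytes(3, "little")):
            continue
        lo = max(base, page << 8)
        hi = min(base + size, (page + 1) << 8)
        total += sum(1 for a in range(lo, hi) if (a & 0xFF) in ALPHA)
    return total


def module_exposure(modules):
    """Map module name -> number of its addresses reachable with letters only.
    `modules` is an iterable of (name, base, size); sizes here are assumed."""
    return {name: count_alpha_addresses(base, size) for name, base, size in modules}


if __name__ == "__main__":
    for addr in (0x775A6267, 0x775A7A73, 0x775A706D, 0x775A7156, 0x775A7249):
        print(f"{addr:08X} {address_as_text(addr)} alpha={is_alpha_address(addr)}")
    # Constructed sample mappings: SHELL32 base from the post, sizes assumed.
    sample = [("SHELL32.DLL", 0x775A1000, 0x10000), ("rebased.dll", 0x10000000, 0x10000)]
    for name, reachable in module_exposure(sample).items():
        print(f"{name}: {reachable} letters-only addresses")
```

A non-zero count does not mean a usable RET exists there; it only shows whether the mapping is exposed to this constraint at all, which is the property rebasing and ASLR remove.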