Bugtraq mailing list archives

Re: WordPad/riched20.dll buffer overflow


From: core.lists.bugtraq () CORE-SDI COM (Gerardo Richarte)
Date: Wed, 24 Nov 1999 14:50:02 -0300


Solar Eclipse wrote:

Just find me a single RET instruction and I will rule the world!

    'ldkw' == 0x776B646C, which in my NT4SP3 is a RET 8 [C2 08] in WS2_32.dll; the
address we wish to return to (the one in the heap you [Solar] said) would be
reachable with this RET 8, and I managed to use this RET 8 several times
['ldkwldkwldkwldkwldkwldkwldkw...'], but suddenly it wants to return to 0x00000102,
which I couldn't change; I don't know why.
    Don't forget that there is another group of addresses that you can jump to (as
Thomas Dullien said in vuln-dev).
    The original return address is something like 0x6C00???? (who knows it?), so,
using a one-, two- or three-byte buffer overflow, you can jump to a
different family of addresses, always with a 0x00 in the middle.
    By the way, I noticed that a single RET (with no argument) is still useful BUT
you must take care of the 0x00 at the end of the ASCIIZ, so you need a return
address some bytes after the beginning of the string in the HEAP (which I saw
somewhere in the stack).
    First I said that if it's exploitable it would be really hard; now I say it
again, being closer to 'it's not exploitable' (just a matter of luck), bearing in
mind the differences between different incarnations of WordPad in memory (DLLs,
SPs, OSs, etc.).

    richie

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com

--- For a personal reply use gera () core-sdi com
