Full Disclosure mailing list archives
Re: Wordpad Command line argument vulnerability is it known ?
From: Berend-Jan Wever <berendjanwever () gmail com>
Date: Thu, 18 Mar 2010 14:05:21 +0100
This is very probably known and fixed, as I published about the many BoFs and format string vulns in command line handling in Windows applications in 2004 (http://seclists.org/bugtraq/2004/Oct/45), after which most if not all of them got fixed. I cannot reproduce it on XP SP3.

If you still want to exploit it, why don't you encode your shellcode to lowercase alphanumeric using ALPHA3? http://code.google.com/p/alpha3/

Berend-Jan Wever <berendjanwever () gmail com>
http://skypher.com/SkyLined

On Wed, Mar 17, 2010 at 3:20 PM, sachin shinde <sachinshinde11 () gmail com> wrote:
> hi,
> There is a classic buffer/stack overflow in wordpad.exe, tested on WinXP SP2 (is it already known?). On the text console wordpad.exe takes an argument as a filename and there it happens. But writing shellcode for it is very hard, because wordpad changes uppercase chars to lowercase chars. If anyone has any idea about this please reply!
> Though it looks like a local vulnerability, we can trigger it remotely with ActiveX and JavaScript. I can give a full demonstration but can't write shellcode because of too many bad characters (of course I can show you int 3 (0xcc)), but would like to show the full proof of concept demonstration.
> Regards,
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
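The pattern the thread describes, wordpad.exe being handed an over-long "filename" argument, possibly launched from a browser via ActiveX or JavaScript, is something a defender can look for in process-creation telemetry. The script below is an added example and is not part of the thread or of any tool mentioned in it. The log format (key=value fields separated by '|', loosely modelled on Sysmon process-creation events), the sample lines, the MAX_PATH threshold and the list of browser parent processes are all assumptions constructed for the example; adapt the field names to your own EDR or Sysmon output.

```python
"""Flag suspicious wordpad.exe launches in process-creation logs.

Added example, not code from the mailing-list thread. Heuristics:
  1. a command-line argument longer than MAX_PATH cannot be a real file
     name, which is the shape of the overflow input described in the thread;
  2. wordpad.exe started by a web browser matches the "trigger it remotely
     with ActiveX and JavaScript" scenario.
Log format, field names and sample events are constructed for this example.
"""
import re

MAX_PATH = 260  # Windows MAX_PATH; a "filename" argument longer than this is not a path
BROWSER_PARENTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}  # assumed list

# Constructed sample telemetry (not real events): benign launch, suspicious
# launch with a 600-byte argument from a browser, and an unrelated process.
SAMPLE_LOG = "\n".join([
    'Image=C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe'
    '|ParentImage=C:\\Windows\\explorer.exe'
    '|CommandLine="wordpad.exe" "C:\\Users\\alice\\Documents\\notes.rtf"',
    'Image=C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe'
    '|ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe'
    '|CommandLine="wordpad.exe" ' + "A" * 600,
    'Image=C:\\Windows\\System32\\notepad.exe'
    '|ParentImage=C:\\Windows\\explorer.exe'
    '|CommandLine="notepad.exe" C:\\tmp\\a.txt',
])


def parse_event(line):
    """Split a 'key=value|key=value' line into a dict (only the first '=' separates)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def arguments(cmdline):
    """Tokenise a Windows command line (quoted or bare tokens) and drop argv[0]."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    return tokens[1:]


def suspicious_reasons(event):
    """Return the heuristics this event trips; an empty list means not flagged."""
    if basename(event.get("Image", "")) != "wordpad.exe":
        return []
    reasons = []
    longest = max((len(a) for a in arguments(event.get("CommandLine", ""))), default=0)
    if longest > MAX_PATH:
        reasons.append(f"argument of {longest} bytes exceeds MAX_PATH ({MAX_PATH})")
    if basename(event.get("ParentImage", "")) in BROWSER_PARENTS:
        reasons.append("launched by a web browser")
    return reasons


def scan(log_text):
    """Return [(line_number, reasons)] for every event that trips a heuristic."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = suspicious_reasons(parse_event(line))
        if reasons:
            alerts.append((n, reasons))
    return alerts


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

Run against the constructed sample only the second event is reported, with both reasons. The MAX_PATH check is deliberately conservative: legitimate RTF paths never approach 260 characters, so the threshold produces few false positives while still catching the long-argument shape of the input the thread talks about.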