Vulnerability Development mailing list archives

Re: WordPad/riched20.dll buffer overflow


From: labs () USSRBACK COM (Ussr Labs)
Date: Fri, 26 Nov 1999 13:53:47 -0300


In my first message I wrote it is probable, but it is nothing; nothing appears in the address you can overwrite.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com

-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf () ids pl]
Sent: Sunday, July 18, 1999 2:36 AM
To: Ussr Labs
Cc: BUGTRAQ () SECURITYFOCUS COM; VULN-DEV () SECURITYFOCUS COM
Subject: Re: WordPad/riched20.dll buffer overflow

On Sat, 20 Nov 1999, Ussr Labs wrote:

1: the filter of riched20.dll only accepts letters from "a" to "z" or
"A" to "Z", which means you can only change the returned EIP to an address from
61616161 to 7a7a7a7a.

Hmm, what about overwriting not the whole ret addr but only the least significant
byte or two? In this case, probably we'll be able to point to something
usable (just an idea, I haven't got Win95/98/NT around).

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
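
The two claims in the thread (the a-z/A-Z filter limits a full 4-byte overwrite to 0x61616161..0x7a7a7a7a, and a 1- or 2-byte partial overwrite stays near the original return address) can be checked with a small model. This is an added example, not code from either poster; it assumes little-endian x86 and uses a constructed saved return address, and it illustrates why an input character whitelist is not a mitigation for the overflow itself.

```python
# Added example (not from the thread). Models the riched20.dll character
# filter described by Ussr Labs and the partial-overwrite idea raised by
# Michal Zalewski. Assumption: 32-bit little-endian x86 return addresses.

# Bytes that survive the filter: "a"-"z" and "A"-"Z".
ALLOWED = set(range(0x61, 0x7B)) | set(range(0x41, 0x5B))


def passes_filter(addr: int) -> bool:
    """True if every byte of the 32-bit address is an ASCII letter."""
    return all(b in ALLOWED for b in addr.to_bytes(4, "little"))


def full_overwrite_range() -> tuple[int, int]:
    """Lowest/highest address reachable when all four bytes are replaced
    by lowercase letters: the 61616161..7a7a7a7a range from the thread."""
    return int.from_bytes(b"aaaa", "little"), int.from_bytes(b"zzzz", "little")


def partial_overwrite_targets(saved_ret: int, nbytes: int) -> list[int]:
    """Addresses obtainable by replacing only the `nbytes` least significant
    bytes of the original saved return address with filter-passing bytes.

    The high bytes keep their original value, so every result lies inside
    the same 256-byte (nbytes=1) or 64 KiB (nbytes=2) window as the original
    return address, rather than in the 0x61616161+ region.
    """
    if nbytes not in (1, 2):            # "a byte or two", as in the thread
        raise ValueError("nbytes must be 1 or 2")
    keep_mask = (0xFFFFFFFF << (8 * nbytes)) & 0xFFFFFFFF
    high = saved_ret & keep_mask
    targets = []
    for low in range(1 << (8 * nbytes)):
        if all(b in ALLOWED for b in low.to_bytes(nbytes, "little")):
            targets.append(high | low)
    return targets


if __name__ == "__main__":
    # Constructed (hypothetical) saved return address, not from the thread.
    ret = 0x00401234
    print("full overwrite range: 0x%08x..0x%08x" % full_overwrite_range())
    print("original return 0x%08x passes filter: %s" % (ret, passes_filter(ret)))
    one = partial_overwrite_targets(ret, 1)
    print("1-byte overwrite: %d targets in 0x%08x..0x%08x" % (len(one), one[0], one[-1]))
    two = partial_overwrite_targets(ret, 2)
    print("2-byte overwrite: %d targets in 0x%08x..0x%08x" % (len(two), two[0], two[-1]))
```

The output makes the defender's point concrete: the filter rules out the original code address entirely, yet a partial overwrite still yields thousands of candidate addresses in the original module's neighbourhood.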

