Vulnerability Development mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: labs () USSRBACK COM (Ussr Labs)
Date: Fri, 26 Nov 1999 13:53:47 -0300
In my first message I wrote it: it is probably, but it is nothing, nothing appears in the address you can overwrite.

u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
http://www.ussrback.com

-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf () ids pl]
Sent: Sunday, July 18, 1999 2:36 AM
To: Ussr Labs
Cc: BUGTRAQ () SECURITYFOCUS COM; VULN-DEV () SECURITYFOCUS COM
Subject: Re: WordPad/riched20.dll buffer overflow

On Sat, 20 Nov 1999, Ussr Labs wrote:

1: The filter of riched20.dll only accepts letters from "a" to "z" or "A" to "Z", which means you can only change the returned EIP to an address from 61616161 to 7a7a7a7a.

Hmm, what about overwriting not the whole return address but only the least significant byte or two? In this case we will probably be able to point at something usable (just an idea, I don't have Win95/98/NT around).

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew]
[dione.ids.pl SYSADM] [Marchew Industries] ! [http://lcamtuf.na.export.pl]
bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]