Vulnerability Development mailing list archives

Re: WordPad/riched20.dll buffer overflow


From: lcamtuf () IDS PL (Michal Zalewski)
Date: Sun, 18 Jul 1999 07:36:08 +0200


On Sat, 20 Nov 1999, Ussr Labs wrote:

> 1: the filter of riched20.dll only accepts letters from "a" to "z" or
> "A" to "Z", which means you can only change the returned EIP to an address from
> 61616161 to 7a7a7a7a.

Hmm, what about overwriting not the whole return address but only the least
significant byte or two? In that case we'll probably be able to point at
something usable (just an idea, I haven't got Win95/98/NT around).

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
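As an added illustration for readers of this archive (not code from the thread, nor from WordPad or riched20.dll), the defending side of the point above: a character-set filter constrains *which* bytes reach a buffer, not *how many*, so it is no substitute for a bounds check. The filter, the buffer size `NAME_MAX` and the function names below are all assumptions made up for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the kind of filter the thread describes: the input
 * is accepted only if every byte is an ASCII letter. Note that the filter
 * says nothing at all about the length of the input. */
int filter_accepts(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')))
            return 0;
    }
    return 1;
}

#define NAME_MAX 32   /* assumed fixed buffer size, not the DLL's real value */

/* The vulnerable pattern ("before"): a fixed-size stack buffer filled with
 * strcpy after the filter has run. Letters-only input that is longer than
 * the buffer passes the filter and still overruns the frame. Shown for
 * contrast only; never call it with input longer than NAME_MAX - 1. */
int copy_unchecked(const char *src)
{
    char buf[NAME_MAX];
    if (!filter_accepts(src))
        return -1;
    strcpy(buf, src);   /* no bounds check: this is the actual defect */
    return (int)strlen(buf);
}

/* Hardened form: the copy is bounded by the destination size, and an
 * over-long input is rejected outright rather than silently truncated.
 * Returns the number of bytes copied, or -1 on rejection. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || !filter_accepts(src))
        return -1;
    if (n >= dstsize)   /* would not fit together with the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Constructed sample: a 199-byte, letters-only input. Returns 1 when the
 * filter passes it yet the bounded copy correctly rejects it, i.e. when the
 * filter alone would not have protected the fixed buffer. */
int overlong_passes_filter_but_is_rejected(void)
{
    char big[200];
    char out[NAME_MAX];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return filter_accepts(big) == 1 && copy_bounded(out, sizeof out, big) == -1;
}

int main(void)
{
    char out[NAME_MAX];
    printf("filter accepts over-long letters-only input, bounded copy rejects it: %d\n",
           overlong_passes_filter_but_is_rejected());
    printf("bounded copy of \"WordPad\": %d bytes\n",
           copy_bounded(out, sizeof out, "WordPad"));
    printf("bounded copy of \"a1\" (fails filter): %d\n",
           copy_bounded(out, sizeof out, "a1"));
    return 0;
}
```

The lesson is the one the thread is circling: the filter in the quoted report limits the values an attacker can write, not whether the write happens, so the fix belongs in the copy (`copy_bounded`), not in the character set.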

