Vulnerability Development mailing list archives
Re: development of wordpad exploit
From: core.lists.exploit-dev () CORE-SDI COM (Gerardo Richarte)
Date: Fri, 19 Nov 1999 15:15:10 -0300
"hypoclear - lUSt - (Linux Users Strike Today)" wrote:

> In light of the latest Windows vulnerability in WordPad, it would be great if in this forum we could develop an exploit
> for it. As of now details of the vulnerability are on the net, however no exploit exists yet. This would be an excellent
> opportunity for all of us who don't really know how to code exploits (yet) to see all the details of developing one.
> Anyone else like this idea?!?

I've been playing with this since yesterday. Just today I could make the buffer overflow with EIP pointing to 0x61616161, BUT... (of course, what did you expect?), first things first:

demo:

---------- kk.rtf -----------------------------
{\rtf1\abcdefghijklmnaabbstuvwxyzabcdefghijklmnccddstuvwxyzabcdefghijklmneeffstuvwxyzabcdefghijklmngghhstuvwxyzabcdefghijklmniijjstuvwxyzabcdefghijklmnkkllstuvwxyzabcdefghijklmnmmnnstuvwxyzansi\deff0\deftab720{\fonttbl{\f0\fswiss MS Sans Serif;}{\f1\froman\fcharset2 Symbol;}{\f2\froman Times New Roman;}}
{\colortbl\red0\green0\blue0;}
\deflang1033\pard\plain\f2\fs20 hola
\par }
^@
-----------------------------------------------
[lines finishing in '}}', ';}', 'hola', ' }', '^@']

It's a standard RTF file for the text 'hola', plus an inserted string ('abcde....xyz') before the string 'ansi'. [there's almost a buffer overflow in every parameter in the RTF]

'ccdd' is the return address (EIP).

If the string 'ansi' is missing (I tested with some other strings, not every other string...) nothing 'good' happens.

Any non-letter character before the string 'ccdd' makes nothing happen. I'm not sure which characters can be in this section of the .RTF.

If uppercase letters are used, they are lowercased (at least the return address). (!!! That's what it looks like, but in the original post it says EIP = 0x41414141, which I couldn't reproduce...)

I can't find the [remaining or original] string in memory...

I'll continue some more time with this, but it doesn't look too easy to exploit...

richie

PS: if you have Word installed, this is the default opener for RTFs (which doesn't crash), which makes it a little harder to exploit remotely.

PPS: I found another buffer overflow that affects Word. Use a .RTF file like {\rtf\AAAAAAAAAAAA..............} (more than 5000 As). This doesn't make EIP = 0x41414141, it makes ESI = 0x41414141, and if you use more than 10.000 As, it makes EDI = 0x41414141. It may be exploitable, but doesn't look easy.

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com

application/rtf attachment: kk.rtf
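Both crash files in the post share one structural tell: an RTF control word (backslash followed by letters) that is hundreds or thousands of letters long, far beyond what any legitimate writer emits. The scanner below, an added example that is not part of the thread or of Core SDI's code, flags that pattern so a mail gateway or triage script can quarantine such attachments before a viewer parses them. The sample documents and the 32-letter threshold are assumptions for this example; the threshold follows the limit the RTF specification places on control word length, and can be tuned.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the kk.rtf quoted in the post: a plain RTF
# header with an oversized control word inserted before "ansi".
OVERSIZED_WORD = "abcdefghijklmn" * 12 + "ansi"   # constructed, 172 letters
SAMPLE_RTF = (
    "{\\rtf1\\" + OVERSIZED_WORD + "\\deff0\\deftab720"
    "{\\fonttbl{\\f0\\fswiss MS Sans Serif;}{\\f2\\froman Times New Roman;}}"
    "{\\colortbl\\red0\\green0\\blue0;}"
    "\\deflang1033\\pard\\plain\\f2\\fs20 hola \\par }"
)
# Constructed benign document for comparison.
BENIGN_RTF = "{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fswiss MS Sans Serif;}}\\pard hola \\par }"

# A control word is a backslash, ASCII letters, and an optional signed numeric
# parameter. The RTF spec bounds the letters at 32; anything far beyond that is
# the overflow pattern described in the post (assumed threshold, tune as needed).
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)?")
MAX_CONTROL_WORD_LEN = 32


def find_oversized_control_words(
    data: bytes, limit: int = MAX_CONTROL_WORD_LEN
) -> List[Tuple[int, int, bytes]]:
    """Return (offset, length, first 16 letters) for every control word longer than limit."""
    hits = []
    for m in CONTROL_WORD.finditer(data):
        word = m.group(1)
        if len(word) > limit:
            hits.append((m.start(), len(word), word[:16]))
    return hits


def is_suspicious_rtf(data: bytes) -> bool:
    """True when the blob looks like RTF and carries at least one oversized control word."""
    return data.lstrip().startswith(b"{\\rtf") and bool(find_oversized_control_words(data))


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        hits = find_oversized_control_words(doc.encode())
        print(f"{name}: {'suspicious' if hits else 'clean'} {hits}")
```

Raw binary following a \bin control word can contain backslash-letter sequences, so on real-world input treat a hit as a reason to detonate in a sandbox rather than as proof on its own.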
Current thread:
- development of wordpad exploit Linux Users Strike Today (Nov 18)
- RES: development of wordpad exploit Marlon Jabbur (Nov 19)
- Re: development of wordpad exploit Gerardo Richarte (Nov 19)
- Re: development of wordpad exploit Gerardo Richarte (Nov 19)
- <Possible follow-ups>
- Re: development of wordpad exploit Larry W. Cashdollar (Nov 19)
- Re: development of wordpad exploit Taneli Huuskonen (Nov 19)
- Re: development of wordpad exploit Jason Paulson (Nov 19)
- Re: development of wordpad exploit Riley, Steven (Nov 19)
- Re: development of wordpad exploit Thomas Dullien (Nov 19)
- Re: development of wordpad exploit Harlan Carvey (Nov 19)
- Re: development of wordpad exploit Vanna P. Rella (Nov 19)
- Re: development of wordpad exploit Witold Chrabaszcz (Nov 19)
- Re: development of wordpad exploit Blue Boar (Nov 19)
- Re: development of wordpad exploit Rodrick Brown (Nov 19)
- Re: development of wordpad exploit Witold Chrabaszcz (Nov 19)